-OR- -- Collect your hardware inventory using the SMS\DEF.MOF file (System Center Configuration Manager 2007 only) +- Collect your hardware inventory using the SMS\DEF.MOF file (Configuration Manager 2007 only) ### WMI only: Running the PowerShell script to compile the .MOF file and to update security privileges You need to set up your computers for data collection by running the provided PowerShell script (IETelemetrySetUp.ps1) to compile the .mof file and to update security privileges for the new WMI classes. @@ -235,7 +235,7 @@ After you’ve collected your data, you’ll need to get the local files off of -OR- - Collect your hardware inventory using the MOF Editor with a .MOF import file.
-OR-
-- Collect your hardware inventory using the SMS\DEF.MOF file (System Center Configuration Manager 2007 only)
+- Collect your hardware inventory using the SMS\DEF.MOF file (Configuration Manager 2007 only)
### Collect your hardware inventory using the MOF Editor while connected to a client device
You can collect your hardware inventory using the MOF Editor, while you’re connected to your client devices.
@@ -277,8 +277,8 @@ You can collect your hardware inventory using the MOF Editor and a .MOF import f
4. Click **OK** to close the default windows.
Your environment is now ready to collect your hardware inventory and review the sample reports.
-### Collect your hardware inventory using the SMS\DEF.MOF file (System Center Configuration Manager 2007 only)
-You can collect your hardware inventory using the using the Systems Management Server (SMS\DEF.MOF) file. Editing this file lets you collect your data for System Center Configuration Manager 2007. If you aren’t using this version of Configuration Manager, you won’t want to use this option.
+### Collect your hardware inventory using the SMS\DEF.MOF file (Configuration Manager 2007 only)
+You can collect your hardware inventory using the using the Systems Management Server (SMS\DEF.MOF) file. Editing this file lets you collect your data for Configuration Manager 2007. If you aren’t using this version of Configuration Manager, you won’t want to use this option.
**To collect your inventory**
@@ -352,14 +352,14 @@ You can collect your hardware inventory using the using the Systems Management S
Your environment is now ready to collect your hardware inventory and review the sample reports.
## View the sample reports with your collected data
-The sample reports, **SCCM Report Sample – ActiveX.rdl** and **SCCM Report Sample – Site Discovery.rdl**, work with System Center 2012, so you can review your collected data.
+The sample reports, **Configuration Manager Report Sample – ActiveX.rdl** and **Configuration Manager Report Sample – Site Discovery.rdl**, work with System Center 2012, so you can review your collected data.
-### SCCM Report Sample – ActiveX.rdl
+### Configuration Manager Report Sample – ActiveX.rdl
Gives you a list of all of the ActiveX-related sites visited by the client computer.
-### SCCM Report Sample – Site Discovery.rdl
+### Configuration Manager Report Sample – Site Discovery.rdl
Gives you a list of all of the sites visited by the client computer.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-install-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-install-ie11.md
index 187e1eade3..0175cb7bbe 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-install-ie11.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/choose-how-to-install-ie11.md
@@ -29,7 +29,7 @@ Before you install Internet Explorer 11, you should:
- **Choose how you'll deploy your installation package.** Your deployment method should be based on whether you're installing to computers already running Windows, or if you're deploying IE11 as part of a Windows installation.
- - **Existing computers running Windows.** Use System Center R2 2012 System Center 2012 R2 Configuration Manager, System Center Essentials 2010, Windows Server Updates Services (WSUS), or Microsoft Intune to deploy IE11. For more information about how to use these systems, see [System Center 2012 R2 Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682129(v=technet.10)), [System Center Essentials 2010](https://go.microsoft.com/fwlink/p/?LinkId=395200), [Windows Server Update Services](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh852345(v=ws.11)), and [Microsoft Intune Overview](https://www.microsoft.com/cloud-platform/microsoft-intune).
+ - **Existing computers running Windows.** Use Configuration Manager, System Center Essentials 2010, Windows Server Updates Services (WSUS), or Microsoft Intune to deploy IE11. For more information about how to use these systems, see [Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682129(v=technet.10)), [System Center Essentials 2010](https://go.microsoft.com/fwlink/p/?LinkId=395200), [Windows Server Update Services](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh852345(v=ws.11)), and [Microsoft Intune Overview](https://www.microsoft.com/cloud-platform/microsoft-intune).
- **As part of a Windows deployment.** Update your Windows images to include IE11, and then add the update to your MDT deployment share or to your Windows image. For instructions about how to create and use Windows images, see [Create and Manage a Windows Image Using DISM](/previous-versions/windows/it-pro/windows-8.1-and-8/hh825251(v=win.10)). For general information about deploying IE, see [Microsoft Deployment Toolkit (MDT)](/mem/configmgr/mdt/), [Windows ADK Overview](/previous-versions/windows/it-pro/windows-8.1-and-8/hh825486(v=win.10)).
diff --git a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
index 8cef068687..24265e0261 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
@@ -142,7 +142,7 @@ Before you can start to collect your data, you must run the provided PowerShell
-OR-
- Collect your hardware inventory using the MOF Editor with a .MOF import file.
-OR- -- Collect your hardware inventory using the SMS\DEF.MOF file (System Center Configuration Manager 2007 only) +- Collect your hardware inventory using the SMS\DEF.MOF file (Configuration Manager 2007 only) ### WMI only: Running the PowerShell script to compile the .MOF file and to update security privileges You need to set up your computers for data collection by running the provided PowerShell script (IETelemetrySetUp.ps1) to compile the .mof file and to update security privileges for the new WMI classes. @@ -239,7 +239,7 @@ After you’ve collected your data, you’ll need to get the local files off of -OR- - Collect your hardware inventory using the MOF Editor with a .MOF import file.
-OR-
-- Collect your hardware inventory using the SMS\DEF.MOF file (System Center Configuration Manager 2007 only)
+- Collect your hardware inventory using the SMS\DEF.MOF file (Configuration Manager 2007 only)
### Collect your hardware inventory using the MOF Editor while connected to a client device
You can collect your hardware inventory using the MOF Editor, while you’re connected to your client devices.
@@ -281,8 +281,8 @@ You can collect your hardware inventory using the MOF Editor and a .MOF import f
4. Click **OK** to close the default windows.
Your environment is now ready to collect your hardware inventory and review the sample reports.
-### Collect your hardware inventory using the SMS\DEF.MOF file (System Center Configuration Manager 2007 only)
-You can collect your hardware inventory using the using the Systems Management Server (SMS\DEF.MOF) file. Editing this file lets you collect your data for System Center Configuration Manager 2007. If you aren’t using this version of Configuration Manager, you won’t want to use this option.
+### Collect your hardware inventory using the SMS\DEF.MOF file (Configuration Manager 2007 only)
+You can collect your hardware inventory using the using the Systems Management Server (SMS\DEF.MOF) file. Editing this file lets you collect your data for Configuration Manager 2007. If you aren’t using this version of Configuration Manager, you won’t want to use this option.
**To collect your inventory**
@@ -356,14 +356,14 @@ You can collect your hardware inventory using the using the Systems Management S
Your environment is now ready to collect your hardware inventory and review the sample reports.
## View the sample reports with your collected data
-The sample reports, **SCCM Report Sample – ActiveX.rdl** and **SCCM Report Sample – Site Discovery.rdl**, work with System Center 2012, so you can review your collected data.
+The sample reports, **Configuration Manager Report Sample – ActiveX.rdl** and **Configuration Manager Report Sample – Site Discovery.rdl**, work with System Center 2012, so you can review your collected data.
-### SCCM Report Sample – ActiveX.rdl
+### Configuration Manager Report Sample – ActiveX.rdl
Gives you a list of all of the ActiveX-related sites visited by the client computer.
-### SCCM Report Sample – Site Discovery.rdl
+### Configuration Manager Report Sample – Site Discovery.rdl
Gives you a list of all of the sites visited by the client computer.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-software-distribution-tools.md b/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-software-distribution-tools.md
index 9e65453694..7eaac18e22 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-software-distribution-tools.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/deploy-ie11-using-software-distribution-tools.md
@@ -21,7 +21,7 @@ ms.date: 07/27/2017
If you already manage software distribution and updates on your network through software distribution tools, you can also use these tools for ongoing deployments of Internet Explorer. Software distribution tools include:
-- **System Center R2 2012 System Center 2012 R2 Configuration Manager.** Deploy and install Internet Explorer 11 on your user's computers through a software distribution package. For more information about using this tool, see [System Center R2 2012 Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682129(v=technet.10)).
+- **Configuration Manager** Deploy and install Internet Explorer 11 on your user's computers through a software distribution package. For more information about using this tool, see [Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682129(v=technet.10)).
- **Windows Server Update Services (WSUS).** Download a single copy of the IE11 updates, caching them to local servers so your users' computers can receive the updates directly from the WSUS servers, instead of through Windows Update. For more information about using this tool, see [Windows Server Update Services](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh852345(v=ws.11)).
diff --git a/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md b/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md
index 3ec3c7c763..13e84a6792 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md
@@ -75,7 +75,7 @@ If you use Automatic Updates in your company, but want to stop your users from a
> [!NOTE]
>The toolkit won't stop users with local administrator accounts from manually installing Internet Explorer 11. Using this toolkit also prevents your users from receiving automatic upgrades from Internet Explorer 8, Internet Explorer 9, or Internet Explorer 10 to Internet Explorer 11. For more information, see the [Internet Explorer 11 Blocker Toolkit frequently asked questions](../ie11-faq/faq-for-it-pros-ie11.yml).
-- **Use an update management solution to control update deployment.** If you already use an update management solution, like [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus) or the more advanced [System Center 2012 Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682129(v=technet.10)), you should use that instead of the Internet Explorer Blocker Toolkit.
+- **Use an update management solution to control update deployment.** If you already use an update management solution, like [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus) or the more advanced [Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682129(v=technet.10)), you should use that instead of the Internet Explorer Blocker Toolkit.
> [!NOTE]
> If you use WSUS to manage updates, and Update Rollups are configured for automatic installation, Internet Explorer will automatically install throughout your company.
diff --git a/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.yml b/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.yml
index 178595abf4..618ec339b5 100644
--- a/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.yml
+++ b/browsers/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit.yml
@@ -22,7 +22,7 @@ summary: |
Get answers to commonly asked questions about the Internet Explorer 11 Blocker Toolkit.
> [!Important]
- > If you administer your company’s environment using an update management solution, such as Windows Server Update Services (WSUS) or System Center 2012 Configuration Manager, you don’t need to use the Internet Explorer 11 Blocker Toolkit. Update management solutions let you completely manage your Windows Updates and Microsoft Updates, including your Internet Explorer 11 deployment.
+ > If you administer your company’s environment using an update management solution, such as Windows Server Update Services (WSUS) or Configuration Manager, you don’t need to use the Internet Explorer 11 Blocker Toolkit. Update management solutions let you completely manage your Windows Updates and Microsoft Updates, including your Internet Explorer 11 deployment.
- [Automatic updates delivery process](/internet-explorer/ie11-faq/faq-ie11-blocker-toolkit#automatic-updates-delivery-process)
@@ -47,7 +47,7 @@ sections:
- question: |
Whtools cI use to manage Windows Updates and Microsoft Updates in my company?
answer: |
- We encourage anyone who wants full control over their company’s deployment of Windows Updates and Microsoft Updates, to use [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus), a free tool for users of Windows Server. You calso use the more advanced configuration management tool, [System Center 2012 Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682041(v=technet.10)).
+ We encourage anyone who wants full control over their company’s deployment of Windows Updates and Microsoft Updates, to use [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus), a free tool for users of Windows Server. You calso use the more advanced configuration management tool, [Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg682041(v=technet.10)).
- question: |
How long does the blocker mechanism work?
diff --git a/browsers/internet-explorer/includes/microsoft-365-ie-end-of-support.md b/browsers/internet-explorer/includes/microsoft-365-ie-end-of-support.md
index c92fd17fd3..bb2983bca4 100644
--- a/browsers/internet-explorer/includes/microsoft-365-ie-end-of-support.md
+++ b/browsers/internet-explorer/includes/microsoft-365-ie-end-of-support.md
@@ -1,13 +1,17 @@
---
-author: pamgreen-msft
-ms.author: pamgreen
-ms.date: 10/02/2018
+author: dansimp
+ms.author: dansimp
+ms.date:
ms.reviewer:
audience: itpro
-manager: pamgreen
+manager: dansimp
ms.prod: ie11
ms.topic: include
---
> [!IMPORTANT]
-> The Internet Explorer 11 desktop application will be retired and go out of support on June 15, 2022. For a list of what’s in scope, see [the FAQ](https://aka.ms/IEModeFAQ). The same IE11 apps and sites you use today can open in Microsoft Edge with Internet Explorer mode. [Learn more here](https://blogs.windows.com/msedgedev/).
\ No newline at end of file
+> The Internet Explorer 11 desktop application is [retired and out of support](https://aka.ms/IEJune15Blog) as of June 15, 2022 for certain versions of Windows 10.
+>
+> You can still access older, legacy sites that require Internet Explorer with Internet Explorer mode in Microsoft Edge. [Learn how](https://aka.ms/IEmodewebsite).
+>
+> The Internet Explorer 11 desktop application will progressively redirect to the faster, more secure Microsoft Edge browser, and will ultimately be disabled via Windows Update. [Disable IE today](/deployedge/edge-ie-disable-ie11).
diff --git a/education/docfx.json b/education/docfx.json
index 04a27cb629..38f8413d5f 100644
--- a/education/docfx.json
+++ b/education/docfx.json
@@ -32,7 +32,6 @@
"ms.topic": "article",
"ms.technology": "windows",
"manager": "dansimp",
- "audience": "ITPro",
"breadcrumb_path": "/education/breadcrumb/toc.json",
"ms.date": "05/09/2017",
"feedback_system": "None",
@@ -51,6 +50,9 @@
"Kellylorenebaker",
"jborsecnik",
"tiburd",
+ "AngelaMotherofDragons",
+ "dstrome",
+ "v-dihans",
"garycentric"
]
},
diff --git a/education/includes/education-content-updates.md b/education/includes/education-content-updates.md
index 73b3828e76..825288c869 100644
--- a/education/includes/education-content-updates.md
+++ b/education/includes/education-content-updates.md
@@ -2,39 +2,9 @@
-## Week of May 02, 2022
+## Week of June 27, 2022
| Published On |Topic title | Change |
|------|------------|--------|
-| 5/3/2022 | [Reset devices with Autopilot Reset](/education/windows/autopilot-reset) | modified |
-| 5/3/2022 | [Change history for Windows 10 for Education (Windows 10)](/education/windows/change-history-edu) | modified |
-| 5/3/2022 | [Change to Windows 10 Education from Windows 10 Pro](/education/windows/change-to-pro-education) | modified |
-| 5/3/2022 | [Chromebook migration guide (Windows 10)](/education/windows/chromebook-migration-guide) | modified |
-| 5/3/2022 | [Windows 10 configuration recommendations for education customers](/education/windows/configure-windows-for-education) | modified |
-| 5/3/2022 | [Deploy Windows 10 in a school district (Windows 10)](/education/windows/deploy-windows-10-in-a-school-district) | modified |
-| 5/3/2022 | [Deploy Windows 10 in a school (Windows 10)](/education/windows/deploy-windows-10-in-a-school) | modified |
-| 5/3/2022 | [Deployment recommendations for school IT administrators](/education/windows/edu-deployment-recommendations) | modified |
-| 5/3/2022 | [For IT administrators get Minecraft Education Edition](/education/windows/school-get-minecraft) | modified |
-| 5/3/2022 | [What's in Set up School PCs provisioning package](/education/windows/set-up-school-pcs-provisioning-package) | modified |
-| 5/3/2022 | [Take a Test app technical reference](/education/windows/take-a-test-app-technical) | modified |
-| 5/3/2022 | [Set up Take a Test on multiple PCs](/education/windows/take-a-test-multiple-pcs) | modified |
-| 5/3/2022 | [For teachers get Minecraft Education Edition](/education/windows/teacher-get-minecraft) | modified |
-| 5/3/2022 | [Test Windows 10 in S mode on existing Windows 10 education devices](/education/windows/test-windows10s-for-edu) | modified |
-
-
-## Week of April 25, 2022
-
-
-| Published On |Topic title | Change |
-|------|------------|--------|
-| 4/25/2022 | [Deploy Windows 10 in a school district (Windows 10)](/education/windows/deploy-windows-10-in-a-school-district) | modified |
-| 4/25/2022 | [Deploy Windows 10 in a school district (Windows 10)](/education/windows/deploy-windows-10-in-a-school-district) | modified |
-
-
-## Week of April 18, 2022
-
-
-| Published On |Topic title | Change |
-|------|------------|--------|
-| 4/21/2022 | [For IT administrators get Minecraft Education Edition](/education/windows/school-get-minecraft) | modified |
+| 6/30/2022 | Get Minecraft Education Edition with your Windows 10 device promotion | removed |
diff --git a/education/windows/TOC.yml b/education/windows/TOC.yml
index 3a592b8263..717ae6c902 100644
--- a/education/windows/TOC.yml
+++ b/education/windows/TOC.yml
@@ -53,8 +53,6 @@
href: teacher-get-minecraft.md
- name: "For IT administrators: get Minecraft Education Edition"
href: school-get-minecraft.md
- - name: "Get Minecraft: Education Edition with Windows 10 device promotion"
- href: get-minecraft-device-promotion.md
- name: Test Windows 10 in S mode on existing Windows 10 education devices
href: test-windows10s-for-edu.md
- name: Enable Windows 10 in S mode on Surface Go devices
diff --git a/education/windows/change-history-edu.md b/education/windows/change-history-edu.md
index 9a828c6755..68e0429bb0 100644
--- a/education/windows/change-history-edu.md
+++ b/education/windows/change-history-edu.md
@@ -135,7 +135,7 @@ The topics in this library have been updated for Windows 10, version 1607 (also
| New or changed topic | Description|
| --- | --- |
| [Windows 10 editions for education customers](windows-editions-for-education-customers.md) | New. Learn about the two editions in Windows 10, version 1607 that's designed for the needs of K-12 institutions. |
-|[Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)|New. Learn how to deploy Windows 10 in a school district. Integrate the school environment with Office 365, AD DS, and Microsoft Azure AD, use SCCM, Intune, and Group Policy to manage devices. |
+|[Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)|New. Learn how to deploy Windows 10 in a school district. Integrate the school environment with Office 365, AD DS, and Microsoft Azure AD, use Configuration Manager, Intune, and Group Policy to manage devices. |
## June 2016
diff --git a/education/windows/change-to-pro-education.md b/education/windows/change-to-pro-education.md
index 9d165c8892..d1ed1e7192 100644
--- a/education/windows/change-to-pro-education.md
+++ b/education/windows/change-to-pro-education.md
@@ -28,7 +28,7 @@ To take advantage of this offering, make sure you meet the [requirements for cha
## Requirements for changing
Before you change to Windows 10 Pro Education, make sure you meet these requirements:
- Devices must be running Windows 10 Pro, version 1607 or higher.
-- Devices must be Azure Active Directory joined, or domain joined with Azure AD Connect. Customers who are federated with Azure AD are also eligible. For more information, see [Review requirements on devices](#review-requirements-on-devices).
+- Devices must be Azure Active Directory-joined, or domain joined with Azure AD Connect. Customers who are federated with Azure AD are also eligible. For more information, see [Review requirements on devices](#review-requirements-on-devices).
If you haven't domain joined your devices already, [prepare for deployment of Windows 10 Pro Education licenses](#preparing-for-deployment-of-windows-10-pro-education-licenses).
@@ -47,7 +47,7 @@ For schools that want to standardize all their Windows 10 Pro devices to Windows
In this scenario:
-- The IT admin of the tenant chooses to turn on the change for all Azure AD joined devices.
+- The IT admin of the tenant chooses to turn on the change for all Azure AD-joined devices.
- Any device that joins the Azure AD will change automatically to Windows 10 Pro Education.
- The IT admin has the option to automatically roll back to Windows 10 Pro, if desired. See [Roll back Windows 10 Pro Education to Windows 10 Pro](#roll-back-windows-10-pro-education-to-windows-10-pro).
@@ -92,7 +92,7 @@ You can use Windows Configuration Designer to create a provisioning package that
3. In the **Enter a product key** window, enter the MAK key for Windows 10 Pro Education and click **Next**.
-## Education customers with Azure AD joined devices
+## Education customers with Azure AD-joined devices
Academic institutions can easily move from Windows 10 Pro to Windows 10 Pro Education without using activation keys or reboots. When one of your users enters their Azure AD credentials associated with a Windows 10 Pro Education license, the operating system changes to Windows 10 Pro Education and all the appropriate Windows 10 Pro Education features are unlocked. Previously, only schools or organizations purchasing devices as part of the Shape the Future K-12 program or with a Microsoft Volume Licensing Agreement could deploy Windows 10 Pro Education to their users. Now, if you have an Azure AD for your organization, you can take advantage of the Windows 10 Pro Education features.
@@ -145,7 +145,7 @@ Enabling the automatic change also triggers an email message notifying all globa
So what will users experience? How will they change their devices?
-### For existing Azure AD joined devices
+### For existing Azure AD-joined devices
Existing Azure AD domain joined devices will be changed to Windows 10 Pro Education the next time the user logs in. That's it! No other steps are needed.
### For new devices that are not Azure AD joined
@@ -251,7 +251,7 @@ Devices must be running Windows 10 Pro, version 1607 or higher, or domain joined
dsregcmd /status
```
-2. Review the output under Device State. If the **AzureAdJoined** status is YES, the device is Azure Active Directory joined.
+2. Review the output under Device State. If the **AzureAdJoined** status is YES, the device is Azure Active Directory-joined.
**To determine the version of Windows 10**
diff --git a/education/windows/chromebook-migration-guide.md b/education/windows/chromebook-migration-guide.md
index 37e9cba645..6ecad551d4 100644
--- a/education/windows/chromebook-migration-guide.md
+++ b/education/windows/chromebook-migration-guide.md
@@ -485,7 +485,7 @@ Table 9. Management systems and deployment resources
|--- |--- |
|Windows provisioning packages|
[64-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619098)| |Ralink|D-Link AirPlus G DWL-G510 Wireless PCI Adapter(rev.C)|pci\ven_1814&dev_0302&subsys_3c091186&rev_00|[32-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619099)
[64-bit driver](https://go.microsoft.com/fwlink/p/?LinkId=619100)|
-IT administrators that want to target Windows To Go images for specific systems should test their images to ensure that the necessary system drivers are in the image, especially for critical functionality like Wi-Fi that is not supported by class drivers. Some consumer devices require OEM-specific driver packages, which may not be available on Windows Update. For more information on how to add a driver to a Windows Image, please refer to the [Basic Windows Deployment Step-by-Step Guide](/previous-versions/windows/it-pro/windows-8.1-and-8/hh825212(v=win.10)).
+IT administrators that want to target Windows To Go images for specific systems should test their images to ensure that the necessary system drivers are in the image, especially for critical functionality like Wi-Fi that isn't supported by class drivers. Some consumer devices require OEM-specific driver packages, which may not be available on Windows Update. For more information on how to add a driver to a Windows Image, please refer to the [Basic Windows Deployment Step-by-Step Guide](/previous-versions/windows/it-pro/windows-8.1-and-8/hh825212(v=win.10)).
### Application installation and domain join
-Unless you are using a customized Windows image that includes unattended installation settings, the initial Windows To Go workspace will not be domain joined and will not contain applications. This is exactly like a new installation of Windows on a desktop or laptop computer. When planning your deployment, you should develop methods to join Windows to Go drives to the domain and install the standard applications that users in your organization require. These methods probably will be similar to the ones used for setting up desktop and laptop computers with domain privileges and applications
+Unless you're using a customized Windows image that includes unattended installation settings, the initial Windows To Go workspace won't be domain joined and won't contain applications. This is exactly like a new installation of Windows on a desktop or laptop computer. When planning your deployment, you should develop methods to join Windows to Go drives to the domain and install the standard applications that users in your organization require. These methods probably will be similar to the ones used for setting up desktop and laptop computers with domain privileges and applications
### Management of Windows To Go using Group Policy
@@ -116,20 +109,20 @@ The use of the Store on Windows To Go workspaces that are running Windows 8 can
- **Allow hibernate (S4) when started from a Windows To Go workspace**
- This policy setting specifies whether the PC can use the hibernation sleep state (S4) when started from a Windows To Go workspace. By default, hibernation is disabled when using Windows To Go workspace, so enabling this setting explicitly turns this ability back on. When a computer enters hibernation, the contents of memory are written to disk. When the disk is resumed, it is important that the hardware attached to the system, as well as the disk itself, are unchanged. This is inherently incompatible with roaming between PC hosts. Hibernation should only be used when the Windows To Go workspace is not being used to roam between host PCs.
+ This policy setting specifies whether the PC can use the hibernation sleep state (S4) when started from a Windows To Go workspace. By default, hibernation is disabled when using Windows To Go workspace, so enabling this setting explicitly turns this ability back on. When a computer enters hibernation, the contents of memory are written to disk. When the disk is resumed, it's important that the hardware attached to the system, and the disk itself, are unchanged. This is inherently incompatible with roaming between PC hosts. Hibernation should only be used when the Windows To Go workspace isn't being used to roam between host PCs.
> [!IMPORTANT]
> For the host-PC to resume correctly when hibernation is enabled the Windows To Go workspace must continue to use the same USB port.
- **Disallow standby sleep states (S1-S3) when starting from a Windows To Go workspace**
- This policy setting specifies whether the PC can use standby sleep states (S1–S3) when started from a Windows To Go workspace. The Sleep state also presents a unique challenge to Windows To Go users. When a computer goes to sleep, it appears as if it is shut down. It could be very easy for a user to think that a Windows To Go workspace in sleep mode was actually shut down and they could remove the Windows To Go drive and take it home. Removing the Windows To Go drive in this scenario is equivalent to an unclean shutdown, which may result in the loss of unsaved user data or the corruption on the drive. Moreover, if the user now boots the drive on another PC and brings it back to the first PC, which still happens to be in the sleep state, it will lead to an arbitrary crash and eventually corruption of the drive and result in the workspace becoming unusable. If you enable this policy setting, the Windows To Go workspace cannot use the standby states to cause the PC to enter sleep mode. If you disable or do not configure this policy setting, the Windows To Go workspace can place the PC in sleep mode.
+ This policy setting specifies whether the PC can use standby sleep states (S1–S3) when started from a Windows To Go workspace. The Sleep state also presents a unique challenge to Windows To Go users. When a computer goes to sleep, it appears as if it's shut down. It could be easy for a user to think that a Windows To Go workspace in sleep mode was actually shut down and they could remove the Windows To Go drive and take it home. Removing the Windows To Go drive in this scenario is equivalent to an unclean shutdown, which may result in the loss of unsaved user data or the corruption on the drive. Moreover, if the user now boots the drive on another PC and brings it back to the first PC, which still happens to be in the sleep state, it will lead to an arbitrary crash and eventually corruption of the drive and result in the workspace becoming unusable. If you enable this policy setting, the Windows To Go workspace can't use the standby states to cause the PC to enter sleep mode. If you disable or don't configure this policy setting, the Windows To Go workspace can place the PC in sleep mode.
**Settings for host PCs**
- **Windows To Go Default Startup Options**
- This policy setting controls whether the host computer will boot to Windows To Go if a USB device containing a Windows To Go workspace is connected, and controls whether users can make changes using the **Windows To Go Startup Options** settings dialog. If you enable this policy setting, booting to Windows To Go when a USB device is connected will be enabled and users will not be able to make changes using the **Windows To Go Startup Options** settings dialog. If you disable this policy setting, booting to Windows To Go when a USB device is connected will not be enabled unless a user configures the option manually in the firmware. If you do not configure this policy setting, users who are members of the local Administrators group can enable or disable booting from USB using the **Windows To Go Startup Options** settings dialog.
+ This policy setting controls whether the host computer will boot to Windows To Go if a USB device containing a Windows To Go workspace is connected, and controls whether users can make changes using the **Windows To Go Startup Options** settings dialog. If you enable this policy setting, booting to Windows To Go when a USB device is connected will be enabled and users won't be able to make changes using the **Windows To Go Startup Options** settings dialog. If you disable this policy setting, booting to Windows To Go when a USB device is connected won't be enabled unless a user configures the option manually in the firmware. If you don't configure this policy setting, users who are members of the local Administrators group can enable or disable booting from USB using the **Windows To Go Startup Options** settings dialog.
> [!IMPORTANT]
> Enabling this policy setting will cause PCs running Windows to attempt to boot from any USB device that is inserted into the PC before it is started.
@@ -141,7 +134,7 @@ The biggest hurdle for a user wanting to use Windows To Go is configuring their
> [!NOTE]
> Enabling a system to always boot from USB first has implications that you should consider. For example, a USB device that includes malware could be booted inadvertently to compromise the system, or multiple USB drives could be plugged in to cause a boot conflict. For this reason, the Windows To Go startup options are disabled by default. In addition, administrator privileges are required to configure Windows To Go startup options.
-If you are going to be using a Windows 7 computer as a host-PC, see the wiki article [Tips for configuring your BIOS settings to work with Windows To Go](https://go.microsoft.com/fwlink/p/?LinkID=618951).
+If you're going to be using a Windows 7 computer as a host-PC, see the wiki article [Tips for configuring your BIOS settings to work with Windows To Go](https://go.microsoft.com/fwlink/p/?LinkID=618951).
### Roaming between different firmware types
@@ -149,9 +142,9 @@ Windows supports two types of PC firmware: Unified Extensible Firmware Interface
-This presented a unique challenge for Windows To Go because the firmware type is not easily determined by end users—a UEFI computer looks just like a legacy BIOS computer and Windows To Go must boot on both types of firmware.
+This presented a unique challenge for Windows To Go because the firmware type isn't easily determined by end users—a UEFI computer looks just like a legacy BIOS computer and Windows To Go must boot on both types of firmware.
-To enable booting Windows To Go on both types of firmware, a new disk layout is provided for Windows 8 or later that contains both sets of boot components on a FAT32 system partition and a new command-line option was added to bcdboot.exe to support this configuration. The **/f** option is used with the **bcdboot /s** command to specify the firmware type of the target system partition by appending either **UEFI**, **BIOS** or **ALL**. When creating Windows To Go drives manually you must use the **ALL** parameter to provide the Windows To Go drive the ability to boot on both types of firmware. For example, on volume H: (your Windows To Go USB drive letter), you would use the command **bcdboot C:\\windows /s H: /f ALL**. The following diagram illustrates the disk layout that results from that command:
+To enable booting Windows To Go on both types of firmware, a new disk layout is provided for Windows 8 or later that contains both sets of boot components on a FAT32 system partition and a new command-line option was added to bcdboot.exe to support this configuration. The **/f** option is used with the **bcdboot /s** command to specify the firmware type of the target system partition by appending either **UEFI**, **BIOS** or **ALL**. When creating Windows To Go drives manually, you must use the **ALL** parameter to provide the Windows To Go drive the ability to boot on both types of firmware. For example, on volume H: (your Windows To Go USB drive letter), you would use the command **bcdboot C:\\windows /s H: /f ALL**. The following diagram illustrates the disk layout that results from that command:
@@ -159,7 +152,7 @@ This is the only supported disk configuration for Windows To Go. With this disk
### Configure Windows To Go startup options
-Windows To Go Startup Options is a setting available on Windows 10-based PCs that enables the computer to be booted from a USB without manually changing the firmware settings of the PC. To configure Windows To Go Startup Options you must have administrative rights on the computer and the **Windows To Go Default Startup Options** Group Policy setting must not be configured.
+Windows To Go Startup Options is a setting available on Windows 10-based PCs that enables the computer to be booted from a USB without manually changing the firmware settings of the PC. To configure Windows To Go Startup Options, you must have administrative rights on the computer and the **Windows To Go Default Startup Options** Group Policy setting must not be configured.
**To configure Windows To Go startup options**
@@ -176,7 +169,7 @@ Windows To Go Startup Options is a setting available on Windows 10-based PCs tha
### Change firmware settings
-If you choose to not use the Windows To Go startup options or are using a PC running Windows 7 as your host computer you will need to manually configure the firmware settings. The process used to accomplish this will depend on the firmware type and manufacturer. If your host computer is protected by BitLocker and running Windows 7 you should suspend BitLocker before making the change to the firmware settings. After the firmware settings have been successfully reconfigured, resume BitLocker protection. If you do not suspend BitLocker first, BitLocker will assume that the computer has been tampered with and will boot into BitLocker recovery mode.
+If you choose to not use the Windows To Go startup options or are using a PC running Windows 7 as your host computer, you'll need to manually configure the firmware settings. The process used to accomplish this will depend on the firmware type and manufacturer. If your host computer is protected by BitLocker and running Windows 7, you should suspend BitLocker before making the change to the firmware settings. After the firmware settings have been successfully reconfigured, resume BitLocker protection. If you don't suspend BitLocker first, BitLocker will assume that the computer has been tampered with and will boot into BitLocker recovery mode.
## Related topics
diff --git a/windows/deployment/planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md b/windows/deployment/planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md
index bcad4a3136..9e64ab8e0b 100644
--- a/windows/deployment/planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md
+++ b/windows/deployment/planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md
@@ -1,15 +1,10 @@
---
title: Enabling and Disabling Compatibility Fixes in Compatibility Administrator
description: You can disable and enable individual compatibility fixes in your customized databases for testing and troubleshooting purposes.
-ms.assetid: 6bd4a7c5-0ed9-4a35-948c-c438aa4d6cb6
ms.reviewer:
manager: dougeby
ms.author: aaroncz
ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-audience: itpro
author: aczechowski
ms.topic: article
ms.custom: seo-marvel-apr2020
diff --git a/windows/deployment/planning/features-lifecycle.md b/windows/deployment/planning/features-lifecycle.md
index df0e93d341..0bb13ccd0f 100644
--- a/windows/deployment/planning/features-lifecycle.md
+++ b/windows/deployment/planning/features-lifecycle.md
@@ -2,10 +2,7 @@
title: Windows client features lifecycle
description: Learn about the lifecycle of Windows 10 features, as well as features that are no longer developed, removed features, and terminology assigned to a feature.
ms.prod: w10
-ms.mktglfcycl: plan
ms.localizationpriority: medium
-ms.sitesec: library
-audience: itpro
author: aczechowski
manager: dougeby
ms.author: aaroncz
diff --git a/windows/deployment/planning/fixing-applications-by-using-the-sua-tool.md b/windows/deployment/planning/fixing-applications-by-using-the-sua-tool.md
index 1f81b6a7ea..54b85fbaa4 100644
--- a/windows/deployment/planning/fixing-applications-by-using-the-sua-tool.md
+++ b/windows/deployment/planning/fixing-applications-by-using-the-sua-tool.md
@@ -1,15 +1,10 @@
---
title: Fixing Applications by Using the SUA Tool (Windows 10)
description: On the user interface for the Standard User Analyzer (SUA) tool, you can apply fixes to an application.
-ms.assetid: 7f5947b1-977b-4d7e-bb52-fbe8e76f6b8b
ms.reviewer:
manager: dougeby
ms.author: aaroncz
ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-audience: itpro
author: aczechowski
ms.date: 04/19/2017
ms.topic: article
diff --git a/windows/deployment/planning/index.md b/windows/deployment/planning/index.md
index 9e06b64d91..72b7ebe705 100644
--- a/windows/deployment/planning/index.md
+++ b/windows/deployment/planning/index.md
@@ -1,11 +1,7 @@
---
title: Plan for Windows 10 deployment (Windows 10)
description: Find resources for your Windows 10 deployment. Windows 10 provides new deployment capabilities and tools, and introduces new ways to keep the OS up to date.
-ms.assetid: 002F9B79-B50F-40C5-A7A5-0B4770E6EC15
-keywords: deploy, upgrade, update, configure
ms.prod: w10
-ms.mktglfcycl: plan
-ms.sitesec: library
ms.localizationpriority: medium
author: aczechowski
ms.author: aaroncz
diff --git a/windows/deployment/planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md b/windows/deployment/planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md
index 75bd75782f..cdd078d772 100644
--- a/windows/deployment/planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md
+++ b/windows/deployment/planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md
@@ -1,15 +1,10 @@
---
title: Install/Uninstall Custom Databases (Windows 10)
description: The Compatibility Administrator tool enables the creation and the use of custom-compatibility and standard-compatibility databases.
-ms.assetid: 659c9d62-5f32-433d-94aa-12141c01368f
ms.reviewer:
manager: dougeby
ms.author: aaroncz
ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-audience: itpro
author: aczechowski
ms.date: 04/19/2017
ms.topic: article
diff --git a/windows/deployment/planning/managing-application-compatibility-fixes-and-custom-fix-databases.md b/windows/deployment/planning/managing-application-compatibility-fixes-and-custom-fix-databases.md
index 242674d390..9e24aa3ddf 100644
--- a/windows/deployment/planning/managing-application-compatibility-fixes-and-custom-fix-databases.md
+++ b/windows/deployment/planning/managing-application-compatibility-fixes-and-custom-fix-databases.md
@@ -1,15 +1,10 @@
---
title: Managing Application-Compatibility Fixes and Custom Fix Databases (Windows 10)
description: Learn why you should use compatibility fixes, and how to deploy and manage custom-compatibility fix databases.
-ms.assetid: 9c2e9396-908e-4a36-ad67-2e40452ce017
ms.reviewer:
manager: dougeby
ms.author: aaroncz
ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-audience: itpro
author: aczechowski
ms.date: 04/19/2017
ms.topic: article
diff --git a/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md b/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md
index 4e1df0cd04..78f1404be6 100644
--- a/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md
+++ b/windows/deployment/planning/prepare-your-organization-for-windows-to-go.md
@@ -1,16 +1,10 @@
---
title: Prepare your organization for Windows To Go (Windows 10)
description: Though Windows To Go is no longer being developed, you can find info here about the the “what”, “why”, and “when” of deployment.
-ms.assetid: f3f3c160-90ad-40a8-aeba-2aedee18f7ff
ms.reviewer:
manager: dougeby
ms.author: aaroncz
-keywords: ["mobile, device, USB, deploy"]
ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: mobility
-ms.sitesec: library
-audience: itpro
author: aczechowski
ms.topic: article
ms.custom: seo-marvel-apr2020
diff --git a/windows/deployment/planning/searching-for-fixed-applications-in-compatibility-administrator.md b/windows/deployment/planning/searching-for-fixed-applications-in-compatibility-administrator.md
index b350133316..53d51c7ea4 100644
--- a/windows/deployment/planning/searching-for-fixed-applications-in-compatibility-administrator.md
+++ b/windows/deployment/planning/searching-for-fixed-applications-in-compatibility-administrator.md
@@ -1,15 +1,10 @@
---
title: Searching for Fixed Applications in Compatibility Administrator (Windows 10)
description: Compatibility Administrator can locate specific executable (.exe) files with previously applied compatibility fixes, compatibility modes, or AppHelp messages.
-ms.assetid: 1051a2dc-0362-43a4-8ae8-07dae39b1cb8
ms.reviewer:
manager: dougeby
ms.author: aaroncz
ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-audience: itpro
author: aczechowski
ms.date: 04/19/2017
ms.topic: article
diff --git a/windows/deployment/planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md b/windows/deployment/planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md
index 62b098d6e5..496856bf9f 100644
--- a/windows/deployment/planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md
+++ b/windows/deployment/planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md
@@ -1,15 +1,10 @@
---
title: Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator (Windows 10)
description: You can access the Query tool from within Compatibility Administrator. The Query tool provides the same functionality as using the Search feature.
-ms.assetid: dd213b55-c71c-407a-ad49-33db54f82f22
ms.reviewer:
manager: dougeby
ms.author: aaroncz
ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-audience: itpro
author: aczechowski
ms.topic: article
---
diff --git a/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md b/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md
index f2d306f5bd..cbb62f87be 100644
--- a/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md
+++ b/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md
@@ -1,16 +1,10 @@
---
title: Security and data protection considerations for Windows To Go (Windows 10)
description: Ensure that the data, content, and resources you work with in the Windows To Go workspace are protected and secure.
-ms.assetid: 5f27339f-6761-44f4-8c29-9a25cf8e75fe
ms.reviewer:
manager: dougeby
ms.author: aaroncz
-keywords: mobile, device, USB, secure, BitLocker
ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: mobility, security
-ms.sitesec: library
-audience: itpro
author: aczechowski
ms.topic: article
---
diff --git a/windows/deployment/planning/showing-messages-generated-by-the-sua-tool.md b/windows/deployment/planning/showing-messages-generated-by-the-sua-tool.md
index 550c1b7cb8..f6e9d05353 100644
--- a/windows/deployment/planning/showing-messages-generated-by-the-sua-tool.md
+++ b/windows/deployment/planning/showing-messages-generated-by-the-sua-tool.md
@@ -1,15 +1,10 @@
---
title: Showing Messages Generated by the SUA Tool (Windows 10)
description: On the user interface for the Standard User Analyzer (SUA) tool, you can show the messages that the tool has generated.
-ms.assetid: 767eb7f2-d6c4-414c-a7b3-a997337d904a
ms.reviewer:
manager: dougeby
ms.author: aaroncz
ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-audience: itpro
author: aczechowski
ms.date: 04/19/2017
ms.topic: article
diff --git a/windows/deployment/planning/sua-users-guide.md b/windows/deployment/planning/sua-users-guide.md
index 2936429060..50bae4c447 100644
--- a/windows/deployment/planning/sua-users-guide.md
+++ b/windows/deployment/planning/sua-users-guide.md
@@ -2,15 +2,10 @@
title: SUA User's Guide (Windows 10)
description: Learn how to use Standard User Analyzer (SUA). SUA can test your apps and monitor API calls to detect compatibility issues related to the Windows User Account Control (UAC) feature.
ms.custom: seo-marvel-apr2020
-ms.assetid: ea525c25-b557-4ed4-b042-3e4d0e543e10
ms.reviewer:
manager: dougeby
ms.author: aaroncz
ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-audience: itpro
author: aczechowski
ms.date: 04/19/2017
ms.topic: article
diff --git a/windows/deployment/planning/tabs-on-the-sua-tool-interface.md b/windows/deployment/planning/tabs-on-the-sua-tool-interface.md
index 247dae8ef3..ab6c4e83a7 100644
--- a/windows/deployment/planning/tabs-on-the-sua-tool-interface.md
+++ b/windows/deployment/planning/tabs-on-the-sua-tool-interface.md
@@ -1,15 +1,10 @@
---
title: Tabs on the SUA Tool Interface (Windows 10)
description: The tabs in the Standard User Analyzer (SUA) tool show the User Account Control (UAC) issues for the applications that you analyze.
-ms.assetid: 0d705321-1d85-4217-bf2c-0ca231ca303b
ms.reviewer:
manager: dougeby
ms.author: aaroncz
ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-audience: itpro
author: aczechowski
ms.date: 04/19/2017
ms.topic: article
diff --git a/windows/deployment/planning/testing-your-application-mitigation-packages.md b/windows/deployment/planning/testing-your-application-mitigation-packages.md
index 375609958a..4ab4be6a19 100644
--- a/windows/deployment/planning/testing-your-application-mitigation-packages.md
+++ b/windows/deployment/planning/testing-your-application-mitigation-packages.md
@@ -1,15 +1,10 @@
---
title: Testing Your Application Mitigation Packages (Windows 10)
description: Learn how to test your application-mitigation packages, including how to report your information and how to resolve any outstanding issues.
-ms.assetid: ae946f27-d377-4db9-b179-e8875d454ccf
ms.reviewer:
manager: dougeby
ms.author: aaroncz
ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-audience: itpro
author: aczechowski
ms.date: 04/19/2017
ms.topic: article
diff --git a/windows/deployment/planning/understanding-and-using-compatibility-fixes.md b/windows/deployment/planning/understanding-and-using-compatibility-fixes.md
index 755b66cf80..d91279a5d5 100644
--- a/windows/deployment/planning/understanding-and-using-compatibility-fixes.md
+++ b/windows/deployment/planning/understanding-and-using-compatibility-fixes.md
@@ -1,15 +1,10 @@
---
title: Understanding and Using Compatibility Fixes (Windows 10)
description: As the Windows operating system evolves to support new technology and functionality, the implementations of some functions may change.
-ms.assetid: 84bf663d-3e0b-4168-99d6-a26e054821b7
ms.reviewer:
manager: dougeby
ms.author: aaroncz
ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-audience: itpro
author: aczechowski
ms.topic: article
---
diff --git a/windows/deployment/planning/using-the-compatibility-administrator-tool.md b/windows/deployment/planning/using-the-compatibility-administrator-tool.md
index 991cc5eabc..2e1dbd9ead 100644
--- a/windows/deployment/planning/using-the-compatibility-administrator-tool.md
+++ b/windows/deployment/planning/using-the-compatibility-administrator-tool.md
@@ -1,15 +1,10 @@
---
title: Using the Compatibility Administrator Tool (Windows 10)
description: This section provides information about using the Compatibility Administrator tool.
-ms.assetid: 57271e47-b9b9-4018-a0b5-7115a533166d
ms.reviewer:
manager: dougeby
ms.author: aaroncz
ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-audience: itpro
author: aczechowski
ms.date: 04/19/2017
ms.topic: article
diff --git a/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md b/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md
index 498a0d4424..e4196523e8 100644
--- a/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md
+++ b/windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md
@@ -1,15 +1,10 @@
---
title: Using the Sdbinst.exe Command-Line Tool (Windows 10)
description: Learn how to deploy customized database (.sdb) files using the Sdbinst.exe Command-Line Tool. Review a list of command-line options.
-ms.assetid: c1945425-3f8d-4de8-9d2d-59f801f07034
ms.reviewer:
manager: dougeby
ms.author: aaroncz
ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-audience: itpro
author: aczechowski
ms.date: 04/19/2017
ms.topic: article
diff --git a/windows/deployment/planning/using-the-sua-tool.md b/windows/deployment/planning/using-the-sua-tool.md
index 7dd26dfa38..f4de4f8ae5 100644
--- a/windows/deployment/planning/using-the-sua-tool.md
+++ b/windows/deployment/planning/using-the-sua-tool.md
@@ -1,15 +1,10 @@
---
title: Using the SUA Tool (Windows 10)
description: The Standard User Analyzer (SUA) tool can test applications and monitor API calls to detect compatibility issues with the User Account Control (UAC) feature.
-ms.assetid: ebe52061-3816-47f7-a865-07bc5f405f03
ms.reviewer:
manager: dougeby
ms.author: aaroncz
ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-audience: itpro
author: aczechowski
ms.date: 04/19/2017
ms.topic: article
diff --git a/windows/deployment/planning/using-the-sua-wizard.md b/windows/deployment/planning/using-the-sua-wizard.md
index 408504f26c..e0a506b5ca 100644
--- a/windows/deployment/planning/using-the-sua-wizard.md
+++ b/windows/deployment/planning/using-the-sua-wizard.md
@@ -1,15 +1,10 @@
---
title: Using the SUA wizard (Windows 10)
description: The Standard User Analyzer (SUA) wizard, although it doesn't offer deep analysis, works much like the SUA tool to test for User Account Control (UAC) issues.
-ms.assetid: 29d07074-3de7-4ace-9a54-678af7255d6c
ms.reviewer:
manager: dougeby
ms.author: aaroncz
ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-audience: itpro
author: aczechowski
ms.date: 04/19/2017
ms.topic: article
diff --git a/windows/deployment/planning/viewing-the-events-screen-in-compatibility-administrator.md b/windows/deployment/planning/viewing-the-events-screen-in-compatibility-administrator.md
index 9a7abdef9a..3d363d0db4 100644
--- a/windows/deployment/planning/viewing-the-events-screen-in-compatibility-administrator.md
+++ b/windows/deployment/planning/viewing-the-events-screen-in-compatibility-administrator.md
@@ -1,15 +1,10 @@
---
title: Viewing the Events Screen in Compatibility Administrator (Windows 10)
description: You can use the Events screen to record and view activities in the Compatibility Administrator tool.
-ms.assetid: f2b2ada4-1b7b-4558-989d-5b52b40454b3
ms.reviewer:
manager: dougeby
ms.author: aaroncz
ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
-ms.sitesec: library
-audience: itpro
author: aczechowski
ms.topic: article
---
diff --git a/windows/deployment/planning/windows-10-compatibility.md b/windows/deployment/planning/windows-10-compatibility.md
index a1b074a935..790592964c 100644
--- a/windows/deployment/planning/windows-10-compatibility.md
+++ b/windows/deployment/planning/windows-10-compatibility.md
@@ -1,17 +1,11 @@
---
title: Windows 10 compatibility (Windows 10)
description: Windows 10 will be compatible with most existing PC hardware; most devices running Windows 7, Windows 8, or Windows 8.1 will meet the requirements for Windows 10.
-ms.assetid: 829BE5B5-330A-4702-807A-8908B4FC94E8
ms.reviewer:
manager: dougeby
ms.author: aaroncz
-keywords: deploy, upgrade, update, appcompat
ms.prod: w10
-ms.mktglfcycl: plan
-ms.pagetype: appcompat
ms.localizationpriority: medium
-ms.sitesec: library
-audience: itpro
author: aczechowski
ms.topic: article
---
diff --git a/windows/deployment/planning/windows-10-deployment-considerations.md b/windows/deployment/planning/windows-10-deployment-considerations.md
index 6d2b053310..a9fb6d7c33 100644
--- a/windows/deployment/planning/windows-10-deployment-considerations.md
+++ b/windows/deployment/planning/windows-10-deployment-considerations.md
@@ -1,16 +1,11 @@
---
title: Windows 10 deployment considerations (Windows 10)
description: There are new deployment options in Windows 10 that help you simplify the deployment process and automate migration of existing settings and applications.
-ms.assetid: A8DD6B37-1E11-4CD6-B588-92C2404219FE
ms.reviewer:
manager: dougeby
ms.author: aaroncz
-keywords: deploy, upgrade, update, in-place
ms.prod: w10
ms.localizationpriority: medium
-ms.mktglfcycl: plan
-ms.sitesec: library
-audience: itpro
author: aczechowski
ms.topic: article
---
diff --git a/windows/deployment/planning/windows-10-infrastructure-requirements.md b/windows/deployment/planning/windows-10-infrastructure-requirements.md
index bfe6fbc509..4bde7474f4 100644
--- a/windows/deployment/planning/windows-10-infrastructure-requirements.md
+++ b/windows/deployment/planning/windows-10-infrastructure-requirements.md
@@ -1,16 +1,11 @@
---
title: Windows 10 infrastructure requirements (Windows 10)
description: Review the infrastructure requirements for deployment and management of Windows 10, prior to significant Windows 10 deployments within your organization.
-ms.assetid: B0FA27D9-A206-4E35-9AE6-74E70748BE64
ms.reviewer:
manager: dougeby
ms.author: aaroncz
-keywords: deploy, upgrade, update, hardware
ms.prod: w10
-ms.mktglfcycl: plan
ms.localizationpriority: medium
-ms.sitesec: library
-audience: itpro
author: aczechowski
ms.topic: article
---
diff --git a/windows/deployment/planning/windows-10-removed-features.md b/windows/deployment/planning/windows-10-removed-features.md
index 9df0d61488..baa2e8882e 100644
--- a/windows/deployment/planning/windows-10-removed-features.md
+++ b/windows/deployment/planning/windows-10-removed-features.md
@@ -2,10 +2,7 @@
title: Windows 10 - Features that have been removed
description: In this article, learn about the features and functionality that has been removed or replaced in Windows 10.
ms.prod: w10
-ms.mktglfcycl: plan
ms.localizationpriority: medium
-ms.sitesec: library
-audience: itpro
author: aczechowski
ms.author: aaroncz
manager: dougeby
diff --git a/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml b/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml
index 468fb48151..f57d4eedc3 100644
--- a/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml
+++ b/windows/deployment/planning/windows-to-go-frequently-asked-questions.yml
@@ -162,7 +162,7 @@ sections:
- question: |
Can the user self-provision Windows To Go?
answer: |
- Yes, if the user has administrator permissions they can self-provision a Windows To Go drive using the Windows To Go Creator wizard which is included in Windows 10 Enterprise, Windows 10 Education and Windows 10 Professional. Additionally, System Center 2012 Configuration Manager SP1 and later releases includes support for user self-provisioning of Windows To Go drives. Configuration Manager can be downloaded for evaluation from the [Microsoft TechNet Evaluation Center](https://go.microsoft.com/fwlink/p/?LinkID=618746).
+ Yes, if the user has administrator permissions they can self-provision a Windows To Go drive using the Windows To Go Creator wizard which is included in Windows 10 Enterprise, Windows 10 Education and Windows 10 Professional. Additionally, Configuration Manager SP1 and later releases includes support for user self-provisioning of Windows To Go drives. Configuration Manager can be downloaded for evaluation from the [Microsoft TechNet Evaluation Center](https://go.microsoft.com/fwlink/p/?LinkID=618746).
- question: |
How can Windows To Go be managed in an organization?
diff --git a/windows/deployment/planning/windows-to-go-overview.md b/windows/deployment/planning/windows-to-go-overview.md
index 79b583332b..483767ebfe 100644
--- a/windows/deployment/planning/windows-to-go-overview.md
+++ b/windows/deployment/planning/windows-to-go-overview.md
@@ -1,16 +1,10 @@
---
title: Windows To Go feature overview (Windows 10)
description: Windows To Go is a feature in Windows 10 Enterprise and Windows 10 Education that lets you create a workspace that can be booted from a USB-connected drive.
-ms.assetid: 9df82b03-acba-442c-801d-56db241f8d42
ms.reviewer:
manager: dougeby
ms.author: aaroncz
-keywords: workspace, mobile, installation, image, USB, device, image, edu
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.pagetype: mobility, edu
-ms.sitesec: library
-audience: itpro
author: aczechowski
ms.topic: article
---
diff --git a/windows/deployment/s-mode.md b/windows/deployment/s-mode.md
index cc1cf8f69d..59ec7c3e89 100644
--- a/windows/deployment/s-mode.md
+++ b/windows/deployment/s-mode.md
@@ -1,17 +1,11 @@
---
title: Windows 10 Pro in S mode
description: Overview of Windows 10 Pro/Enterprise in S mode. What is S mode for Enterprise customers?
-keywords: Windows 10 S, S mode, Windows S mode, Windows 10 S mode, S-mode, system requirements, Overview, Windows 10 Pro in S mode, Windows 10 Enterprise in S mode, Windows 10 Pro/Enterprise in S mode
-ms.mktglfcycl: deploy
ms.localizationpriority: high
ms.prod: w10
-ms.sitesec: library
-ms.pagetype: deploy
manager: dougeby
-ms.audience: itpro
author: aczechowski
ms.author: aaroncz
-audience: itpro
ms.topic: article
ms.custom: seo-marvel-apr2020
ms.collection: highpri
diff --git a/windows/deployment/update/PSFxWhitepaper.md b/windows/deployment/update/PSFxWhitepaper.md
index e58eabf981..60bc7df800 100644
--- a/windows/deployment/update/PSFxWhitepaper.md
+++ b/windows/deployment/update/PSFxWhitepaper.md
@@ -1,10 +1,7 @@
---
title: Windows Updates using forward and reverse differentials
description: A technique to produce compact software updates optimized for any origin and destination revision pair
-keywords: updates, servicing, current, deployment, General Availability Channel, feature, quality, rings, insider, tools
ms.prod: w10
-ms.mktglfcycl: manage
-audience: itpro
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/deployment/update/WIP4Biz-intro.md b/windows/deployment/update/WIP4Biz-intro.md
index aedd92040e..3551bd63d5 100644
--- a/windows/deployment/update/WIP4Biz-intro.md
+++ b/windows/deployment/update/WIP4Biz-intro.md
@@ -1,12 +1,8 @@
---
title: Introduction to the Windows Insider Program for Business
description: In this article, you'll learn about the Windows Insider Program for Business and why IT Pros should join.
-keywords: updates, servicing, current, deployment, General Availability Channel, General Availability Channel, feature, quality, rings, insider, WiP4Biz, enterprise, rings, flight
ms.custom: seo-marvel-apr2020
ms.prod: w10
-ms.mktglfcycl: manage
-audience: itpro
-ms.audience: itpro
author: aczechowski
ms.author: aaroncz
manager: dougeby
@@ -48,7 +44,7 @@ Windows 10 Insider Preview builds offer organizations a valuable and exciting op
|Release channel |**Fast Ring:** Insider Preview builds in the Fast Ring are released approximately once a week and contain the very latest features. This makes them ideal for feature exploration.|
|Users | Because Fast Ring builds are released so early in the development cycle, we recommend limiting feature exploration in your organization to IT administrators and developers running Insider Preview builds on secondary devices. |
|Tasks | - Install and manage Insider Preview builds on devices (per device or centrally across multiple devices)
- Explore new features in Windows designed for organizations, including new features related to current and planned line of business applications
- Before running an Insider Preview build, check our [Windows Insider blog](https://blogs.windows.com/windowsexperience/tag/windows-insider-program/#k3WWwxKCTWHCO82H.97) for a summary of current features. |
-|Feedback | - This helps us make adjustments to features as quickly as possible.
- Encourage users to sign into the Feedback Hub using their AAD work accounts. This enables both you and Microsoft to track feedback submitted by users within your specific organization. (Note: This tracking is only visible to Microsoft and registered Insiders within your organization’s domain.)
- [Learn how to provide effective feedback in the Feedback Hub](https://insider.windows.com/how-to-feedback/) |
+|Feedback | - This helps us make adjustments to features as quickly as possible.
- Encourage users to sign into the Feedback Hub using their Azure Active Directory work accounts. This enables both you and Microsoft to track feedback submitted by users within your specific organization. (Note: This tracking is only visible to Microsoft and registered Insiders within your organization’s domain.)
- [Learn how to provide effective feedback in the Feedback Hub](https://insider.windows.com/how-to-feedback/) |
## Validate Insider Preview builds
Along with exploring new features, you also have the option to validate your apps and infrastructure on Insider Preview builds. Early validation has several benefits:
diff --git a/windows/deployment/update/check-release-health.md b/windows/deployment/update/check-release-health.md
index 753d519263..8b93291b64 100644
--- a/windows/deployment/update/check-release-health.md
+++ b/windows/deployment/update/check-release-health.md
@@ -3,12 +3,9 @@ title: "How to check Windows release health"
ms.author: v-nishmi
author: DocsPreview
manager: jren
-audience: Admin
ms.topic: article
ms.prod: w10
localization_priority: Normal
-f1.keywords:
-- CSH
ms.custom:
- Adm_O365
- 'O365P_ServiceHealthModern'
@@ -24,7 +21,6 @@ search.appverid:
- MOE150
- BCS160
- IWA160
-ms.assetid: 932ad3ad-533c-418a-b938-6e44e8bc33b0
description: "Check the release health status of Microsoft 365 services before you call support to see if there is an active service interruption."
feedback_system: none
---
diff --git a/windows/deployment/update/create-deployment-plan.md b/windows/deployment/update/create-deployment-plan.md
index ded102a0f2..03631234e5 100644
--- a/windows/deployment/update/create-deployment-plan.md
+++ b/windows/deployment/update/create-deployment-plan.md
@@ -2,7 +2,6 @@
title: Create a deployment plan
description: Devise the number of deployment rings you need and how you want to populate them
ms.prod: w10
-ms.mktglfcycl: manage
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/deployment/update/deploy-updates-configmgr.md b/windows/deployment/update/deploy-updates-configmgr.md
index 6570e67a7b..ef6be01503 100644
--- a/windows/deployment/update/deploy-updates-configmgr.md
+++ b/windows/deployment/update/deploy-updates-configmgr.md
@@ -2,7 +2,6 @@
title: Deploy Windows client updates with Configuration Manager
description: Deploy Windows client updates with Configuration Manager
ms.prod: w10
-ms.mktglfcycl: manage
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/deployment/update/deploy-updates-intune.md b/windows/deployment/update/deploy-updates-intune.md
index 9e9e69d824..d63870c7e0 100644
--- a/windows/deployment/update/deploy-updates-intune.md
+++ b/windows/deployment/update/deploy-updates-intune.md
@@ -2,7 +2,6 @@
title: Deploy updates with Intune
description: Deploy Windows client updates with Intune
ms.prod: w10
-ms.mktglfcycl: manage
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/deployment/update/deployment-service-overview.md b/windows/deployment/update/deployment-service-overview.md
index 6aae1788d5..933d4dd014 100644
--- a/windows/deployment/update/deployment-service-overview.md
+++ b/windows/deployment/update/deployment-service-overview.md
@@ -3,7 +3,6 @@ title: Windows Update for Business deployment service
description: Overview of deployment service to control approval, scheduling, and safeguarding of Windows updates
ms.custom: seo-marvel-apr2020
ms.prod: w10
-ms.mktglfcycl: manage
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/deployment/update/deployment-service-troubleshoot.md b/windows/deployment/update/deployment-service-troubleshoot.md
index 5d39dc754b..aa89b4a23a 100644
--- a/windows/deployment/update/deployment-service-troubleshoot.md
+++ b/windows/deployment/update/deployment-service-troubleshoot.md
@@ -3,7 +3,6 @@ title: Troubleshoot the Windows Update for Business deployment service
description: Solutions to common problems with the service
ms.custom: seo-marvel-apr2020
ms.prod: w10
-ms.mktglfcycl: manage
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/deployment/update/eval-infra-tools.md b/windows/deployment/update/eval-infra-tools.md
index 7ad2af4d6f..4ba30f5bc9 100644
--- a/windows/deployment/update/eval-infra-tools.md
+++ b/windows/deployment/update/eval-infra-tools.md
@@ -1,15 +1,11 @@
---
title: Evaluate infrastructure and tools
description: Steps to make sure your infrastructure is ready to deploy updates
-keywords: updates, servicing, current, deployment, General Availability Channel, feature, quality, rings, insider, tools
ms.prod: w10
-ms.mktglfcycl: manage
-audience: itpro
author: aczechowski
ms.author: aaroncz
manager: dougeby
ms.localizationpriority: medium
-ms.audience: itpro
ms.topic: article
ms.collection: m365initiative-coredeploy
---
diff --git a/windows/deployment/update/feature-update-user-install.md b/windows/deployment/update/feature-update-user-install.md
index b2be74389a..41810807d7 100644
--- a/windows/deployment/update/feature-update-user-install.md
+++ b/windows/deployment/update/feature-update-user-install.md
@@ -2,8 +2,6 @@
title: Best practices - deploy feature updates for user-initiated installations
description: Learn recommendations and best practices for manually deploying a feature update for a user-initiated installation.
ms.prod: w10
-ms.mktglfcycl: manage
-audience: itpro
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/deployment/update/fod-and-lang-packs.md b/windows/deployment/update/fod-and-lang-packs.md
index 012deeba47..01de0f8c92 100644
--- a/windows/deployment/update/fod-and-lang-packs.md
+++ b/windows/deployment/update/fod-and-lang-packs.md
@@ -2,10 +2,7 @@
title: Make FoD and language packs available for WSUS/Configuration Manager
description: Learn how to make FoD and language packs available when you're using WSUS/Configuration Manager.
ms.prod: w10
-ms.mktglfcycl: manage
-ms.pagetype: article
ms.author: aaroncz
-audience: itpro
author: aczechowski
ms.localizationpriority: medium
ms.date: 03/13/2019
diff --git a/windows/deployment/update/get-started-updates-channels-tools.md b/windows/deployment/update/get-started-updates-channels-tools.md
index 611548db79..b7b501f2c4 100644
--- a/windows/deployment/update/get-started-updates-channels-tools.md
+++ b/windows/deployment/update/get-started-updates-channels-tools.md
@@ -1,9 +1,7 @@
---
title: Windows client updates, channels, and tools
description: Brief summary of the kinds of Windows updates, the channels they are served through, and the tools for managing them
-keywords: updates, servicing, current, deployment, General Availability Channel, General Availability Channel, feature, quality, rings, insider, tools
ms.prod: w10
-ms.mktglfcycl: manage
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/deployment/update/how-windows-update-works.md b/windows/deployment/update/how-windows-update-works.md
index f666a097be..4d9b31486c 100644
--- a/windows/deployment/update/how-windows-update-works.md
+++ b/windows/deployment/update/how-windows-update-works.md
@@ -2,8 +2,6 @@
title: How Windows Update works
description: In this article, learn about the process Windows Update uses to download and install updates on a Windows client devices.
ms.prod: w10
-ms.mktglfcycl:
-audience: itpro
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
@@ -99,7 +97,7 @@ For Windows Update (WU) scans URLs that are used for update detection ([MS-WUSP]
> [!Note]
> For intranet WSUS update service URLs, we provide an option via Windows Update policy to select the proxy behavior.
-For WU URLs that _aren't_ used for update detection, such as for download or reporting:
+For Windows Update URLs that _aren't_ used for update detection, such as for download or reporting:
- User proxy is attempted.
- If WUA fails to reach the service due to a certain proxy, service, or authentication error code, then the system proxy is attempted.
@@ -116,7 +114,7 @@ For WU URLs that _aren't_ used for update detection, such as for download or rep
|Service|ServiceId|
|-------|---------|
-|Unspecified / Default|WU, MU, or WSUS
00000000-0000-0000-0000-000000000000 |
+|Unspecified / Default|Windows Update, Microsoft Update, or WSUS
00000000-0000-0000-0000-000000000000 |
|Windows Update|9482F4B4-E343-43B6-B170-9A65BC822C77|
|Microsoft Update|7971f918-a847-4430-9279-4a52d1efe18d|
|Store|855E8A7C-ECB4-4CA3-B045-1DFA50104289|
diff --git a/windows/deployment/update/includes/update-compliance-endpoints.md b/windows/deployment/update/includes/update-compliance-endpoints.md
index 864f4d38dd..ebb1b35eb2 100644
--- a/windows/deployment/update/includes/update-compliance-endpoints.md
+++ b/windows/deployment/update/includes/update-compliance-endpoints.md
@@ -4,8 +4,6 @@ ms.author: mstewart
manager: dougeby
ms.prod: w10
ms.collection: M365-modern-desktop
-ms.mktglfcycl: deploy
-audience: itpro
ms.topic: include
ms.date: 04/06/2022
ms.localizationpriority: medium
diff --git a/windows/deployment/update/index.md b/windows/deployment/update/index.md
index cb16c3b261..effea4ec16 100644
--- a/windows/deployment/update/index.md
+++ b/windows/deployment/update/index.md
@@ -2,7 +2,6 @@
title: Update Windows client in enterprise deployments
description: Windows as a service provides an all-new way to think about building, deploying, and servicing Windows client.
ms.prod: w10
-ms.mktglfcycl: manage
author: aczechowski
manager: dougeby
ms.localizationpriority: high
diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md
index 1b91bae1a5..acc9d2ff15 100644
--- a/windows/deployment/update/media-dynamic-update.md
+++ b/windows/deployment/update/media-dynamic-update.md
@@ -2,8 +2,6 @@
title: Update Windows installation media with Dynamic Update
description: Learn how to deploy feature updates to your mission critical devices
ms.prod: w10
-ms.mktglfcycl: manage
-audience: itpro
author: SteveDiAcetis
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/deployment/update/olympia/olympia-enrollment-guidelines.md b/windows/deployment/update/olympia/olympia-enrollment-guidelines.md
index 363891d8a9..a10b3e8bbf 100644
--- a/windows/deployment/update/olympia/olympia-enrollment-guidelines.md
+++ b/windows/deployment/update/olympia/olympia-enrollment-guidelines.md
@@ -5,11 +5,9 @@ ms.author: aaroncz
ms.topic: article
ms.prod: w10
ms.technology: windows
-audience: itpro
author: aczechowski
ms.reviewer:
manager: dougeby
-keywords: insider, trial, enterprise, lab, corporation, test
ms.custom: seo-marvel-apr2020
---
@@ -47,7 +45,7 @@ As part of Windows Insider Lab for Enterprise, you can upgrade to Windows client
Choose one of the following two enrollment options:
-- To set up an AAD-registered device, [follow these steps](#enrollment-keep-current-edition). In this case, you log onto the device by using an existing (non-Olympia) account.
+- To set up an Azure Active Directory-registered device, [follow these steps](#enrollment-keep-current-edition). In this case, you log onto the device by using an existing (non-Olympia) account.
- If you are running Windows client Pro, we recommend that you upgrade to Windows client Enterprise by following these steps to [set up an Azure Active Directory-joined device](#enrollment-upgrade-to-enterprise). In this case, you will be able to log on to the device with your Olympia account.
@@ -55,7 +53,7 @@ Choose one of the following two enrollment options:
### Set up an Azure Active Directory-REGISTERED Windows client device
-This is the Bring Your Own Device (BYOD) method--your device will receive Olympia policies and features, but a new account will not be created. See [Set up Azure Active Directory registered Windows 10 devices](/azure/active-directory/device-management-azuread-registered-devices-windows10-setup) for additional information.
+This is the Bring Your Own Device (BYOD) method--your device will receive Olympia policies and features, but a new account will not be created. See [Azure AD register FAQ](/azure/active-directory/devices/faq) for additional information.
1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your device (see [local administrator](https://support.microsoft.com/windows/create-a-local-user-or-administrator-account-in-windows-20de74e0-ac7f-3502-a866-32915af2a34d)).
@@ -91,7 +89,7 @@ This is the Bring Your Own Device (BYOD) method--your device will receive Olympi
### Set up Azure Active Directory-JOINED Windows client device
-- This method will upgrade your Windows client Pro license to Enterprise and create a new account. See [Set up Azure Active Directory joined devices](/azure/active-directory/device-management-azuread-joined-devices-setup) for more information.
+- This method will upgrade your Windows client Pro license to Enterprise and create a new account. See [Azure AD joined devices](/azure/active-directory/devices/concept-azure-ad-join) for more information.
> [!NOTE]
> Make sure that you save your Pro license key before upgrading to the Enterprise edition. If the device gets disconnected from Olympia, you can use the Pro key to reactivate the license manually in the unlikely event that the license fails to downgrade back to Pro automatically. To reactivate manually, see [Upgrade by manually entering a product key](../../upgrade/windows-10-edition-upgrades.md#upgrade-by-manually-entering-a-product-key).
diff --git a/windows/deployment/update/optional-content.md b/windows/deployment/update/optional-content.md
index 2630a35fbb..ad5d745581 100644
--- a/windows/deployment/update/optional-content.md
+++ b/windows/deployment/update/optional-content.md
@@ -2,8 +2,6 @@
title: Migrating and acquiring optional Windows content
description: Keep language resources and Features on Demand during operating system updates
ms.prod: w10
-ms.mktglfcycl: manage
-audience: itpro
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/deployment/update/plan-define-readiness.md b/windows/deployment/update/plan-define-readiness.md
index f91ecfe962..3b0180ab07 100644
--- a/windows/deployment/update/plan-define-readiness.md
+++ b/windows/deployment/update/plan-define-readiness.md
@@ -1,15 +1,11 @@
---
title: Define readiness criteria
description: Identify important roles and figure out how to classify apps
-keywords: updates, servicing, current, deployment, General Availability Channel, feature, quality, rings, insider, tools
ms.prod: w10
-ms.mktglfcycl: manage
-audience: itpro
author: aczechowski
ms.author: aaroncz
manager: dougeby
ms.localizationpriority: medium
-ms.audience: itpro
ms.topic: article
ms.collection: m365initiative-coredeploy
---
diff --git a/windows/deployment/update/plan-define-strategy.md b/windows/deployment/update/plan-define-strategy.md
index cbe6e4c8b7..33c9252297 100644
--- a/windows/deployment/update/plan-define-strategy.md
+++ b/windows/deployment/update/plan-define-strategy.md
@@ -1,9 +1,7 @@
---
title: Define update strategy
description: Two examples of a calendar-based approach to consistent update installation
-keywords: updates, servicing, current, deployment, General Availability Channel, feature, quality, rings, tools
ms.prod: w10
-ms.mktglfcycl: manage
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/deployment/update/plan-determine-app-readiness.md b/windows/deployment/update/plan-determine-app-readiness.md
index 6c84e09b15..ffe6a2795d 100644
--- a/windows/deployment/update/plan-determine-app-readiness.md
+++ b/windows/deployment/update/plan-determine-app-readiness.md
@@ -2,12 +2,8 @@
title: Determine application readiness
manager: dougeby
description: How to test your apps to know which need attention prior to deploying an update
-keywords: updates, servicing, current, deployment, General Availability Channel, feature, quality, rings, insider, tools
ms.prod: w10
-ms.mktglfcycl: manage
-audience: itpro
ms.localizationpriority: medium
-ms.audience: itpro
ms.topic: article
ms.collection: m365initiative-coredeploy
ms.author: aaroncz
diff --git a/windows/deployment/update/prepare-deploy-windows.md b/windows/deployment/update/prepare-deploy-windows.md
index d915b07973..070a39e360 100644
--- a/windows/deployment/update/prepare-deploy-windows.md
+++ b/windows/deployment/update/prepare-deploy-windows.md
@@ -1,9 +1,7 @@
---
title: Prepare to deploy Windows
description: Final steps to get ready to deploy Windows, including preparing infrastructure, environment, applications, devices, network, capability, and users
-keywords: updates, servicing, current, deployment, General Availability Channel, feature, quality, rings, insider, tools
ms.prod: w10
-ms.mktglfcycl: manage
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/deployment/update/quality-updates.md b/windows/deployment/update/quality-updates.md
index 903804f4c4..4bc2d59668 100644
--- a/windows/deployment/update/quality-updates.md
+++ b/windows/deployment/update/quality-updates.md
@@ -1,9 +1,7 @@
---
title: Monthly quality updates (Windows 10/11)
description: Learn about Windows monthly quality updates to stay productive and protected.
-keywords: updates, servicing, current, deployment, General Availability Channel, feature, quality, rings, insider, tools
ms.prod: w10
-ms.mktglfcycl: manage
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/deployment/update/safeguard-holds.md b/windows/deployment/update/safeguard-holds.md
index c5c58daacb..bfae10b8e8 100644
--- a/windows/deployment/update/safeguard-holds.md
+++ b/windows/deployment/update/safeguard-holds.md
@@ -2,7 +2,6 @@
title: Safeguard holds
description: What are safeguard holds, how can you tell if one is in effect, and what to do about it
ms.prod: w10
-ms.mktglfcycl: manage
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/deployment/update/safeguard-opt-out.md b/windows/deployment/update/safeguard-opt-out.md
index afbf77e07c..b217acde9b 100644
--- a/windows/deployment/update/safeguard-opt-out.md
+++ b/windows/deployment/update/safeguard-opt-out.md
@@ -2,7 +2,6 @@
title: Opt out of safeguard holds
description: Steps to install an update even it if has a safeguard hold applied
ms.prod: w10
-ms.mktglfcycl: manage
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/deployment/update/servicing-stack-updates.md b/windows/deployment/update/servicing-stack-updates.md
index bafff90d2b..fe131c3f60 100644
--- a/windows/deployment/update/servicing-stack-updates.md
+++ b/windows/deployment/update/servicing-stack-updates.md
@@ -2,8 +2,6 @@
title: Servicing stack updates
description: In this article, learn how servicing stack updates improve the code that installs the other updates.
ms.prod: w10
-ms.mktglfcycl: manage
-audience: itpro
author: aczechowski
ms.localizationpriority: high
ms.author: aaroncz
diff --git a/windows/deployment/update/update-baseline.md b/windows/deployment/update/update-baseline.md
index 58b209d82f..2c977fd2f0 100644
--- a/windows/deployment/update/update-baseline.md
+++ b/windows/deployment/update/update-baseline.md
@@ -1,9 +1,7 @@
---
title: Update Baseline
description: Use an update baseline to optimize user experience and meet monthly update goals
-keywords: updates, servicing, current, deployment, General Availability Channel, feature, quality, rings, tools, group policy
ms.prod: w10
-ms.mktglfcycl: manage
author: aczechowski
ms.localizationpriority: medium
ms.author: aaroncz
diff --git a/windows/deployment/update/update-compliance-configuration-manual.md b/windows/deployment/update/update-compliance-configuration-manual.md
index c64b4fd3da..3f1840da1b 100644
--- a/windows/deployment/update/update-compliance-configuration-manual.md
+++ b/windows/deployment/update/update-compliance-configuration-manual.md
@@ -3,11 +3,7 @@ title: Manually configuring devices for Update Compliance
ms.reviewer:
manager: dougeby
description: Manually configuring devices for Update Compliance
-keywords: update compliance, oms, operations management suite, prerequisites, requirements, updates, upgrades, antivirus, antimalware, signature, log analytics, wdav
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.pagetype: deploy
-audience: itpro
author: aczechowski
ms.author: aaroncz
ms.localizationpriority: medium
@@ -22,9 +18,6 @@ ms.topic: article
- Windows 10
- Windows 11
-> [!NOTE]
-> As of May 10, 2021, a new policy is required to use Update Compliance: "Allow Update Compliance Processing." For more details, see the Mobile Device Management policies and Group policies tables.
-
There are a number of requirements to consider when manually configuring devices for Update Compliance. These can potentially change with newer versions of Windows client. The [Update Compliance Configuration Script](update-compliance-configuration-script.md) will be updated when any configuration requirements change so only a redeployment of the script will be required.
The requirements are separated into different categories:
@@ -53,10 +46,11 @@ Each MDM Policy links to its documentation in the CSP hierarchy, providing its e
|**System/**[**ConfigureTelemetryOptInSettingsUx**](/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinsettingsux) |Integer |1 - Disable Telemetry opt-in Settings | (in Windows 10, version 1803 and later) Determines whether users of the device can adjust diagnostic data to levels lower than the level defined by AllowTelemetry. We recommend that you disable this policy or the effective diagnostic data level on devices might not be sufficient. |
|**System/**[**AllowDeviceNameInDiagnosticData**](/windows/client-management/mdm/policy-csp-system#system-allowdevicenameindiagnosticdata) |Integer | 1 - Allowed | Allows device name to be sent for Windows Diagnostic Data. If this policy is Not Configured or set to 0 (Disabled), Device Name will not be sent and will not be visible in Update Compliance, showing `#` instead. |
| **System/**[**AllowUpdateComplianceProcessing**](/windows/client-management/mdm/policy-csp-system#system-allowUpdateComplianceProcessing) |Integer | 16 - Allowed | Enables data flow through Update Compliance's data processing system and indicates a device's explicit enrollment to the service. |
-
+| **System/**[AllowCommercialDataPipeline](/windows/client-management/mdm/policy-csp-system#system-allowcommercialdatapipeline) | Integer | 1 - Enabled | Configures Microsoft to be the processor of the Windows diagnostic data collected from an Azure Active Directory-joined device. |
+
### Group policies
-All Group policies that need to be configured for Update Compliance are under **Computer Configuration>Administrative Templates>Windows Components\Data Collection and Preview Builds**. All of these policies must be in the *Enabled* state and set to the defined *Value* below.
+All Group policies that need to be configured for Update Compliance are under **Computer Configuration>Policies>Administrative Templates>Windows Components\Data Collection and Preview Builds**. All of these policies must be in the *Enabled* state and set to the defined *Value* below.
| Policy | Value | Function |
|---------------------------|-|-----------------------------------------------------------|
@@ -65,6 +59,8 @@ All Group policies that need to be configured for Update Compliance are under **
|**Configure telemetry opt-in setting user interface** | 1 - Disable diagnostic data opt-in Settings |(in Windows 10, version 1803 and later) Determines whether users of the device can adjust diagnostic data to levels lower than the level defined by AllowTelemetry. We recommend that you disable this policy, otherwise the effective diagnostic data level on devices might not be sufficient. |
|**Allow device name to be sent in Windows diagnostic data** | 1 - Enabled | Allows device name to be sent for Windows Diagnostic Data. If this policy is Not Configured or Disabled, Device Name will not be sent and will not be visible in Update Compliance, showing `#` instead. |
|**Allow Update Compliance processing** | 16 - Enabled | Enables data flow through Update Compliance's data processing system and indicates a device's explicit enrollment to the service. |
+| **Allow commercial data pipeline** | 1 - Enabled | Configures Microsoft to be the processor of the Windows diagnostic data collected from an Azure Active Directory-joined device. |
+
## Required endpoints
diff --git a/windows/deployment/update/update-compliance-configuration-mem.md b/windows/deployment/update/update-compliance-configuration-mem.md
index 8d47eba6f3..6db9d2bb84 100644
--- a/windows/deployment/update/update-compliance-configuration-mem.md
+++ b/windows/deployment/update/update-compliance-configuration-mem.md
@@ -3,11 +3,7 @@ title: Configuring Microsoft Endpoint Manager devices for Update Compliance
ms.reviewer:
manager: dougeby
description: Configuring devices that are enrolled in Endpoint Manager for Update Compliance
-keywords: update compliance, oms, operations management suite, prerequisites, requirements, updates, upgrades, antivirus, antimalware, signature, log analytics, wdav, intune, mem
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.pagetype: deploy
-audience: itpro
author: aczechowski
ms.author: aaroncz
ms.localizationpriority: medium
@@ -19,13 +15,10 @@ ms.topic: article
**Applies to**
-- Windows 10
+- Windows 10
- Windows 11
-> [!NOTE]
-> As of May 10, 2021, a new policy is required to use Update Compliance: "Allow Update Compliance Processing." For more details, see the Mobile Device Management policies and Group policies tables.
-
-This article is specifically targeted at configuring devices enrolled to [Microsoft Endpoint Manager](/mem/endpoint-manager-overview) for Update Compliance, within MEM itself. Configuring devices for Update Compliance in MEM breaks down to the following steps:
+This article is specifically targeted at configuring devices enrolled to [Microsoft Endpoint Manager](/mem/endpoint-manager-overview) for Update Compliance, within Microsoft Endpoint Manager itself. Configuring devices for Update Compliance in Microsoft Endpoint Manager breaks down to the following steps:
1. [Create a configuration profile](#create-a-configuration-profile) for devices you want to enroll, that contains settings for all the MDM policies that must be configured.
2. [Deploy the configuration script](#deploy-the-configuration-script) as a Win32 app to those same devices, so additional checks can be performed to ensure devices are correctly configured.
@@ -72,6 +65,13 @@ Take the following steps to create a configuration profile that will set require
- **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowUpdateComplianceProcessing`
- **Data type**: Integer
- **Value**: 16
+ 6. Add a setting to **Allow commercial data pipeline**; this policy is required for Update Compliance:
+ - **Name**: Allow commercial data pipeline
+ - **Description**: Configures Microsoft to be the processor of the Windows diagnostic data collected from an Azure Active Directory-joined device.
+ - **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowCommercialDataPipeline`
+ - **Data type**: Integer
+ - **Value**: 1
+
7. Proceed through the next set of tabs **Scope tags**, **Assignments**, and **Applicability Rules** to assign the configuration profile to devices you wish to enroll.
8. Review and select **Create**.
diff --git a/windows/deployment/update/update-compliance-configuration-script.md b/windows/deployment/update/update-compliance-configuration-script.md
index f62bf4a4da..bb275f2935 100644
--- a/windows/deployment/update/update-compliance-configuration-script.md
+++ b/windows/deployment/update/update-compliance-configuration-script.md
@@ -3,17 +3,13 @@ title: Update Compliance Configuration Script
ms.reviewer:
manager: dougeby
description: Downloading and using the Update Compliance Configuration Script
-keywords: update compliance, oms, operations management suite, prerequisites, requirements, updates, upgrades, antivirus, antimalware, signature, log analytics, wdav
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.pagetype: deploy
-audience: itpro
author: mestew
ms.author: mstewart
ms.localizationpriority: medium
ms.collection: M365-analytics
ms.topic: article
-ms.date: 04/27/2022
+ms.date: 06/16/2022
---
# Configuring devices through the Update Compliance Configuration Script
@@ -23,8 +19,6 @@ ms.date: 04/27/2022
- Windows 10
- Windows 11
-> [!NOTE]
-> A new policy is required to use Update Compliance: "AllowUpdateComplianceProcessing." If you're already using Update Compliance and have configured your devices prior to May 10, 2021, you must rerun the script so the new policy can be configured.
The Update Compliance Configuration Script is the recommended method of configuring devices to send data to Microsoft for use with Update Compliance. The script configures the registry keys backing policies, ensures required services are running, and more. This script is a recommended complement to configuring the required policies documented in [Manually configured devices for Update Compliance](update-compliance-configuration-manual.md), as it can provide feedback on whether there are any configuration issues outside of policies being configured.
@@ -81,7 +75,7 @@ Open `RunConfig.bat` and configure the following (assuming a first-run, with `ru
| 51 | Unexpected exception when attempting to run Census.exe|
| 52 | Could not find Census.exe|
| 53 | There are conflicting CommercialID values.|
-| 54 | Microsoft Account Sign In Assistant (MSA) Service disabled.|
+| 54 | Microsoft account (MSA) Sign In Assistant Service disabled.|
| 55 | Failed to create new registry path for SetDeviceNameOptIn|
| 56 | Failed to create property for SetDeviceNameOptIn at registry path|
| 57 | Failed to update value for SetDeviceNameOptIn|
@@ -98,6 +92,10 @@ Open `RunConfig.bat` and configure the following (assuming a first-run, with `ru
| 92 | Failed to create property for EnableAllowUCProcessing at registry path|
| 93 | Failed to update value for EnableAllowUCProcessing|
| 94 | Unexpected exception in EnableAllowUCProcessing|
+| 95 | Failed to create new registry path for EnableAllowCommercialDataPipeline |
+| 96 | Failed to create property for EnableAllowCommercialDataPipeline at registry path |
+| 97 | Failed to update value for EnableAllowCommercialDataPipeline |
+| 98 | Unexpected exception in EnableAllowCommercialDataPipeline |
| 99 | Device is not Windows 10.|
diff --git a/windows/deployment/update/update-compliance-delivery-optimization.md b/windows/deployment/update/update-compliance-delivery-optimization.md
index 654ade49f0..97771928db 100644
--- a/windows/deployment/update/update-compliance-delivery-optimization.md
+++ b/windows/deployment/update/update-compliance-delivery-optimization.md
@@ -4,12 +4,8 @@ ms.reviewer:
manager: dougeby
description: Learn how the Update Compliance solution provides you with information about your Delivery Optimization configuration.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.pagetype: deploy
-audience: itpro
author: aczechowski
ms.author: aaroncz
-keywords: oms, operations management suite, optimization, downloads, updates, log analytics
ms.localizationpriority: medium
ms.collection: M365-analytics
ms.topic: article
@@ -50,7 +46,7 @@ The table breaks down the number of bytes from each download source into specifi
The download sources that could be included are:
- LAN Bytes: Bytes downloaded from LAN Peers which are other devices on the same local network
- Group Bytes: Bytes downloaded from Group Peers which are other devices that belong to the same Group (available when the "Group" download mode is used)
-- HTTP Bytes: Non-peer bytes. The HTTP download source can be Microsoft Servers, Windows Update Servers, a WSUS server or an SCCM Distribution Point for Express Updates.
+- HTTP Bytes: Non-peer bytes. The HTTP download source can be Microsoft Servers, Windows Update Servers, a WSUS server or an Configuration Manager Distribution Point for Express Updates.
[!INCLUDE [Monitor Delivery Optimization](../do/includes/waas-delivery-optimization-monitor.md)]
diff --git a/windows/deployment/update/update-compliance-feature-update-status.md b/windows/deployment/update/update-compliance-feature-update-status.md
index 6313b0c269..aef454e5ea 100644
--- a/windows/deployment/update/update-compliance-feature-update-status.md
+++ b/windows/deployment/update/update-compliance-feature-update-status.md
@@ -4,9 +4,6 @@ ms.reviewer:
manager: dougeby
description: Learn how the Feature Update Status report provides information about the status of feature updates across all devices.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.pagetype: deploy
-audience: itpro
author: aczechowski
ms.author: aaroncz
ms.collection: M365-analytics
diff --git a/windows/deployment/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md
index 6d03b36b95..2497f639dc 100644
--- a/windows/deployment/update/update-compliance-get-started.md
+++ b/windows/deployment/update/update-compliance-get-started.md
@@ -2,11 +2,7 @@
title: Get started with Update Compliance
manager: dougeby
description: Prerequisites, Azure onboarding, and configuring devices for Update Compliance
-keywords: update compliance, oms, operations management suite, prerequisites, requirements, updates, upgrades, antivirus, antimalware, signature, log analytics, wdav
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.pagetype: deploy
-audience: itpro
author: aczechowski
ms.author: aaroncz
ms.localizationpriority: medium
@@ -24,11 +20,6 @@ ms.date: 05/03/2022
- Windows 10
- Windows 11
-> [!IMPORTANT]
-> **A new policy is required to use Update Compliance: "AllowUpdateComplianceProcessing"**. If you're already using Update Compliance and have configured your devices prior to May 10, 2021, you must configure devices with this additional policy. You can do this by rerunning the [Update Compliance Configuration Script](update-compliance-configuration-script.md) if you configure your devices through Group Policy, or refer to [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md) for details on manually configuring the new policy for both Group Policy and MDM.
->
-> Devices must have this policy configured by January 31, 2022, to remain enrolled in Update Compliance. Devices without this policy configured, including Windows 10 releases prior to version 1809 which do not support this policy, will stop appearing in Update Compliance reports after this date.
-
This topic introduces the high-level steps required to enroll to the Update Compliance solution and configure devices to send data to it. The following steps cover the enrollment and device configuration workflow.
1. Ensure you can [meet the requirements](#update-compliance-prerequisites) to use Update Compliance.
diff --git a/windows/deployment/update/update-compliance-monitor.md b/windows/deployment/update/update-compliance-monitor.md
index 029fbe9034..14be646f48 100644
--- a/windows/deployment/update/update-compliance-monitor.md
+++ b/windows/deployment/update/update-compliance-monitor.md
@@ -3,11 +3,7 @@ title: Monitor Windows Updates and Microsoft Defender AV with Update Compliance
ms.reviewer:
manager: dougeby
description: You can use Update Compliance in Azure portal to monitor the progress of updates and key anti-malware protection features on devices in your network.
-keywords: oms, operations management suite, wdav, updates, upgrades, antivirus, antimalware, signature, log analytics
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.pagetype: deploy
-audience: itpro
author: aczechowski
ms.author: aaroncz
ms.localizationpriority: medium
diff --git a/windows/deployment/update/update-compliance-need-attention.md b/windows/deployment/update/update-compliance-need-attention.md
index 64d5014cac..a72b0bd9e9 100644
--- a/windows/deployment/update/update-compliance-need-attention.md
+++ b/windows/deployment/update/update-compliance-need-attention.md
@@ -2,9 +2,6 @@
title: Update Compliance - Need Attention! report
manager: dougeby
description: Learn how the Need attention! section provides a breakdown of all Windows 10 device and update issues detected by Update Compliance.
-ms.mktglfcycl: deploy
-ms.pagetype: deploy
-audience: itpro
author: aczechowski
ms.author: aaroncz
ms.collection: M365-analytics
diff --git a/windows/deployment/update/update-compliance-privacy.md b/windows/deployment/update/update-compliance-privacy.md
index 881d8736c3..25616519e4 100644
--- a/windows/deployment/update/update-compliance-privacy.md
+++ b/windows/deployment/update/update-compliance-privacy.md
@@ -4,9 +4,6 @@ ms.reviewer:
manager: dougeby
description: an overview of the Feature Update Status report
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.pagetype: deploy
-audience: itpro
author: aczechowski
ms.author: aaroncz
ms.collection: M365-analytics
diff --git a/windows/deployment/update/update-compliance-safeguard-holds.md b/windows/deployment/update/update-compliance-safeguard-holds.md
index daa6e15a43..c745e589a3 100644
--- a/windows/deployment/update/update-compliance-safeguard-holds.md
+++ b/windows/deployment/update/update-compliance-safeguard-holds.md
@@ -4,9 +4,6 @@ ms.reviewer:
manager: dougeby
description: Learn how the Safeguard Holds report provides information about safeguard holds in your population.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.pagetype: deploy
-audience: itpro
author: aczechowski
ms.author: aaroncz
ms.collection: M365-analytics
diff --git a/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md b/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md
index 116ada644d..ec78a072db 100644
--- a/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md
+++ b/windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md
@@ -4,9 +4,6 @@ ms.reviewer:
manager: dougeby
description: WaaSDeploymentStatus schema
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.pagetype: deploy
-audience: itpro
author: aczechowski
ms.author: aaroncz
ms.collection: M365-analytics
@@ -15,17 +12,18 @@ ms.topic: article
# WaaSDeploymentStatus
+
WaaSDeploymentStatus records track a specific update's installation progress on a specific device. Multiple WaaSDeploymentStatus records can exist simultaneously for a given device, as each record is specific to a given update and its type. For example, a device can have both a WaaSDeploymentStatus tracking a Windows Feature Update, and one tracking a Windows Quality Update, at the same time.
|Field |Type |Example |Description |
|-|-|-----|------------------------|
|**Computer** |[string](/azure/kusto/query/scalar-data-types/string) |`JohnPC-Contoso` |User or Organization-provided device name. If this appears as '#', then Device Name may not be sent through telemetry. To enable Device Name to be sent with telemetry, see [Enroll devices in Update Compliance](update-compliance-get-started.md#enroll-devices-in-update-compliance). |
-|**ComputerID** |[string](/azure/kusto/query/scalar-data-types/string) |`g:6755412281299915` |Microsoft Global Device Identifier. This is an internal identifier used by Microsoft. A connection to the end-user Managed Service Account (MSA) service is required for this identifier to be populated; no device data will be present in Update Compliance without this identifier. |
+|**ComputerID** |[string](/azure/kusto/query/scalar-data-types/string) |`g:6755412281299915` |Microsoft Global Device Identifier. This is an internal identifier used by Microsoft. A connection to the end-user managed service account is required for this identifier to be populated; no device data will be present in Update Compliance without this identifier. |
|**DeferralDays** |[int](/azure/kusto/query/scalar-data-types/int) |`0` |The deferral policy for this content type or `UpdateCategory` (Windows `Feature` or `Quality`). |
-|**DeploymentError** |[string](/azure/kusto/query/scalar-data-types/string) |`Disk Error` |A readable string describing the error, if any. If empty, there is either no string matching the error or there is no error. |
-|**DeploymentErrorCode** |[int](/azure/kusto/query/scalar-data-types/int) |`8003001E` |Microsoft internal error code for the error, if any. If empty, there is either no error or there is *no error code*, meaning that the issue raised does not correspond to an error, but some inferred issue. |
-|**DeploymentStatus** |[string](/azure/kusto/query/scalar-data-types/string) |`Failed` |The high-level status of installing this update on this device. Possible values are:
You can also download the Windows Assessment and Deployment Kit (ADK) for Windows 10 and install Application Compatibility Tools.| -|0x8007002|This error is specific to upgrades using System Center 2012 Configuration Manager R2 SP1 CU3 (5.00.8238.1403)|Analyze the SMSTS.log and verify that the upgrade is failing on "Apply Operating system" Phase: Error 80072efe DownloadFileWithRanges() failed. 80072efe. ApplyOperatingSystem (0x0760)
The error 80072efe means that the connection with the server was terminated abnormally.
To resolve this issue, try the OS Deployment test on a client in same VLAN as the Configuration Manager server. Check the network configuration for random client-server connection issues happening on the remote VLAN.| +|0x8007002|This error is specific to upgrades using Configuration Manager R2 SP1 CU3 (5.00.8238.1403)|Analyze the SMSTS.log and verify that the upgrade is failing on "Apply Operating system" Phase: Error 80072efe DownloadFileWithRanges() failed. 80072efe. ApplyOperatingSystem (0x0760)
The error 80072efe means that the connection with the server was terminated abnormally.
To resolve this issue, try the OS Deployment test on a client in same VLAN as the Configuration Manager server. Check the network configuration for random client-server connection issues happening on the remote VLAN.| |0x80240FFF|Occurs when update synchronization fails. It can occur when you're using Windows Server Update Services on its own or when it's integrated with Microsoft Endpoint Configuration Manager. If you enable update synchronization before you install hotfix 3095113, WSUS doesn't recognize the Upgrades classification and instead treats the upgrade like a regular update.|You can prevent this by installing hotfix 3095113 before you enable update synchronization. However, if you have already run into this problem, do the following:
For detailed information on how to run these steps check out How to delete upgrades in WSUS.| |0x8007007E|Occurs when update synchronization fails because you don't have hotfix 3095113 installed before you enable update synchronization. Specifically, the CopyToCache operation fails on clients that have already downloaded the upgrade because Windows Server Update Services has bad metadata related to the upgrade. It can occur when you're using standalone Windows Server Update Services or when WSUS is integrated with Microsoft Endpoint Configuration Manager.|Use the following steps to repair Windows Server Update Services. You must run these steps on each WSUS server that synched metadata before you installed the hotfix.
Stop the Windows Update service.
Delete all files and folders under c:\Windows\SoftwareDistribution\DataStore.
Restart the Windows Update service.|
@@ -189,5 +184,5 @@ Also see the following sequential list of modern setup (mosetup) error codes wit
- [Windows 10 Specifications](https://www.microsoft.com/windows/Windows-10-specifications)
- [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/home?category=Windows10ITPro)
- [Fix Windows Update errors by using the DISM or System Update Readiness tool](/troubleshoot/windows-server/deployment/fix-windows-update-errors)
-- [Win 7 to Win 10 upgrade error (0x800707E7 - 0x3000D)](https://answers.microsoft.com/en-us/windows/forum/all/win-7-to-win-10-upgrade-error-0x800707e7-0x3000d/1273bc1e-8a04-44d4-a6b2-808c9feeb020))
-- [Win 10 upgrade error: User profile suffix mismatch, 0x800707E7 - 0x3000D](https://answers.microsoft.com/en-us/windows/forum/windows_10-windows_install/win-10-upgrade-error-user-profile-suffix-mismatch/0f006733-2af5-4b42-a2d4-863fad05273d?page=3)
+- [Windows 7 to Windows 10 upgrade error (0x800707E7 - 0x3000D)](https://answers.microsoft.com/en-us/windows/forum/all/win-7-to-win-10-upgrade-error-0x800707e7-0x3000d/1273bc1e-8a04-44d4-a6b2-808c9feeb020))
+- [Windows 10 upgrade error: User profile suffix mismatch, 0x800707E7 - 0x3000D](https://answers.microsoft.com/en-us/windows/forum/windows_10-windows_install/win-10-upgrade-error-user-profile-suffix-mismatch/0f006733-2af5-4b42-a2d4-863fad05273d?page=3)
diff --git a/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md b/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md
index 57df118f87..059f0801cb 100644
--- a/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md
+++ b/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md
@@ -3,12 +3,7 @@ title: Resolve Windows 10 upgrade errors - Windows IT Pro
manager: dougeby
ms.author: aaroncz
description: Resolve Windows 10 upgrade errors for ITPros. Technical information for IT professionals to help diagnose Windows setup errors.
-keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: deploy
-audience: itpro
author: aczechowski
ms.localizationpriority: medium
ms.topic: article
diff --git a/windows/deployment/upgrade/setupdiag.md b/windows/deployment/upgrade/setupdiag.md
index 505f23ab18..b6b9becf85 100644
--- a/windows/deployment/upgrade/setupdiag.md
+++ b/windows/deployment/upgrade/setupdiag.md
@@ -3,13 +3,8 @@ title: SetupDiag
manager: dougeby
ms.author: aaroncz
description: SetupDiag works by examining Windows Setup log files. This article shows how to use the SetupDiag tool to diagnose Windows Setup errors.
-keywords: deploy, troubleshoot, windows, 10, upgrade, update, setup, diagnose
ms.custom: seo-marvel-apr2020
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: deploy
-audience: itpro
author: aczechowski
ms.localizationpriority: medium
ms.topic: article
@@ -298,7 +293,7 @@ Each rule name and its associated unique rule identifier are listed with a descr
39. WimApplyExtractFailure – 746879E9-C9C5-488C-8D4B-0C811FF3A9A8
- Matches a wim apply failure during wim extraction phases of setup. Will output the extension, path and error code.
40. UpdateAgentExpanderFailure – 66E496B3-7D19-47FA-B19B-4040B9FD17E2
- - Matches DPX expander failures in the down-level phase of update from WU. Will output the package name, function, expression and error code.
+ - Matches DPX expander failures in the down-level phase of update from Windows Update. Will output the package name, function, expression and error code.
41. FindFatalPluginFailure – E48E3F1C-26F6-4AFB-859B-BF637DA49636
- Matches any plug-in failure that setupplatform decides is fatal to setup. Will output the plugin name, operation and error code.
42. AdvancedInstallerFailed - 77D36C96-32BE-42A2-BB9C-AAFFE64FCADC
diff --git a/windows/deployment/upgrade/submit-errors.md b/windows/deployment/upgrade/submit-errors.md
index 17692fe281..78530d857f 100644
--- a/windows/deployment/upgrade/submit-errors.md
+++ b/windows/deployment/upgrade/submit-errors.md
@@ -4,12 +4,7 @@ ms.reviewer:
manager: dougeby
ms.author: aaroncz
description: Download the Feedback Hub app, and then submit Windows 10 upgrade errors for diagnosis using feedback hub.
-keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, feedback
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: deploy
-audience: itpro
author: aczechowski
ms.localizationpriority: medium
ms.topic: article
diff --git a/windows/deployment/upgrade/troubleshoot-upgrade-errors.md b/windows/deployment/upgrade/troubleshoot-upgrade-errors.md
index 736fd59813..5b8cff866c 100644
--- a/windows/deployment/upgrade/troubleshoot-upgrade-errors.md
+++ b/windows/deployment/upgrade/troubleshoot-upgrade-errors.md
@@ -3,12 +3,7 @@ title: Troubleshoot Windows 10 upgrade errors - Windows IT Pro
manager: dougeby
ms.author: aaroncz
description: Understanding the Windows 10 upgrade process can help you troubleshoot errors when something goes wrong. Find out more with this guide.
-keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: deploy
-audience: itpro
author: aczechowski
ms.localizationpriority: medium
ms.topic: article
diff --git a/windows/deployment/upgrade/upgrade-error-codes.md b/windows/deployment/upgrade/upgrade-error-codes.md
index 3b0ef7d8df..6d09c5829a 100644
--- a/windows/deployment/upgrade/upgrade-error-codes.md
+++ b/windows/deployment/upgrade/upgrade-error-codes.md
@@ -3,12 +3,7 @@ title: Upgrade error codes - Windows IT Pro
manager: dougeby
ms.author: aaroncz
description: Understand the error codes that may come up if something goes wrong during the Windows 10 upgrade process.
-keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: deploy
-audience: itpro
author: aczechowski
ms.localizationpriority: medium
ms.topic: article
diff --git a/windows/deployment/upgrade/windows-10-edition-upgrades.md b/windows/deployment/upgrade/windows-10-edition-upgrades.md
index 959bb7e649..fee71f1399 100644
--- a/windows/deployment/upgrade/windows-10-edition-upgrades.md
+++ b/windows/deployment/upgrade/windows-10-edition-upgrades.md
@@ -1,15 +1,10 @@
---
title: Windows 10 edition upgrade (Windows 10)
description: With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported.
-ms.assetid: A7642E90-A3E7-4A25-8044-C4E402DC462A
manager: dougeby
ms.author: aaroncz
ms.prod: w10
-ms.mktglfcycl: deploy
ms.localizationpriority: medium
-ms.sitesec: library
-ms.pagetype: mobile
-audience: itpro
author: aczechowski
ms.topic: article
ms.collection: highpri
@@ -57,15 +52,15 @@ X = unsupported Devices successfully registered and healthy don't appear in the Not ready tab. |
+| Ready | The purpose of the Ready tab is to show devices that were successfully registered to the Windows Autopatch service. |
+| Not ready | The purpose of the Not ready tab is to help you identify and remediate devices that don't meet the pre-requisite checks to register into the Windows Autopatch service. This tab only shows devices that didn't successfully register into Windows Autopatch. |
## Built-in roles required for device registration
A role defines the set of permissions granted to users assigned to that role. You can use one of the following built-in roles in Windows Autopatch to register devices:
- Azure AD Global Administrator
-- Service Support Administrator
- Intune Service Administrator
- Modern Workplace Intune Administrator
-For more information, see [Azure AD built-in roles](/azure/active-directory/roles/permissions-reference) and [Role-based access control (RBAC) with Microsoft Intune](/mem/intune/fundamentals/role-based-access-control).
+For more information, see [Azure AD built-in roles](/azure/active-directory/roles/permissions-reference) and [Role-based access control (RBAC) with Microsoft Intune](/mem/intune/fundamentals/role-based-access-control).
> [!NOTE]
> The Modern Workplace Intune Admin role is a custom created role during the Windows Autopatch tenant enrollment process. This role can assign administrators to Endpoint Manager roles, and allows you to create and configure custom Endpoint Manager roles.
@@ -94,26 +107,62 @@ For more information, see [Azure AD built-in roles](/azure/active-directory/role
Registering your devices in Windows Autopatch does the following:
1. Makes a record of devices in the service.
-2. Assign devices into the ring groups and other groups required for software updates management.
+2. Assign devices into the deployment ring groups and other groups required for software updates management.
## Steps to register devices
-**To register devices into Windows Autopatch:**
+### Physical devices
+
+**To register physical devices into Windows Autopatch:**
1. Go to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).
2. Select **Windows Autopatch** from the left navigation menu.
3. Select **Devices**.
4. Select the **Ready** tab, then select the **Windows Autopatch Device Registration** hyperlink. The Azure Active Directory group blade opens.
-5. Add either devices through direct membership or other Azure Active Directory dynamic or assigned groups as nested groups in the **Windows Autopatch Device Registration** group.
+5. Add either devices through direct membership, or other Azure Active Directory dynamic or assigned groups as nested groups in the **Windows Autopatch Device Registration** group.
-Once devices or Azure AD groups containing devices are added to the **Windows Autopatch Device Registration** group, Windows Autopatch discovers these devices and runs device-level prerequisite checks to try to register them.
+> [!NOTE]
+> The **Windows Autopatch Device Registration** hyperlink is in the center of the Ready tab when there's no devices registered with the Windows Autopatch service. Once you have one or more devices registered with the Windows Autopatch service, the **Windows Autopatch Device registration** hyperlink is at the top of both Ready and Not ready tabs.
-> [!IMPORTANT]
-> It might take up to an hour for a device to change its status from **Ready for User** to **Active** in the Ready tab during the public preview.
+Once devices or Azure AD groups containing devices are added to the **Windows Autopatch Device Registration** group, Windows Autopatch discovers these devices, and runs software-based prerequisite checks to try to register them with its service.
-## Other device lifecycle management scenarios
+### Virtual devices
-There are a few more device lifecycle management scenarios to consider when planning to register devices in Windows Autopatch.
+#### Windows Autopatch on Windows 365 Enterprise Workloads
+
+With Windows 365 Enterprise, you can include Windows Autopatch onboarding as part of your provision process providing a seamless experience for admins and users to ensure your Cloud PCs are always up to date.
+
+#### Deploy Windows Autopatch on a Windows 365 Provisioning Policy
+
+For general guidance, see [Create a Windows 365 Provisioning Policy](/windows-365/enterprise/create-provisioning-policy).
+
+**To deploy Windows Autopatch on a Windows 365 Provisioning Policy:**
+
+1. Go to the [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) admin center.
+1. In the left pane, select **Devices**.
+1. Navigate to Provisioning > **Windows 365**.
+1. Select Provisioning policies > **Create policy**.
+1. Provide a policy name and select **Join Type**. For more information, see [Device join types](/windows-365/enterprise/identity-authentication#device-join-types).
+1. Select **Next**.
+1. Choose the desired image and select **Next**.
+1. Under the **Microsoft managed services** section, select **Windows Autopatch**. Then, select **Next**. If the *Windows Autopatch (preview) cannot manage your Cloud PCs until a Global Admin has finished setting it up.* message appears, you must [enroll your tenant](../prepare/windows-autopatch-enroll-tenant.md) to continue.
+1. Assign your policy accordingly and select **Next**.
+1. Select **Create**. Now your newly provisioned Windows 365 Enterprise Cloud PCs will automatically be enrolled and managed by Windows Autopatch.
+
+#### Deploy Autopatch on Windows 365 for existing Cloud PC
+
+All your existing Windows 365 Enterprise workloads can be registered into Windows Autopatch by leveraging the same method as your physical devices. For more information, see [Physical devices](#physical-devices).
+
+#### Contact support
+
+Support is available either through Windows 365, or Windows Autopatch for update related incidents.
+
+- For Windows 365 support, see [Get support](/mem/get-support).
+- For Windows Autopatch support, see [Submit a support request](/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request).
+
+## Device management lifecycle scenarios
+
+There's a few more device lifecycle management scenarios to consider when planning to register devices in Windows Autopatch.
### Device refresh
@@ -132,4 +181,4 @@ If you need to repair a device that was previously registered into the Windows A
When one of these hardware changes occurs, Azure AD creates a new device ID record for that device, even if it's technically the same device.
> [!IMPORTANT]
-> If a new Azure AD device ID is generated for a device that was previously registered into Windows Autopatch, even if it's the same device, the new Azure AD device ID must be added either through device direct membership or through nested Azure AD dynamic/assigned group into the **Windows Autopatch Device Registration** group. This process guarantees the newly generated Azure AD device ID is registered with Windows Autopatch and that the device continues to have its software updates managed by the service.
+> If a new Azure AD device ID is generated for a device that was previously registered into the Windows Autopatch service, even if it's technically same device, the new Azure AD device ID must be added either through device direct membership or through nested Azure AD dynamic/assigned group into the **Windows Autopatch Device Registration** Azure AD group. This process guarantees that the newly generated Azure AD device ID is registered with Windows Autopatch and that the device continues to have its software updates managed by the service.
diff --git a/windows/deployment/windows-autopatch/media/windows-feature-force-update.png b/windows/deployment/windows-autopatch/media/windows-feature-force-update.png
new file mode 100644
index 0000000000..a1752b7996
Binary files /dev/null and b/windows/deployment/windows-autopatch/media/windows-feature-force-update.png differ
diff --git a/windows/deployment/windows-autopatch/media/windows-feature-release-process-timeline.png b/windows/deployment/windows-autopatch/media/windows-feature-release-process-timeline.png
new file mode 100644
index 0000000000..0b926b62f6
Binary files /dev/null and b/windows/deployment/windows-autopatch/media/windows-feature-release-process-timeline.png differ
diff --git a/windows/deployment/windows-autopatch/media/windows-feature-typical-update-experience.png b/windows/deployment/windows-autopatch/media/windows-feature-typical-update-experience.png
new file mode 100644
index 0000000000..f05268d372
Binary files /dev/null and b/windows/deployment/windows-autopatch/media/windows-feature-typical-update-experience.png differ
diff --git a/windows/deployment/windows-autopatch/media/windows-feature-update-grace-period.png b/windows/deployment/windows-autopatch/media/windows-feature-update-grace-period.png
new file mode 100644
index 0000000000..a0899ccf6c
Binary files /dev/null and b/windows/deployment/windows-autopatch/media/windows-feature-update-grace-period.png differ
diff --git a/windows/deployment/windows-autopatch/operate/index.md b/windows/deployment/windows-autopatch/operate/index.md
index 44954ce00f..88dfceb72d 100644
--- a/windows/deployment/windows-autopatch/operate/index.md
+++ b/windows/deployment/windows-autopatch/operate/index.md
@@ -14,12 +14,15 @@ msreviewer: hathind
# Operating with Windows Autopatch
-This section includes information about Windows Autopatch update management, types of updates managed by Windows Autopatch, and how to contact the Windows Autopatch Service Engineering Team:
+This section includes information about Windows Autopatch update management, types of updates managed by Windows Autopatch, maintaining your Windows Autopatch environment, how to contact the Windows Autopatch Service Engineering Team, and unenrolling your tenant:
- [Update management](windows-autopatch-update-management.md)
- [Windows quality updates](windows-autopatch-wqu-overview.md)
+- [Windows feature updates](windows-autopatch-fu-overview.md)
- [Microsoft 365 Apps for enterprise updates](windows-autopatch-microsoft-365-apps-enterprise.md)
- [Microsoft Edge updates](windows-autopatch-edge.md)
- [Microsoft Teams updates](windows-autopatch-teams.md)
+- [Maintain the Windows Autopatch environment](windows-autopatch-maintain-environment.md)
- [Deregister devices](windows-autopatch-deregister-devices.md)
- [Submit a support request](windows-autopatch-support-request.md)
+- [Unenroll your tenant](windows-autopatch-unenroll-tenant.md)
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices.md
index bfb6b35250..4fe92e457d 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-deregister-devices.md
@@ -1,7 +1,7 @@
---
title: Deregister a device
description: This article explains how to deregister devices
-ms.date: 05/31/2022
+ms.date: 06/15/2022
ms.prod: w11
ms.technology: windows
ms.topic: how-to
@@ -14,7 +14,7 @@ msreviewer: andredm7
# Deregister a device
-To avoid end-user disruption, device de-registration in Windows Autopatch only deletes the Windows Autopatch device record itself. Device de-registration can't delete Microsoft Intune and/or the Azure Active Directory device records. Microsoft assumes you'll keep managing those devices yourself in some capacity.
+To avoid end-user disruption, device deregistration in Windows Autopatch only deletes the Windows Autopatch device record itself. Device deregistration can't delete Microsoft Intune and/or the Azure Active Directory device records. Microsoft assumes you'll keep managing those devices yourself in some capacity.
**To deregister a device:**
@@ -24,14 +24,17 @@ To avoid end-user disruption, device de-registration in Windows Autopatch only d
1. In either **Ready** or **Not ready** tab, select the device(s) you want to deregister.
1. Once a device or multiple devices are selected, select **Device actions**, then select **Deregister device**.
+> [!WARNING]
+> Removing devices from the Windows Autopatch Device Registration Azure AD group doesn't deregister devices from the Windows Autopatch service.
+
## Excluded devices
-When you deregister a device from the Windows Autopatch service, the device is flagged as "excluded" so Windows Autopatch doesn't try to re-register the device into the service again, since the de-registration command doesn't trigger device membership removal from the **Windows Autopatch Device Registration** Azure Active Directory group.
+When you deregister a device from the Windows Autopatch service, the device is flagged as "excluded" so Windows Autopatch doesn't try to reregister the device into the service again, since the deregistration command doesn't trigger device membership removal from the **Windows Autopatch Device Registration** Azure Active Directory group.
> [!IMPORTANT]
> The Azure AD team doesn't recommend appending query statements to remove specific device from a dynamic query due to dynamic query performance issues.
-If you want to re-register a device that was previously deregistered from Windows Autopatch, you must [submit a support request](../operate/windows-autopatch-support-request.md) with the Windows Autopatch Service Engineering Team to request the removal of the "excluded" flag set during the de-registration process. After the Windows Autopatch Service Engineering Team removes the flag, you can re-register a device or a group of devices.
+If you want to reregister a device that was previously deregistered from Windows Autopatch, you must [submit a support request](../operate/windows-autopatch-support-request.md) with the Windows Autopatch Service Engineering Team to request the removal of the "excluded" flag set during the deregistration process. After the Windows Autopatch Service Engineering Team removes the flag, you can reregister a device or a group of devices.
## Hiding unregistered devices
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-edge.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-edge.md
index 3f0a1a95c6..988fb95d21 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-edge.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-edge.md
@@ -14,7 +14,7 @@ msreviewer: hathind
# Microsoft Edge
-Windows Autopatch uses the [Stable channel](/deployedge/microsoft-edge-channels%22%20/l%20%22stable-channel) of Microsoft Edge.
+Windows Autopatch uses the [Stable Channel](/deployedge/microsoft-edge-channels#stable-channel) of Microsoft Edge.
## Device eligibility
@@ -22,7 +22,7 @@ For a device to be eligible for Microsoft Edge updates as a part of Windows Auto
- The device must be powered on and have an internet connection.
- There are no policy conflicts between Windows Autopatch policies and customer policies.
-- The device must be able to access the required network endpoints to reach the Microsoft Edge update service.
+- The device must be able to access the required network endpoints to reach the Microsoft Edge update service.
- If Microsoft Edge is open, it must restart for the update process to complete.
## Update release schedule
@@ -31,7 +31,7 @@ Microsoft Edge will check for updates every 10 hours. Quality updates occur week
Browser updates with critical security fixes will have a faster rollout cadence than updates that don't have critical security fixes to ensure prompt protection from vulnerabilities.
-Devices in the Test device group receive feature updates from the [Beta channel](/deployedge/microsoft-edge-channels#beta-channel). This channel is fully supported and automatically updated with new features approximately every four weeks.
+Devices in the Test device group receive feature updates from the [Beta Channel](/deployedge/microsoft-edge-channels#beta-channel). This channel is fully supported and automatically updated with new features approximately every four weeks.
## Pausing and resuming updates
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-end-user-exp.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-end-user-exp.md
new file mode 100644
index 0000000000..15a138fcdf
--- /dev/null
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-end-user-exp.md
@@ -0,0 +1,73 @@
+---
+title: Windows feature update end user experience
+description: This article explains the Windows feature update end user experience
+ms.date: 07/11/2022
+ms.prod: w11
+ms.technology: windows
+ms.topic: conceptual
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+msreviewer: hathind
+---
+
+# Windows feature update end user experience
+
+Windows Autopatch aims to deploy updates predictably while minimizing the effect to end users by preventing reboots during business hours.
+
+## User notifications
+
+In this section we'll review what an end user would see in the following three scenarios:
+
+1. Typical update experience
+2. Feature update deadline forces an update
+3. Feature update grace period
+
+> [!NOTE]
+> Windows Autopatch doesn't yet support feature updates without notifying end users.
+
+### Typical update experience
+
+In this example, we'll be discussing a device in the First ring. The Autopatch service updates the First ring’s DSS policy to target the next version of Windows 30 days after the start of the release. When the policy is applied to the device, the device will download the update, and notify end users that the new version of Windows is ready to install. The end user can either:
+
+1. Restart immediately to install the updates
+1. Schedule the installation, or
+1. Snooze (the device will attempt to install outside of active hours.)
+
+In the following example, the user schedules the restart and is notified 15 minutes prior to the scheduled restart time. The user can reschedule, if necessary, but isn't able to reschedule past the deadline.
+
+:::image type="content" source="../media/windows-feature-typical-update-experience.png" alt-text="Typical Windows feature update experience":::
+
+### Feature update deadline forces an update
+
+The following example builds on the scenario outlined in the typical user experience, but the user ignores the notification and selects snooze. Further notifications are received, which the user ignores. The device is also unable to install the updates outside of active hours.
+
+The deadline specified in the update policy is five days. Therefore, once this deadline is passed, the device will ignore the active hours and force a restart to complete the installation. The user will receive a 15-minute warning, after which, the device will install the update and restart.
+
+:::image type="content" source="../media/windows-feature-force-update.png" alt-text="Force Windows feature update":::
+
+### Feature update grace period
+
+In the following example, the user is on holiday and the device is offline beyond the feature update deadline. The user then returns to work and the device is turned back on.
+
+Since the deadline has already passed, the device is granted a two-day grace period to install the update and restart. The user will be notified of a pending installation and given options to choose from. Once the two-day grace period has expired, the user is forced to restart with a 15-minute warning notification.
+
+:::image type="content" source="../media/windows-feature-update-grace-period.png" alt-text="Window feature update grace period":::
+
+## Servicing window
+
+Windows Autopatch understands the importance of not disrupting end users but also updating the devices quickly. To achieve this goal, updates are automatically downloaded and installed at an optimal time determined by the device. Device restarts occur outside of active hours until the deadline is reached. By default, active hours are configured dynamically based on device usage patterns. If you wish to specify active hours for your organization, you can do so by deploying both the following policies:
+
+| Policy | Description |
+| ----- | ----- |
+| [Active hours start](/windows/client-management/mdm/policy-csp-update#update-activehoursstart) | This policy controls the start of the protected window where devices won't restart. Supported values are from zero through to 23. Zero is 12∶00AM, representing the hours of the day in local time on that device. |
+| [Active hours end](/windows/client-management/mdm/policy-csp-update#update-activehoursend) | This policy controls the end of the protected window where devices won't restart. Supported values are from zero through to 23. Zero is 12∶00AM, representing the hours of the day in local time on that device. This value can be no more than 12 hours after the time set in active hours start. |
+
+> [!IMPORTANT]
+> Both policies must be deployed for them to work as expected.
+
+A device won't restart during active hours unless it has passed the date specified by the update deadline policy. Once the device has passed the deadline policy, the device will update as soon as possible.
+
+> [!IMPORTANT]
+> If your devices must be updated at a specific date or time, they aren't suitable for Windows Autopatch. Allowing you to choose specific dates to update devices would disrupt the rollout schedule and prevent us from delivering the service level objective. The use of any of the following CSPs on a managed device will render it ineligible for management: **To review the Windows Autopatch conditional access policy (Modern Workplace – Secure Workstation):** Go to Microsoft Endpoint Manager and navigate to **Conditional Access** in **Endpoint Security**. Do **not** modify any Azure AD conditional access policies created by Windows Autopatch that have "**Modern Workplace**" in the name. Windows Autopatch will also have created some update ring policies. all of which The policies will have "**Modern Workplace**" in the name. For example: When you update your own policies, ensure that you don't exclude the **Modern Workplace Devices - All** Azure AD group from the policies that Windows Autopatch created. **To resolve the Not ready result:** After enrolling into Autopatch, make sure that any update ring policies you have **exclude** the **Modern Workplace Devices - All** Azure Active Directory (AD) group.For more information, see [Manage Windows 10 software updates in Intune](/mem/intune/protect/windows-update-for-business-configure). **To resolve the Advisory result:** For more information, see [Manage Windows 10 software updates in Intune](/mem/intune/protect/windows-update-for-business-configure). Supported values are from zero through to 23, where zero is 12∶00AM, representing the hours of the day in local time on that device. This value can be no more than 12 hours after the time set in active hours start. |
| [Active hours max range](/windows/client-management/mdm/policy-csp-update#update-activehoursmaxrange) | Update/ActiveHoursMaxRange | Allows the IT admin to specify the max active hours range. This value sets the maximum number of active hours from the start time. Supported values are from eight through to 18. |
-## Group policy
+### Group policy
Group policy takes precedence over mobile device management (MDM) policies. For Windows quality updates, if any group policies are detected which modify the following hive in the registry, the device will be ineligible for management:
`Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\PolicyState`
-
-## Incidents and outages
-
-If devices in your tenant aren't meeting the [service level objective](../operate/windows-autopatch-wqu-overview.md#service-level-objective) for Windows quality updates, an incident will be raised, and the Windows Autopatch Service Engineering Team will work to bring the devices back into compliance.
-
-If you're experiencing other issues related to Windows quality updates, [submit a support request](../operate/windows-autopatch-support-request.md).
diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml
index 2c496594e3..109b68bdbe 100644
--- a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml
+++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml
@@ -4,7 +4,7 @@ metadata:
description: Answers to frequently asked questions about Windows Autopatch.
ms.prod: w11
ms.topic: faq
- ms.date: 06/02/2022
+ ms.date: 07/06/2022
audience: itpro
ms.localizationpriority: medium
manager: dougeby
@@ -42,9 +42,10 @@ sections:
- [Azure Active Directory (Azure AD) Premium](/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses)
- [Hybrid Azure AD-Joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) or [Azure AD-joined only](/azure/active-directory/devices/concept-azure-ad-join-hybrid)
- [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune)
- - [Co-management](/prepare/windows-autopatch-prerequisites.md#co-management-requirements)
- - [Configuration Manager version 2010 or later](/mem/configmgr/core/plan-design/changes/whats-new-in-version-2010)
- - [Switch workloads for device configuration, Windows Update and Microsoft 365 Apps from Configuration Manager to Intune](/mem/configmgr/comanage/how-to-switch-workloads) (minimum Pilot Intune)
+ Additional pre-requisites for devices managed by Configuration Manager:
+ - [Configuration Manager Co-management requirements](../prepare/windows-autopatch-prerequisites.md#configuration-manager-co-management-requirements)
+ - [A supported version of Configuration Manager](/mem/configmgr/core/servers/manage/updates#supported-versions)
+ - [Switch workloads for device configuration, Windows Update and Microsoft 365 Apps from Configuration Manager to Intune](/mem/configmgr/comanage/how-to-switch-workloads) (minimum Pilot Intune. Pilot collection must contain the devices you want to register into Autopatch.)
- question: What are the licensing requirements for Windows Autopatch?
answer: |
- Windows Autopatch is included with Window 10/11 Enterprise E3 or higher. For more information, see [More about licenses](../prepare/windows-autopatch-prerequisites.md#more-about-licenses).
@@ -58,6 +59,15 @@ sections:
- question: Can Autopatch customers individually approve or deny devices?
answer: |
No you can't individually approve or deny devices. Once a device is registered with Windows Autopatch, updates are rolled out to the devices according to its ring assignment. Individual device level control isn't supported.
+ - question: Does Autopatch on Windows 365 Cloud PCs have any feature difference from a physical device?
+ answer: |
+ No, Windows 365 Enterprise Cloud PC's support all features of Windows Autopatch. For more information, see [Virtual devices](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices#virtual-devices).
+ - question: Do my Cloud PCs appear any differently in the Windows Autopatch admin center?
+ answer: |
+ Cloud PC displays the model as the license type you have provisioned. For more information, see [Virtual devices](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices#virtual-devices).
+ - question: Can I run Autopatch on my Windows 365 Business Workloads?
+ answer: |
+ No. Autopatch is only available on enterprise workloads. For more information, see [Virtual devices](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices#virtual-devices).
- name: Update Management
questions:
- question: What systems does Windows Autopatch update?
@@ -103,4 +113,4 @@ sections:
Programmatic access to Autopatch isn't currently available.
additionalContent: |
## Additional Content
- [Provide feedback](https://go.microsoft.com/fwlink/?linkid=2195593) or start a discussion in our [Windows Autopatch Tech Community](https://aka.ms/Community/WindowsAutopatch
\ No newline at end of file
+ [Provide feedback](https://go.microsoft.com/fwlink/?linkid=2195593) or start a discussion in our [Windows Autopatch Tech Community](https://aka.ms/Community/WindowsAutopatch)
diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md b/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md
index f2bb7d8615..107f37c50e 100644
--- a/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md
+++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-overview.md
@@ -1,7 +1,7 @@
---
-title: What is Windows Autopatch? (preview)
+title: What is Windows Autopatch?
description: Details what the service is and shortcuts to articles
-ms.date: 05/30/2022
+ms.date: 07/11/2022
ms.prod: w11
ms.technology: windows
ms.topic: conceptual
@@ -12,10 +12,7 @@ manager: dougeby
msreviewer: hathind
---
-# What is Windows Autopatch? (preview)
-
-> [!IMPORTANT]
-> **Windows Autopatch is in public preview**. It's actively being developed and may not be complete. You can test and use these features in production environments and [provide feedback](https://go.microsoft.com/fwlink/?linkid=2195593) or start a discussion in our [Windows Autopatch Tech Community](https://aka.ms/Community/WindowsAutopatch).
+# What is Windows Autopatch?
Windows Autopatch is a cloud service that automates Windows, Microsoft 365 Apps for enterprise, Microsoft Edge, and Microsoft Teams updates to improve security and productivity across your organization.
@@ -39,6 +36,7 @@ The goal of Windows Autopatch is to deliver software updates to registered devic
| Management area | Service level objective |
| ----- | ----- |
| [Windows quality updates](../operate/windows-autopatch-wqu-overview.md) | Windows Autopatch aims to keep at least 95% of eligible devices on the latest Windows quality update 21 days after release. |
+| [Windows feature updates](../operate/windows-autopatch-fu-overview.md) | Windows Autopatch aims to keep at least 99% of eligible devices on a supported version of Windows so that they can continue receiving Windows feature updates. |
| [Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md) | Windows Autopatch aims to keep at least 90% of eligible devices on a supported version of the Monthly Enterprise Channel (MEC). |
| [Microsoft Edge](../operate/windows-autopatch-edge.md) | Windows Autopatch configures eligible devices to benefit from Microsoft Edge's progressive rollouts on the Stable channel. |
| [Microsoft Teams](../operate/windows-autopatch-teams.md) | Windows Autopatch allows eligible devices to benefit from the standard automatic update channel. |
@@ -59,33 +57,13 @@ Microsoft remains committed to the security of your data and the [accessibility]
## Need more details?
-### Prepare
+| Area | Description |
+| ----- | ----- |
+| Prepare | The following articles describe the mandatory steps to prepare and enroll your tenant into Windows Autopatch: Conditional access policies shouldn't be assigned to Windows Autopatch service accounts. For more information on steps to take, see [Conditional access policies](../prepare/windows-autopatch-fix-issues.md#conditional-access-policies). |
-| Windows Autopatch service accounts | Checks that no usernames conflict with ones that Windows Autopatch reserves for its own use. |
+| Conditional access | Verifies that conditional access policies and multi-factor authentication aren't assigned to all users. Your conditional access policies must not prevent our service accounts from accessing the service and must not require multi-factor authentication. For more information, see [Conditional access policies](../prepare/windows-autopatch-fix-issues.md#conditional-access-policies). |
+| Windows Autopatch cloud service accounts | Checks that no usernames conflict with ones that Windows Autopatch reserves for its own use. The cloud service accounts are: You can complete enrollment, but you must fix these issues before you deploy your first device. |
-| Not ready | Enrollment will fail if you don't fix these issues. Follow the steps in the tool or this article to resolve them. |
+| Not ready | You must fix these issues before enrollment. You won’t be able to enroll into Windows Autopatch if you don't fix these issues. Follow the steps in the tool or this article to resolve them. |
| Error | The Azure Active Directory (AD) role you're using doesn't have sufficient permissions to run this check. |
-### Seeing issues with your tenant?
+## Step 3: Fix issues with your tenant
If the Readiness assessment tool is displaying issues with your tenant, see [Fix issues found by the Readiness assessment tool](../prepare/windows-autopatch-fix-issues.md) for more information on how to remediate.
-### Delete data collected from the Readiness assessment tool
-
-Windows Autopatch retains the data associated with these checks for 12 months after the last time you ran a check in your Azure Active Directory organization (tenant). After 12 months, we retain the data in a de-identified form. You can choose to delete the data we collect directly within the Readiness assessment tool.
-
-> [!NOTE]
-> Windows Autopatch will only delete the results we collect within the Readiness assessment tool; Autopatch won't delete any other tenant-level data.
-
-**To delete the data we collect:**
-
-1. Go to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).
-2. Navigate to Windows Autopatch > **Tenant enrollment**.
-3. Select **Delete all data**.
-
-## Step 3: Enroll your tenant
+## Step 4: Enroll your tenant
> [!IMPORTANT]
> You must be a Global Administrator to enroll your tenant.
@@ -105,4 +97,24 @@ Within the Readiness assessment tool, you'll now see the **Enroll** button. By s
- Provide Windows Autopatch with IT admin contacts.
- Setup of the Windows Autopatch service on your tenant. This step is where we'll create the policies, groups and accounts necessary to run the service.
-Once these actions are complete, you've now successfully enrolled your tenant. Ensure you've [added and verified your admin contacts](../deploy/windows-autopatch-admin-contacts.md) before you [register your devices](../deploy/windows-autopatch-register-devices.md).
+Once these actions are complete, you've now successfully enrolled your tenant.
+
+### Delete data collected from the Readiness assessment tool
+
+You can choose to delete the data we collect directly within the Readiness assessment tool.
+
+Windows Autopatch retains the data associated with these checks for 12 months after the last time you ran a check in your Azure Active Directory organization (tenant). After 12 months, we retain the data in a de-identified form.
+
+> [!NOTE]
+> Windows Autopatch will only delete the results we collect within the Readiness assessment tool; Autopatch won't delete any other tenant-level data.
+
+**To delete the data we collect:**
+
+1. Go to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).
+2. Navigate to Windows Autopatch > **Tenant enrollment**.
+3. Select **Delete all data**.
+
+## Next steps
+
+1. Maintain your [Windows Autopatch environment](../operate/windows-autopatch-maintain-environment.md).
+1. Ensure you've [added and verified your admin contacts](../deploy/windows-autopatch-admin-contacts.md) before you [register your devices](../deploy/windows-autopatch-register-devices.md).
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md
index b9f8c7b372..13b48f4d5d 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-fix-issues.md
@@ -14,13 +14,17 @@ msreviewer: hathind
# Fix issues found by the Readiness assessment tool
+Seeing issues with your tenant? This article details how to remediate issues found with your tenant.
+
+## Check results
+
For each check, the tool will report one of four possible results:
| Result | Meaning |
| ----- | ----- |
| Ready | No action is required before completing enrollment. |
| Advisory | Follow the steps in the tool or this article for the best experience with enrollment and for users. You can complete enrollment, but you must fix these issues before you deploy your first device. |
-| Not ready | Enrollment will fail if you don't fix these issues. Follow the steps in the tool or this article to resolve them. |
+| Not ready | You must fix these issues before enrollment. You won’t be able to enroll into Windows Autopatch if you don't fix these issues. Follow the steps in the tool or this article to resolve them. |
| Error | The Azure Active Directory (AD) role you're using doesn't have sufficient permissions to run this check. |
> [!NOTE]
@@ -44,8 +48,8 @@ Your "Windows 10 update ring" policy in Intune must not target any Windows Autop
| Result | Meaning |
| ----- | ----- |
-| Not ready | You have an "update ring" policy that targets all devices, all users, or both. Change the policy to use an assignment that targets a specific Azure Active Directory (AD) group that doesn't include any Windows Autopatch devices. After enrolling into Autopatch, make sure that any update ring policies you have exclude the **Modern Workplace Devices - All** Azure Active Directory (AD) group. For more information, see [Manage Windows 10 software updates in Intune](/mem/intune/protect/windows-update-for-business-configure). To resolve, change the policy to use an assignment that targets a specific Azure Active Directory (AD) group that doesn't include any Windows Autopatch devices. For more information, see [Manage Windows 10 software updates in Intune](/mem/intune/protect/windows-update-for-business-configure). You can continue with enrollment. However, you must resolve the advisory prior to deploying your first device. To resolve the advisory, see [Maintain the Windows Autopatch environment](../operate/windows-autopatch-maintain-environment.md). You must either rename or remove conflicting accounts to move forward with enrolling to the Windows Autopatch service as we'll create these accounts as part of running our service. For more information, see [Tenant Access](../references/windows-autopatch-privacy.md#tenant-access). For more information on available licenses, see [Microsoft 365 licensing](https://www.microsoft.com/microsoft-365/compare-microsoft-365-enterprise-plans). For more information about licensing terms and conditions for products and services purchased through Microsoft Commercial Volume Licensing Programs, see the [Product Terms site](https://www.microsoft.com/licensing/terms/). |
| Connectivity | All Windows Autopatch devices require connectivity to multiple Microsoft service endpoints from the corporate network. For the full list of required IPs and URLs, see [Configure your network](../prepare/windows-autopatch-configure-network.md). |
| Azure Active Directory | Azure Active Directory must either be the source of authority for all user accounts, or user accounts must be synchronized from on-premises Active Directory using the latest supported version of Azure Active Directory Connect to enable Hybrid Azure Active Directory join. At a minimum, the Windows Update, Device configuration and Office Click-to-Run apps workloads must be set to Pilot Intune or Intune. You must also ensure that the devices you intend on bringing to Windows Autopatch are in the targeted device collection. For more information, see Co-management requirements for Windows Autopatch below. Other device management prerequisites include: For more information on co-management, see [Co-management for Windows devices](/mem/configmgr/comanage/overview). |
+| Device management | Windows Autopatch devices must be managed by Microsoft Intune. Intune must be set as the Mobile Device Management (MDM) authority or co-management must be turned on and enabled on the target devices. At a minimum, the Windows Update, Device configuration and Office Click-to-Run apps workloads must be set to Pilot Intune or Intune. You must also ensure that the devices you intend on bringing to Windows Autopatch are in the targeted device collection. For more information, see Co-management requirements for Windows Autopatch below. Other device management prerequisites include: See [Register your devices](/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices) for more details on device pre-requisites and on how the device registration process works.
+
+For more information on co-management, see [Co-management for Windows devices](/mem/configmgr/comanage/overview). |
| Data and privacy | For more information on Windows Autopatch privacy practices, see [Windows Autopatch Privacy](../references/windows-autopatch-privacy.md). |
## More about licenses
Windows Autopatch is included with Window 10/11 Enterprise E3 or higher. The following are the other licenses that grant entitlement to Windows Autopatch:
-- Windows 10/11 Enterprise E3
-- Windows 10/11 Enterprise E5
-- Microsoft 365 E3
-- Microsoft 365 E5
+| License | ID | GUID number |
+| ----- | ----- | ------|
+| [Microsoft 365 E3](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | SPE_E3 | 05e9a617-0261-4cee-bb44-138d3ef5d965 |
+| [Microsoft 365 E5](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | SPE_E5 | 06ebc4ee-1bb5-47dd-8120-11324bc54e06 |
+| [Windows 10/11 Enterprise E3](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | WIN10_VDA_E3 | 6a0f6da5-0b87-4190-a6ae-9bb5a2b9546a |
+| [Windows 10/11 Enterprise E5](/azure/active-directory/enterprise-users/licensing-service-plan-reference) | WIN10_VDA_E5 | 488ba24a-39a9-4473-8ee5-19291e71b002 |
+| [Windows 10/11 Enterprise VDA](/windows/deployment/deploy-enterprise-licenses#virtual-desktop-access-vda) | E3_VDA_only | d13ef257-988a-46f3-8fce-f47484dd4550 |
The following Windows 64-bit editions are required for Windows Autopatch:
@@ -39,7 +44,7 @@ The following Windows 64-bit editions are required for Windows Autopatch:
- Windows 10/11 Enterprise
- Windows 10/11 Pro for Workstations
-## Co-management requirements
+## Configuration Manager Co-management requirements
Windows Autopatch fully supports co-management. The following co-management requirements apply:
diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-microsoft-365-policies.md b/windows/deployment/windows-autopatch/references/windows-autopatch-microsoft-365-policies.md
new file mode 100644
index 0000000000..92295357e9
--- /dev/null
+++ b/windows/deployment/windows-autopatch/references/windows-autopatch-microsoft-365-policies.md
@@ -0,0 +1,33 @@
+---
+title: Microsoft 365 Apps for enterprise update policies
+description: This article explains the Microsoft 365 Apps for enterprise policies in Windows Autopatch
+ms.date: 07/11/2022
+ms.prod: w11
+ms.technology: windows
+ms.topic: conceptual
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+msreviewer: hathind
+---
+
+# Microsoft 365 Apps for enterprise update policies
+
+## Conflicting and unsupported policies
+
+Deploying any of the following policies to a managed device will make that device ineligible for management since the device will prevent us from delivering the service as designed.
+
+### Update policies
+
+Window Autopatch deploys mobile device management (MDM) policies to configure Microsoft 365 Apps and requires a specific configuration. If any [Microsoft 365 Apps update settings](/deployoffice/configure-update-settings-microsoft-365-apps) are deployed which conflict with our policies, then the device won't be eligible for management.
+
+| Update setting | Value | Usage reason |
+| ----- | ----- | ----- |
+| Set updates to occur automatically | Enabled | Enable automatic updates |
+| Specify a location to look for updates | Blank | Don't use this setting since it overwrites the update branch |
+| Update branch | Monthly Enterprise | Supported branch for Windows Autopatch |
+| Specify the version of Microsoft 365 Apps to update to | Variable | Used to roll back to a previous version if an error occurs |
+| Set a deadline by when updates must be applied | 3 | Update deadline |
+| Hide update notifications from users | Turned off | Users should be notified when Microsoft 365 Apps are being updated |
+| Hide the option to turn on or off automatic Office updates | Turned on | Prevents users from disabling automatic updates |
diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md b/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md
index ec15b0ace9..ee8956decd 100644
--- a/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md
+++ b/windows/deployment/windows-autopatch/references/windows-autopatch-privacy.md
@@ -28,7 +28,7 @@ The sources include Azure Active Directory (AD), Microsoft Intune, and Microsoft
| [Windows Update for Business](/windows/deployment/update/waas-manage-updates-wufb) | Uses Windows 10 Enterprise diagnostic data to provide additional information on Windows 10/11 update. |
| [Microsoft Endpoint Manager](/mem/endpoint-manager-overview) | Device management and to keep your data secure. The following data sources fall under Microsoft Endpoint Manager: Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **App rules** list. If you don't get this statement, it's possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation.
+>Enlightened apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process. Care must be taken to get a support statement from the software provider that their app is safe with Windows Information Protection before adding it to your **App rules** list. If you don't get this statement, it's possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation.
### Add a store app rule to your policy
For this example, we're going to add Microsoft OneNote, a store app, to the **App Rules** list.
@@ -278,7 +272,7 @@ For this example, we're going to add an AppLocker XML file to the **App Rules**
The file is imported and the apps are added to your **App Rules** list.
### Exempt apps from WIP restrictions
-If you're running into compatibility issues where your app is incompatible with WIP, but still needs to be used with enterprise data, you can exempt the app from the WIP restrictions. This means that your apps won't include auto-encryption or tagging and won't honor your network restrictions. It also means that your exempted apps might leak.
+If you're running into compatibility issues where your app is incompatible with Windows Information Protection (WIP), but still needs to be used with enterprise data, you can exempt the app from the WIP restrictions. This means that your apps won't include auto-encryption or tagging and won't honor your network restrictions. It also means that your exempted apps might leak.
**To exempt a store app, a desktop app, or an AppLocker policy file app rule**
diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
index 3fa8df029b..39ff0696bb 100644
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
+++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
@@ -2,13 +2,9 @@
title: Create a Windows Information Protection (WIP) policy with MDM using the Azure portal for Microsoft Intune (Windows 10)
description: Learn how to use the Azure portal for Microsoft Intune to create and deploy your Windows Information Protection (WIP) policy to protect data on your network.
ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
author: dansimp
ms.author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 05/13/2019
diff --git a/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md
index c81eea7fca..d097f3b77a 100644
--- a/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md
+++ b/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md
@@ -1,16 +1,11 @@
---
title: Deploy your Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune (Windows 10)
description: After you’ve created your Windows Information Protection (WIP) policy, you'll need to deploy it to your organization's enrolled devices.
-keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, Intune
ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 03/05/2019
diff --git a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
index a1dba47f5e..021ea7ed44 100644
--- a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
+++ b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
@@ -1,18 +1,12 @@
---
title: List of enlightened Microsoft apps for use with Windows Information Protection (WIP) (Windows 10)
description: Learn the difference between enlightened and unenlightened apps. Find out which enlightened apps are provided by Microsoft. Learn how to allow-list them.
-ms.assetid: 17c85ea3-9b66-4b80-b511-8f277cb4345f
ms.reviewer:
-keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection
ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 05/02/2019
@@ -37,7 +31,7 @@ Apps can be enlightened or unenlightened:
- Windows **Save As** experiences only allow you to save your files as enterprise.
-- **WIP-work only apps** are unenlightened line-of-business apps that have been tested and deemed safe for use in an enterprise with WIP and Mobile App Management (MAM) solutions without device enrollment. Unenlightened apps that are targeted by WIP without enrollment run under personal mode.
+- **Windows Information Protection-work only apps** are unenlightened line-of-business apps that have been tested and deemed safe for use in an enterprise with WIP and Mobile App Management (MAM) solutions without device enrollment. Unenlightened apps that are targeted by WIP without enrollment run under personal mode.
## List of enlightened Microsoft apps
Microsoft has made a concerted effort to enlighten several of our more popular apps, including the following:
@@ -75,10 +69,10 @@ Microsoft has made a concerted effort to enlighten several of our more popular a
- Microsoft To Do
> [!NOTE]
-> Microsoft Visio, Microsoft Office Access, Microsoft Project, and Microsoft Publisher are not enlightened apps and need to be exempted from WIP policy. If they are allowed, there is a risk of data loss. For example, if a device is workplace-joined and managed and the user leaves the company, metadata files that the apps rely on remain encrypted and the apps stop functioning.
+> Microsoft Visio, Microsoft Office Access, Microsoft Project, and Microsoft Publisher are not enlightened apps and need to be exempted from Windows Information Protection policy. If they are allowed, there is a risk of data loss. For example, if a device is workplace-joined and managed and the user leaves the company, metadata files that the apps rely on remain encrypted and the apps stop functioning.
## List of WIP-work only apps from Microsoft
-Microsoft still has apps that are unenlightened, but which have been tested and deemed safe for use in an enterprise with WIP and MAM solutions.
+Microsoft still has apps that are unenlightened, but which have been tested and deemed safe for use in an enterprise with Windows Information Protection and MAM solutions.
- Skype for Business
@@ -102,7 +96,7 @@ You can add any or all of the enlightened Microsoft apps to your allowed apps li
| PowerPoint Mobile | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US` After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on. |
+|Block |Windows Information Protection looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing enterprise data to non-enterprise-protected apps in addition to sharing enterprise data between apps or attempting to share outside of your organization’s network.|
+|Allow overrides |Windows Information Protection looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log.|
+|Silent |Windows Information Protection runs silently, logging inappropriate data sharing, without stopping anything that would’ve been prompted for employee interaction while in Allow overrides mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.|
+|Off |Windows Information Protection is turned off and doesn't help to protect or audit your data. After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn Windows Information Protection back on. |
## Turn off WIP
You can turn off all Windows Information Protection and restrictions, decrypting all devices managed by WIP and reverting to where you were pre-WIP, with no data loss. However, this isn’t recommended. If you choose to turn WIP off, you can always turn it back on, but your decryption and policy info won’t be automatically reapplied.
diff --git a/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md b/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md
index d5400291be..14f23ff7f7 100644
--- a/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md
+++ b/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md
@@ -1,16 +1,11 @@
---
title: Recommended URLs for Windows Information Protection (Windows 10)
description: Recommended URLs to add to your Enterprise Cloud Resources and Neutral Resources network settings, when used with Windows Information Protection (WIP).
-keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, WIP and Neutral Resources, WIP and Enterprise Cloud Resources
ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 03/25/2019
@@ -25,7 +20,7 @@ ms.reviewer:
>Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare).
-We recommend that you add the following URLs to the Enterprise Cloud Resources and Neutral Resources network settings when you create a WIP policy. If you are using Intune, the SharePoint entries may be added automatically.
+We recommend that you add the following URLs to the Enterprise Cloud Resources and Neutral Resources network settings when you create a Windows Information Protection policy. If you are using Intune, the SharePoint entries may be added automatically.
## Recommended Enterprise Cloud Resources
diff --git a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md
index 247a47ecf5..4f2fdaa90d 100644
--- a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md
+++ b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md
@@ -1,18 +1,12 @@
---
title: Testing scenarios for Windows Information Protection (WIP) (Windows 10)
description: A list of suggested testing scenarios that you can use to test Windows Information Protection (WIP) in your company.
-ms.assetid: 53db29d2-d99d-4db6-b494-90e2b3962ca2
ms.reviewer:
-keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection
ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 03/05/2019
diff --git a/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md b/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md
index c1188fad4b..78349eb5ab 100644
--- a/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md
+++ b/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md
@@ -1,16 +1,11 @@
---
title: Using Outlook on the web with WIP (Windows 10)
description: Options for using Outlook on the web with Windows Information Protection (WIP).
-keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, WIP and OWA configuration, OWA, Outlook Web access
ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/26/2019
diff --git a/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md b/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md
index cd707f5044..20d519622f 100644
--- a/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md
+++ b/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md
@@ -1,16 +1,11 @@
---
title: Determine the Enterprise Context of an app running in Windows Information Protection (WIP) (Windows 10)
description: Use the Task Manager to determine whether an app is considered work, personal or exempt by Windows Information Protection (WIP).
-keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, WIP and Task Manager, app context, enterprise context
ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/26/2019
@@ -29,7 +24,7 @@ Use Task Manager to check the context of your apps while running in Windows Info
## Viewing the Enterprise Context column in Task Manager
You need to add the Enterprise Context column to the **Details** tab of the Task Manager.
-1. Make sure that you have an active WIP policy deployed and turned on in your organization.
+1. Make sure that you have an active Windows Information Protection policy deployed and turned on in your organization.
2. Open the Task Manager (taskmgr.exe), click the **Details** tab, right-click in the column heading area, and click **Select columns**.
@@ -50,7 +45,7 @@ The **Enterprise Context** column shows you what each app can do with your enter
- **Personal.** Shows the text, *Personal*. This app is considered non-work-related and can't touch any work data or resources.
-- **Exempt.** Shows the text, *Exempt*. WIP policies don't apply to these apps (such as, system components).
+- **Exempt.** Shows the text, *Exempt*. Windows Information Protection policies don't apply to these apps (such as, system components).
> [!Important]
> Enlightened apps can change between Work and Personal, depending on the data being touched. For example, Microsoft Word 2016 shows as **Personal** when an employee opens a personal letter, but changes to **Work** when that same employee opens the company financials.
diff --git a/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md b/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md
index 0c0339615a..054bdf5247 100644
--- a/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md
+++ b/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md
@@ -20,7 +20,6 @@ ms.technology: windows-sec
# Monitor the use of removable storage devices
-
This topic for the IT professional describes how to monitor attempts to use removable storage devices to access network resources. It describes how to use advanced security auditing options to monitor dynamic access control objects.
If you configure this policy setting, an audit event is generated each time a user attempts to copy, move, or save a resource to a removable storage device.
@@ -29,34 +28,34 @@ Use the following procedures to monitor the use of removable storage devices and
Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings.
-> [!NOTE]
+> [!NOTE]
> When a policy to audit removable storage is pushed to a computer, a new [Security Descriptor](/windows/win32/secauthz/audit-generation) needs to be applied to all removable storage devices with the audit settings. The [security descriptor for a device](/windows-hardware/drivers/kernel/controlling-device-access) can be set up either when the device is installed, or by setting up the [device properties in the registry](/windows-hardware/drivers/kernel/setting-device-object-registry-properties-after-installation), which is done by calling a [device installation function](/previous-versions/ff541299(v=vs.85)). This may require the device to restart to apply the new security descriptor.
-
-**To configure settings to monitor removable storage devices**
-1. Sign in to your domain controller by using domain administrator credentials.
-2. In Server Manager, point to **Tools**, and then click **Group Policy Management**.
-3. In the console tree, right-click the flexible access Group Policy Object on the domain controller, and then click **Edit**.
-4. Double-click **Computer Configuration**, double-click **Security Settings**, double-click **Advanced Audit Policy Configuration**, double-click **Object Access**, and then double-click **Audit Removable Storage**.
-5. Select the **Configure the following audit events** check box, select the **Success** check box (and the **Failure** check box, if desired), and then click **OK**.
-6. If you selected the **Failure** check box, double-click **Audit Handle Manipulation**, select the **Configure the following audit events check box**, and then select **Failure**.
-7. Click **OK**, and then close the Group Policy Management Editor.
+## To configure settings to monitor removable storage devices
+
+1. Sign in to your domain controller by using domain administrator credentials.
+2. In Server Manager, point to **Tools**, and then click **Group Policy Management**.
+3. In the console tree, right-click the flexible access Group Policy Object on the domain controller, and then click **Edit**.
+4. Double-click **Computer Configuration**, double-click **Policies**, double-click **Windows Settings**, double-click **Security Settings**, double-click **Advanced Audit Policy Configuration**, double-click **Object Access**, and then double-click **Audit Removable Storage**.
+5. Select the **Configure the following audit events** check box, select the **Success** check box (and the **Failure** check box, if desired), and then click **OK**.
+6. If you selected the **Failure** check box, double-click **Audit Handle Manipulation**, select the **Configure the following audit events check box**, and then select **Failure**.
+7. Click **OK**, and then close the Group Policy Management Editor.
After you configure the settings to monitor removable storage devices, use the following procedure to verify that the settings are active.
-**To verify that removable storage devices are monitored**
+## To verify that removable storage devices are monitored
-1. Sign in to the computer that hosts the resources that you want to monitor. Press the Windows key + R, and then type **cmd** to open a Command Prompt window.
+1. Sign in to the computer that hosts the resources that you want to monitor. Press the Windows key + R, and then type **cmd** to open a Command Prompt window.
> [!NOTE]
> If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click **Yes**.
-
-2. Type **gpupdate /force**, and press ENTER.
-3. Connect a removable storage device to the targeted computer and attempt to copy a file that is protected with the Removable Storage Audit policy.
-4. In Server Manager, click **Tools**, and then click **Event Viewer**.
-5. Expand **Windows Logs**, and then click **Security**.
-6. Look for event 4663, which logs successful attempts to write to or read from a removable storage device. Failures will log event 4656. Both events include **Task Category = Removable Storage device**.
-
+
+2. Type **gpupdate /force**, and press ENTER.
+3. Connect a removable storage device to the targeted computer and attempt to copy a file that is protected with the Removable Storage Audit policy.
+4. In Server Manager, click **Tools**, and then click **Event Viewer**.
+5. Expand **Windows Logs**, and then click **Security**.
+6. Look for event 4663, which logs successful attempts to write to or read from a removable storage device. Failures will log event 4656. Both events include **Task Category = Removable Storage device**.
+
For more information, see [Audit Removable Storage](audit-removable-storage.md).
Key information to look for includes the name and account domain of the user who attempted to access the file, the object that the user is attempting to access, resource attributes of the resource, and the type of access that was attempted.
@@ -66,7 +65,8 @@ After you configure the settings to monitor removable storage devices, use the f
> [!NOTE]
> We do not recommend that you enable this category on a file server that hosts file shares on a removable storage device. When Removable Storage Auditing is configured, any attempt to access the removable storage device will generate an audit event.
-
+
### Related resource
-- [Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md)
\ No newline at end of file
+- [Using advanced security auditing options to monitor dynamic access control objects](using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md)
+- [Microsoft Defender for Endpoint Device Control Removable Storage Access Control](/microsoft-365/security/defender-endpoint/device-control-removable-storage-access-control)
diff --git a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
index 4d66697518..4a0981cf1f 100644
--- a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
@@ -75,9 +75,10 @@ Set the following registry keys to enable HVCI. This provides exactly the same s
> [!IMPORTANT]
+>
> - Among the commands that follow, you can choose settings for **Secure Boot** and **Secure Boot with DMA**. In most situations, we recommend that you choose **Secure Boot**. This option provides Secure Boot with as much protection as is supported by a given computer’s hardware. A computer with input/output memory management units (IOMMUs) will have Secure Boot with DMA protection. A computer without IOMMUs will simply have Secure Boot enabled.
>
-> In contrast, with **Secure Boot with DMA**, the setting will enable Secure Boot—and VBS itself—only on a computer that supports DMA, that is, a computer with IOMMUs. With this setting, any computer without IOMMUs will not have VBS or HVCI protection, although it can still have WDAC enabled.
+> - In contrast, with **Secure Boot with DMA**, the setting will enable Secure Boot—and VBS itself—only on a computer that supports DMA, that is, a computer with IOMMUs. With this setting, any computer without IOMMUs will not have VBS or HVCI protection, although it can still have Windows Defender Application Control enabled.
>
> - All drivers on the system must be compatible with virtualization-based protection of code integrity; otherwise, your system may fail. We recommend that you enable these features on a group of test computers before you enable them on users' computers.
@@ -312,7 +313,7 @@ C. If you experience a critical error during boot or your system is unstable aft
## HVCI deployment in virtual machines
-HVCI can protect a Hyper-V virtual machine, just as it would a physical machine. The steps to enable WDAC are the same from within the virtual machine.
+HVCI can protect a Hyper-V virtual machine, just as it would a physical machine. The steps to enable Windows Defender Application Control are the same from within the virtual machine.
WDAC protects against malware running in the guest virtual machine. It does not provide additional protection from the host administrator. From the host, you can disable WDAC for a virtual machine:
diff --git a/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md b/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
index 21f2516780..82d351a624 100644
--- a/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
+++ b/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
@@ -24,7 +24,7 @@ Windows 10 includes a set of hardware and OS technologies that, when configured
WDAC policies and HVCI are powerful protections that can be used separately. However, when these two technologies are configured to work together, they present a strong protection capability for Windows 10 devices.
-Using WDAC to restrict devices to only authorized apps has these advantages over other solutions:
+Using Windows Defender Application Control to restrict devices to only authorized apps has these advantages over other solutions:
1. WDAC policy is enforced by the Windows kernel itself, and the policy takes effect early in the boot sequence before nearly all other OS code and before traditional antivirus solutions run.
2. WDAC lets you set application control policy for code that runs in user mode, kernel mode hardware and software drivers, and even code that runs as part of Windows.
@@ -37,7 +37,7 @@ When we originally promoted Device Guard, we did so with a specific security pro
WDAC has no specific hardware or software requirements other than running Windows 10, which means customers were denied the benefits of this powerful application control capability due to Device Guard confusion.
-Since the initial release of Windows 10, the world has witnessed numerous hacking and malware attacks where application control alone could have prevented the attack altogether. With this in mind, we now discuss and document WDAC as an independent technology within our security stack and gave it a name of its own: [Windows Defender Application Control](../windows-defender-application-control/windows-defender-application-control.md).
+Since the initial release of Windows 10, the world has witnessed numerous hacking and malware attacks where application control alone could have prevented the attack altogether. With this in mind, we now discuss and document Windows Defender Application Control as an independent technology within our security stack and gave it a name of its own: [Windows Defender Application Control](../windows-defender-application-control/windows-defender-application-control.md).
We hope this change will help us better communicate options for adopting application control within your organizations.
## Related articles
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml
index 3e5afc56d4..b641427ea4 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml
@@ -44,7 +44,7 @@ sections:
To make sure the FQDNs (Fully Qualified Domain Names) for the “PAC file” and the “proxy servers the PAC file redirects to” are added as Neutral Resources in the Network Isolation policies used by Application Guard, you can:
- Verify this by going to edge://application-guard-internals/#utilities and entering the FQDN for the pac/proxy in the “check url trust” field and verifying that it says “Neutral”.
- - It must be a FQDN. A simple IP address will not work.
+ - It must be an FQDN. A simple IP address won't work.
- Optionally, if possible, the IP addresses associated with the server hosting the above should be removed from the Enterprise IP Ranges in the Network Isolation policies used by Application Guard.
- question: |
@@ -53,7 +53,7 @@ sections:
Application Guard requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as `192.168.1.4:81` can be annotated as `itproxy:81` or using a record such as `P19216810010` for a proxy with an IP address of `192.168.100.10`. This applies to Windows 10 Enterprise edition, version 1709 or higher. These would be for the proxy policies under Network Isolation in Group Policy or Intune.
- question: |
- Which Input Method Editors (IME) in 19H1 are not supported?
+ Which Input Method Editors (IME) in 19H1 aren't supported?
answer: |
The following Input Method Editors (IME) introduced in Windows 10, version 1903 are currently not supported in Microsoft Defender Application Guard:
@@ -73,17 +73,15 @@ sections:
- question: |
I enabled the hardware acceleration policy on my Windows 10 Enterprise, version 1803 deployment. Why are my users still only getting CPU rendering?
answer: |
- This feature is currently experimental only and is not functional without an additional registry key provided by Microsoft. If you would like to evaluate this feature on a deployment of Windows 10 Enterprise, version 1803, contact Microsoft and we’ll work with you to enable the feature.
+ This feature is currently experimental only and isn't functional without an additional registry key provided by Microsoft. If you would like to evaluate this feature on a deployment of Windows 10 Enterprise, version 1803, contact Microsoft and we’ll work with you to enable the feature.
- question: |
What is the WDAGUtilityAccount local account?
answer: |
- WDAGUtilityAccount is part of Application Guard, beginning with Windows 10, version 1709 (Fall Creators Update). It remains disabled by default, unless Application Guard is enabled on your device. WDAGUtilityAccount is used to sign in to the Application Guard container as a standard user with a random password. It is NOT a malicious account. If *Run as a service* permissions are revoked for this account, you might see the following error:
+ WDAGUtilityAccount is part of Application Guard, beginning with Windows 10, version 1709 (Fall Creators Update). It remains disabled by default, unless Application Guard is enabled on your device. WDAGUtilityAccount is used to sign in to the Application Guard container as a standard user with a random password. It is NOT a malicious account. It requires *Logon as a service* permissions to be able to function correctly. If this permission is denied, you might see the following error:
**Error: 0x80070569, Ext error: 0x00000001; RDP: Error: 0x00000000, Ext error: 0x00000000 Location: 0x00000000**
- We recommend that you do not modify this account.
-
- question: |
How do I trust a subdomain in my site list?
answer: |
@@ -92,35 +90,35 @@ sections:
- question: |
Are there differences between using Application Guard on Windows Pro vs Windows Enterprise?
answer: |
- When using Windows Pro or Windows Enterprise, you have access to using Application Guard in Standalone Mode. However, when using Enterprise you have access to Application Guard in Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode does not. For more information, see [Prepare to install Microsoft Defender Application Guard](./install-md-app-guard.md).
+ When using Windows Pro or Windows Enterprise, you have access to using Application Guard in Standalone Mode. However, when using Enterprise you have access to Application Guard in Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode doesn't. For more information, see [Prepare to install Microsoft Defender Application Guard](./install-md-app-guard.md).
- question: |
Is there a size limit to the domain lists that I need to configure?
answer: |
- Yes, both the Enterprise Resource domains that are hosted in the cloud and the domains that are categorized as both work and personal have a 1,6383 bytes limit.
+ Yes, both the Enterprise Resource domains that are hosted in the cloud and the domains that are categorized as both work and personal have a 1,6383-byte limit.
- question: |
Why does my encryption driver break Microsoft Defender Application Guard?
answer: |
- Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (**0x80070013 ERROR_WRITE_PROTECT**).
+ Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard doesn't work and results in an error message (**0x80070013 ERROR_WRITE_PROTECT**).
- question: |
Why do the Network Isolation policies in Group Policy and CSP look different?
answer: |
- There is not a one-to-one mapping among all the Network Isolation policies between CSP and GP. Mandatory network isolation policies to deploy Application Guard are different between CSP and GP.
+ There's not a one-to-one mapping among all the Network Isolation policies between CSP and GP. Mandatory network isolation policies to deploy Application Guard are different between CSP and GP.
- Mandatory network isolation GP policy to deploy Application Guard: **DomainSubnets or CloudResources**
- Mandatory network isolation CSP policy to deploy Application Guard: **EnterpriseCloudResources or (EnterpriseIpRange and EnterpriseNetworkDomainNames)**
- - For EnterpriseNetworkDomainNames, there is no mapped CSP policy.
+ - For EnterpriseNetworkDomainNames, there's no mapped CSP policy.
- Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (**0x80070013 ERROR_WRITE_PROTECT**).
+ Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard doesn't work and results in an error message (**0x80070013 ERROR_WRITE_PROTECT**).
- question: |
Why did Application Guard stop working after I turned off hyperthreading?
answer: |
- If hyperthreading is disabled (because of an update applied through a KB article or through BIOS settings), there is a possibility Application Guard no longer meets the minimum requirements.
+ If hyperthreading is disabled (because of an update applied through a KB article or through BIOS settings), there's a possibility Application Guard no longer meets the minimum requirements.
- question: |
Why am I getting the error message "ERROR_VIRTUAL_DISK_LIMITATION"?
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
index 576cbdac19..60dacaca16 100644
--- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
@@ -27,7 +27,7 @@ Microsoft Defender SmartScreen protects against phishing or malware websites and
**Microsoft Defender SmartScreen determines whether a site is potentially malicious by:**
-- Analyzing visited webpages looking for indications of suspicious behavior. If Microsoft Defender SmartScreen determines that a page is suspicious, it will show a warning page to advise caution.
+- Analyzing visited webpages and looking for indications of suspicious behavior. If Microsoft Defender SmartScreen determines that a page is suspicious, it will show a warning page to advise caution.
- Checking the visited sites against a dynamic list of reported phishing sites and malicious software sites. If it finds a match, Microsoft Defender SmartScreen shows a warning to let the user know that the site might be malicious.
@@ -41,24 +41,24 @@ Microsoft Defender SmartScreen protects against phishing or malware websites and
Microsoft Defender SmartScreen provide an early warning system against websites that might engage in phishing attacks or attempt to distribute malware through a socially engineered attack. The primary benefits are:
-- **Anti-phishing and anti-malware support.** Microsoft Defender SmartScreen helps to protect users from sites that are reported to host phishing attacks or attempt to distribute malicious software. It can also help protect against deceptive advertisements, scam sites, and drive-by attacks. Drive-by attacks are web-based attacks that tend to start on a trusted site, targeting security vulnerabilities in commonly used software. Because drive-by attacks can happen even if the user does not click or download anything on the page, the danger often goes unnoticed. For more info about drive-by attacks, see [Evolving Microsoft Defender SmartScreen to protect you from drive-by attacks](https://blogs.windows.com/msedgedev/2015/12/16/SmartScreen-drive-by-improvements/#3B7Bb8bzeAPq8hXE.97)
+- **Anti-phishing and anti-malware support:** Microsoft Defender SmartScreen helps to protect users from sites that are reported to host phishing attacks or attempt to distribute malicious software. It can also help protect against deceptive advertisements, scam sites, and drive-by attacks. Drive-by attacks are web-based attacks that tend to start on a trusted site, targeting security vulnerabilities in commonly used software. Because drive-by attacks can happen even if the user does not click or download anything on the page, the danger often goes unnoticed. For more information about drive-by attacks, see [Evolving Microsoft Defender SmartScreen to protect you from drive-by attacks](https://blogs.windows.com/msedgedev/2015/12/16/SmartScreen-drive-by-improvements/#3B7Bb8bzeAPq8hXE.97)
-- **Reputation-based URL and app protection.** Microsoft Defender SmartScreen evaluates a website's URLs to determine if they're known to distribute or host unsafe content. It also provides reputation checks for apps, checking downloaded programs and the digital signature used to sign a file. If a URL, a file, an app, or a certificate has an established reputation, users won't see any warnings. If, however, there's no reputation, the item is marked as a higher risk and presents a warning to the user.
+- **Reputation-based URL and app protection:** Microsoft Defender SmartScreen evaluates a website's URLs to determine if they're known to distribute or host unsafe content. It also provides reputation checks for apps, checking downloaded programs and the digital signature used to sign a file. If a URL, a file, an app, or a certificate has an established reputation, users won't see any warnings. If, however, there's no reputation, the item is marked as a higher risk and presents a warning to the user.
-- **Operating system integration.** Microsoft Defender SmartScreen is integrated into the Windows 10 operating system. It checks any files an app (including 3rd-party browsers and email clients) attempts to download and run.
+- **Operating system integration:** Microsoft Defender SmartScreen is integrated into the Windows 10 operating system. It checks any files an app (including 3rd-party browsers and email clients) that attempts to download and run.
-- **Improved heuristics and diagnostic data.** Microsoft Defender SmartScreen is constantly learning and endeavoring to stay up to date, so it can help to protect you against potentially malicious sites and files.
+- **Improved heuristics and diagnostic data:** Microsoft Defender SmartScreen is constantly learning and endeavoring to stay up to date, so it can help to protect you against potentially malicious sites and files.
-- **Management through Group Policy and Microsoft Intune.** Microsoft Defender SmartScreen supports using both Group Policy and Microsoft Intune settings. For more info about all available settings, see [Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings](microsoft-defender-smartscreen-available-settings.md).
+- **Management through Group Policy and Microsoft Intune:** Microsoft Defender SmartScreen supports using both Group Policy and Microsoft Intune settings. For more info about all available settings, see [Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings](microsoft-defender-smartscreen-available-settings.md).
-- **Blocking URLs associated with potentially unwanted applications.** In Microsoft Edge (based on Chromium), SmartScreen blocks URLs associated with potentially unwanted applications, or PUAs. For more information on blocking URLs associated with PUAs, see [Detect and block potentially unwanted applications](/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus).
+- **Blocking URLs associated with potentially unwanted applications:** In Microsoft Edge (based on Chromium), SmartScreen blocks URLs associated with potentially unwanted applications, or PUAs. For more information on blocking URLs associated with PUAs, see [Detect and block potentially unwanted applications](/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus).
> [!IMPORTANT]
> SmartScreen protects against malicious files from the internet. It does not protect against malicious files on internal locations or network shares, such as shared folders with UNC paths or SMB/CIFS shares.
## Submit files to Microsoft Defender SmartScreen for review
-If you believe a warning or block was incorrectly shown for a file or application, or if you believe an undetected file is malware, you can [submit a file](https://www.microsoft.com/wdsi/filesubmission/) to Microsoft for review. For more info, see [Submit files for analysis](../intelligence/submission-guide.md).
+If you believe a warning or block was incorrectly shown for a file or application, or if you believe an undetected file is malware, you can [submit a file](https://www.microsoft.com/wdsi/filesubmission/) to Microsoft for review. For more information, see [Submit files for analysis](../intelligence/submission-guide.md).
When submitting Microsoft Defender SmartScreen products, make sure to select **Microsoft Defender SmartScreen** from the product menu.
@@ -67,7 +67,7 @@ When submitting Microsoft Defender SmartScreen products, make sure to select **M
## Viewing Microsoft Defender SmartScreen anti-phishing events
> [!NOTE]
-> No SmartScreen events will be logged when using Microsoft Edge version 77 or later.
+> No SmartScreen events will be logged when using Microsoft Edge version 77 or later.
When Microsoft Defender SmartScreen warns or blocks a user from a website, it's logged as [Event 1035 - Anti-Phishing](/previous-versions/windows/internet-explorer/ie-developer/compatibility/dd565657(v=vs.85)).
@@ -94,3 +94,4 @@ wevtutil sl Microsoft-Windows-SmartScreen/Debug /e:true
- [SmartScreen Frequently Asked Questions](https://fb.smartscreen.microsoft.com/smartscreenfaq.aspx)
- [Threat protection](../index.md)
- [Available Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings](/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings)
+- [Configuration service provider reference](/windows/client-management/mdm/configuration-service-provider-reference.md#configuration-service-provider-reference)
\ No newline at end of file
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md
index 3463eceedc..1c229713a8 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md
@@ -75,7 +75,7 @@ This section describes how an attacker might exploit a feature or its configurat
### Vulnerability
-Enabling this policy setting allows a user’s account on one computer to be associated with an online identity, such as Microsoft account or an Azure AD account. That account can then log on to a peer device (if the peer device is likewise configured) without the use of a Windows logon account (domain or local). This setup is not only beneficial, but required for Azure AD joined devices, where they are signed in with an online identity and are issued certificates by Azure AD. This policy may not be relevant for an *on-premises only* environment and might circumvent established security policies. However, it does not pose any threats in a hybrid environment where Azure AD is used as it relies on the user's online identity and Azure AD to authenticate.
+Enabling this policy setting allows a user’s account on one computer to be associated with an online identity, such as Microsoft account or an Azure AD account. That account can then log on to a peer device (if the peer device is likewise configured) without the use of a Windows logon account (domain or local). This setup is not only beneficial, but required for Azure AD-joined devices, where they are signed in with an online identity and are issued certificates by Azure AD. This policy may not be relevant for an *on-premises only* environment and might circumvent established security policies. However, it does not pose any threats in a hybrid environment where Azure AD is used as it relies on the user's online identity and Azure AD to authenticate.
### Countermeasure
diff --git a/windows/security/threat-protection/security-policy-settings/security-policy-settings.md b/windows/security/threat-protection/security-policy-settings/security-policy-settings.md
index a0a8270da7..305941019b 100644
--- a/windows/security/threat-protection/security-policy-settings/security-policy-settings.md
+++ b/windows/security/threat-protection/security-policy-settings/security-policy-settings.md
@@ -23,6 +23,7 @@ ms.technology: windows-sec
**Applies to**
- Windows 10
+- Windows 11
This reference topic describes the common scenarios, architecture, and processes for security settings.
@@ -404,4 +405,4 @@ To ensure that data is copied correctly, you can use Group Policy Management Con
| - | - |
| [Administer security policy settings](administer-security-policy-settings.md) | This article discusses different methods to administer security policy settings on a local device or throughout a small- or medium-sized organization.|
| [Configure security policy settings](how-to-configure-security-policy-settings.md) | Describes steps to configure a security policy setting on the local device, on a domain-joined device, and on a domain controller.|
-| [Security policy settings reference](security-policy-settings-reference.md) | This reference of security settings provides information about how to implement and manage security policies, including setting options and security considerations.|
\ No newline at end of file
+| [Security policy settings reference](security-policy-settings-reference.md) | This reference of security settings provides information about how to implement and manage security policies, including setting options and security considerations.|
diff --git a/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/debugging-operational-guide-appid-tagging-policies.md b/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/debugging-operational-guide-appid-tagging-policies.md
index 19a27eb4d3..7b909e6fb0 100644
--- a/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/debugging-operational-guide-appid-tagging-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/debugging-operational-guide-appid-tagging-policies.md
@@ -27,13 +27,13 @@ ms.technology: windows-sec
- Windows Server 2016 and above
> [!NOTE]
-> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
+> Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
After deployment of the WDAC AppId Tagging policy, WDAC will log a 3099 policy deployed event in the [Event Viewer logs](../event-id-explanations.md). You first should ensure that the policy has been successfully deployed onto the system by verifying the presence of the 3099 event.
## Verifying Tags on Running Processes
-After verifying the policy has been deployed, the next step is to verify that the application processes you expect to pass the AppId Tagging policy have your tag set. Note that processes running at the time of policy deployment will need to be restarted since WDAC can only tag processes created after the policy has been deployed.
+After verifying the policy has been deployed, the next step is to verify that the application processes you expect to pass the AppId Tagging policy have your tag set. Note that processes running at the time of policy deployment will need to be restarted since Windows Defender Application Control (WDAC) can only tag processes created after the policy has been deployed.
1. Download and Install the Windows Debugger
diff --git a/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md b/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md
index a8ac5aafd1..07dfa8e8f7 100644
--- a/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/deploy-appid-tagging-policies.md
@@ -29,10 +29,10 @@ ms.technology: windows-sec
> [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
-Similar to WDAC Application Control policies, WDAC AppId Tagging policies can be deployed locally and to your managed endpoints several ways. Once you've created your AppId Tagging policy, use one of the following methods to deploy:
+Similar to Windows Defender Application Control (WDAC) policies, WDAC AppId Tagging policies can be deployed locally and to your managed endpoints several ways. Once you've created your AppId Tagging policy, use one of the following methods to deploy:
1. [Deploy AppId Tagging Policies with MDM](#deploy-appid-tagging-policies-with-mdm)
-1. [Deploy policies with MEMCM](#deploy-appid-tagging-policies-with-memcm)
+1. [Deploy policies with Configuration Manager](#deploy-appid-tagging-policies-with-configuration-manager)
1. [Deploy policies using scripting](#deploy-appid-tagging-policies-via-scripting)
1. [Deploy using the ApplicationControl CSP](#deploying-policies-via-the-applicationcontrol-csp)
@@ -40,13 +40,13 @@ Similar to WDAC Application Control policies, WDAC AppId Tagging policies can be
Custom AppId Tagging policies can be deployed to endpoints using [the OMA-URI feature in MDM](../deploy-windows-defender-application-control-policies-using-intune.md#deploy-wdac-policies-with-custom-oma-uri).
-## Deploy AppId Tagging Policies with MEMCM
+## Deploy AppId Tagging Policies with Configuration Manager
-Custom AppId Tagging policies can deployed via MEMCM using the [deployment task sequences](/deployment/deploy-windows-defender-application-control-policies-with-memcm.md#deploy-custom-wdac-policies-using-packagesprograms-or-task-sequences), policies can be deployed to your managed endpoints and users.
+Custom AppId Tagging policies can deployed via Configuration Manager using the [deployment task sequences](/deployment/deploy-windows-defender-application-control-policies-with-memcm.md#deploy-custom-wdac-policies-using-packagesprograms-or-task-sequences), policies can be deployed to your managed endpoints and users.
### Deploy AppId Tagging Policies via Scripting
-Scripting hosts can be used to deploy AppId Tagging policies as well. This approach is often best suited for local deployment, but works for deployment to managed endpoints and users too. The [Deploy WDAC policies using script article](/deployment/deploy-wdac-policies-with-script.md) describes how to deploy WDAC AppId Tagging policies via scripting. Only the method for deploying to version 1903 and above is applicable for AppId Tagging policies.
+Scripting hosts can be used to deploy AppId Tagging policies as well. This approach is often best suited for local deployment, but works for deployment to managed endpoints and users too. The [Deploy Windows Defender Application Control policies using script article](/deployment/deploy-wdac-policies-with-script.md) describes how to deploy WDAC AppId Tagging policies via scripting. Only the method for deploying to version 1903 and above is applicable for AppId Tagging policies.
### Deploying policies via the ApplicationControl CSP
@@ -54,7 +54,7 @@ Multiple WDAC policies can be managed from an MDM server through ApplicationCont
However, when policies are unenrolled from an MDM server, the CSP will attempt to remove every policy from devices, not just the policies added by the CSP. The reason for this is that the ApplicationControl CSP doesn't track enrollment sources for individual policies, even though it will query all policies on a device, regardless if they were deployed by the CSP.
-For more information, see [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp) to deploy multiple policies, and optionally use MEM Intune's Custom OMA-URI capability.
+For more information, see [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp) to deploy multiple policies, and optionally use Microsoft Endpoint Manager Intune's Custom OMA-URI capability.
> [!NOTE]
-> WMI and GP do not currently support multiple policies. Instead, customers who can't directly access the MDM stack should use the [ApplicationControl CSP via the MDM Bridge WMI Provider](/windows/client-management/mdm/applicationcontrol-csp#powershell-and-wmi-bridge-usage-guidance) to manage Multiple Policy Format WDAC policies.
+> WMI and GP do not currently support multiple policies. Instead, customers who can't directly access the MDM stack should use the [ApplicationControl CSP via the MDM Bridge WMI Provider](/windows/client-management/mdm/applicationcontrol-csp#powershell-and-wmi-bridge-usage-guidance) to manage Multiple Policy Format Windows Defender Application Control policies.
diff --git a/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/design-create-appid-tagging-policies.md b/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/design-create-appid-tagging-policies.md
index e39893ba64..f89802b9f4 100644
--- a/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/design-create-appid-tagging-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/design-create-appid-tagging-policies.md
@@ -27,11 +27,11 @@ ms.technology: windows-sec
- Windows Server 2016 and above
> [!NOTE]
-> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
+> Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).
## Create the policy using the WDAC Wizard
-You can use the WDAC Wizard and the PowerShell commands to create an application control policy and convert it to an AppIdTagging policy. The WDAC Wizard is available for download at the [WDAC Wizard Installer site](https://aka.ms/wdacwizard). These PowerShell commands are only available on the supported platforms listed in [AppId Tagging Guide](./windows-defender-application-control-appid-tagging-guide.md).
+You can use the Windows Defender Application Control (WDAC) Wizard and the PowerShell commands to create an application control policy and convert it to an AppIdTagging policy. The WDAC Wizard is available for download at the [WDAC Wizard Installer site](https://aka.ms/wdacwizard). These PowerShell commands are only available on the supported platforms listed in [AppId Tagging Guide](./windows-defender-application-control-appid-tagging-guide.md).
1. Create a new base policy using the templates:
diff --git a/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/windows-defender-application-control-appid-tagging-guide.md b/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/windows-defender-application-control-appid-tagging-guide.md
index 97105395a8..3dca939ef9 100644
--- a/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/windows-defender-application-control-appid-tagging-guide.md
+++ b/windows/security/threat-protection/windows-defender-application-control/AppIdTagging/windows-defender-application-control-appid-tagging-guide.md
@@ -31,7 +31,7 @@ ms.technology: windows-sec
## AppId Tagging Feature Overview
-The Application ID (AppId) Tagging Policy feature, while based off WDAC, does not control whether applications will run. AppId Tagging policies can be used to mark the processes of the running application with a customizable tag defined in the policy. Application processes that pass the AppId policy will receive the tag while failing applications won't.
+The Application ID (AppId) Tagging Policy feature, while based off Windows Defender Application Control (WDAC), does not control whether applications will run. AppId Tagging policies can be used to mark the processes of the running application with a customizable tag defined in the policy. Application processes that pass the AppId policy will receive the tag while failing applications won't.
## AppId Tagging Feature Availability
diff --git a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md
index bea57dd3c8..e882f22e84 100644
--- a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md
+++ b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md
@@ -1,6 +1,6 @@
---
title: Allow LOB Win32 Apps on Intune-Managed S Mode Devices (Windows)
-description: Using WDAC supplemental policies, you can expand the S mode base policy on your Intune-managed devices.
+description: Using Windows Defender Application Control (WDAC) supplemental policies, you can expand the S mode base policy on your Intune-managed devices.
keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: m365-security
@@ -26,7 +26,7 @@ ms.technology: windows-sec
- Windows 11
>[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
+>Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
Beginning with the Windows 10 November 2019 update (build 18363), Microsoft Intune enables customers to deploy and run business critical Win32 applications and Windows components that are normally blocked in S mode (ex. PowerShell.exe) on their Intune-managed Windows in S mode devices.
@@ -39,7 +39,7 @@ Refer to the below video for an overview and brief demo.
The general steps for expanding the S mode base policy on your Intune-managed devices are to generate a supplemental policy, sign that policy, and then upload the signed policy to Intune and assign it to user or device groups. Because you need access to WDAC PowerShell cmdlets to generate your supplemental policy, you should create and manage your policies on a non-S mode device. Once the policy has been uploaded to Intune, we recommend assigning it to a single test S-mode device to verify expected functioning before deploying the policy more broadly.
-1. Generate a supplemental policy with WDAC tooling
+1. Generate a supplemental policy with Windows Defender Application Control tooling
This policy will expand the S mode base policy to authorize additional applications. Anything authorized by either the S mode base policy or your supplemental policy will be allowed to run. Your supplemental policies can specify filepath rules, trusted publishers, and more.
@@ -63,7 +63,7 @@ The general steps for expanding the S mode base policy on your Intune-managed de
Set-RuleOption -FilePath "
| **Home > Pro for Workstations** |  |  |  |  |  |  |
| **Home > Pro Education** |  |  |  |  |  |  |
| **Home > Education** |  |  |  |  |  |  |
-| **Pro > Pro for Workstations** |  |  |  | 
(MSfB) |  |  |
-| **Pro > Pro Education** |  |  |  | 
(MSfB) |  |  |
-| **Pro > Education** |  |  |  | 
(MSfB) |  |  |
-| **Pro > Enterprise** |  |  |  | 
(1703 - PC)
(1709 - MSfB) |  |  |
-| **Pro for Workstations > Pro Education** |  |  |  | 
(MSfB) |  |  |
-| **Pro for Workstations > Education** |  |  |  | 
(MSfB) |  |  |
-| **Pro for Workstations > Enterprise** |  |  |  | 
(1703 - PC)
(1709 - MSfB) |  |  |
-| **Pro Education > Education** |  |  |  | 
(MSfB) |  |  |
-| **Enterprise > Education** |  |  |  | 
(MSfB) |  |  |
+| **Pro > Pro for Workstations** |  |  |  | 
(Microsoft Store for Business) |  |  |
+| **Pro > Pro Education** |  |  |  | 
(Microsoft Store for Business) |  |  |
+| **Pro > Education** |  |  |  | 
(Microsoft Store for Business) |  |  |
+| **Pro > Enterprise** |  |  |  | 
(1703 - PC)
(1709 - Microsoft Store for Business) |  |  |
+| **Pro for Workstations > Pro Education** |  |  |  | 
(Microsoft Store for Business) |  |  |
+| **Pro for Workstations > Education** |  |  |  | 
(Microsoft Store for Business) |  |  |
+| **Pro for Workstations > Enterprise** |  |  |  | 
(1703 - PC)
(1709 - Microsoft Store for Business) |  |  |
+| **Pro Education > Education** |  |  |  | 
(Microsoft Store for Business) |  |  |
+| **Enterprise > Education** |  |  |  | 
(Microsoft Store for Business) |  |  |
> [!NOTE]
> - For information about upgrade paths in Windows 10 in S mode (for Pro or Education), check out [Windows 10 Pro/Enterprise in S mode](../windows-10-pro-in-s-mode.md)
diff --git a/windows/deployment/upgrade/windows-10-upgrade-paths.md b/windows/deployment/upgrade/windows-10-upgrade-paths.md
index 46541e996a..9bf1d82280 100644
--- a/windows/deployment/upgrade/windows-10-upgrade-paths.md
+++ b/windows/deployment/upgrade/windows-10-upgrade-paths.md
@@ -4,11 +4,7 @@ manager: dougeby
ms.author: aaroncz
description: You can upgrade to Windows 10 from a previous version of Windows if the upgrade path is supported.
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.localizationpriority: medium
-ms.pagetype: mobile
-audience: itpro
author: aczechowski
ms.topic: article
ms.collection: highpri
@@ -30,7 +26,7 @@ If you are also migrating to a different edition of Windows, see [Windows 10 edi
- **In-place upgrade from Windows 7, Windows 8.1, or [Windows 10 General Availability Channel](/windows/release-health/release-information)** to Windows 10 LTSC is not supported. Windows 10 LTSC 2015 did not block this in-place upgrade path. This issue was corrected in the Windows 10 LTSC 2016 release, which only allows data-only and clean install options.
- You can upgrade from Windows 10 LTSC to Windows 10 General Availability Channel, provided that you upgrade to the same or a newer build version. For example, Windows 10 Enterprise 2016 LTSB can be upgraded to Windows 10 Enterprise version 1607 or later. Upgrade is supported using the in-place upgrade process (using Windows setup). You will need to use the Product Key switch if you want to keep your apps. If you don't use the switch, the option **Keep personal files and apps** option is grayed out. The command line would be `setup.exe /pkey xxxxx-xxxxx-xxxxx-xxxxx-xxxxx`, using your relevant Windows 10 SAC product key. For example, if using a KMS, the command line would be `setup.exe /pkey NPPR9-FWDCX-D2C8J-H872K-2YT43`.
+ You can upgrade from Windows 10 LTSC to Windows 10 General Availability Channel, provided that you upgrade to the same or a newer build version. For example, Windows 10 Enterprise 2016 LTSB can be upgraded to Windows 10 Enterprise version 1607 or later. Upgrade is supported using the in-place upgrade process (using Windows setup). You will need to use the Product Key switch if you want to keep your apps. If you don't use the switch, the option **Keep personal files and apps** option is grayed out. The command line would be `setup.exe /pkey xxxxx-xxxxx-xxxxx-xxxxx-xxxxx`, using your relevant Windows 10 GA Channel product key. For example, if using a KMS, the command line would be `setup.exe /pkey NPPR9-FWDCX-D2C8J-H872K-2YT43`.
- **Windows N/KN**: Windows "N" and "KN" SKUs (editions without media-related functionality) follow the same upgrade paths shown below. If the pre-upgrade and post-upgrade editions are not the same type (e.g. Windows 8.1 Pro N to Windows 10 Pro), personal data will be kept but applications and settings will be removed during the upgrade process.
diff --git a/windows/deployment/upgrade/windows-error-reporting.md b/windows/deployment/upgrade/windows-error-reporting.md
index 74939a1ac1..c8f3986ed2 100644
--- a/windows/deployment/upgrade/windows-error-reporting.md
+++ b/windows/deployment/upgrade/windows-error-reporting.md
@@ -4,12 +4,7 @@ ms.reviewer:
manager: dougeby
ms.author: aaroncz
description: Learn how to review the events generated by Windows Error Reporting when something goes wrong during Windows 10 setup.
-keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: deploy
-audience: itpro
author: aczechowski
ms.localizationpriority: medium
ms.topic: article
diff --git a/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md b/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md
index f18c6db530..d07d93a95c 100644
--- a/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md
+++ b/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md
@@ -1,14 +1,10 @@
---
title: Windows Upgrade and Migration Considerations (Windows 10)
description: Discover the Microsoft tools you can use to move files and settings between installations, as well as special considerations for performing an upgrade or migration.
-ms.assetid: 7f85095c-5922-45e9-b28e-91b1263c7281
ms.reviewer:
manager: dougeby
ms.author: aaroncz
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: aczechowski
ms.topic: article
---
diff --git a/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md b/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md
index bd5d79739e..bd09b57aab 100644
--- a/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md
+++ b/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md
@@ -1,14 +1,10 @@
---
title: User State Migration Tool (USMT) - Getting Started (Windows 10)
description: Plan, collect, and prepare your source computer for migration using the User State Migration Tool (USMT).
-ms.assetid: 506ff1d2-94b8-4460-8672-56aad963504b
ms.reviewer:
manager: dougeby
ms.author: aaroncz
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: aczechowski
ms.topic: article
---
diff --git a/windows/deployment/usmt/migrate-application-settings.md b/windows/deployment/usmt/migrate-application-settings.md
index fa2338fdd9..1f3b261ab9 100644
--- a/windows/deployment/usmt/migrate-application-settings.md
+++ b/windows/deployment/usmt/migrate-application-settings.md
@@ -1,14 +1,10 @@
---
title: Migrate Application Settings (Windows 10)
description: Learn how to author a custom migration .xml file that migrates the settings of an application that isn't migrated by default using MigApp.xml.
-ms.assetid: 28f70a83-0a3e-4a6b-968a-2b78ccd3cc07
ms.reviewer:
manager: dougeby
ms.author: aaroncz
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: aczechowski
ms.date: 04/19/2017
ms.topic: article
diff --git a/windows/deployment/usmt/migration-store-types-overview.md b/windows/deployment/usmt/migration-store-types-overview.md
index 746682f4d8..4ad81de369 100644
--- a/windows/deployment/usmt/migration-store-types-overview.md
+++ b/windows/deployment/usmt/migration-store-types-overview.md
@@ -1,14 +1,10 @@
---
title: Migration Store Types Overview (Windows 10)
description: Learn about the migration store types and how to determine which migration store type best suits your needs.
-ms.assetid: 3b6ce746-76c6-43ff-8cd5-02ed0ae0cf70
ms.reviewer:
manager: dougeby
ms.author: aaroncz
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: aczechowski
ms.date: 04/19/2017
ms.topic: article
diff --git a/windows/deployment/usmt/offline-migration-reference.md b/windows/deployment/usmt/offline-migration-reference.md
index d3d5adc181..00215fe853 100644
--- a/windows/deployment/usmt/offline-migration-reference.md
+++ b/windows/deployment/usmt/offline-migration-reference.md
@@ -1,14 +1,10 @@
---
title: Offline Migration Reference (Windows 10)
description: Offline migration enables the ScanState tool to run inside a different Windows OS than the Windows OS from which ScanState is gathering files and settings.
-ms.assetid: f347547c-d601-4c3e-8f2d-0138edeacfda
ms.reviewer:
manager: dougeby
ms.author: aaroncz
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: aczechowski
ms.date: 04/19/2017
ms.topic: article
diff --git a/windows/deployment/usmt/understanding-migration-xml-files.md b/windows/deployment/usmt/understanding-migration-xml-files.md
index a958ea914b..01aac53236 100644
--- a/windows/deployment/usmt/understanding-migration-xml-files.md
+++ b/windows/deployment/usmt/understanding-migration-xml-files.md
@@ -1,14 +1,10 @@
---
title: Understanding Migration XML Files (Windows 10)
description: Learn how to modify the behavior of a basic User State Migration Tool (USMT) 10.0 migration by using XML files.
-ms.assetid: d3d1fe89-085c-4da8-9657-fd54b8bfc4b7
ms.reviewer:
manager: dougeby
ms.author: aaroncz
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: aczechowski
ms.date: 04/19/2017
ms.topic: article
diff --git a/windows/deployment/usmt/usmt-best-practices.md b/windows/deployment/usmt/usmt-best-practices.md
index c5c2dd15aa..ec06b1b5ab 100644
--- a/windows/deployment/usmt/usmt-best-practices.md
+++ b/windows/deployment/usmt/usmt-best-practices.md
@@ -2,14 +2,10 @@
title: USMT Best Practices (Windows 10)
description: This article discusses general and security-related best practices when using User State Migration Tool (USMT) 10.0.
ms.custom: seo-marvel-apr2020
-ms.assetid: e3cb1e78-4230-4eae-b179-e6e9160542d2
ms.reviewer:
manager: dougeby
ms.author: aaroncz
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: aczechowski
ms.date: 04/19/2017
ms.topic: article
diff --git a/windows/deployment/usmt/usmt-choose-migration-store-type.md b/windows/deployment/usmt/usmt-choose-migration-store-type.md
index 7f4625f2a6..9b20c0385e 100644
--- a/windows/deployment/usmt/usmt-choose-migration-store-type.md
+++ b/windows/deployment/usmt/usmt-choose-migration-store-type.md
@@ -1,14 +1,10 @@
---
title: Choose a Migration Store Type (Windows 10)
description: Learn how to choose a migration store type and estimate the amount of disk space needed for computers in your organization.
-ms.assetid: 4e163e90-9c57-490b-b849-2ed52ab6765f
ms.reviewer:
manager: dougeby
ms.author: aaroncz
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: aczechowski
ms.date: 04/19/2017
ms.topic: article
diff --git a/windows/deployment/usmt/usmt-command-line-syntax.md b/windows/deployment/usmt/usmt-command-line-syntax.md
index 828f838ae9..95be767505 100644
--- a/windows/deployment/usmt/usmt-command-line-syntax.md
+++ b/windows/deployment/usmt/usmt-command-line-syntax.md
@@ -1,14 +1,10 @@
---
title: User State Migration Tool (USMT) Command-line Syntax (Windows 10)
description: Learn about the User State Migration Tool (USMT) command-line syntax for using the ScanState tool, LoadState tool, and UsmtUtils tool.
-ms.assetid: f9d205c9-e824-46c7-8d8b-d7e4b52fd514
ms.reviewer:
manager: dougeby
ms.author: aaroncz
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: aczechowski
ms.date: 04/19/2017
ms.topic: article
diff --git a/windows/deployment/usmt/usmt-common-issues.md b/windows/deployment/usmt/usmt-common-issues.md
index 9e7bb9aacb..ade22cbde7 100644
--- a/windows/deployment/usmt/usmt-common-issues.md
+++ b/windows/deployment/usmt/usmt-common-issues.md
@@ -1,15 +1,11 @@
---
title: Common Issues (Windows 10)
description: Learn about common issues that you might see when you run the User State Migration Tool (USMT) 10.0 tools.
-ms.assetid: 5a37e390-8617-4768-9eee-50397fbbb2e1
ms.reviewer:
manager: dougeby
ms.author: aaroncz
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
ms.date: 09/19/2017
-audience: itpro
author: aczechowski
ms.topic: article
---
diff --git a/windows/deployment/usmt/usmt-common-migration-scenarios.md b/windows/deployment/usmt/usmt-common-migration-scenarios.md
index a223b4db6e..854bc6b73f 100644
--- a/windows/deployment/usmt/usmt-common-migration-scenarios.md
+++ b/windows/deployment/usmt/usmt-common-migration-scenarios.md
@@ -1,14 +1,10 @@
---
title: Common Migration Scenarios (Windows 10)
description: See how the User State Migration Tool (USMT) 10.0 is used when planning hardware and/or operating system upgrades.
-ms.assetid: 1d8170d5-e775-4963-b7a5-b55e8987c1e4
ms.reviewer:
manager: dougeby
ms.author: aaroncz
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: aczechowski
ms.date: 04/19/2017
ms.topic: article
diff --git a/windows/deployment/usmt/usmt-configxml-file.md b/windows/deployment/usmt/usmt-configxml-file.md
index 22bad03e5c..63388ac85d 100644
--- a/windows/deployment/usmt/usmt-configxml-file.md
+++ b/windows/deployment/usmt/usmt-configxml-file.md
@@ -1,14 +1,10 @@
---
title: Config.xml File (Windows 10)
description: Learn how the Config.xml file is an optional User State Migration Tool (USMT) 10.0 file that you can create using the /genconfig option with the ScanState.exe tool.
-ms.assetid: 9dc98e76-5155-4641-bcb3-81915db538e8
ms.reviewer:
manager: dougeby
ms.author: aaroncz
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: aczechowski
ms.date: 04/19/2017
ms.topic: article
diff --git a/windows/deployment/usmt/usmt-conflicts-and-precedence.md b/windows/deployment/usmt/usmt-conflicts-and-precedence.md
index 3deb500f90..2af6d73993 100644
--- a/windows/deployment/usmt/usmt-conflicts-and-precedence.md
+++ b/windows/deployment/usmt/usmt-conflicts-and-precedence.md
@@ -1,14 +1,10 @@
---
title: Conflicts and Precedence (Windows 10)
description: In this article, learn how User State Migration Tool (USMT) 10.0 deals with conflicts and precedence.
-ms.assetid: 0e2691a8-ff1e-4424-879b-4d5a2f8a113a
ms.reviewer:
manager: dougeby
ms.author: aaroncz
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: aczechowski
ms.date: 04/19/2017
ms.topic: article
diff --git a/windows/deployment/usmt/usmt-custom-xml-examples.md b/windows/deployment/usmt/usmt-custom-xml-examples.md
index 497ad18ac5..1d0f8da736 100644
--- a/windows/deployment/usmt/usmt-custom-xml-examples.md
+++ b/windows/deployment/usmt/usmt-custom-xml-examples.md
@@ -1,14 +1,10 @@
---
title: Custom XML Examples (Windows 10)
description: Use custom XML examples to learn how to migrate an unsupported application, migrate files and registry keys, and migrate the My Videos folder.
-ms.assetid: 48f441d9-6c66-43ef-91e9-7c78cde6fcc0
ms.reviewer:
manager: dougeby
ms.author: aaroncz
ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-audience: itpro
author: aczechowski
ms.topic: article
---
@@ -17,7 +13,7 @@ ms.topic: article
## Example 1: Migrating an Unsupported Application
-The following is a template for the sections that you need to migrate your application. The template is not functional on its own, but you can use it to write your own .xml file.
+The following is a template for the sections that you need to migrate your application. The template isn't functional on its own, but you can use it to write your own .xml file.
``` xml
-- **Windows 8.1** added support for a Windows 8.1 Pro to Windows 8.1 Enterprise in-place upgrade (considered a “repair upgrade” because the OS version was the same before and after). This was a lot easier than wipe-and-load, but it was still time-consuming.
-- **Windows 10, version 1507** added the ability to install a new product key using a provisioning package or using MDM to change the SKU. This required a reboot, which would install the new OS components, and took several minutes to complete. However, it was a lot quicker than in-place upgrade.
-- **Windows 10, version 1607** made a big leap forward. Now you can just change the product key and the SKU instantly changes from Windows 10 Pro to Windows 10 Enterprise. In addition to provisioning packages and MDM, you can just inject a key using SLMGR.VBS (which injects the key into WMI), so it became trivial to do this using a command line.
-- **Windows 10, version 1703** made this “step-up” from Windows 10 Pro to Windows 10 Enterprise automatic for those that subscribed to Windows 10 Enterprise E3 or E5 via the CSP program.
-- **Windows 10, version 1709** adds support for Windows 10 Subscription Activation, very similar to the CSP support but for large enterprises, enabling the use of Azure AD for assigning licenses to users. When those users sign in on an AD or Azure AD-joined machine, it automatically steps up from Windows 10 Pro to Windows 10 Enterprise.
-- **Windows 10, version 1803** updates Windows 10 Subscription Activation to enable pulling activation keys directly from firmware for devices that support firmware-embedded keys. It is no longer necessary to run a script to perform the activation step on Windows 10 Pro prior to activating Enterprise. For virtual machines and hosts running Windows 10, version 1803 [Inherited Activation](#inherited-activation) is also enabled.
+- **Windows 8.1** added support for a Windows 8.1 Pro to Windows 8.1 Enterprise in-place upgrade (considered a "repair upgrade" because the OS version was the same before and after). This was a lot easier than wipe-and-load, but it was still time-consuming.
+- **Windows 10, version 1507** added the ability to install a new product key using a provisioning package or using MDM to change the SKU. This required a reboot, which would install the new OS components, and took several minutes to complete. However, it was a lot quicker than in-place upgrade.
+- **Windows 10, version 1607** made a large leap forward. Now you can just change the product key and the SKU instantly changes from Windows 10 Pro to Windows 10 Enterprise. In addition to provisioning packages and MDM, you can just inject a key using SLMGR.VBS (which injects the key into WMI), so it became trivial to do this using a command line.
+- **Windows 10, version 1703** made this "step-up" from Windows 10 Pro to Windows 10 Enterprise automatic for those that subscribed to Windows 10 Enterprise E3 or E5 via the CSP program.
+- **Windows 10, version 1709** adds support for Windows 10 Subscription Activation, similar to the CSP support but for large enterprises, enabling the use of Azure AD for assigning licenses to users. When those users sign in on an AD or Azure AD-joined machine, it automatically steps up from Windows 10 Pro to Windows 10 Enterprise.
+- **Windows 10, version 1803** updates Windows 10 Subscription Activation to enable pulling activation keys directly from firmware for devices that support firmware-embedded keys. It's no longer necessary to run a script to perform the activation step on Windows 10 Pro prior to activating Enterprise. For virtual machines and hosts running Windows 10, version 1803 [Inherited Activation](#inherited-activation) is also enabled.
- **Windows 10, version 1903** updates Windows 10 Subscription Activation to enable step up from Windows 10 Pro Education to Windows 10 Education for those with a qualifying Windows 10 or Microsoft 365 subscription.
-- **Windows 11** updates Subscription Activation to work on both Windows 10 and Windows 11 devices. **Important**: Subscription activation does not update a device from Windows 10 to Windows 11. Only the edition is updated.
+- **Windows 11** updates Subscription Activation to work on both Windows 10 and Windows 11 devices. **Important**: Subscription activation doesn't update a device from Windows 10 to Windows 11. Only the edition is updated.
## Requirements
@@ -99,19 +95,19 @@ The following list illustrates how deploying Windows client has evolved with eac
> [!IMPORTANT]
> Currently, Subscription Activation is only available on commercial tenants and is currently not available on US GCC, GCC High, or DoD tenants.
-For Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA), you must have the following:
+For Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA), you must have the following requirements:
- Windows 10 (Pro or Enterprise) version 1703 or later installed on the devices to be upgraded. Windows 11 is considered a "later" version in this context.
- Azure Active Directory (Azure AD) available for identity management.
-- Devices must be Azure AD-joined or Hybrid Azure AD joined. Workgroup-joined or Azure AD registered devices are not supported.
+- Devices must be Azure AD-joined or Hybrid Azure AD joined. Workgroup-joined or Azure AD registered devices aren't supported.
-For Microsoft customers that do not have EA or MPSA, you can obtain Windows 10 Enterprise E3/E5 or A3/A5 through a cloud solution provider (CSP). Identity management and device requirements are the same when you use CSP to manage licenses, with the exception that Windows 10/11 Enterprise E3 is also available through CSP to devices running Windows 10, version 1607. For more information about obtaining Windows 10/11 Enterprise E3 through your CSP, see [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md).
+For Microsoft customers that don't have EA or MPSA, you can obtain Windows 10 Enterprise E3/E5 or A3/A5 through a cloud solution provider (CSP). Identity management and device requirements are the same when you use CSP to manage licenses, with the exception that Windows 10/11 Enterprise E3 is also available through CSP to devices running Windows 10, version 1607. For more information about obtaining Windows 10/11 Enterprise E3 through your CSP, see [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md).
-If devices are running Windows 7 or Windows 8.1, see [New Windows 10 upgrade benefits for Windows Cloud Subscriptions in CSP](https://www.microsoft.com/en-us/microsoft-365/blog/2017/01/19/new-windows-10-upgrade-benefits-windows-cloud-subscriptions-csp/)
+If devices are running Windows 7 or Windows 8.1, see [New Windows 10 upgrade benefits for Windows Cloud Subscriptions in CSP](https://www.microsoft.com/microsoft-365/blog/2017/01/19/new-windows-10-upgrade-benefits-windows-cloud-subscriptions-csp/)
#### Multifactor authentication
-An issue has been identified with Hybrid Azure AD joined devices that have enabled [multifactor authentication](/azure/active-directory/authentication/howto-mfa-getstarted) (MFA). If a user signs into a device using their Active Directory account and MFA is enabled, the device will not successfully upgrade to their Windows Enterprise subscription.
+An issue has been identified with Hybrid Azure AD-joined devices that have enabled [multifactor authentication](/azure/active-directory/authentication/howto-mfa-getstarted) (MFA). If a user signs into a device using their Active Directory account and MFA is enabled, the device won't successfully upgrade to their Windows Enterprise subscription.
To resolve this issue:
@@ -119,7 +115,7 @@ If the device is running Windows 10, version 1809 or later:
- Windows 10, version 1809 must be updated with [KB4497934](https://support.microsoft.com/help/4497934/windows-10-update-kb4497934). Later versions of Windows 10 automatically include this patch.
-- When the user signs in on a Hybrid Azure AD joined device with MFA enabled, a notification will indicate that there is a problem. Click the notification and then click **Fix now** to step through the subscription activation process. See the example below:
+- When the user signs in on a Hybrid Azure AD joined device with MFA enabled, a notification will indicate that there's a problem. Select the notification and then select **Fix now** to step through the subscription activation process. See the example below:
@@ -129,12 +125,15 @@ If the device is running Windows 10, version 1809 or later:
Organizations that use Azure Active Directory Conditional Access may want to exclude the Universal Store Service APIs and Web Application, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f from their all users all cloud apps MFA policy to avoid this issue.
+> [!NOTE]
+> The above recommendation also applies to Azure AD joined devices.
+
### Windows 10/11 Education requirements
- Windows 10 Pro Education, version 1903 or later installed on the devices to be upgraded.
- A device with a Windows 10 Pro Education digital license. You can confirm this information in **Settings > Update & Security > Activation**.
- The Education tenant must have an active subscription to Microsoft 365 with a Windows 10 Enterprise license or a Windows 10 Enterprise or Education subscription.
-- Devices must be Azure AD-joined or Hybrid Azure AD joined. Workgroup-joined or Azure AD registered devices are not supported.
+- Devices must be Azure AD-joined or Hybrid Azure AD joined. Workgroup-joined or Azure AD registered devices aren't supported.
> [!IMPORTANT]
> If Windows 10 Pro is converted to Windows 10 Pro Education by [using benefits available in Store for Education](/education/windows/change-to-pro-education#change-using-microsoft-store-for-education), then the feature will not work. You will need to re-image the device using a Windows 10 Pro Education edition.
@@ -142,18 +141,18 @@ Organizations that use Azure Active Directory Conditional Access may want to exc
## Benefits
-With Windows 10/11 Enterprise or Windows 10/11 Education, businesses and institutions can benefit from enterprise-level security and control. Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Windows 10/11 Education or Windows 10/11 Enterprise to their users. Now, with Windows 10/11 Enterprise E3 or A3 and E5 or A5 being available as a true online service, it is available in select channels thus allowing all organizations to take advantage of enterprise-grade Windows 10 features. To compare Windows 10 editions and review pricing, see the following:
+With Windows 10/11 Enterprise or Windows 10/11 Education, businesses and institutions can benefit from enterprise-level security and control. Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Windows 10/11 Education or Windows 10/11 Enterprise to their users. Now, with Windows 10/11 Enterprise E3 or A3 and E5 or A5 being available as a true online service, it's available in select channels thus allowing all organizations to take advantage of enterprise-grade Windows 10 features. To compare Windows 10 editions and review pricing, see the following:
-- [Compare Windows 10 editions](https://www.microsoft.com/windowsforbusiness/compare)
+- [Compare Windows 10 editions](https://www.microsoft.com/windowsforbusiness/compare)
- [Enterprise Mobility + Security Pricing Options](https://www.microsoft.com/cloud-platform/enterprise-mobility-security-pricing)
You can benefit by moving to Windows as an online service in the following ways:
- Licenses for Windows 10 Enterprise and Education are checked based on Azure Active Directory (Azure AD) credentials, so now businesses have a systematic way to assign licenses to end users and groups in their organization.
-- User logon triggers a silent edition upgrade, with no reboot required.
+- User sign-in triggers a silent edition upgrade, with no reboot required.
-- Support for mobile worker/BYOD activation; transition away from on-prem KMS and MAK keys.
+- Support for mobile worker/BYOD activation; transition away from on-premises KMS and MAK keys.
- Compliance support via seat assignment.
@@ -164,15 +163,15 @@ You can benefit by moving to Windows as an online service in the following ways:
> [!NOTE]
> The following Windows 10 examples and scenarios also apply to Windows 11.
-The device is AAD joined from **Settings > Accounts > Access work or school**.
+The device is Azure Active Directory-joined from **Settings > Accounts > Access work or school**.
The IT administrator assigns Windows 10 Enterprise to a user. See the following figure.
-When a licensed user signs in to a device that meets requirements using their Azure AD credentials, the operating system steps up from Windows 10 Pro to Windows 10 Enterprise (or Windows 10 Pro Education to Windows 10 Education) and all the appropriate Windows 10 Enterprise/Education features are unlocked. When a user’s subscription expires or is transferred to another user, the device reverts seamlessly to Windows 10 Pro / Windows 10 Pro Education edition, once current subscription validity expires.
+When a licensed user signs in to a device that meets requirements using their Azure AD credentials, the operating system steps up from Windows 10 Pro to Windows 10 Enterprise (or Windows 10 Pro Education to Windows 10 Education) and all the appropriate Windows 10 Enterprise/Education features are unlocked. When a user's subscription expires or is transferred to another user, the device reverts seamlessly to Windows 10 Pro / Windows 10 Pro Education edition, once current subscription validity expires.
-Devices running Windows 10 Pro Education, version 1903 or later can get Windows 10 Enterprise or Education General Availability Channel on up to five devices for each user covered by the license. This benefit does not include Long Term Servicing Channel.
+Devices running Windows 10 Pro Education, version 1903 or later can get Windows 10 Enterprise or Education General Availability Channel on up to five devices for each user covered by the license. This benefit doesn't include Long Term Servicing Channel.
The following figures summarize how the Subscription Activation model works:
@@ -184,32 +183,32 @@ After Windows 10, version 1903:
> [!NOTE]
>
-> - A Windows 10 Pro Education device will only step up to Windows 10 Education edition when “Windows 10 Enterprise” license is assigned from M365 Admin center (as of May 2019).
+> - A Windows 10 Pro Education device will only step up to Windows 10 Education edition when "Windows 10 Enterprise" license is assigned from M365 Admin center (as of May 2019).
>
-> - A Windows 10 Pro device will only step up to Windows 10 Enterprise edition when “Windows 10 Enterprise” license is assigned from M365 Admin center (as of May 2019).
+> - A Windows 10 Pro device will only step up to Windows 10 Enterprise edition when "Windows 10 Enterprise" license is assigned from M365 Admin center (as of May 2019).
### Scenarios
#### Scenario #1
-You are using Windows 10, version 1803 or above, and just purchased Windows 10 Enterprise E3 or E5 subscriptions (or have had an E3 or E5 subscription for a while but haven’t yet deployed Windows 10 Enterprise).
+You're using Windows 10, version 1803 or above, and purchased Windows 10 Enterprise E3 or E5 subscriptions (or have had an E3 or E5 subscription for a while but haven't yet deployed Windows 10 Enterprise).
All of your Windows 10 Pro devices will step-up to Windows 10 Enterprise, and devices that are already running Windows 10 Enterprise will migrate from KMS or MAK activated Enterprise edition to Subscription activated Enterprise edition when a Subscription Activation-enabled user signs in to the device.
#### Scenario #2
-Using Azure AD-joined devices or Active Directory-joined devices running Windows 10 1709 or later, and with Azure AD synchronization configured, just follow the steps in [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md) to acquire a $0 SKU and get a new Windows 10 Enterprise E3 or E5 license in Azure AD. Then, assign that license to all of your Azure AD users. These can be AD-synced accounts. The device will automatically change from Windows 10 Pro to Windows 10 Enterprise when that user signs in.
+Using Azure AD-joined devices or Active Directory-joined devices running Windows 10 1709 or later, and with Azure AD synchronization configured, just follow the steps in [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md) to acquire a $0 SKU and get a new Windows 10 Enterprise E3 or E5 license in Azure AD. Then, assign that license to all of your Azure AD users. These can be AD-synced accounts. The device will automatically change from Windows 10 Pro to Windows 10 Enterprise when that user signs in.
-In summary, if you have a Windows 10 Enterprise E3 or E5 subscription, but are still running Windows 10 Pro, it’s really simple (and quick) to move to Windows 10 Enterprise using one of the scenarios above.
+In summary, if you have a Windows 10 Enterprise E3 or E5 subscription, but are still running Windows 10 Pro, it's simple (and quick) to move to Windows 10 Enterprise using one of the scenarios above.
-If you’re running Windows 7, it can be more work. A wipe-and-load approach works, but it is likely to be easier to upgrade from Windows 7 Pro directly to Windows 10 Enterprise. This is a supported path, and completes the move in one step. This method also works if you are running Windows 8.1 Pro.
+If you're running Windows 7, it can be more work. A wipe-and-load approach works, but it's likely to be easier to upgrade from Windows 7 Pro directly to Windows 10 Enterprise. This path is supported, and completes the move in one step. This method also works if you're running Windows 8.1 Pro.
### Licenses
The following policies apply to acquisition and renewal of licenses on devices:
- Devices that have been upgraded will attempt to renew licenses about every 30 days, and must be connected to the Internet to successfully acquire or renew a license.
- If a device is disconnected from the Internet until its current subscription expires, the operating system will revert to Windows 10/11 Pro or Windows 10/11 Pro Education. As soon as the device is connected to the Internet again, the license will automatically renew.
-- Up to five devices can be upgraded for each user license. If the user license is used for a sixth device, the operating system on the computer to which a user has not logged in the longest will revert to Windows 10/11 Pro or Windows 10/11 Pro Education.
+- Up to five devices can be upgraded for each user license. If the user license is used for a sixth device, the operating system on the computer to which a user hasn't logged in the longest will revert to Windows 10/11 Pro or Windows 10/11 Pro Education.
- If a device meets the requirements and a licensed user signs in on that device, it will be upgraded.
Licenses can be reallocated from one user to another user, allowing you to optimize your licensing investment against changing needs.
@@ -218,14 +217,14 @@ When you have the required Azure AD subscription, group-based licensing is the p
### Existing Enterprise deployments
-If you are running Windows 10, version 1803 or later, Subscription Activation will automatically pull the firmware-embedded Windows 10 activation key and activate the underlying Pro License. The license will then step-up to Windows 10/11 Enterprise using Subscription Activation. This automatically migrates your devices from KMS or MAK activated Enterprise to Subscription activated Enterprise.
+If you're running Windows 10, version 1803 or later, Subscription Activation will automatically pull the firmware-embedded Windows 10 activation key and activate the underlying Pro License. The license will then step-up to Windows 10/11 Enterprise using Subscription Activation. This automatically migrates your devices from KMS or MAK activated Enterprise to Subscription activated Enterprise.
-Subscription Activation doesn’t remove the need to activate the underlying operating system, this is still a requirement for running a genuine installation of Windows.
+Subscription Activation doesn't remove the need to activate the underlying operating system, this is still a requirement for running a genuine installation of Windows.
> [!CAUTION]
> Firmware-embedded Windows 10 activation happens automatically only when we go through OOBE (Out Of Box Experience).
-If you are using Windows 10, version 1607, 1703, or 1709 and have already deployed Windows 10 Enterprise, but you want to move away from depending on KMS servers and MAK keys for Windows client machines, you can seamlessly transition as long as the computer has been activated with a firmware-embedded Windows 10 Pro product key.
+If you're using Windows 10, version 1607, 1703, or 1709 and have already deployed Windows 10 Enterprise, but you want to move away from depending on KMS servers and MAK keys for Windows client machines, you can seamlessly transition as long as the computer has been activated with a firmware-embedded Windows 10 Pro product key.
If the computer has never been activated with a Pro key, run the following script. Copy the text below into a `.cmd` file, and run the file from an elevated command prompt:
@@ -248,7 +247,7 @@ changepk.exe /ProductKey %ProductKey%
Since [WMIC was deprecated](/windows/win32/wmisdk/wmic) in Windows 10, version 21H1, you can use the following Windows PowerShell script instead:
```powershell
-$(Get-WmiObject SoftwareLicensingService).OA3xOriginalProductKey | foreach{ if ( $null -ne $_ ) { Write-Host "Installing"$_;.\changepk.exe /Productkey $_ } else { Write-Host "No key present" } }
+$(Get-WmiObject SoftwareLicensingService).OA3xOriginalProductKey | foreach{ if ( $null -ne $_ ) { Write-Host "Installing"$_;changepk.exe /Productkey $_ } else { Write-Host "No key present" } }
```
### Obtaining an Azure AD license
@@ -275,11 +274,11 @@ See [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md).
## Virtual Desktop Access (VDA)
-Subscriptions to Windows 10/11 Enterprise are also available for virtualized clients. Windows 10/11 Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Windows Azure or in another [qualified multitenant hoster](https://microsoft.com/en-us/CloudandHosting/licensing_sca.aspx).
+Subscriptions to Windows 10/11 Enterprise are also available for virtualized clients. Windows 10/11 Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Microsoft Azure or in another [qualified multitenant hoster](https://microsoft.com/en-us/CloudandHosting/licensing_sca.aspx).
Virtual machines (VMs) must be configured to enable Windows 10 Enterprise subscriptions for VDA. Active Directory-joined and Azure Active Directory-joined clients are supported. See [Enable VDA for Subscription Activation](vda-subscription-activation.md).
-## Related topics
+## Related articles
[Connect domain-joined devices to Azure AD for Windows 10 experiences](/azure/active-directory/devices/hybrid-azuread-join-plan)
[Compare Windows 10 editions](https://www.microsoft.com/WindowsForBusiness/Compare)
diff --git a/windows/deployment/windows-adk-scenarios-for-it-pros.md b/windows/deployment/windows-adk-scenarios-for-it-pros.md
index b09af1725f..a95ebcecdc 100644
--- a/windows/deployment/windows-adk-scenarios-for-it-pros.md
+++ b/windows/deployment/windows-adk-scenarios-for-it-pros.md
@@ -1,15 +1,11 @@
---
title: Windows ADK for Windows 10 scenarios for IT Pros (Windows 10)
description: The Windows Assessment and Deployment Kit (Windows ADK) contains tools that can be used by IT Pros to deploy Windows.
-ms.assetid: FC4EB39B-29BA-4920-87C2-A00D711AE48B
author: aczechowski
ms.author: aaroncz
manager: dougeby
ms.prod: w10
-ms.mktglfcycl: deploy
ms.localizationpriority: medium
-ms.sitesec: library
-audience: itpro
ms.date: 07/27/2017
ms.topic: article
---
diff --git a/windows/deployment/windows-autopatch/TOC.yml b/windows/deployment/windows-autopatch/TOC.yml
index 97e466d258..c56b83ed47 100644
--- a/windows/deployment/windows-autopatch/TOC.yml
+++ b/windows/deployment/windows-autopatch/TOC.yml
@@ -17,8 +17,9 @@
href: prepare/windows-autopatch-configure-network.md
- name: Enroll your tenant
href: prepare/windows-autopatch-enroll-tenant.md
- - name: Fix issues found by the Readiness assessment tool
- href: prepare/windows-autopatch-fix-issues.md
+ items:
+ - name: Fix issues found by the Readiness assessment tool
+ href: prepare/windows-autopatch-fix-issues.md
- name: Deploy
href: deploy/index.md
items:
@@ -32,33 +33,48 @@
- name: Update management
href: operate/windows-autopatch-update-management.md
items:
- - name: Windows quality updates
- href: operate/windows-autopatch-wqu-overview.md
- items:
- - name: Windows quality end user experience
- href: operate/windows-autopatch-wqu-end-user-exp.md
- - name: Windows quality update signals
- href: operate/windows-autopatch-wqu-signals.md
- - name: Windows quality update communications
+ - name: Windows updates
+ href:
+ items:
+ - name: Windows quality updates
+ href: operate/windows-autopatch-wqu-overview.md
+ items:
+ - name: Windows quality end user experience
+ href: operate/windows-autopatch-wqu-end-user-exp.md
+ - name: Windows quality update signals
+ href: operate/windows-autopatch-wqu-signals.md
+ - name: Windows feature updates
+ href: operate/windows-autopatch-fu-overview.md
+ items:
+ - name: Windows feature end user experience
+ href: operate/windows-autopatch-fu-end-user-exp.md
+ - name: Windows quality and feature update communications
href: operate/windows-autopatch-wqu-communications.md
- - name: Conflicting and unsupported policies
- href: operate/windows-autopatch-wqu-unsupported-policies.md
- name: Microsoft 365 Apps for enterprise
href: operate/windows-autopatch-microsoft-365-apps-enterprise.md
- name: Microsoft Edge
href: operate/windows-autopatch-edge.md
- name: Microsoft Teams
href: operate/windows-autopatch-teams.md
- - name: Deregister a device
- href: operate/windows-autopatch-deregister-devices.md
+ - name: Maintain the Windows Autopatch environment
+ href: operate/windows-autopatch-maintain-environment.md
- name: Submit a support request
href: operate/windows-autopatch-support-request.md
+ - name: Deregister a device
+ href: operate/windows-autopatch-deregister-devices.md
+ - name: Unenroll your tenant
+ href: operate/windows-autopatch-unenroll-tenant.md
- name: Reference
href:
items:
+ - name: Update policies
+ href:
+ items:
+ - name: Windows update policies
+ href: operate/windows-autopatch-wqu-unsupported-policies.md
+ - name: Microsoft 365 Apps for enterprise update policies
+ href: references/windows-autopatch-microsoft-365-policies.md
- name: Privacy
href: references/windows-autopatch-privacy.md
- name: Windows Autopatch preview addendum
- href: references/windows-autopatch-preview-addendum.md
-
-
+ href: references/windows-autopatch-preview-addendum.md
\ No newline at end of file
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts.md
index 47d7b8677c..7793b6cb5d 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-admin-contacts.md
@@ -31,7 +31,7 @@ Your admin contacts will receive notifications about support request updates and
| Area of focus | Description |
| ----- | ----- |
| Devices |
|
-| Updates |
|
+| Updates |
|
**To add admin contacts:**
diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
index 7dbed8bc97..1d44162fb9 100644
--- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md
@@ -1,7 +1,7 @@
---
title: Register your devices
description: This article details how to register devices in Autopatch
-ms.date: 05/31/2022
+ms.date: 07/06/2022
ms.prod: w11
ms.technology: windows
ms.topic: how-to
@@ -27,10 +27,10 @@ Windows Autopatch can take over software update management of supported devices
### About the use of an Azure AD group to register devices
-You must choose what devices to manage with Windows Autopatch by either adding them through direct membership or by nesting other Azure AD dynamic/assigned groups into the **Windows Autopatch Device Registration** Azure AD assigned group. Windows Autopatch automatically runs every hour to discover new devices added to this group. Once new devices are discovered, Windows Autopatch attempts to register these devices into its service.
+You must choose what devices to manage with Windows Autopatch by either adding them through direct membership or by nesting other Azure AD dynamic/assigned groups into the **Windows Autopatch Device Registration** Azure AD assigned group. Windows Autopatch automatically runs every hour to discover new devices added to this group. Once new devices are discovered, Windows Autopatch attempts to register these devices.
> [!NOTE]
-> All devices that are intended to be managed by the Windows Autopatch service **must** be added into the **Windows Autopatch Device Registration** Azure AD assigned group. Devices can only be added to this group if they have an Azure AD device ID. Windows Autopatch scans the Azure AD group hourly to discover newly added devices to be registered.
+> Devices that are intended to be managed by the Windows Autopatch service **must** be added into the **Windows Autopatch Device Registration** Azure AD assigned group. Devices can only be added to this group if they have an Azure AD device ID. Windows Autopatch scans the Azure AD group hourly to discover newly added devices to be registered. You can also use the **Discover devices** button in either the Ready or Not ready tab to register devices on demand.
#### Supported scenarios when nesting other Azure AD groups
@@ -38,53 +38,66 @@ Windows Autopatch also supports the following Azure AD nested group scenarios:
Azure AD groups synced up from:
-- On-premises Active Directory groups (Windows server type).
+- On-premises Active Directory groups (Windows Server AD).
- [Configuration Manager collections](/mem/configmgr/core/clients/manage/collections/create-collections#bkmk_aadcollsync).
+> [!WARNING]
+> It isn't recommended to sync Configuration Manager collections straight to the **Windows Autopatch Device Registration** Azure AD group. Use a different Azure AD group when syncing Configuration Manager collections to Azure AD groups then you can nest this or these groups into the **Windows Autopatch Device Registration** Azure AD group.
+
> [!IMPORTANT]
> The **Windows Autopatch Device Registration** Azure AD group only supports one level of Azure AD nested groups.
> [!TIP]
-> You can also use the **Discover Devices** button in either the Ready or Not ready tabs to discover devices from the Windows Autopatch Device Registration Azure AD group on demand.
+> You can also use the **Discover Devices** button in either the Ready or Not ready tab to discover devices from the Windows Autopatch Device Registration Azure AD group on demand.
-## Prerequisites
+### Clean up dual state of Hybrid Azure AD joined and Azure registered devices in your Azure AD tenant
+
+An [Azure AD dual state](/azure/active-directory/devices/hybrid-azuread-join-plan#handling-devices-with-azure-ad-registered-state) occurs when a device is initially connected to Azure AD as an [Azure AD Registered](/azure/active-directory/devices/concept-azure-ad-register) device. However, when you enable Hybrid Azure AD join, the same device is connected twice to Azure AD but as a [Hybrid Azure AD device](/azure/active-directory/devices/concept-azure-ad-join-hybrid).
+
+In the dual state, you end up having two Azure AD device records with different join types for the same device. In this case, the Hybrid Azure AD device record takes precedence over the Azure AD registered device record for any type of authentication in Azure AD, which makes the Azure AD registered device record stale.
+
+It's recommended to detect and clean up stale devices in Azure AD before registering devices with Windows Autopatch, see [How To: Manage state devices in Azure AD](/azure/active-directory/devices/manage-stale-devices).
+
+> [!WARNING]
+> If you don't clean up stale devices in Azure AD before registering devices with Windows Autopatch, you might end up seeing devices failing to meet the **Intune or Cloud-Attached (Device must be either Intune-managed or Co-managed)** pre-requisite check in the **Not ready** tab because it's expected that these stale Azure AD devices are not enrolled into the Intune service anymore.
+
+## Prerequisites for device registration
To be eligible for Windows Autopatch management, devices must meet a minimum set of required software-based prerequisites:
- [Supported Windows 10/11 Enterprise and Professional edition versions](/windows/release-health/supported-versions-windows-client)
- Either [Hybrid Azure AD-Joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) or [Azure AD-joined only](/azure/active-directory/devices/concept-azure-ad-join-hybrid) (personal devices aren't supported).
- Managed by Microsoft Endpoint Manager.
- - [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune) or [Co-management](/prepare/windows-autopatch-prerequisites.md#co-management-requirements).
- - [Switch Microsoft Endpoint Manager-Configuration Manager Co-management workloads to Microsoft Endpoint Manager-Intune](/mem/configmgr/comanage/how-to-switch-workloads) (either set to Pilot Intune or Intune). This includes the following workloads:
+ - [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune) and/or [Configuration Manager Co-management](/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites#configuration-manager-co-management-requirements).
+ - Must switch the following Microsoft Endpoint Manager-Configuration Manager [Co-management workloads](/mem/configmgr/comanage/how-to-switch-workloads) to Microsoft Endpoint Manager-Intune (either set to Pilot Intune or Intune):
- Windows updates policies
- Device configuration
- Office Click-to-run
-- Last Intune device check-in completed within the last 28 days.
+- Last Intune device check in completed within the last 28 days.
+- Devices must have Serial Number, Model and Manufacturer.
+ > [!NOTE]
+ > Windows Autopatch doesn't support device emulators that don't generate Serial number, Model and Manufacturer. Devices that use a non-supported device emulator fail the **Intune or Cloud-Attached** pre-requisite check. Additionally, devices with duplicated serial numbers will fail to register with Windows Autopatch.
-For more details on each prerequisite check, see the [Prerequisites](../prepare/windows-autopatch-prerequisites.md) article.
+See [Windows Autopatch Prerequisites](../prepare/windows-autopatch-prerequisites.md) for more details.
## About the Ready and Not ready tabs
-Windows Autopatch introduces a new user interface to help IT admins manage devices and troubleshoot device readiness statuses seamlessly with actionable in-UI device readiness reports for unregistered devices or unhealthy devices.
-
-> [!IMPORTANT]
-> The **Not ready** tab will not be available during the first week of the public preview.
+Windows Autopatch introduces a new user interface to help IT admins detect and troubleshoot device readiness statuses seamlessly with actionable in-UI device readiness reports for unregistered devices or unhealthy devices.
| Tab | Purpose |
| ----- | ----- |
-| Ready tab | The purpose of the Ready tab is to show devices that were successfully registered to the Windows Autopatch service and that have met post-registration device health requirements. |
-| Not ready tab | The purpose of the Not ready tab is to show devices that didn't successfully register into the Windows Autopatch service, or didn't pass one of the post-registration health requirements. This tab is intended to help customers identify and remediate devices that don't meet either pre or post-registration device readiness checks.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md
new file mode 100644
index 0000000000..8e6075fd7e
--- /dev/null
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-fu-overview.md
@@ -0,0 +1,106 @@
+---
+title: Windows feature updates
+description: This article explains how Windows feature updates are managed in Autopatch
+ms.date: 07/11/2022
+ms.prod: w11
+ms.technology: windows
+ms.topic: conceptual
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+msreviewer: hathind
+---
+
+# Windows feature updates
+
+## Service level objective
+
+Windows Autopatch aims to keep at least 99% of eligible devices on a supported version of Windows so that they can continue receiving Windows feature updates.
+
+## Device eligibility
+
+For a device to be eligible for Windows feature updates as a part of Windows Autopatch it must meet the following criteria:
+
+| Criteria | Description |
+| ----- | ----- |
+| Activity | Devices must have at least six hours of usage, with at least two hours being continuous since the start of the update. |
+| Intune sync | Devices must have checked with Intune within the last five days. |
+| Storage space | Devices must have more than one GB (GigaBytes) of free storage space. |
+| Deployed | Windows Autopatch doesn't update devices that haven't yet been deployed. |
+| Internet connectivity | Devices must have a steady internet connection, and access to Windows [update endpoints](../prepare/windows-autopatch-configure-network.md). |
+| Windows edition | Devices must be on a Windows edition supported by Windows Autopatch. For more information, see [Prerequisites](../prepare/windows-autopatch-prerequisites.md). |
+| Mobile device management (MDM) policy conflict | Devices must not have deployed any policies that would prevent device management. For more information, see [Conflicting and unsupported policies](../operate/windows-autopatch-wqu-unsupported-policies.md). |
+| Group policy conflict | Devices must not have group policies deployed which would prevent device management. For more information, see [Group policy](windows-autopatch-wqu-unsupported-policies.md#group-policy) |
+
+## Windows feature update releases
+
+When the service decides to move to a new version of Windows, the following update schedule is indicative of the minimum amount of time between rings during a rollout.
+
+The final release schedule is communicated prior to release and may vary a little from the following schedule to account for business weeks or other scheduling considerations. For example, Autopatch may decide to release to the Fast Ring after 62 days instead of 60, if 60 days after the release start was a weekend.
+
+| Ring | Timeline |
+| ----- | ----- |
+| Test | Release start |
+| First | Release start + 30 days |
+| Fast | Release start + 60 days |
+| Broad | Release start + 90 days |
+
+:::image type="content" source="../media/windows-feature-release-process-timeline.png" alt-text="Windows feature release timeline":::
+
+## New devices to Windows Autopatch
+
+If a device is enrolled and it's below Autopatch's currently targeted Windows feature update, that device will update to the service's target version within five days of meeting eligibility criteria.
+
+If a device is enrolled and it's on, or above the currently targeted Windows feature update, there won't be any change to that device.
+
+## Feature update configuration
+
+When releasing a feature update, there are two policies that are configured by the service to create the update schedule described in the previous section. You’ll see four of each of the following policies in your tenant, one for each ring:
+
+- **Modern Workplace DSS Policy**: This policy is used to control the target version of Windows.
+- **Modern Workplace Update Policy**: This policy is used to control deferrals and deadlines for feature and quality updates.
+
+| Ring | Target version (DSS) Policy | Feature update deferral | Feature update deadline | Feature update grace period |
+| ----- | ----- | ----- | ----- | ----- |
+| Test | 21H2 | 0 | 5 | 0 |
+| First | 21H2 | 0 | 5 | 0 |
+| Fast | 21H2 | 0 | 5 | 2 |
+| Broad | 21H2 | 0 | 5 | 2 |
+
+> [!NOTE]
+> Customers are not able to select a target version for their tenant.
+
+During a release, the service modifies the Modern Workplace DSS policy to change the target version for a specific ring in Intune. That change is deployed to devices and updates the devices prior to the update deadline.
+
+To understand how devices will react to the change in the Modern Workplace DSS policy, it's important to understand how deferral, deadline, and grace periods effect devices.
+
+| Policy | Description |
+| ----- | ----- |
+| [Deferrals](/windows/client-management/mdm/policy-csp-update#update-deferqualityupdatesperiodindays) | The deferral policy determines how many days after a release the feature update is offered to a device. The service maximizes control over feature updates by creating individual DSS policies for each ring and modifying the ring's DSS policy to change the target update version. Therefore, the feature update deferral policy for all rings is set to zero days so that a change in the DSS policy is released as soon as possible. |
+| [Deadlines](/windows/client-management/mdm/policy-csp-update#update-autorestartdeadlineperiodindays) | Before the deadline, restarts can be scheduled by users or automatically scheduled outside of active hours. After the deadline passes, restarts will occur regardless of active hours and users won't be able to reschedule. The deadline for a specific device is set to be the specified number of days after the update is offered to the device. |
+| [Grace periods](/windows/client-management/mdm/policy-csp-update#update-configuredeadlinegraceperiod) | This policy specifies a minimum number of days after an update is downloaded until the device is automatically restarted. This policy overrides the deadline policy so that if a user comes back from vacation, it prevents the device from forcing a restart to complete the update as soon as it comes online. |
+
+> [!IMPORTANT]
+> Deploying deferral, deadline, or grace period policies which conflict with Autopatch's policies will render a device ineligible for management. Also, if any update related to group policy settings are detected, the device will also be ineligible for management.
+
+## Windows 11 testing
+
+To allow customers to test Windows 11 in their environment, there's a separate DSS policy that enables you to test Windows 11 before broadly adopting within your environment. When you add devices to the **Modern Workplace - Windows 11 Pre-Release Test Devices** group they'll update to Windows 11.
+
+> [!IMPORTANT]
+> This group is intended for testing purposes only and shouldn't be used to broadly update to Windows 11 in your environment.
+
+## Pausing and resuming a release
+
+You can pause or resume a Windows feature update from the Release management tab in Microsoft Endpoint Manager.
+
+## Rollback
+
+Windows Autopatch doesn't support the rollback of feature updates.
+
+## Incidents and outages
+
+If devices in your tenant aren't meeting the [service level objective](#service-level-objective) for Windows feature updates, Autopatch will raise an incident will be raised. The Windows Autopatch Service Engineering Team will work to bring those devices onto the latest version of Windows.
+
+If you're experiencing other issues related to Windows feature updates, [submit a support request](../operate/windows-autopatch-support-request.md).
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md
new file mode 100644
index 0000000000..93e03a5de2
--- /dev/null
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-maintain-environment.md
@@ -0,0 +1,30 @@
+---
+title: Maintain the Windows Autopatch environment
+description: This article details how to maintain the Windows Autopatch environment
+ms.date: 07/11/2022
+ms.prod: w11
+ms.technology: windows
+ms.topic: how-to
+ms.localizationpriority: medium
+author: tiaraquan
+ms.author: tiaraquan
+manager: dougeby
+msreviewer: hathind
+---
+
+# Maintain the Windows Autopatch environment
+
+After you've completed enrollment in Windows Autopatch, some management settings might need to be adjusted. Use the following steps:
+
+1. Review the [Microsoft Intune settings](#microsoft-intune-settings) described in the following section.
+1. If any of the items apply to your environment, make the adjustments as described.
+
+> [!NOTE]
+> As your operations continue in the following months, if you make changes after enrollment to policies in Microsoft Intune, Azure Active Directory, or Microsoft 365 that affect Windows Autopatch, it's possible that Windows Autopatch could stop operating properly. To avoid problems with the service, check the specific settings described in [Fix issues found by the readiness assessment tool](../prepare/windows-autopatch-fix-issues.md) before you change the policies listed there.
+
+## Microsoft Intune settings
+
+| Setting | Description |
+| ----- | ----- |
+| Conditional access policies | If you create any new conditional access or multi-factor authentication policies related to Azure AD, or Microsoft Intune after Windows Autopatch enrollment, exclude the Modern Workplace Service Accounts Azure AD group from them. For more information, see [Conditional Access: Users and groups](/azure/active-directory/conditional-access/concept-conditional-access-users-groups). Windows Autopatch maintains separate conditional access policies to restrict access to these accounts.
|
+| Conditional access policy | Windows Autopatch will remove the Modern Workplace – Secure Workstation conditional access policy. |
+| Microsoft Endpoint Manager roles | Windows Autopatch will remove the Modern Workplace Intune Admin role. |
+
+## Your responsibilities after unenrolling your tenant
+
+| Responsibility | Description |
+| ----- | ----- |
+| Updates | After the Windows Autopatch service is unenrolled, we’ll no longer provide updates to your devices. You must ensure that your devices continue to receive updates through your own policies to ensure they're secure and up to date. |
+| Optional Windows Autopatch configuration | Windows Autopatch won’t remove the configuration policies or groups used to enable updates on your devices. You're responsible for these policies following tenant unenrollment. If you don’t wish to use these policies for your devices after unenrollment, you may safely delete them. |
+
+## Unenroll from Windows Autopatch
+
+**To unenroll from Windows Autopatch:**
+
+1. [Submit a support request](windows-autopatch-support-request.md) and request to unenroll from the Windows Autopatch service.
+1. The Windows Autopatch Service Engineering Team will communicate with your IT Administrator to confirm your intent to unenroll from the service.
+ 1. You'll have 14 days to review and confirm the communication sent by the Windows Autopatch Service Engineering Team.
+ 2. The Windows Autopatch Service Engineering Team can proceed sooner than 14 days if your confirmation arrives sooner.
+1. The Windows Autopatch Service Engineering Team will proceed with the removal of all items listed under [Microsoft's responsibilities during unenrollment](#microsofts-responsibilities-during-unenrollment).
+1. The Windows Autopatch Service Engineering Team will inform you when unenrollment is complete.
+1. You’re responsible for the items listed under [Your responsibilities after unenrolling your tenant](#your-responsibilities-after-unenrolling-your-tenant).
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md
index ac151e3512..04bdc38aae 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md
@@ -20,7 +20,8 @@ Keeping your devices up to date is a balance of speed and stability. Windows Aut
| Update type | Description |
| ----- | ----- |
-| Window quality update | Windows Autopatch uses four update rings to manage Windows quality updates. For more detailed information, see [Windows quality updates](../operate/windows-autopatch-wqu-overview.md). |
+| Windows quality update | Windows Autopatch uses four update rings to manage Windows quality updates. For more detailed information, see [Windows quality updates](../operate/windows-autopatch-wqu-overview.md). |
+| Windows feature update | Windows Autopatch uses four update rings to manage Windows feature updates. For more detailed information, see [Windows feature updates](windows-autopatch-fu-overview.md).
| Anti-virus definition | Updated with each scan. |
| Microsoft 365 Apps for enterprise | For more information, see [Microsoft 365 Apps for enterprise](windows-autopatch-microsoft-365-apps-enterprise.md). |
| Microsoft Edge | For more information, see [Microsoft Edge](../operate/windows-autopatch-edge.md). |
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-end-user-exp.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-end-user-exp.md
index 2636932319..555d20ee68 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-end-user-exp.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-end-user-exp.md
@@ -1,5 +1,5 @@
---
-title: End user experience
+title: Windows quality update end user experience
description: This article explains the Windows quality update end user experience
ms.date: 05/30/2022
ms.prod: w11
@@ -12,7 +12,7 @@ manager: dougeby
msreviewer: hathind
---
-# End user experience
+# Windows quality update end user experience
Windows Autopatch aims to deploy updates predictably while minimizing the effect to end users by preventing reboots during business hours.
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md
index 2eebfd6f24..e58e36cbfd 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md
@@ -72,5 +72,14 @@ If Windows Autopatch detects a [significant issue with a release](../operate/win
If we pause the release, a policy will be deployed which prevents devices from updating while the issue is investigated. Once the issue is resolved, the release will be resumed.
-> [!NOTE]
-> Windows Autopatch doesn't allow you to request that a release be paused or resumed during public preview.
+You can pause or resume a Windows quality update from the Release management tab in Microsoft Endpoint Manager.
+
+## Rollback
+
+Windows Autopatch will rollback updates if we detect a [significant issue with a release](../operate/windows-autopatch-wqu-signals.md).
+
+## Incidents and outages
+
+If devices in your tenant aren't meeting the [service level objective](../operate/windows-autopatch-wqu-overview.md#service-level-objective) for Windows quality updates, an incident will be raised, and the Windows Autopatch Service Engineering Team will work to bring the devices back into compliance.
+
+If you're experiencing other issues related to Windows quality updates, [submit a support request](../operate/windows-autopatch-support-request.md).
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-unsupported-policies.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-unsupported-policies.md
index 7495f42487..1ee72bdfda 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-unsupported-policies.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-unsupported-policies.md
@@ -1,7 +1,7 @@
---
-title: Conflicting and unsupported policies
-description: This article explains the conflicting and unsupported policies in Windows quality updates
-ms.date: 05/30/2022
+title: Windows update policies
+description: This article explains Windows update policies in Windows Autopatch
+ms.date: 07/07/2022
ms.prod: w11
ms.technology: windows
ms.topic: conceptual
@@ -12,11 +12,94 @@ manager: dougeby
msreviewer: hathind
---
-# Conflicting and unsupported policies
+# Windows update policies
+
+## Update rings for Windows 10 and later
+
+The following policies contain settings which apply to both Windows quality and feature updates. After onboarding there will be four of these policies in your tenant with the following naming convention:
+
+**Modern Workplace Update Policy [ring name] – [Windows Autopatch]**
+
+### Windows 10 and later update settings
+
+| Setting name | Test | First | Fast | Broad |
+| ----- | ----- | ----- | ----- | ----- |
+| Microsoft product updates | Allow | Allow | Allow | Allow |
+| Windows drivers | Allow | Allow | Allow | Allow |
+| Quality update deferral period | 0 | 1 | 6 | 9 |
+| Feature update deferral period | 0 | 0 | 0 | 0 |
+| Upgrade Windows 10 to latest Windows 11 release | No | No | No | No |
+| Set feature update uninstall period | 30 days | 30 days | 30 days | 30 days |
+| Servicing channel | General availability | General availability | General availability | General availability |
+
+### Windows 10 and later user experience settings
+
+| Setting name | Test | First | Fast | Broad |
+| ----- | ----- | ----- | ----- | ----- |
+| Automatic update behaviour | Reset to default | Reset to default | Reset to default | Reset to default |
+| Restart checks | Allow | Allow | Allow | Allow |
+| Option to pause updates | Disable | Disable | Disable | Disable |
+| Option to check for Windows updates | Default | Default | Default | Default |
+| Change notification update level | Default | Default | Default | Default |
+| Deadline for feature updates | 5 | 5 | 5 | 5 |
+| Deadline for quality updates | 0 | 2 | 2 | 5 |
+| Grace period | 0 | 2 | 2 | 2 |
+| Auto-restart before deadline | Yes | Yes | Yes | Yes |
+
+### Windows 10 and later assignments
+
+| Setting name | Test | First | Fast | Broad |
+| ----- | ----- | ----- | ----- | ----- |
+| Included groups | Modern Workplace Devices–Windows Autopatch-Test | Modern Workplace Devices–Windows Autopatch-First | Modern Workplace Devices–Windows Autopatch-Fast | Modern Workplace Devices–Windows Autopatch-Broad |
+| Excluded groups | None | None | None | None |
+
+## Feature update policies
+
+The service deploys policies using Microsoft Intune to control how feature updates are deployed to devices.
+
+### Feature updates for Windows 10 and later
+
+These policies control the minimum target version of Windows which a device is meant to accept. Throughout the rest of the article, you will see these policies referred to as DSS policies. After onboarding there will be four of these policies in your tenant with the following naming convention:
+
+**Modern Workplace DSS Policy [ring name]**
+
+#### Feature update deployment settings
+
+| Setting name | Test | First | Fast | Broad |
+| ----- | ----- | ----- | ----- | ----- |
+| Name | Current targeted version of Windows | Current targeted version of Windows | Current targeted version of Windows | Current targeted version of Windows |
+| Rollout options | Immediate start | Immediate start | Immediate start | Immediate start |
+
+#### Feature update policy assignments
+
+| Setting name | Test | First | Fast | Broad |
+| ----- | ----- | ----- | ----- | ----- |
+| Included groups | Modern Workplace Devices–Windows Autopatch-Test | Modern Workplace Devices–Windows Autopatch-First | Modern Workplace Devices–Windows Autopatch-Fast | Modern Workplace Devices–Windows Autopatch-Broad |
+| Excluded groups | Modern Workplace – Windows 11 Pre-Release Test Devices | Modern Workplace – Windows 11 Pre-Release Test Devices | Modern Workplace – Windows 11 Pre-Release Test Devices | Modern Workplace – Windows 11 Pre-Release Test Devices |
+
+#### Windows 11 testing
+
+To allow customers to test Windows 11 in their environment, there's a separate DSS policy which enables you to test Windows 11 before broadly adopting within your environment.
+
+##### Windows 11 deployment setting
+
+| Setting name | Test |
+| ----- | ----- |
+| Name | Windows 11 |
+| Rollout options | Immediate start |
+
+##### Windows 11 assignments
+
+| Setting name | Test |
+| ----- | ----- |
+| Included groups | Modern Workplace – Windows 11 Pre-Release Test Devices |
+| Excluded groups | None |
+
+## Conflicting and unsupported policies
Deploying any of the following policies to a Windows Autopatch device will make that device ineligible for management since the device will prevent us from delivering the service as designed.
-## Update policies
+### Update policies
Window Autopatch deploys mobile device management (MDM) policies to configure devices and requires a specific configuration. If any policies from the [Update Policy CSP](/windows/client-management/mdm/policy-csp-update) are deployed to devices that aren't on the permitted list, those devices will be excluded from management.
@@ -26,14 +109,8 @@ Window Autopatch deploys mobile device management (MDM) policies to configure de
| [Active hours end](/windows/client-management/mdm/policy-csp-update#update-activehoursend) | Update/ActiveHoursEnd | This policy controls the end of the protected window where devices won't reboot.
|
+| Deploy | Once you've enrolled your tenant, this section instructs you to:
|
+| Operate | This section includes the following information about your day-to-day life with the service:
+| References | This section includes the following articles:
|
-The following articles describe the mandatory steps to prepare for enrollment, including:
+### Have feedback or would like to start a discussion?
-- [Prerequisites](../prepare/windows-autopatch-prerequisites.md)
-- [Configure your network](../prepare/windows-autopatch-configure-network.md)
-- [Enroll your tenant with Windows Autopatch](../prepare/windows-autopatch-enroll-tenant.md)
-- [Fix issues found by the Readiness assessment tool](../prepare/windows-autopatch-fix-issues.md)
-
-### Deploy
-
-Once you're ready to enroll, this section includes the following articles:
-
-- [Add and verify admin contacts](../deploy/windows-autopatch-admin-contacts.md)
-- [Register your devices](../deploy/windows-autopatch-register-devices.md)
-
-### Operate
-
-This section includes the following information about your day-to-day life with the service:
-
-- [Update management](../operate/windows-autopatch-update-management.md)
-- [Submit a support request](../operate/windows-autopatch-support-request.md)
-- [Deregister a device](../operate/windows-autopatch-deregister-devices.md)
-
-### References
-
-This section includes the following articles:
-
-- [Privacy](../references/windows-autopatch-privacy.md)
-- [Windows Autopatch Preview Addendum](../references/windows-autopatch-preview-addendum.md)
+You can [provide feedback](https://go.microsoft.com/fwlink/?linkid=2195593) or start a discussion in our [Windows Autopatch Tech Community](https://aka.ms/Community/WindowsAutopatch).
diff --git a/windows/deployment/windows-autopatch/prepare/index.md b/windows/deployment/windows-autopatch/prepare/index.md
index 71ba6f2d78..903d732865 100644
--- a/windows/deployment/windows-autopatch/prepare/index.md
+++ b/windows/deployment/windows-autopatch/prepare/index.md
@@ -19,4 +19,4 @@ The following articles describe the steps you must take to onboard with Windows
1. [Review the prerequisites](windows-autopatch-prerequisites.md)
1. [Configure your network](windows-autopatch-configure-network.md)
1. [Enroll your tenant](windows-autopatch-enroll-tenant.md)
-1. [Fix issues found in the Readiness assessment tool](windows-autopatch-fix-issues.md)
+ 1. [Fix issues found in the Readiness assessment tool](windows-autopatch-fix-issues.md)
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md
index a1fb48b746..93a0fbe3bd 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-configure-network.md
@@ -32,7 +32,7 @@ The Windows Autopatch URL is used for anything our service runs on the customer
| Microsoft service | URLs required on allowlist |
| ----- | ----- |
-| Windows Autopatch |
|
+| Windows Autopatch |
|
### Required Microsoft product endpoints
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md
index c594bece89..99940fe13f 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md
@@ -1,7 +1,7 @@
---
title: Enroll your tenant
description: This article details how to enroll your tenant
-ms.date: 05/30/2022
+ms.date: 07/11/2022
ms.prod: w11
ms.technology: windows
ms.topic: how-to
@@ -16,7 +16,10 @@ msreviewer: hathind
Before you enroll in Windows Autopatch, there are settings and other parameters you must set ahead of time.
-The Readiness assessment tool, accessed through the [Windows Autopatch admin center](https://endpoint.microsoft.com/), checks management or configuration -related settings. This tool allows you to check the relevant settings and detailed steps to fix any settings that aren't configured properly for Windows Autopatch.
+> [!IMPORTANT]
+> You must be a Global Administrator to enroll your tenant.
+
+The Readiness assessment tool, accessed through the [Windows Autopatch admin center](https://endpoint.microsoft.com/), checks management or configuration-related settings. This tool allows you to check the relevant settings, and details steps to fix any settings that aren't configured properly for Windows Autopatch.
## Step 1: Review all prerequisites
@@ -27,18 +30,18 @@ To start using the Windows Autopatch service, ensure you meet the [Windows Autop
> [!IMPORTANT]
> The online Readiness assessment tool helps you check your readiness to enroll in Windows Autopatch for the first time. Once you enroll, you'll no longer be able to access the tool again.
-The Readiness assessment tool checks the settings in [Microsoft Endpoint Manager](#microsoft-intune-settings) (specifically, Microsoft Intune) and [Azure Active Directory](#azure-active-directory-settings) (Azure AD) to ensure they'll work with Windows Autopatch. We aren't, however, checking the workloads in Configuration Manager necessary for Windows Autopatch. For more information about workload prerequisites, see [Co-management requirements](../prepare/windows-autopatch-prerequisites.md#co-management-requirements).
+The Readiness assessment tool checks the settings in [Microsoft Endpoint Manager](#microsoft-intune-settings) (specifically, Microsoft Intune) and [Azure Active Directory](#azure-active-directory-settings) (Azure AD) to ensure they'll work with Windows Autopatch. We aren't, however, checking the workloads in Configuration Manager necessary for Windows Autopatch. For more information about workload prerequisites, see [Configuration Manager Co-management requirements](../prepare/windows-autopatch-prerequisites.md#configuration-manager-co-management-requirements).
**To access and run the Readiness assessment tool:**
> [!IMPORTANT]
-> You must be a Global Administrator to enroll your tenant.
+> You must be a Global Administrator to run the Readiness assessment tool.
1. Go to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).
2. In the left pane, select Tenant administration and then navigate to Windows Autopatch > **Tenant enrollment**.
> [!IMPORTANT]
-> If you don't see the Tenant enrollment blade, this is because you don't meet the prerequisites or the proper licenses. For more information, see [Windows Autopatch prerequisites](windows-autopatch-prerequisites.md).
+> If you don't see the Tenant enrollment blade, this is because you don't meet the prerequisites or the proper licenses. For more information, see [Windows Autopatch prerequisites](windows-autopatch-prerequisites.md#more-about-licenses).
A Global Administrator should be used to run this tool. Other roles, such as the Global Reader and Intune Administrator have insufficient permissions to complete the checks on Conditional Access Policies and Multi-factor Authentication. For more information about the extra permissions, see [Conditional access policies](../prepare/windows-autopatch-fix-issues.md#conditional-access-policies).
@@ -50,8 +53,8 @@ The following are the Microsoft Intune settings:
| Check | Description |
| ----- | ----- |
-| Update rings for Windows 10 or later | Verifies that Intune's Update rings for Windows 10 or later policy doesn't target all users or all devices. The policy shouldn't target any Windows Autopatch devices. |
-| Unlicensed admin | Verifies that this setting is enabled to avoid a "lack of permissions" error when we interact with your Azure Active Directory (AD) organization. |
+| Update rings for Windows 10 or later | Verifies that Intune's Update rings for Windows 10 or later policy doesn't target all users or all devices. Policies of this type shouldn't target any Windows Autopatch devices. For more information, see [Configure update rings for Windows 10 and later in Intune](/mem/intune/protect/windows-10-update-rings). |
+| Unlicensed admin | Verifies that this setting is enabled to avoid a "lack of permissions" error when we interact with your Azure Active Directory (AD) organization. For more information, see [Unlicensed admins in Microsoft Intune](/mem/intune/fundamentals/unlicensed-admins). |
### Azure Active Directory settings
@@ -59,38 +62,27 @@ The following are the Azure Active Directory settings:
| Check | Description |
| ----- | ----- |
-| Conditional access | Verifies that conditional access policies and multi-factor authentication aren't assigned to all users.
For more information, see [Tenant access](../references/windows-autopatch-privacy.md#tenant-access). |
| Security defaults | Checks whether your Azure Active Directory organization has security defaults enabled. |
| Licenses | Checks that you've obtained the necessary [licenses](../prepare/windows-autopatch-prerequisites.md#more-about-licenses). |
+### Check results
+
For each check, the tool will report one of four possible results:
| Result | Meaning |
| ----- | ----- |
| Ready | No action is required before completing enrollment. |
| Advisory | Follow the steps in the tool or this article for the best experience with enrollment and for users.
For more information, see [Manage Windows 10 software updates in Intune](/mem/intune/protect/windows-update-for-business-configure). |
+| Not ready | You have an "update ring" policy that targets all devices, all users, or both.
|
-| Device management | Windows Autopatch devices must be managed by Microsoft Intune. Intune must be set as the Mobile Device Management (MDM) authority or co-management must be turned on and enabled on the target devices.
| [Windows Autopatch](https://endpoint.microsoft.com/#home) | Data provided by the customer or generated by the service during running of the service. |
-| [Microsoft 365 Apps for enterprise](/microsoft-365/enterprise/compare-office-365-plans?rtc=1)| Management of Microsoft 365 Apps. |
+| [Microsoft 365 Apps for enterprise](https://www.microsoft.com/microsoft-365/enterprise/compare-office-365-plans)| Management of Microsoft 365 Apps. |
## Windows Autopatch data process and storage
@@ -58,11 +58,21 @@ Windows Autopatch only processes and stores system-level data from Windows 10 op
For more information about the diagnostic data collection of Microsoft Windows 10, see the [Where we store and process personal data](https://privacy.microsoft.com/privacystatement#mainwherewestoreandprocessdatamodule) section of the Microsoft Privacy Statement.
+## Tenant access
+
+Windows Autopatch creates and uses guest accounts leveraging just-in-time access functionality when signing into a customer tenant to manage the Windows Autopatch service. To provide additional locked down control, Windows Autopatch maintains a separate conditional access policy to restrict access to these accounts.
+
+| Account name | Usage | Mitigating controls |
+| ----- | ----- | -----|
+| MsAdmin@tenantDomain.onmicrosoft.com |
| Audited sign-ins |
+| MsAdminInt@tenantDomain.onmicrosoft.com |
|
v10c.events.data.microsoft.com
v10.vortex-win.data.microsoft.com |
-| [Windows Error Reporting](/windows/win32/wer/windows-error-reporting) | watson.telemetry.microsoft.com
watson.microsoft.com
umwatsonc.telemetry.microsoft.com
umwatsonc.events.data.microsoft.com
*-umwatsonc.events.data.microsoft.com
ceuswatcab01.blob.core.windows.net
ceuswatcab02.blob.core.windows.net
eaus2watcab01.blob.core.windows.net
eaus2watcab02.blob.core.windows.net
weus2watcab01.blob.core.windows.net
weus2watcab02.blob.core.windows.net |
+| [Windows Error Reporting](/windows/win32/wer/windows-error-reporting) | watson.telemetry.microsoft.com
umwatsonc.events.data.microsoft.com
*-umwatsonc.events.data.microsoft.com
ceuswatcab01.blob.core.windows.net
ceuswatcab02.blob.core.windows.net
eaus2watcab01.blob.core.windows.net
eaus2watcab02.blob.core.windows.net
weus2watcab01.blob.core.windows.net
weus2watcab02.blob.core.windows.net |
|Authentication | login.live.com
IMPORTANT: This endpoint is used for device authentication. We do not recommend disabling this endpoint.|
-| [Online Crash Analysis](/windows/win32/dxtecharts/crash-dump-analysis) | oca.telemetry.microsoft.com
oca.microsoft.com
kmwatsonc.telemetry.microsoft.com
*-kmwatsonc.telemetry.microsoft.com |
+| [Online Crash Analysis](/windows/win32/dxtecharts/crash-dump-analysis) | oca.telemetry.microsoft.com
oca.microsoft.com
kmwatsonc.events.data.microsoft.com
*-kmwatsonc.events.data.microsoft.com |
|Settings | settings-win.data.microsoft.com
IMPORTANT: This endpoint is used to remotely configure diagnostics-related settings and data collection. For example, we use the settings endpoint to remotely block an event from being sent back to Microsoft. We do not recommend disabling this endpoint. This endpoint does not upload Windows diagnostic data. |
### Data access
@@ -260,6 +255,9 @@ Use [Policy Configuration Service Provider (CSP)](/windows/client-management/mdm
## Enable Windows diagnostic data processor configuration
+> [!IMPORTANT]
+> There are some significant changes planned for diagnostic data processor configuration. To learn more, [review this information](changes-to-windows-diagnostic-data-collection.md#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration).
+
The Windows diagnostic data processor configuration enables you to be the controller, as defined by the European Union General Data Protection Regulation (GDPR), for the Windows diagnostic data collected from your Windows devices that meet the configuration requirements.
### Prerequisites
@@ -269,7 +267,7 @@ The Windows diagnostic data processor configuration enables you to be the contro
- Enterprise
- Professional
- Education
-- The device must be joined to Azure Active Directory.
+- The device must be joined to Azure Active Directory (can be a hybrid Azure AD join).
For the best experience, use the most current build of any operating system specified above. Configuration functionality and availability may vary on older systems. See [Lifecycle Policy](/lifecycle/products/windows-10-enterprise-and-education)
diff --git a/windows/privacy/diagnostic-data-viewer-overview.md b/windows/privacy/diagnostic-data-viewer-overview.md
index adf1997249..ccc46b0a6d 100644
--- a/windows/privacy/diagnostic-data-viewer-overview.md
+++ b/windows/privacy/diagnostic-data-viewer-overview.md
@@ -1,16 +1,11 @@
---
title: Diagnostic Data Viewer Overview (Windows 10 and Windows 11)
description: Use this article to use the Diagnostic Data Viewer application to review the diagnostic data sent to Microsoft by your device.
-keywords: privacy
ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: high
-audience: ITPro
-author: dansimp
-ms.author: dansimp
-manager: dansimp
+author: DHB-MSFT
+ms.author: danbrown
+manager: dougeby
ms.collection:
- M365-security-compliance
- highpri
diff --git a/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md b/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md
index c867fe681a..4bac4f9032 100644
--- a/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md
+++ b/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md
@@ -1,16 +1,11 @@
---
title: Enhanced diagnostic data required by Windows Analytics (Windows 10)
description: Use this article to learn more about the limit enhanced diagnostic data events policy used by Desktop Analytics
-keywords: privacy, diagnostic data
ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: high
-audience: ITPro
-author: dansimp
-ms.author: dansimp
-manager: dansimp
+author: DHB-MSFT
+ms.author: danbrown
+manager: dougeby
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 11/29/2021
@@ -119,7 +114,7 @@ Collects Office metadata through UTC to compare with equivalent data collected t
Applicable to all Win32 applications. Helps us understand the status of the update process of the office suite (Success or failure with error details).
- **build:** App version
-- **channel:** Is this part of SAC or SAC-T?
+- **channel:** Is this part of GA Channel?
- **errorCode:** What error occurred during the upgrade process?
- **errorMessage:** what was the error message during the upgrade process?
- **status:** Was the upgrade successful or not?
@@ -210,7 +205,7 @@ This event is fired when the telemetry engine within an office application has p
- **SessionID:** ID of the session
## Microsoft.Office.TelemetryEngine.ShutdownStart
-This event is fired when the telemetry engine within an office application been uninitialized, and the application is shutting down. Useful for understanding whether a particular crash is happening during an app-shutdown, and could potentially lead in data loss or not.
+This event is fired when the telemetry engine within an office application has been uninitialized, and the application is shutting down. Useful for understanding whether a particular crash is happening during an app-shutdown, and could potentially lead in data loss or not.
- **appVersionBuild:** Third part of the version *.*.XXXXX.*
- **appVersionMajor:** First part of the version X.*.*.*
@@ -355,14 +350,14 @@ The following fields are available:
Initialization of Explorer is complete.
## Microsoft-Windows-Security-EFS-EDPAudit-ApplicationLearning.EdpAuditLogApplicationLearning
-For a device subject to Windows Information Protection policy, learning events are generated when an app encounters a policy boundary (for example, trying to open a work document from a personal app). These events help the WIP administrator tune policy rules and prevent unnecessary user disruption.
+For a device subject to Windows Information Protection policy, learning events are generated when an app encounters a policy boundary (for example, trying to open a work document from a personal app). These events help the Windows Information Protection administrator tune policy rules and prevent unnecessary user disruption.
The following fields are available:
- **actiontype:** Indicates what type of resource access the app was attempting (for example, opening a local document vs. a network resource) when it encountered a policy boundary. Useful for Windows Information Protection administrators to tune policy rules.
- **appIdType:** Based on the type of application, this field indicates what type of app rule a Windows Information Protection administrator would need to create for this app.
- **appname:** App that triggered the event
-- **status:** Indicates whether errors occurred during WIP learning events
+- **status:** Indicates whether errors occurred during Windows Information Protection learning events
## Win32kTraceLogging.AppInteractivitySummary
Summarizes which app windows are being used (for example, have focus) to help Microsoft improve compatibility and user experience. Also helps organizations (by using Desktop Analytics) to understand and improve application reliability on managed devices.
diff --git a/windows/privacy/essential-services-and-connected-experiences.md b/windows/privacy/essential-services-and-connected-experiences.md
index 00b49e112b..a4f4601c25 100644
--- a/windows/privacy/essential-services-and-connected-experiences.md
+++ b/windows/privacy/essential-services-and-connected-experiences.md
@@ -1,15 +1,11 @@
---
title: Essential services and connected experiences for Windows
description: Explains what the essential services and connected experiences are for Windows
-keywords: privacy, manage connections to Microsoft
ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
ms.localizationpriority: high
-audience: ITPro
-author: siosulli
-ms.author: dansimp
-manager: dansimp
+author: DHB-MSFT
+ms.author: danbrown
+manager: dougeby
ms.technology: privacy
ms.date: 11/24/2021
ms.collection: highpri
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
index f12658e2d0..4cf92acefc 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md
@@ -1,16 +1,11 @@
---
title: Manage connections from Windows operating system components to Microsoft services using Microsoft Intune MDM Server
description: Use MDM CSPs to minimize connections from Windows to Microsoft services, or to configure particular privacy settings.
-ms.assetid: ACCEB0DD-BC6F-41B1-B359-140B242183D9
-keywords: privacy, manage connections to Microsoft, Windows 10
ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
ms.localizationpriority: high
-audience: ITPro
-author: RyanHechtMSFT
-ms.author: dansimp
-manager: dansimp
+author: DHB-MSFT
+ms.author: danbrown
+manager: dougeby
ms.date: 11/29/2021
ms.technology: privacy
---
@@ -84,7 +79,7 @@ For Windows 10 and Windows 11, the following MDM policies are available in the [
1. MDM Policy: [Notifications/DisallowTileNotification](/windows/client-management/mdm/policy-csp-notifications). This policy setting turns off tile notifications. If you enable this policy setting applications and system features will not be able to update their tiles and tile badges in the Start screen. **Integer value 1**
1. **Mail synchronization**
- 1. MDM Policy: [Accounts/AllowMicrosoftAccountConnection](/windows/client-management/mdm/policy-csp-accounts#accounts-allowmicrosoftaccountconnection). Specifies whether the user is allowed to use an MSA account for non-email related connection authentication and services. **Set to 0 (zero)**
+ 1. MDM Policy: [Accounts/AllowMicrosoftAccountConnection](/windows/client-management/mdm/policy-csp-accounts#accounts-allowmicrosoftaccountconnection). Specifies whether the user is allowed to use an Microsoft account for non-email related connection authentication and services. **Set to 0 (zero)**
1. **Microsoft Account**
1. MDM Policy: [Accounts/AllowMicrosoftAccountSignInAssistant](/windows/client-management/mdm/policy-csp-accounts#accounts-allowmicrosoftaccountsigninassistant). Disable the Microsoft Account Sign-In Assistant. **Set to 0 (zero)**
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index 2d941eb5ee..7fcd6fb74b 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -1,17 +1,12 @@
---
title: Manage connections from Windows 10 and Windows 11 Server/Enterprise editions operating system components to Microsoft services
description: Learn how to minimize connections from Windows to Microsoft services, and configure particular privacy settings related to these connections.
-ms.assetid: ACCEB0DD-BC6F-41B1-B359-140B242183D9
ms.reviewer:
-keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016
ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
ms.localizationpriority: high
-audience: ITPro
-author: tomlayson
-ms.author: tomlayson
-manager: riche
+author: DHB-MSFT
+ms.author: danbrown
+manager: dougeby
ms.collection:
- M365-security-compliance
- highpri
diff --git a/windows/privacy/manage-windows-11-endpoints.md b/windows/privacy/manage-windows-11-endpoints.md
index 1370d95086..3e7ac5829b 100644
--- a/windows/privacy/manage-windows-11-endpoints.md
+++ b/windows/privacy/manage-windows-11-endpoints.md
@@ -1,15 +1,11 @@
---
title: Connection endpoints for Windows 11 Enterprise
description: Explains what Windows 11 endpoints are used for, how to turn off traffic to them, and the impact. Specific to Windows 11.
-keywords: privacy, manage connections to Microsoft, Windows 11
ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
ms.localizationpriority: high
-audience: ITPro
-author: gental-giant
-ms.author: v-hakima
-manager: dansimp
+author: DHB-MSFT
+ms.author: danbrown
+manager: dougeby
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 11/29/2021
diff --git a/windows/privacy/manage-windows-1809-endpoints.md b/windows/privacy/manage-windows-1809-endpoints.md
index f6b2a11c6d..eb95151983 100644
--- a/windows/privacy/manage-windows-1809-endpoints.md
+++ b/windows/privacy/manage-windows-1809-endpoints.md
@@ -1,15 +1,11 @@
---
title: Connection endpoints for Windows 10, version 1809
description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact. Specific to Windows 10 Enterprise, version 1809.
-keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016
ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
ms.localizationpriority: high
-audience: ITPro
-author: dansimp
-ms.author: dansimp
-manager: dansimp
+author: DHB-MSFT
+ms.author: danbrown
+manager: dougeby
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 11/29/2021
diff --git a/windows/privacy/manage-windows-1903-endpoints.md b/windows/privacy/manage-windows-1903-endpoints.md
index 41d1c6b46b..40b10d7787 100644
--- a/windows/privacy/manage-windows-1903-endpoints.md
+++ b/windows/privacy/manage-windows-1903-endpoints.md
@@ -1,15 +1,11 @@
---
title: Connection endpoints for Windows 10 Enterprise, version 1903
description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact. Specific to Windows 10 Enterprise, version 1903.
-keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016
ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
ms.localizationpriority: high
-audience: ITPro
-author: linque1
-ms.author: obezeajo
-manager: dansimp
+author: DHB-MSFT
+ms.author: danbrown
+manager: dougeby
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 11/29/2021
diff --git a/windows/privacy/manage-windows-1909-endpoints.md b/windows/privacy/manage-windows-1909-endpoints.md
index b5dfff14b9..cfdf8bdd5d 100644
--- a/windows/privacy/manage-windows-1909-endpoints.md
+++ b/windows/privacy/manage-windows-1909-endpoints.md
@@ -1,15 +1,11 @@
---
title: Connection endpoints for Windows 10 Enterprise, version 1909
description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact. Specific to Windows 10 Enterprise, version 1909.
-keywords: privacy, manage connections to Microsoft, Windows 10
ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
ms.localizationpriority: high
-audience: ITPro
-author: gental-giant
-ms.author: v-hakima
-manager: obezeajo
+author: DHB-MSFT
+ms.author: danbrown
+manager: dougeby
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 11/29/2021
diff --git a/windows/privacy/manage-windows-2004-endpoints.md b/windows/privacy/manage-windows-2004-endpoints.md
index 2b302dbf62..fbdb65cb57 100644
--- a/windows/privacy/manage-windows-2004-endpoints.md
+++ b/windows/privacy/manage-windows-2004-endpoints.md
@@ -1,15 +1,11 @@
---
title: Connection endpoints for Windows 10 Enterprise, version 2004
description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact. Specific to Windows 10 Enterprise, version 2004.
-keywords: privacy, manage connections to Microsoft, Windows 10
ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
ms.localizationpriority: high
-audience: ITPro
-author: linque1
-ms.author: siosulli
-manager: dansimp
+author: DHB-MSFT
+ms.author: danbrown
+manager: dougeby
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 11/29/2021
diff --git a/windows/privacy/manage-windows-20H2-endpoints.md b/windows/privacy/manage-windows-20H2-endpoints.md
index 9d1ec6d001..1aca2568d3 100644
--- a/windows/privacy/manage-windows-20H2-endpoints.md
+++ b/windows/privacy/manage-windows-20H2-endpoints.md
@@ -1,15 +1,11 @@
---
title: Connection endpoints for Windows 10 Enterprise, version 20H2
description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact. Specific to Windows 10 Enterprise, version 20H2.
-keywords: privacy, manage connections to Microsoft, Windows 10
ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
ms.localizationpriority: high
-audience: ITPro
-author: gental-giant
-ms.author: v-hakima
-manager: dansimp
+author: DHB-MSFT
+ms.author: danbrown
+manager: dougeby
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 11/29/2021
diff --git a/windows/privacy/manage-windows-21H1-endpoints.md b/windows/privacy/manage-windows-21H1-endpoints.md
index bd760cb5c0..844afb43a7 100644
--- a/windows/privacy/manage-windows-21H1-endpoints.md
+++ b/windows/privacy/manage-windows-21H1-endpoints.md
@@ -1,15 +1,11 @@
---
title: Connection endpoints for Windows 10 Enterprise, version 21H1
description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact. Specific to Windows 10 Enterprise, version 21H1.
-keywords: privacy, manage connections to Microsoft, Windows 10
ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
ms.localizationpriority: high
-audience: ITPro
-author: gental-giant
-ms.author: v-hakima
-manager: dansimp
+author: DHB-MSFT
+ms.author: danbrown
+manager: dougeby
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 11/29/2021
diff --git a/windows/privacy/manage-windows-21h2-endpoints.md b/windows/privacy/manage-windows-21h2-endpoints.md
index d8c926a1fc..23f5dcb20a 100644
--- a/windows/privacy/manage-windows-21h2-endpoints.md
+++ b/windows/privacy/manage-windows-21h2-endpoints.md
@@ -1,15 +1,11 @@
---
title: Connection endpoints for Windows 10 Enterprise, version 21H2
description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact. Specific to Windows 10 Enterprise, version 21H2.
-keywords: privacy, manage connections to Microsoft, Windows 10
ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
ms.localizationpriority: high
-audience: ITPro
-author: gental-giant
-ms.author: v-hakima
-manager: dansimp
+author: DHB-MSFT
+ms.author: danbrown
+manager: dougeby
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 11/29/2021
diff --git a/windows/privacy/required-windows-11-diagnostic-events-and-fields.md b/windows/privacy/required-windows-11-diagnostic-events-and-fields.md
index 084f8f8a9e..0d5c7f865c 100644
--- a/windows/privacy/required-windows-11-diagnostic-events-and-fields.md
+++ b/windows/privacy/required-windows-11-diagnostic-events-and-fields.md
@@ -1,20 +1,15 @@
---
description: Learn more about the Windows 11 diagnostic data gathered at the basic level.
title: Required Windows 11 diagnostic events and fields
-keywords: privacy, telemetry
ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
localizationpriority: high
-author: brianlic-msft
-ms.author: brianlic
-manager: dansimp
+author: DHB-MSFT
+ms.author: danbrown
+manager: dougeby
ms.collection:
- M365-security-compliance
- highpri
ms.topic: article
-audience: ITPro
ms.date: 11/29/2021
ms.technology: privacy
---
@@ -79,7 +74,7 @@ The following fields are available:
- **PackageSpecifiers** The map of Intelligent Delivery region specifiers present in the installing package.
- **PlanId** The ID of the streaming plan being used to install the content.
- **ProductId** The product ID of the application associated with this event.
-- **RelatedCv** The related correlation vector. This optional value contains the correlation vector for this install if the Cv value is representing an actiuon tracked by a correlation vector.
+- **RelatedCv** The related correlation vector. This optional value contains the correlation vector for this install if the Cv value is representing an action tracked by a correlation vector.
- **RequestSpecifiers** The map of Intelligent Delivery region specifiers requested by the system/user/title as a part of the install activity.
- **SourceHardwareID** The hardware ID of the source device, if it is external storage. Empty if not an external storage device.
- **SourcePath** The source path we are installing from. May be a CDN (Content Delivery Network) or a local disk drive.
@@ -488,7 +483,7 @@ The following fields are available:
- **SdbBlockUpgradeUntilUpdate** The file is tagged as blocking upgrade in the SDB. If the app is updated, the upgrade can proceed.
- **SdbReinstallUpgrade** The file is tagged as needing to be reinstalled after upgrade in the SDB. It does not block upgrade.
- **SdbReinstallUpgradeWarn** The file is tagged as needing to be reinstalled after upgrade with a warning in the SDB. It does not block upgrade.
-- **SoftBlock** The file is softblocked in the SDB and has a warning.
+- **SoftBlock** The file is soft blocked in the SDB and has a warning.
### Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove
@@ -1775,7 +1770,7 @@ The following fields are available:
- **RunAppraiser** Indicates if Appraiser was set to run at all. If this if false, it is understood that data events will not be received from this device.
- **RunDate** The date that the diagnostic data run was stated, expressed as a filetime.
- **RunGeneralTel** Indicates if the generaltel.dll component was run. Generaltel collects additional diagnostic data on an infrequent schedule and only from machines at diagnostic data levels higher than Basic.
-- **RunOnline** Indicates if appraiser was able to connect to Windows Update and theefore is making decisions using up-to-date driver coverage information.
+- **RunOnline** Indicates if appraiser was able to connect to Windows Update and therefore is making decisions using up-to-date driver coverage information.
- **RunResult** The hresult of the Appraiser diagnostic data run.
- **ScheduledUploadDay** The day scheduled for the upload.
- **SendingUtc** Indicates whether the Appraiser client is sending events during the current diagnostic data run.
@@ -1861,7 +1856,7 @@ The following fields are available:
- **InternalBatteryCapacityCurrent** Represents the battery's current fully charged capacity in mWh (or relative). Compare this value to DesignedCapacity to estimate the battery's wear.
- **InternalBatteryCapacityDesign** Represents the theoretical capacity of the battery when new, in mWh.
- **InternalBatteryNumberOfCharges** Provides the number of battery charges. This is used when creating new products and validating that existing products meets targeted functionality performance.
-- **IsAlwaysOnAlwaysConnectedCapable** Represents whether the battery enables the device to be AlwaysOnAlwaysConnected . Boolean value.
+- **IsAlwaysOnAlwaysConnectedCapable** Represents whether the battery enables the device to be AlwaysOnAlwaysConnected. Boolean value.
### Census.Enterprise
@@ -1874,7 +1869,7 @@ The following fields are available:
- **AzureOSIDPresent** Represents the field used to identify an Azure machine.
- **AzureVMType** Represents whether the instance is Azure VM PAAS, Azure VM IAAS or any other VMs.
- **CDJType** Represents the type of cloud domain joined for the machine.
-- **CommercialId** Represents the GUID for the commercial entity which the device is a member of. Will be used to reflect insights back to customers.
+- **CommercialId** Represents the GUID for the commercial entity that the device is a member of. Will be used to reflect insights back to customers.
- **ContainerType** The type of container, such as process or virtual machine hosted.
- **EnrollmentType** Defines the type of MDM enrollment on the device.
- **HashedDomain** The hashed representation of the user domain used for login.
@@ -1885,9 +1880,9 @@ The following fields are available:
- **IsMDMEnrolled** Whether the device has been MDM Enrolled or not.
- **MDMServiceProvider** A hash of the specific MDM authority, such as Microsoft Intune, that is managing the device.
- **MPNId** Returns the Partner ID/MPN ID from Regkey. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID
-- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise SCCM environment.
+- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise Configuration Manager environment.
- **ServerFeatures** Represents the features installed on a Windows Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers.
-- **SystemCenterID** The SCCM ID is an anonymized one-way hash of the Active Directory Organization identifier
+- **SystemCenterID** The Configuration Manager ID is an anonymized one-way hash of the Active Directory Organization identifier
### Census.Firmware
@@ -2292,10 +2287,10 @@ The following fields are available:
- **UpdateServiceURLConfigured** Retrieves if the device is managed by Windows Server Update Services (WSUS).
- **WUDeferUpdatePeriod** Retrieves if deferral is set for Updates.
- **WUDeferUpgradePeriod** Retrieves if deferral is set for Upgrades.
-- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded WU updates to other devices on the same network.
+- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded Windows Update (WU) updates to other devices on the same network.
- **WULCUVersion** Version of the LCU Installed on the machine.
- **WUMachineId** Retrieves the Windows Update (WU) Machine Identifier.
-- **WUPauseState** Retrieves WU setting to determine if updates are paused.
+- **WUPauseState** Retrieves Windows Update setting to determine if updates are paused.
- **WUServer** Retrieves the HTTP(S) URL of the WSUS server that is used by Automatic Updates and API callers (by default).
@@ -4871,7 +4866,7 @@ The following fields are available:
- **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device.
- **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device.
- **IsWUfBFederatedScanDisabled** Indicates if Windows Update for Business federated scan is disabled on the device.
-- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device.
+- **IsWUfBTargetVersionEnabled** Flag that indicates if the Windows Update for Business target version policy is enabled on the device.
- **MetadataIntegrityMode** The mode of the update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce
- **MSIError** The last error that was encountered during a scan for updates.
- **NetworkConnectivityDetected** Indicates the type of network connectivity that was detected. 0 - IPv4, 1 - IPv6
@@ -4965,7 +4960,7 @@ The following fields are available:
- **IPVersion** Indicates whether the download took place over IPv4 or IPv6.
- **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device.
- **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device.
-- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device.
+- **IsWUfBTargetVersionEnabled** Flag that indicates if the Windows Update for Business target version policy is enabled on the device.
- **NetworkCost** A flag indicating the cost of the network (congested, fixed, variable, over data limit, roaming, etc.) used for downloading the update content.
- **NetworkRestrictionStatus** More general version of NetworkCostBitMask, specifying whether Windows considered the current network to be "metered."
- **PackageFullName** The package name of the content.
@@ -5075,7 +5070,7 @@ The following fields are available:
- **IsSuccessFailurePostReboot** Indicates whether the update succeeded and then failed after a restart.
- **IsWUfBDualScanEnabled** Indicates whether Windows Update for Business dual scan is enabled on the device.
- **IsWUfBEnabled** Indicates whether Windows Update for Business is enabled on the device.
-- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device.
+- **IsWUfBTargetVersionEnabled** Flag that indicates if the Windows Update for Business target version policy is enabled on the device.
- **MergedUpdate** Indicates whether the OS update and a BSP update merged for installation.
- **MsiAction** The stage of MSI installation where it failed.
- **MsiProductCode** The unique identifier of the MSI installer.
@@ -5127,9 +5122,9 @@ The following fields are available:
- **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process.
- **IsFirmware** Indicates whether an update was a firmware update.
- **IsSuccessFailurePostReboot** Indicates whether an initial success was a failure after a reboot.
-- **IsWUfBDualScanEnabled** Flag indicating whether WU-for-Business dual scan is enabled on the device.
-- **IsWUfBEnabled** Flag indicating whether WU-for-Business is enabled on the device.
-- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device.
+- **IsWUfBDualScanEnabled** Flag indicating whether Windows Update for Business dual scan is enabled on the device.
+- **IsWUfBEnabled** Flag indicating whether Windows Update for Business is enabled on the device.
+- **IsWUfBTargetVersionEnabled** Flag that indicates if the Windows Update for Business target version policy is enabled on the device.
- **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install.
- **ProcessName** Process name of the caller who initiated API calls into the software distribution client.
- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device.
@@ -5192,9 +5187,9 @@ The following fields are available:
- **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process.
- **IsFirmware** Indicates whether an update was a firmware update.
- **IsSuccessFailurePostReboot** Indicates whether an initial success was then a failure after a reboot.
-- **IsWUfBDualScanEnabled** Flag indicating whether WU-for-Business dual scan is enabled on the device.
-- **IsWUfBEnabled** Flag indicating whether WU-for-Business is enabled on the device.
-- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device.
+- **IsWUfBDualScanEnabled** Flag indicating whether Windows Update for Business dual scan is enabled on the device.
+- **IsWUfBEnabled** Flag indicating whether Windows Update for Business is enabled on the device.
+- **IsWUfBTargetVersionEnabled** Flag that indicates if the Windows Update for Business target version policy is enabled on the device.
- **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install.
- **ProcessName** Process name of the caller who initiated API calls into the software distribution client.
- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device.
@@ -6022,7 +6017,7 @@ This event sends data regarding OS Updates and Upgrades from Windows 7.X, Window
The following fields are available:
- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
-- **FlightData** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **FlightData** In the Windows Update scenario, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
- **HostOSBuildNumber** The build number of the previous operating system.
- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous operating system).
- **InstanceId** Unique GUID that identifies each instance of setuphost.exe.
@@ -6789,7 +6784,7 @@ The following fields are available:
- **freeDiskSpaceInMB** Amount of free disk space.
- **interactive** Informs if this action is caused due to user interaction.
- **priority** The CPU and IO priority this action is being performed on.
-- **provider** The provider that is being invoked to perform this action (WU, Legacy UO Provider etc.).
+- **provider** The provider that is being invoked to perform this action (Windows Update , Legacy UO Provider etc.).
- **update** Update related metadata including UpdateId.
- **uptimeMinutes** Duration USO for up for in the current boot session.
- **wilActivity** Wil Activity related information.
@@ -6811,9 +6806,9 @@ The following fields are available:
- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough.
- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device.
- **IPVersion** Indicates whether download took place on IPv4 or IPv6 (0-Unknown, 1-IPv4, 2-IPv6).
-- **IsWUfBDualScanEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device.
-- **IsWUfBEnabled** Flag indicated is WU-for-Business is enabled on the device.
-- **IsWUfBTargetVersionEnabled** Flag indicated is WU-For-Business target version is enabled on the device.
+- **IsWUfBDualScanEnabled** Flag indicated is Windows Update for Business dual scan is enabled on the device.
+- **IsWUfBEnabled** Flag indicated is Windows Update for Business is enabled on the device.
+- **IsWUfBTargetVersionEnabled** Flag indicated is Windows Update for Business target version is enabled on the device.
- **MetadataIntegrityMode** Mode of update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce.
- **NumberOfApplicationsCategoryScanEvaluated** Number of categories (apps) for which an app update scan checked.
- **NumberOfLoop** Number of roundtrips the scan required.
@@ -6859,9 +6854,9 @@ The following fields are available:
- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device.
- **IntentPFNs** Intended application-set metadata for atomic update scenarios.
- **IPVersion** Indicates whether download took place on IPv4 or IPv6 (0-Unknown, 1-IPv4, 2-IPv6).
-- **IsWUfBDualScanEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device.
-- **IsWUfBEnabled** Flag indicated is WU-for-Business is enabled on the device.
-- **IsWUfBTargetVersionEnabled** Flag indicated is WU-For-Business target version is enabled on the device.
+- **IsWUfBDualScanEnabled** Flag indicated is Windows Update for Business dual scan is enabled on the device.
+- **IsWUfBEnabled** Flag indicated is Windows Update for Business is enabled on the device.
+- **IsWUfBTargetVersionEnabled** Flag indicated is Windows Update for Business target version is enabled on the device.
- **MetadataIntegrityMode** Mode of update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce.
- **MSIError** The last error encountered during a scan for updates.
- **NetworkConnectivityDetected** 0 when IPv4 is detected, 1 when IPv6 is detected.
@@ -6901,9 +6896,9 @@ The following fields are available:
- **ExtendedStatusCode** Indicates the purpose of the event - whether because scan started, succeeded, failed, etc.
- **FeatureUpdatePause** Failed Parse actions.
- **IPVersion** Indicates whether download took place on IPv4 or IPv6 (0-Unknown, 1-IPv4, 2-IPv6).
-- **IsWUfBDualScanEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device.
-- **IsWUfBEnabled** Flag indicated is WU-for-Business is enabled on the device.
-- **IsWUfBTargetVersionEnabled** Flag indicated is WU-for-Business targeted version is enabled on the device.
+- **IsWUfBDualScanEnabled** Flag indicated is Windows Update for Business dual scan is enabled on the device.
+- **IsWUfBEnabled** Flag indicated is Windows Update for Business is enabled on the device.
+- **IsWUfBTargetVersionEnabled** Flag indicated is Windows Update for Business targeted version is enabled on the device.
- **MetadataIntegrityMode** Mode of update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce.
- **NumberOfApplicationsCategoryScanEvaluated** Number of categories (apps) for which an app update scan checked.
- **NumberOfLoop** Number of roundtrips the scan required.
@@ -6962,10 +6957,10 @@ The following fields are available:
- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0.
- **EventInstanceID** A globally unique identifier for event instance.
- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device.
-- **IsWUfBDualScanEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device.
-- **IsWUfBEnabled** Flag indicated is WU-for-Business is enabled on the device.
-- **IsWUfBFederatedScanDisabled** Flag indicated is WU-for-Business FederatedScan is disabled on the device.
-- **IsWUfBTargetVersionEnabled** Flag indicated is WU-for-Business targeted version is enabled on the device.
+- **IsWUfBDualScanEnabled** Flag indicated is Windows Update for Business dual scan is enabled on the device.
+- **IsWUfBEnabled** Flag indicated is Windows Update for Business is enabled on the device.
+- **IsWUfBFederatedScanDisabled** Flag indicated is Windows Update for Business FederatedScan is disabled on the device.
+- **IsWUfBTargetVersionEnabled** Flag indicated is Windows Update for Business targeted version is enabled on the device.
- **ProcessName** Process name of the caller who initiated API calls into the software distribution client.
- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device.
- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one.
@@ -6988,7 +6983,7 @@ The following fields are available:
- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0.
- **DeferralPolicySources** Sources for any update deferral policies defined (GPO = 0x10, MDM = 0x100, Flight = 0x1000, UX = 0x10000).
- **DeferredUpdates** UpdateIds which are currently being deferred until a later time.
-- **DriverExclusionPolicy** Indicates if policy for not including drivers with WU updates is enabled.
+- **DriverExclusionPolicy** Indicates if policy for not including drivers with Windows Update (WU) updates is enabled.
- **DriverSyncPassPerformed** A flag indicating whether the driver sync is performed in a update scan.
- **EventInstanceID** A globally unique identifier for event instance.
- **ExcludedUpdateClasses** Update classifications being excluded via policy.
@@ -6999,9 +6994,9 @@ The following fields are available:
- **FeatureUpdatePausePeriod** Pause duration configured for feature OS updates on the device, in days.
- **IntentPFNs** Intended application-set metadata for atomic update scenarios.
- **IPVersion** Indicates whether download took place on IPv4 or IPv6 (0-Unknown, 1-IPv4, 2-IPv6).
-- **IsWUfBDualScanEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device.
-- **IsWUfBEnabled** Flag indicated is WU-for-Business is enabled on the device.
-- **IsWUfBTargetVersionEnabled** Flag indicated is WU-for-Business targeted version is enabled on the device.
+- **IsWUfBDualScanEnabled** Flag indicated is Windows Update for Business dual scan is enabled on the device.
+- **IsWUfBEnabled** Flag indicated is Windows Update for Business is enabled on the device.
+- **IsWUfBTargetVersionEnabled** Flag indicated is Windows Update for Business targeted version is enabled on the device.
- **MetadataIntegrityMode** Mode of update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce.
- **NumberOfApplicableUpdates** Number of updates which were ultimately deemed applicable to the system after detection process is complete.
- **NumberOfApplicationsCategoryScanEvaluated** Number of categories (apps) for which an app update scan checked.
@@ -7136,9 +7131,9 @@ The following fields are available:
- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device.
- **HostName** Identifies the hostname.
- **IPVersion** Identifies the IP Connection Type version.
-- **IsWUfBDualScanEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device.
-- **IsWUfBEnabled** Flag indicated is WU-for-Business is enabled on the device.
-- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device.
+- **IsWUfBDualScanEnabled** Flag indicated is Windows Update for Business dual scan is enabled on the device.
+- **IsWUfBEnabled** Flag indicated is Windows Update for Business is enabled on the device.
+- **IsWUfBTargetVersionEnabled** Flag that indicates if the Windows Update for Business target version policy is enabled on the device.
- **NetworkCost** Identifies the network cost.
- **NetworkRestrictionStatus** When download is done, identifies whether network switch happened to restricted.
- **PackageFullName** Package name of the content.
@@ -7192,9 +7187,9 @@ The following fields are available:
- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device.
- **HostName** Identifies the hostname.
- **IPVersion** Identifies the IP Connection Type version.
-- **IsWUfBDualScanEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device.
-- **IsWUfBEnabled** Flag indicated is WU-for-Business is enabled on the device.
-- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device.
+- **IsWUfBDualScanEnabled** Flag indicated is Windows Update for Business dual scan is enabled on the device.
+- **IsWUfBEnabled** Flag indicated is Windows Update for Business is enabled on the device.
+- **IsWUfBTargetVersionEnabled** Flag that indicates if the Windows Update for Business target version policy is enabled on the device.
- **NetworkCost** Identifies the network cost.
- **NetworkRestrictionStatus** When download is done, identifies whether network switch happened to restricted.
- **PackageFullName** The package name of the content.
@@ -7234,9 +7229,9 @@ The following fields are available:
- **FlightBuildNumber** Indicates the build number of that flight.
- **FlightId** The specific id of the flight the device is getting.
- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device.
-- **IsWUfBDualScanEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device.
-- **IsWUfBEnabled** Flag indicated is WU-for-Business is enabled on the device.
-- **IsWUfBTargetVersionEnabled** Flag indicated is WU-for-Business targeted version is enabled on the device.
+- **IsWUfBDualScanEnabled** Flag indicated is Windows Update for Business dual scan is enabled on the device.
+- **IsWUfBEnabled** Flag indicated is Windows Update for Business is enabled on the device.
+- **IsWUfBTargetVersionEnabled** Flag indicated is Windows Update for Business targeted version is enabled on the device.
- **PackageFullName** The package name of the content.
- **ProcessName** Process name of the caller who initiated API calls into the software distribution client.
- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device.
@@ -7269,9 +7264,9 @@ The following fields are available:
- **FlightBuildNumber** Indicates the build number of that flight.
- **FlightId** The specific id of the flight the device is getting.
- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device.
-- **IsWUfBDualScanEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device.
-- **IsWUfBEnabled** Flag indicated is WU-for-Business is enabled on the device.
-- **IsWUfBTargetVersionEnabled** Flag indicated is WU-for-Business targeted version is enabled on the device.
+- **IsWUfBDualScanEnabled** Flag indicated is Windows Update for Business dual scan is enabled on the device.
+- **IsWUfBEnabled** Flag indicated is Windows Update for Business is enabled on the device.
+- **IsWUfBTargetVersionEnabled** Flag indicated is Windows Update for Business targeted version is enabled on the device.
- **PackageFullName** The package name of the content.
- **ProcessName** Process name of the caller who initiated API calls into the software distribution client.
- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device.
@@ -7317,9 +7312,9 @@ The following fields are available:
- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device.
- **HostName** The hostname URL the content is downloading from.
- **IPVersion** Indicates whether download took place on IPv4 or IPv6 (0-Unknown, 1-IPv4, 2-IPv6)
-- **IsWUfBDualScanEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device.
-- **IsWUfBEnabled** Flag indicated is WU-for-Business is enabled on the device.
-- **IsWUfBTargetVersionEnabled** Flag indicated is WU-for-Business targeted version is enabled on the device.
+- **IsWUfBDualScanEnabled** Flag indicated is Windows Update for Business dual scan is enabled on the device.
+- **IsWUfBEnabled** Flag indicated is Windows Update for Business is enabled on the device.
+- **IsWUfBTargetVersionEnabled** Flag indicated is Windows Update for Business targeted version is enabled on the device.
- **NetworkCost** A flag indicating the cost of the network being used for downloading the update content. That could be one of the following values0x0 : Unkown0x1 : Network cost is unrestricted0x2 : Network cost is fixed0x4 : Network cost is variable0x10000 : Network cost over data limit0x20000 : Network cost congested0x40000 : Network cost roaming0x80000 : Network cost approaching data limit.
- **NetworkRestrictionStatus** More general version of NetworkCostBitMask, specifying whether Windows considered the current network to be “metered”.
- **PackageFullName** The package name of the content.
@@ -7360,9 +7355,9 @@ The following fields are available:
- **FlightBuildNumber** Indicates the build number of that flight.
- **FlightId** The specific id of the flight the device is getting.
- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device.
-- **IsWUfBDualScanEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device.
-- **IsWUfBEnabled** Flag indicated is WU-for-Business is enabled on the device.
-- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device.
+- **IsWUfBDualScanEnabled** Flag indicated is Windows Update for Business dual scan is enabled on the device.
+- **IsWUfBEnabled** Flag indicated is Windows Update for Business is enabled on the device.
+- **IsWUfBTargetVersionEnabled** Flag that indicates if the Windows Update for Business target version policy is enabled on the device.
- **PackageFullName** The package name of the content.
- **ProcessName** Process name of the caller who initiated API calls into the software distribution client.
- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device.
@@ -7409,9 +7404,9 @@ The following fields are available:
- **IsFinalOutcomeEvent** Indicates if this event signal the end of the update/upgrade process.
- **IsFirmware** Indicates whether an update was a firmware update.
- **IsSuccessFailurePostReboot** Indicates whether an initial success was then a failure after a reboot.
-- **IsWUfBDualScanEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device.
-- **IsWUfBEnabled** Flag indicated is WU-for-Business is enabled on the device.
-- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device.
+- **IsWUfBDualScanEnabled** Flag indicated is Windows Update for Business dual scan is enabled on the device.
+- **IsWUfBEnabled** Flag indicated is Windows Update for Business is enabled on the device.
+- **IsWUfBTargetVersionEnabled** Flag that indicates if the Windows Update for Business target version policy is enabled on the device.
- **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install.
- **MsiAction** Stage of MSI installation where it failed.
- **MsiProductCode** Unique identifier of the MSI installer.
@@ -7465,9 +7460,9 @@ The following fields are available:
- **IsFinalOutcomeEvent** Indicates if this event signal the end of the update/upgrade process.
- **IsFirmware** Indicates whether an update was a firmware update.
- **IsSuccessFailurePostReboot** Indicates whether an initial success was then a failure after a reboot.
-- **IsWUfBDualScanEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device.
-- **IsWUfBEnabled** Flag indicated is WU-for-Business is enabled on the device.
-- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device.
+- **IsWUfBDualScanEnabled** Flag indicated is Windows Update for Business dual scan is enabled on the device.
+- **IsWUfBEnabled** Flag indicated is Windows Update for Business is enabled on the device.
+- **IsWUfBTargetVersionEnabled** Flag that indicates if the Windows Update for Business target version policy is enabled on the device.
- **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install.
- **MsiAction** Stage of MSI installation where it failed.
- **MsiProductCode** Unique identifier of the MSI installer.
@@ -7521,9 +7516,9 @@ The following fields are available:
- **IsFinalOutcomeEvent** Indicates if this event signal the end of the update/upgrade process.
- **IsFirmware** Indicates whether an update was a firmware update.
- **IsSuccessFailurePostReboot** Indicates whether an initial success was then a failure after a reboot.
-- **IsWUfBDualScanEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device.
-- **IsWUfBEnabled** Flag indicated is WU-for-Business is enabled on the device.
-- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device.
+- **IsWUfBDualScanEnabled** Flag indicated is Windows Update for Business dual scan is enabled on the device.
+- **IsWUfBEnabled** Flag indicated is Windows Update for Business is enabled on the device.
+- **IsWUfBTargetVersionEnabled** Flag that indicates if the Windows Update for Business target version policy is enabled on the device.
- **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install.
- **MsiAction** Stage of MSI installation where it failed.
- **MsiProductCode** Unique identifier of the MSI installer.
@@ -7577,9 +7572,9 @@ The following fields are available:
- **IsFinalOutcomeEvent** Indicates if this event signal the end of the update/upgrade process.
- **IsFirmware** Indicates whether an update was a firmware update.
- **IsSuccessFailurePostReboot** Indicates whether an initial success was then a failure after a reboot.
-- **IsWUfBDualScanEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device.
-- **IsWUfBEnabled** Flag indicated is WU-for-Business is enabled on the device.
-- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device.
+- **IsWUfBDualScanEnabled** Flag indicated is Windows Update for Business dual scan is enabled on the device.
+- **IsWUfBEnabled** Flag indicated is Windows Update for Business is enabled on the device.
+- **IsWUfBTargetVersionEnabled** Flag that indicates if the Windows Update for Business target version policy is enabled on the device.
- **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install.
- **MsiAction** Stage of MSI installation where it failed.
- **MsiProductCode** Unique identifier of the MSI installer.
@@ -7633,9 +7628,9 @@ The following fields are available:
- **IsFinalOutcomeEvent** Indicates if this event signal the end of the update/upgrade process.
- **IsFirmware** Indicates whether an update was a firmware update.
- **IsSuccessFailurePostReboot** Indicates whether an initial success was then a failure after a reboot.
-- **IsWUfBDualScanEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device.
-- **IsWUfBEnabled** Flag indicated is WU-for-Business is enabled on the device.
-- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device.
+- **IsWUfBDualScanEnabled** Flag indicated is Windows Update for Business dual scan is enabled on the device.
+- **IsWUfBEnabled** Flag indicated is Windows Update for Business is enabled on the device.
+- **IsWUfBTargetVersionEnabled** Flag that indicates if the Windows Update for Business target version policy is enabled on the device.
- **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install.
- **MsiAction** Stage of MSI installation where it failed.
- **MsiProductCode** Unique identifier of the MSI installer.
@@ -7686,9 +7681,9 @@ The following fields are available:
- **IsFinalOutcomeEvent** Indicates if this event signal the end of the update/upgrade process.
- **IsFirmware** Indicates whether an update was a firmware update.
- **IsSuccessFailurePostReboot** Indicates whether an initial success was then a failure after a reboot.
-- **IsWUfBDualScanEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device.
-- **IsWUfBEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device.
-- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device.
+- **IsWUfBDualScanEnabled** Flag indicated is Windows Update for Business dual scan is enabled on the device.
+- **IsWUfBEnabled** Flag indicated is Windows Update for Business dual scan is enabled on the device.
+- **IsWUfBTargetVersionEnabled** Flag that indicates if the Windows Update for Business target version policy is enabled on the device.
- **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install.
- **ProcessName** Process name of the caller who initiated API calls into the software distribution client.
- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device.
@@ -7735,9 +7730,9 @@ The following fields are available:
- **IsFinalOutcomeEvent** Indicates if this event signal the end of the update/upgrade process.
- **IsFirmware** Indicates whether an update was a firmware update.
- **IsSuccessFailurePostReboot** Indicates whether an initial success was then a failure after a reboot.
-- **IsWUfBDualScanEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device.
-- **IsWUfBEnabled** Flag indicated is WU-for-Business is enabled on the device.
-- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device.
+- **IsWUfBDualScanEnabled** Flag indicated is Windows Update for Business dual scan is enabled on the device.
+- **IsWUfBEnabled** Flag indicated is Windows Update for Business is enabled on the device.
+- **IsWUfBTargetVersionEnabled** Flag that indicates if the Windows Update for Business target version policy is enabled on the device.
- **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install.
- **ProcessName** Process name of the caller who initiated API calls into the software distribution client.
- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device.
@@ -7784,9 +7779,9 @@ The following fields are available:
- **IsFinalOutcomeEvent** Indicates if this event signal the end of the update/upgrade process.
- **IsFirmware** Indicates whether an update was a firmware update.
- **IsSuccessFailurePostReboot** Indicates whether an initial success was then a failure after a reboot.
-- **IsWUfBDualScanEnabled** Flag indicated is WU-for-Business dual scan is enabled on the device.
-- **IsWUfBEnabled** Flag indicated is WU-for-Business is enabled on the device.
-- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device.
+- **IsWUfBDualScanEnabled** Flag indicated is Windows Update for Business dual scan is enabled on the device.
+- **IsWUfBEnabled** Flag indicated is Windows Update for Business is enabled on the device.
+- **IsWUfBTargetVersionEnabled** Flag that indicates if the Windows Update for Business target version policy is enabled on the device.
- **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install.
- **ProcessName** Process name of the caller who initiated API calls into the software distribution client.
- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device.
@@ -8139,7 +8134,7 @@ This event sends data specific to the FixAppXReparsePoints mitigation used for O
The following fields are available:
-- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **ClientId** In the Windows Update scenario, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
- **FlightId** Unique identifier for each flight.
- **InstanceId** Unique GUID that identifies each instances of setuphost.exe.
- **MitigationScenario** The update scenario in which the mitigation was executed.
@@ -8161,7 +8156,7 @@ This event sends data specific to the FixupWimmountSysPath mitigation used for O
The following fields are available:
-- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **ClientId** In the Windows Update scenario, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
- **FlightId** Unique identifier for each flight.
- **ImagePathDefault** Default path to wimmount.sys driver defined in the system registry.
- **ImagePathFixedup** Boolean indicating whether the wimmount.sys driver path was fixed by this mitigation.
diff --git a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
index b37678708d..339c597a08 100644
--- a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
+++ b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
@@ -1,20 +1,15 @@
---
description: Learn more about the required Windows 10 diagnostic data gathered.
title: Windows 10, version 21H2, Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required diagnostic events and fields (Windows 10)
-keywords: privacy, telemetry
ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
localizationpriority: high
-author: brianlic-msft
-ms.author: brianlic
-manager: dansimp
+author: DHB-MSFT
+ms.author: danbrown
+manager: dougeby
ms.collection:
- M365-security-compliance
- highpri
ms.topic: article
-audience: ITPro
ms.date:
ms.technology: privacy
---
@@ -1891,9 +1886,9 @@ The following fields are available:
- **IsMDMEnrolled** Whether the device has been MDM Enrolled or not.
- **MDMServiceProvider** A hash of the specific MDM authority, such as Microsoft Intune, that is managing the device.
- **MPNId** Returns the Partner ID/MPN ID from Regkey. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID
-- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise SCCM environment.
+- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise Configuration Manager environment.
- **ServerFeatures** Represents the features installed on a Windows Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers.
-- **SystemCenterID** The SCCM ID is an anonymized one-way hash of the Active Directory Organization identifier
+- **SystemCenterID** The Configuration Manager ID is an anonymized one-way hash of the Active Directory Organization identifier
### Census.Firmware
@@ -2305,10 +2300,10 @@ The following fields are available:
- **UpdateServiceURLConfigured** Retrieves if the device is managed by Windows Server Update Services (WSUS).
- **WUDeferUpdatePeriod** Retrieves if deferral is set for Updates.
- **WUDeferUpgradePeriod** Retrieves if deferral is set for Upgrades.
-- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded WU updates to other devices on the same network.
+- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded Windows Update (WU) updates to other devices on the same network.
- **WULCUVersion** Version of the LCU Installed on the machine.
- **WUMachineId** Retrieves the Windows Update (WU) Machine Identifier.
-- **WUPauseState** Retrieves WU setting to determine if updates are paused.
+- **WUPauseState** Retrieves Windows Update setting to determine if updates are paused.
- **WUServer** Retrieves the HTTP(S) URL of the WSUS server that is used by Automatic Updates and API callers (by default).
@@ -4854,7 +4849,7 @@ The following fields are available:
- **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device.
- **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device.
- **IsWUfBFederatedScanDisabled** Indicates if Windows Update for Business federated scan is disabled on the device.
-- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device.
+- **IsWUfBTargetVersionEnabled** Flag that indicates if the Windows Update for Business target version policy is enabled on the device.
- **MetadataIntegrityMode** The mode of the update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce
- **MSIError** The last error that was encountered during a scan for updates.
- **NetworkConnectivityDetected** Indicates the type of network connectivity that was detected. 0 - IPv4, 1 - IPv6
@@ -4971,7 +4966,7 @@ The following fields are available:
- **IsDependentSet** Indicates whether a driver is a part of a larger System Hardware/Firmware Update
- **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device.
- **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device.
-- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device.
+- **IsWUfBTargetVersionEnabled** Flag that indicates if the Windows Update for Business target version policy is enabled on the device.
- **NetworkCost** A flag indicating the cost of the network (congested, fixed, variable, over data limit, roaming, etc.) used for downloading the update content.
- **NetworkCostBitMask** Indicates what kind of network the device is connected to (roaming, metered, over data cap, etc.)
- **NetworkRestrictionStatus** More general version of NetworkCostBitMask, specifying whether Windows considered the current network to be "metered."
@@ -5093,7 +5088,7 @@ The following fields are available:
- **IsSuccessFailurePostReboot** Indicates whether the update succeeded and then failed after a restart.
- **IsWUfBDualScanEnabled** Indicates whether Windows Update for Business dual scan is enabled on the device.
- **IsWUfBEnabled** Indicates whether Windows Update for Business is enabled on the device.
-- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device.
+- **IsWUfBTargetVersionEnabled** Flag that indicates if the Windows Update for Business target version policy is enabled on the device.
- **MergedUpdate** Indicates whether the OS update and a BSP update merged for installation.
- **MsiAction** The stage of MSI installation where it failed.
- **MsiProductCode** The unique identifier of the MSI installer.
@@ -5145,9 +5140,9 @@ The following fields are available:
- **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process.
- **IsFirmware** Indicates whether an update was a firmware update.
- **IsSuccessFailurePostReboot** Indicates whether an initial success was a failure after a reboot.
-- **IsWUfBDualScanEnabled** Flag indicating whether WU-for-Business dual scan is enabled on the device.
-- **IsWUfBEnabled** Flag indicating whether WU-for-Business is enabled on the device.
-- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device.
+- **IsWUfBDualScanEnabled** Flag indicating whether Windows Update for Business dual scan is enabled on the device.
+- **IsWUfBEnabled** Flag indicating whether Windows Update for Business is enabled on the device.
+- **IsWUfBTargetVersionEnabled** Flag that indicates if the Windows Update for Business target version policy is enabled on the device.
- **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install.
- **ProcessName** Process name of the caller who initiated API calls into the software distribution client.
- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device.
@@ -5210,9 +5205,9 @@ The following fields are available:
- **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process.
- **IsFirmware** Indicates whether an update was a firmware update.
- **IsSuccessFailurePostReboot** Indicates whether an initial success was then a failure after a reboot.
-- **IsWUfBDualScanEnabled** Flag indicating whether WU-for-Business dual scan is enabled on the device.
-- **IsWUfBEnabled** Flag indicating whether WU-for-Business is enabled on the device.
-- **IsWUfBTargetVersionEnabled** Flag that indicates if the WU-for-Business target version policy is enabled on the device.
+- **IsWUfBDualScanEnabled** Flag indicating whether Windows Update for Business dual scan is enabled on the device.
+- **IsWUfBEnabled** Flag indicating whether Windows Update for Business is enabled on the device.
+- **IsWUfBTargetVersionEnabled** Flag that indicates if the Windows Update for Business target version policy is enabled on the device.
- **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install.
- **ProcessName** Process name of the caller who initiated API calls into the software distribution client.
- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device.
@@ -5771,10 +5766,10 @@ The following fields are available:
- **CV** The correlation vector.
- **GlobalEventCounter** Counts the events at the global level for telemetry.
- **PackageVersion** The package version for currency tools.
-- **UnifiedInstallerDeviceAADJoinedHresult** The result code after checking if device is AAD joined.
+- **UnifiedInstallerDeviceAADJoinedHresult** The result code after checking if device is Azure Active Directory-joined.
- **UnifiedInstallerDeviceInDssPolicy** Boolean indicating whether the device is found to be in a DSS policy.
- **UnifiedInstallerDeviceInDssPolicyHresult** The result code for checking whether the device is found to be in a DSS policy.
-- **UnifiedInstallerDeviceIsAADJoined** Boolean indicating whether a device is AADJ.
+- **UnifiedInstallerDeviceIsAADJoined** Boolean indicating whether a device is Azure Active Directory-joined.
- **UnifiedInstallerDeviceIsAdJoined** Boolean indicating whether a device is AD joined.
- **UnifiedInstallerDeviceIsAdJoinedHresult** The result code for checking whether a device is AD joined.
- **UnifiedInstallerDeviceIsEducationSku** Boolean indicating whether a device is Education SKU.
@@ -5787,8 +5782,8 @@ The following fields are available:
- **UnifiedInstallerDeviceIsMdmManagedHresult** The result code from checking whether a device is MDM managed.
- **UnifiedInstallerDeviceIsProSku** Boolean indicating whether a device is Pro SKU.
- **UnifiedInstallerDeviceIsProSkuHresult** The result code from checking whether a device is Pro SKU.
-- **UnifiedInstallerDeviceIsSccmManaged** Boolean indicating whether a device is SCCM managed.
-- **UnifiedInstallerDeviceIsSccmManagedHresult** The result code from checking whether a device is SCCM managed.
+- **UnifiedInstallerDeviceIsSccmManaged** Boolean indicating whether a device is managed by Configuration Manager.
+- **UnifiedInstallerDeviceIsSccmManagedHresult** The result code from checking whether a device is managed by Configuration Manager.
- **UnifiedInstallerDeviceWufbManaged** Boolean indicating whether a device is Windows Update for Business managed.
- **UnifiedInstallerDeviceWufbManagedHresult** The result code from checking whether a device is Windows Update for Business managed.
- **UnifiedInstallerPlatformResult** The result code from checking what platform type the device is.
@@ -5829,7 +5824,7 @@ The following fields are available:
- **CV** Correlation vector.
- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user.
- **PackageVersion** Current package version of remediation.
-- **UpdateHealthToolsDeviceSccmManaged** Device is managed by SCCM.
+- **UpdateHealthToolsDeviceSccmManaged** Device is managed by Configuration Manager.
- **UpdateHealthToolsDeviceUbrChanged** 1 if the Ubr just changed, 0 otherwise.
- **UpdateHealthToolsDeviceUri** The URI to be used for push notifications on this device.
@@ -5901,7 +5896,7 @@ The following fields are available:
- **PackageVersion** The package version of the label.
- **UpdateHealthToolsDevicePolicyFileName** The default name of the policy blob file.
- **UpdateHealthToolsDssDeviceApiSegment** The URI segment for reading the DSS device pointer.
-- **UpdateHealthToolsDssDeviceId** The AAD ID of the device used to create the device ID hash.
+- **UpdateHealthToolsDssDeviceId** The Azure Active Directory ID of the device used to create the device ID hash.
- **UpdateHealthToolsDssDevicePolicyApiSegment** The segment of the device policy API pointer.
- **UpdateHealthToolsDssTenantId** The tenant id of the device used to create the tenant id hash.
- **UpdateHealthToolsHashedDeviceId** The SHA256 hash of the device id.
@@ -5910,7 +5905,7 @@ The following fields are available:
### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsServiceBlockedByNoDSSJoin
-This event is sent when the device is not joined to AAD. The data collected with this event is used to help keep Windows up to date and secure.
+This event is sent when the device is not joined to Azure Active Directory. The data collected with this event is used to help keep Windows up to date and secure.
The following fields are available:
diff --git a/windows/privacy/windows-10-and-privacy-compliance.md b/windows/privacy/windows-10-and-privacy-compliance.md
index 0e97842d03..e4e7e22ec9 100644
--- a/windows/privacy/windows-10-and-privacy-compliance.md
+++ b/windows/privacy/windows-10-and-privacy-compliance.md
@@ -1,16 +1,11 @@
---
title: Windows Privacy Compliance Guide
description: This article provides information to help IT and compliance professionals understand the personal data policies as related to Windows.
-keywords: privacy, GDPR, compliance
ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: high
-audience: ITPro
-author: brianlic-msft
-ms.author: brianlic
-manager: dansimp
+author: DHB-MSFT
+ms.author: danbrown
+manager: dougeby
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 12/01/2021
@@ -151,14 +146,17 @@ An administrator can disable a user’s ability to delete their device’s diagn
#### _2.3.7 Diagnostic data: Enabling the Windows diagnostic data processor configuration_
+> [!IMPORTANT]
+> There are some significant changes planned for the Windows diagnostic data processor configuration. To learn more, [review this information](changes-to-windows-diagnostic-data-collection.md#significant-changes-coming-to-the-windows-diagnostic-data-processor-configuration).
+
**Applies to:**
- Windows 11 Enterprise, Professional, and Education editions
- Windows 10 Enterprise, Professional, and Education, version 1809 with July 2021 update and newer
-The Windows diagnostic data processor configuration enables IT administrators to be the controller, as defined by the European Union General Data Protection Regulation (GDPR), for the Windows diagnostic data collected from Windows devices that are Azure Active Directory (AAD) joined and meet the configuration requirements. For more information, see [Enable Windows diagnostic data processor configuration](configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration) in [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md). Windows diagnostic data does not include data processed by Microsoft in connection with providing service-based capabilities.
+The Windows diagnostic data processor configuration enables IT administrators to be the controller, as defined by the European Union General Data Protection Regulation (GDPR), for the Windows diagnostic data collected from Windows devices that are Azure Active Directory (AAD)-joined and meet the configuration requirements. For more information, see [Enable Windows diagnostic data processor configuration](configure-windows-diagnostic-data-in-your-organization.md#enable-windows-diagnostic-data-processor-configuration) in [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md). Windows diagnostic data does not include data processed by Microsoft in connection with providing service-based capabilities.
-The Windows diagnostic data collected from devices enabled with the Windows diagnostic data processor configuration may be associated with a specific AAD User ID or device ID. The Windows diagnostic data processor configuration provides you with controls that help respond to data subject requests (DSRs) to delete diagnostic data, at user account closure, for a specific AAD User ID. Additionally, you’re able to execute an export DSR for diagnostic data related to a specific AAD User ID. For more information, see [The process for exercising data subject rights](#3-the-process-for-exercising-data-subject-rights). Microsoft also will accommodate a tenant account closure, either because you decide to close your Azure or Azure AD tenant account, or because you decide you no longer wish to be the data controller for Windows diagnostic data, but still wish to remain an Azure customer.
+The Windows diagnostic data collected from devices enabled with the Windows diagnostic data processor configuration may be associated with a specific Azure Active Directory User ID or device ID. The Windows diagnostic data processor configuration provides you with controls that help respond to data subject requests (DSRs) to delete diagnostic data, at user account closure, for a specific Azure AD User ID. Additionally, you’re able to execute an export DSR for diagnostic data related to a specific Azure AD User ID. For more information, see [The process for exercising data subject rights](#3-the-process-for-exercising-data-subject-rights). Microsoft also will accommodate a tenant account closure, either because you decide to close your Azure or Azure AD tenant account, or because you decide you no longer wish to be the data controller for Windows diagnostic data, but still wish to remain an Azure customer.
We recommend that IT administrators who have enabled the Windows diagnostic data processor configuration consider the following:
diff --git a/windows/privacy/windows-11-endpoints-non-enterprise-editions.md b/windows/privacy/windows-11-endpoints-non-enterprise-editions.md
index 6f9cf021c9..d24d978945 100644
--- a/windows/privacy/windows-11-endpoints-non-enterprise-editions.md
+++ b/windows/privacy/windows-11-endpoints-non-enterprise-editions.md
@@ -1,15 +1,11 @@
---
title: Windows 11 connection endpoints for non-Enterprise editions
description: Explains what Windows 11 endpoints are used in non-Enterprise editions. Specific to Windows 11.
-keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016
ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
ms.localizationpriority: high
-audience: ITPro
-author: gental-giant
-ms.author: v-hakima
-manager: dansimp
+author: DHB-MSFT
+ms.author: danbrown
+manager: dougeby
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 12/01/2021
diff --git a/windows/privacy/windows-diagnostic-data-1703.md b/windows/privacy/windows-diagnostic-data-1703.md
index 8e0e2a5a2a..2651ae6d53 100644
--- a/windows/privacy/windows-diagnostic-data-1703.md
+++ b/windows/privacy/windows-diagnostic-data-1703.md
@@ -1,15 +1,11 @@
---
title: Windows 10 diagnostic data for the Full diagnostic data level (Windows 10)
description: Use this article to learn about the types of data that is collected the Full diagnostic data level.
-keywords: privacy,Windows 10
ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
ms.localizationpriority: high
-audience: ITPro
-author: dansimp
-ms.author: dansimp
-manager: dansimp
+author: DHB-MSFT
+ms.author: danbrown
+manager: dougeby
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 12/01/2021
diff --git a/windows/privacy/windows-diagnostic-data.md b/windows/privacy/windows-diagnostic-data.md
index 88faf6a75d..12ab817b8c 100644
--- a/windows/privacy/windows-diagnostic-data.md
+++ b/windows/privacy/windows-diagnostic-data.md
@@ -1,15 +1,11 @@
---
title: Windows 10, version 1709 and Windows 11 and later optional diagnostic data (Windows 10)
description: Use this article to learn about the types of optional diagnostic data that is collected.
-keywords: privacy,Windows 10
ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
ms.localizationpriority: high
-audience: ITPro
-author: dansimp
-ms.author: dansimp
-manager: dansimp
+author: DHB-MSFT
+ms.author: danbrown
+manager: dougeby
ms.collection:
- M365-security-compliance
- highpri
diff --git a/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md
index ff4d97cb72..94356eae38 100644
--- a/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md
+++ b/windows/privacy/windows-endpoints-1809-non-enterprise-editions.md
@@ -1,15 +1,11 @@
---
title: Windows 10, version 1809, connection endpoints for non-Enterprise editions
description: Explains what Windows 10 endpoints are used in non-Enterprise editions. Specific to Windows 10, version 1809.
-keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016
ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
ms.localizationpriority: high
-audience: ITPro
-author: dansimp
-ms.author: dansimp
-manager: dansimp
+author: DHB-MSFT
+ms.author: danbrown
+manager: dougeby
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 12/01/2021
diff --git a/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md
index a383c259cf..d98d8fa989 100644
--- a/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md
+++ b/windows/privacy/windows-endpoints-1903-non-enterprise-editions.md
@@ -1,15 +1,11 @@
---
title: Windows 10, version 1903, connection endpoints for non-Enterprise editions
description: Explains what Windows 10 endpoints are used in non-Enterprise editions. Specific to Windows 10, version 1903.
-keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016
ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
ms.localizationpriority: high
-audience: ITPro
-author: mikeedgar
-ms.author: obezeajo
-manager: dansimp
+author: DHB-MSFT
+ms.author: danbrown
+manager: dougeby
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 12/01/2021
diff --git a/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md
index 3520abedd7..3608b11804 100644
--- a/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md
+++ b/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md
@@ -1,15 +1,11 @@
---
title: Windows 10, version 1909, connection endpoints for non-Enterprise editions
description: Explains what Windows 10 endpoints are used in non-Enterprise editions. Specific to Windows 10, version 1909.
-keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016
ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
ms.localizationpriority: high
-audience: ITPro
-author: gental-giant
-ms.author: v-hakima
-manager: obezeajo
+author: DHB-MSFT
+ms.author: danbrown
+manager: dougeby
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 12/01/2021
diff --git a/windows/privacy/windows-endpoints-2004-non-enterprise-editions.md b/windows/privacy/windows-endpoints-2004-non-enterprise-editions.md
index d756be9937..4b4f07c78f 100644
--- a/windows/privacy/windows-endpoints-2004-non-enterprise-editions.md
+++ b/windows/privacy/windows-endpoints-2004-non-enterprise-editions.md
@@ -1,15 +1,11 @@
---
title: Windows 10, version 2004, connection endpoints for non-Enterprise editions
description: Explains what Windows 10 endpoints are used in non-Enterprise editions. Specific to Windows 10, version 2004.
-keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016
ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
ms.localizationpriority: high
-audience: ITPro
-author: linque1
-ms.author: obezeajo
-manager: dansimp
+author: DHB-MSFT
+ms.author: danbrown
+manager: dougeby
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 12/01/2021
diff --git a/windows/privacy/windows-endpoints-20H2-non-enterprise-editions.md b/windows/privacy/windows-endpoints-20H2-non-enterprise-editions.md
index 63ddea60f9..ec38d80ece 100644
--- a/windows/privacy/windows-endpoints-20H2-non-enterprise-editions.md
+++ b/windows/privacy/windows-endpoints-20H2-non-enterprise-editions.md
@@ -1,15 +1,11 @@
---
title: Windows 10, version 20H2, connection endpoints for non-Enterprise editions
description: Explains what Windows 10 endpoints are used in non-Enterprise editions. Specific to Windows 10, version 20H2.
-keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016
ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
ms.localizationpriority: high
-audience: ITPro
-author: gental-giant
-ms.author: v-hakima
-manager: dansimp
+author: DHB-MSFT
+ms.author: danbrown
+manager: dougeby
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 12/01/2021
diff --git a/windows/privacy/windows-endpoints-21H1-non-enterprise-editions.md b/windows/privacy/windows-endpoints-21H1-non-enterprise-editions.md
index 609bb9e605..2923d95d74 100644
--- a/windows/privacy/windows-endpoints-21H1-non-enterprise-editions.md
+++ b/windows/privacy/windows-endpoints-21H1-non-enterprise-editions.md
@@ -1,15 +1,11 @@
---
title: Windows 10, version 21H1, connection endpoints for non-Enterprise editions
description: Explains what Windows 10 endpoints are used in non-Enterprise editions. Specific to Windows 10, version 21H1.
-keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016
ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
ms.localizationpriority: high
-audience: ITPro
-author: gental-giant
-ms.author: v-hakima
-manager: dansimp
+author: DHB-MSFT
+ms.author: danbrown
+manager: dougeby
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 12/01/2021
diff --git a/windows/security/identity-protection/access-control/access-control.md b/windows/security/identity-protection/access-control/access-control.md
index 2ba26987bb..2dfc4dc841 100644
--- a/windows/security/identity-protection/access-control/access-control.md
+++ b/windows/security/identity-protection/access-control/access-control.md
@@ -2,10 +2,6 @@
title: Access Control Overview (Windows 10)
description: Access Control Overview
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/access-control/active-directory-accounts.md b/windows/security/identity-protection/access-control/active-directory-accounts.md
index f2d6c64736..404f1abb50 100644
--- a/windows/security/identity-protection/access-control/active-directory-accounts.md
+++ b/windows/security/identity-protection/access-control/active-directory-accounts.md
@@ -2,10 +2,6 @@
title: Active Directory Accounts (Windows 10)
description: Active Directory Accounts
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/access-control/active-directory-security-groups.md b/windows/security/identity-protection/access-control/active-directory-security-groups.md
index 2ec117c8b9..7a469d0fc0 100644
--- a/windows/security/identity-protection/access-control/active-directory-security-groups.md
+++ b/windows/security/identity-protection/access-control/active-directory-security-groups.md
@@ -2,10 +2,6 @@
title: Active Directory Security Groups
description: Active Directory Security Groups
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/access-control/dynamic-access-control.md b/windows/security/identity-protection/access-control/dynamic-access-control.md
index c68a4e721f..b19feb4975 100644
--- a/windows/security/identity-protection/access-control/dynamic-access-control.md
+++ b/windows/security/identity-protection/access-control/dynamic-access-control.md
@@ -2,10 +2,6 @@
title: Dynamic Access Control Overview (Windows 10)
description: Learn about Dynamic Access Control and its associated elements, which were introduced in Windows Server 2012 and Windows 8.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/access-control/local-accounts.md b/windows/security/identity-protection/access-control/local-accounts.md
index 655ef0f5b4..654b12daed 100644
--- a/windows/security/identity-protection/access-control/local-accounts.md
+++ b/windows/security/identity-protection/access-control/local-accounts.md
@@ -2,10 +2,6 @@
title: Local Accounts (Windows 10)
description: Learn how to secure and manage access to the resources on a standalone or member server for services or users.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/access-control/microsoft-accounts.md b/windows/security/identity-protection/access-control/microsoft-accounts.md
index 992afda9d6..7d9575a8f4 100644
--- a/windows/security/identity-protection/access-control/microsoft-accounts.md
+++ b/windows/security/identity-protection/access-control/microsoft-accounts.md
@@ -2,10 +2,6 @@
title: Microsoft Accounts (Windows 10)
description: Microsoft Accounts
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/access-control/security-identifiers.md b/windows/security/identity-protection/access-control/security-identifiers.md
index 8564378d9c..eebc241c56 100644
--- a/windows/security/identity-protection/access-control/security-identifiers.md
+++ b/windows/security/identity-protection/access-control/security-identifiers.md
@@ -2,10 +2,6 @@
title: Security identifiers (Windows 10)
description: Security identifiers
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/access-control/security-principals.md b/windows/security/identity-protection/access-control/security-principals.md
index d6bdc4569e..3120899040 100644
--- a/windows/security/identity-protection/access-control/security-principals.md
+++ b/windows/security/identity-protection/access-control/security-principals.md
@@ -2,10 +2,6 @@
title: Security Principals (Windows 10)
description: Security Principals
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/access-control/service-accounts.md b/windows/security/identity-protection/access-control/service-accounts.md
index 2614ab30e4..cd6db0f4f7 100644
--- a/windows/security/identity-protection/access-control/service-accounts.md
+++ b/windows/security/identity-protection/access-control/service-accounts.md
@@ -2,10 +2,6 @@
title: Service Accounts (Windows 10)
description: Service Accounts
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/access-control/special-identities.md b/windows/security/identity-protection/access-control/special-identities.md
index db7379ba1f..82f5cbbcda 100644
--- a/windows/security/identity-protection/access-control/special-identities.md
+++ b/windows/security/identity-protection/access-control/special-identities.md
@@ -3,10 +3,6 @@ title: Special Identities (Windows 10)
description: Special Identities
ms.prod: m365-security
ms.technology: windows-sec
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/configure-s-mime.md b/windows/security/identity-protection/configure-s-mime.md
index c6922f3901..9184e9a43d 100644
--- a/windows/security/identity-protection/configure-s-mime.md
+++ b/windows/security/identity-protection/configure-s-mime.md
@@ -1,14 +1,8 @@
---
title: Configure S/MIME for Windows
description: S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients with a digital ID, also known as a certificate, can read them.
-ms.assetid: 7F9C2A99-42EB-4BCC-BB53-41C04FBBBF05
ms.reviewer:
-keywords: encrypt, digital signature
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/credential-guard/additional-mitigations.md b/windows/security/identity-protection/credential-guard/additional-mitigations.md
index 9ca5657e1d..5be4c34c1e 100644
--- a/windows/security/identity-protection/credential-guard/additional-mitigations.md
+++ b/windows/security/identity-protection/credential-guard/additional-mitigations.md
@@ -2,11 +2,7 @@
title: Additional mitigations
description: Advice and sample code for making your domain environment more secure and robust with Windows Defender Credential Guard.
ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-considerations.md b/windows/security/identity-protection/credential-guard/credential-guard-considerations.md
index f9dce14935..7b1cc141be 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-considerations.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-considerations.md
@@ -2,11 +2,7 @@
title: Advice while using Windows Defender Credential Guard (Windows)
description: Considerations and recommendations for certain scenarios when using Windows Defender Credential Guard in Windows.
ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
@@ -26,27 +22,27 @@ ms.reviewer:
Passwords are still weak. We recommend that in addition to deploying Windows Defender Credential Guard, organizations move away from passwords to other authentication methods, such as physical smart cards, virtual smart cards, or Windows Hello for Business.
-Windows Defender Credential Guard uses hardware security, so some features such as Windows To Go, are not supported.
+Windows Defender Credential Guard uses hardware security, so some features such as Windows To Go, aren't supported.
## Wi-fi and VPN Considerations
-When you enable Windows Defender Credential Guard, you can no longer use NTLM classic authentication for Single Sign-On. You will be forced to enter your credentials to use these protocols and cannot save the credentials for future use. If you are using WiFi and VPN endpoints that are based on MS-CHAPv2, they are subject to similar attacks as for NTLMv1. For WiFi and VPN connections, Microsoft recommends that organizations move from MSCHAPv2-based connections such as PEAP-MSCHAPv2 and EAP-MSCHAPv2, to certificate-based authentication such as PEAP-TLS or EAP-TLS.
+When you enable Windows Defender Credential Guard, you can no longer use NTLM classic authentication for Single Sign-On. You'll be forced to enter your credentials to use these protocols and can't save the credentials for future use. If you're using WiFi and VPN endpoints that are based on MS-CHAPv2, they're subject to similar attacks as for NTLMv1. For WiFi and VPN connections, Microsoft recommends that organizations move from MSCHAPv2-based connections such as PEAP-MSCHAPv2 and EAP-MSCHAPv2, to certificate-based authentication such as PEAP-TLS or EAP-TLS.
## Kerberos Considerations
When you enable Windows Defender Credential Guard, you can no longer use Kerberos unconstrained delegation or DES encryption. Unconstrained delegation could allow attackers to extract Kerberos keys from the isolated LSA process. Use constrained or resource-based Kerberos delegation instead.
## 3rd Party Security Support Providers Considerations
-Some 3rd party Security Support Providers (SSPs and APs) might not be compatible with Windows Defender Credential Guard because it does not allow third-party SSPs to ask for password hashes from LSA. However, SSPs and APs still get notified of the password when a user logs on and/or changes their password. Any use of undocumented APIs within custom SSPs and APs are not supported. We recommend that custom implementations of SSPs/APs are tested with Windows Defender Credential Guard. SSPs and APs that depend on any undocumented or unsupported behaviors fail. For example, using the KerbQuerySupplementalCredentialsMessage API is not supported. Replacing the NTLM or Kerberos SSPs with custom SSPs and APs. For more info, see [Restrictions around Registering and Installing a Security Package](/windows/win32/secauthn/restrictions-around-registering-and-installing-a-security-package) on MSDN.
+Some 3rd party Security Support Providers (SSPs and APs) might not be compatible with Windows Defender Credential Guard because it doesn't allow third-party SSPs to ask for password hashes from LSA. However, SSPs and APs still get notified of the password when a user logs on and/or changes their password. Any use of undocumented APIs within custom SSPs and APs aren't supported. We recommend that custom implementations of SSPs/APs are tested with Windows Defender Credential Guard. SSPs and APs that depend on any undocumented or unsupported behaviors fail. For example, using the KerbQuerySupplementalCredentialsMessage API isn't supported. Replacing the NTLM or Kerberos SSPs with custom SSPs and APs. For more info, see [Restrictions around Registering and Installing a Security Package](/windows/win32/secauthn/restrictions-around-registering-and-installing-a-security-package) on MSDN.
## Upgrade Considerations
As the depth and breadth of protections provided by Windows Defender Credential Guard are increased, subsequent releases of Windows 10 with Windows Defender Credential Guard running may impact scenarios that were working in the past. For example, Windows Defender Credential Guard may block the use of a particular type of credential or a particular component to prevent malware from taking advantage of vulnerabilities. Test scenarios required for operations in an organization before upgrading a device using Windows Defender Credential Guard.
### Saved Windows Credentials Protected
-Starting with Windows 10, version 1511, domain credentials that are stored with Credential Manager are protected with Windows Defender Credential Guard. Credential Manager allows you to store three types of credentials: Windows credentials, certificate-based credentials, and generic credentials. Generic credentials such as user names and passwords that you use to log on to websites are not protected since the applications require your cleartext password. If the application does not need a copy of the password, they can save domain credentials as Windows credentials that are protected. Windows credentials are used to connect to other computers on a network. The following considerations apply to the Windows Defender Credential Guard protections for Credential Manager:
-* Windows credentials saved by Remote Desktop Client cannot be sent to a remote host. Attempts to use saved Windows credentials fail, displaying the error message "Logon attempt failed."
+Starting with Windows 10, version 1511, domain credentials that are stored with Credential Manager are protected with Windows Defender Credential Guard. Credential Manager allows you to store three types of credentials: Windows credentials, certificate-based credentials, and generic credentials. Generic credentials such as user names and passwords that you use to log on to websites aren't protected since the applications require your cleartext password. If the application doesn't need a copy of the password, they can save domain credentials as Windows credentials that are protected. Windows credentials are used to connect to other computers on a network. The following considerations apply to the Windows Defender Credential Guard protections for Credential Manager:
+* Windows credentials saved by Remote Desktop Client can't be sent to a remote host. Attempts to use saved Windows credentials fail, displaying the error message "Logon attempt failed."
* Applications that extract Windows credentials fail.
-* When credentials are backed up from a PC that has Windows Defender Credential Guard enabled, the Windows credentials cannot be restored. If you need to back up your credentials, you must do this before you enable Windows Defender Credential Guard. Otherwise, you cannot restore those credentials.
+* When credentials are backed up from a PC that has Windows Defender Credential Guard enabled, the Windows credentials can't be restored. If you need to back up your credentials, you must do this before you enable Windows Defender Credential Guard. Otherwise, you can't restore those credentials.
## Clearing TPM Considerations
Virtualization-based Security (VBS) uses the TPM to protect its key. So when the TPM is cleared then the TPM protected key used to encrypt VBS secrets is lost.
@@ -61,17 +57,17 @@ As a result Credential Guard can no longer decrypt protected data. VBS creates a
> Credential Guard obtains the key during initialization. So the data loss will only impact persistent data and occur after the next system startup.
### Windows credentials saved to Credential Manager
-Since Credential Manager cannot decrypt saved Windows Credentials, they are deleted. Applications should prompt for credentials that were previously saved. If saved again, then Windows credentials are protected Credential Guard.
+Since Credential Manager can't decrypt saved Windows Credentials, they're deleted. Applications should prompt for credentials that were previously saved. If saved again, then Windows credentials are protected Credential Guard.
### Domain-joined device’s automatically provisioned public key
Beginning with Windows 10 and Windows Server 2016, domain-devices automatically provision a bound public key, for more information about automatic public key provisioning, see [Domain-joined Device Public Key Authentication](/windows-server/security/kerberos/domain-joined-device-public-key-authentication).
-Since Credential Guard cannot decrypt the protected private key, Windows uses the domain-joined computer's password for authentication to the domain. Unless additional policies are deployed, there should not be a loss of functionality. If a device is configured to only use public key, then it cannot authenticate with password until that policy is disabled. For more information on Configuring devices to only use public key, see [Domain-joined Device Public Key Authentication](/windows-server/security/kerberos/domain-joined-device-public-key-authentication).
+Since Credential Guard can't decrypt the protected private key, Windows uses the domain-joined computer's password for authentication to the domain. Unless additional policies are deployed, there should not be a loss of functionality. If a device is configured to only use public key, then it can't authenticate with password until that policy is disabled. For more information on Configuring devices to only use public key, see [Domain-joined Device Public Key Authentication](/windows-server/security/kerberos/domain-joined-device-public-key-authentication).
Also if any access control checks including authentication policies require devices to have either the KEY TRUST IDENTITY (S-1-18-4) or FRESH PUBLIC KEY IDENTITY (S-1-18-3) well-known SIDs, then those access checks fail. For more information about authentication policies, see [Authentication Policies and Authentication Policy Silos](/windows-server/security/credentials-protection-and-management/authentication-policies-and-authentication-policy-silos). For more information about well-known SIDs, see [[MS-DTYP] Section 2.4.2.4 Well-known SID Structures](/openspecs/windows_protocols/ms-dtyp/81d92bba-d22b-4a8c-908a-554ab29148ab).
### Breaking DPAPI on domain-joined devices
-On domain-joined devices, DPAPI can recover user keys using a domain controller from the user's domain. If a domain-joined device has no connectivity to a domain controller, then recovery is not possible.
+On domain-joined devices, DPAPI can recover user keys using a domain controller from the user's domain. If a domain-joined device has no connectivity to a domain controller, then recovery isn't possible.
>[!IMPORTANT]
> Best practice when clearing a TPM on a domain-joined device is to be on a network with connectivity to domain controllers. This ensures DPAPI functions and the user does not experience strange behavior.
@@ -79,11 +75,11 @@ Auto VPN configuration is protected with user DPAPI. User may not be able to use
If you must clear the TPM on a domain-joined device without connectivity to domain controllers, then you should consider the following.
-Domain user sign-in on a domain-joined device after clearing a TPM for as long as there is no connectivity to a domain controller:
+Domain user sign-in on a domain-joined device after clearing a TPM for as long as there's no connectivity to a domain controller:
|Credential Type | Windows version | Behavior
|---|---|---|
-| Certificate (smart card or Windows Hello for Business) | All | All data protected with user DPAPI is unusable and user DPAPI does not work at all. |
+| Certificate (smart card or Windows Hello for Business) | All | All data protected with user DPAPI is unusable and user DPAPI doesn't work at all. |
| Password | Windows 10 v1709 or later | If the user signed-in with a certificate or password prior to clearing the TPM, then they can sign-in with password and user DPAPI is unaffected.
| Password | Windows 10 v1703 | If the user signed-in with a password prior to clearing the TPM, then they can sign-in with that password and are unaffected.
| Password | Windows 10 v1607 or earlier | Existing user DPAPI protected data is unusable. User DPAPI is able to protect new data.
@@ -91,7 +87,7 @@ Domain user sign-in on a domain-joined device after clearing a TPM for as long a
Once the device has connectivity to the domain controllers, DPAPI recovers the user's key and data protected prior to clearing the TPM can be decrypted.
#### Impact of DPAPI failures on Windows Information Protection
-When data protected with user DPAPI is unusable, then the user loses access to all work data protected by Windows Information Protection. The impact includes: Outlook 2016 is unable to start and work protected documents cannot be opened. If DPAPI is working, then newly created work data is protected and can be accessed.
+When data protected with user DPAPI is unusable, then the user loses access to all work data protected by Windows Information Protection. The impact includes: Outlook 2016 is unable to start and work protected documents can't be opened. If DPAPI is working, then newly created work data is protected and can be accessed.
**Workaround:** Users can resolve the problem by connecting their device to the domain and rebooting or using their Encrypting File System Data Recovery Agent certificate. For more information about Encrypting File System Data Recovery Agent certificate, see [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate).
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md b/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md
index 0d09f98a43..787063e450 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md
@@ -2,11 +2,7 @@
title: How Windows Defender Credential Guard works
description: Learn how Windows Defender Credential Guard uses virtualization to protect secrets, so that only privileged system software can access them.
ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
@@ -25,13 +21,13 @@ ms.reviewer:
- Windows Server 2019
-Kerberos, NTLM, and Credential manager isolate secrets by using virtualization-based security. Previous versions of Windows stored secrets in the Local Security Authority (LSA). Prior to Windows 10, the LSA stored secrets used by the operating system in its process memory. With Windows Defender Credential Guard enabled, the LSA process in the operating system talks to a new component called the isolated LSA process that stores and protects those secrets. Data stored by the isolated LSA process is protected using Virtualization-based security and is not accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process.
+Kerberos, NTLM, and Credential manager isolate secrets by using virtualization-based security. Previous versions of Windows stored secrets in the Local Security Authority (LSA). Prior to Windows 10, the LSA stored secrets used by the operating system in its process memory. With Windows Defender Credential Guard enabled, the LSA process in the operating system talks to a new component called the isolated LSA process that stores and protects those secrets. Data stored by the isolated LSA process is protected using Virtualization-based security and isn't accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process.
For security reasons, the isolated LSA process doesn't host any device drivers. Instead, it only hosts a small subset of operating system binaries that are needed for security and nothing else. All of these binaries are signed with a certificate that is trusted by virtualization-based security and these signatures are validated before launching the file in the protected environment.
-When Windows Defender Credential Guard is enabled, NTLMv1, MS-CHAPv2, Digest, and CredSSP cannot use the signed-in credentials. Thus, single sign-on does not work with these protocols. However, applications can prompt for credentials or use credentials stored in the Windows Vault, which are not protected by Windows Defender Credential Guard with any of these protocols. It is recommended that valuable credentials, such as the sign-in credentials, are not to be used with any of these protocols. If these protocols must be used by domain or Azure AD users, secondary credentials should be provisioned for these use cases.
+When Windows Defender Credential Guard is enabled, NTLMv1, MS-CHAPv2, Digest, and CredSSP can't use the signed-in credentials. Thus, single sign-on doesn't work with these protocols. However, applications can prompt for credentials or use credentials stored in the Windows Vault, which aren't protected by Windows Defender Credential Guard with any of these protocols. It is recommended that valuable credentials, such as the sign-in credentials, aren't to be used with any of these protocols. If these protocols must be used by domain or Azure AD users, secondary credentials should be provisioned for these use cases.
-When Windows Defender Credential Guard is enabled, Kerberos does not allow unconstrained Kerberos delegation or DES encryption, not only for signed-in credentials, but also prompted or saved credentials.
+When Windows Defender Credential Guard is enabled, Kerberos doesn't allow unconstrained Kerberos delegation or DES encryption, not only for signed-in credentials, but also prompted or saved credentials.
Here's a high-level overview on how the LSA is isolated by using Virtualization-based security:
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md
index 7d71cc00ce..0d96d6c124 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md
@@ -2,11 +2,7 @@
title: Windows Defender Credential Guard - Known issues (Windows)
description: Windows Defender Credential Guard - Known issues in Windows Enterprise
ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
index b63bf80703..a2392e3e3c 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
@@ -2,11 +2,7 @@
title: Manage Windows Defender Credential Guard (Windows)
description: Learn how to deploy and manage Windows Defender Credential Guard using Group Policy, the registry, or hardware readiness tools.
ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
-audience: ITPro
author: dansimp
ms.author: v-tappelgate
manager: dansimp
@@ -53,19 +49,21 @@ You can use Group Policy to enable Windows Defender Credential Guard. This will
To enforce processing of the group policy, you can run `gpupdate /force`.
-### Enable Windows Defender Credential Guard by using Intune
+### Enable Windows Defender Credential Guard by using Microsoft Endpoint Manager
-1. From **Home**, select **Microsoft Intune**.
+1. From **Microsoft Endpoint Manager admin center**, select **Devices**.
-1. Select **Device configuration**.
+1. Select **Configuration Profiles**.
-1. Select **Profiles** > **Create Profile** > **Endpoint protection** > **Windows Defender Credential Guard**.
+1. Select **Create Profile** > **Windows 10 and later** > **Settings catalog** > **Create**.
- > [!NOTE]
- > It will enable VBS and Secure Boot and you can do it with or without UEFI Lock. If you will need to disable Credential Guard remotely, enable it without UEFI lock.
+ 1. Configuration settings: In the settings picker select **Device Guard** as category and add the needed settings.
+
+> [!NOTE]
+> Enable VBS and Secure Boot and you can do it with or without UEFI Lock. If you will need to disable Credential Guard remotely, enable it without UEFI lock.
> [!TIP]
-> You can also configure Credential Guard by using an account protection profile in endpoint security. For more information, see [Account protection policy settings for endpoint security in Intune](/mem/intune/protect/endpoint-security-account-protection-profile-settings).
+> You can also configure Credential Guard by using an account protection profile in endpoint security. For more information, see [Account protection policy settings for endpoint security in Microsoft Endpoint Manager](/mem/intune/protect/endpoint-security-account-protection-profile-settings).
### Enable Windows Defender Credential Guard by using the registry
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md b/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md
index 170018c2c2..fba979bcbb 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md
@@ -2,11 +2,7 @@
title: Windows Defender Credential Guard protection limits & mitigations (Windows)
description: Scenarios not protected by Windows Defender Credential Guard in Windows, and additional mitigations you can use.
ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md b/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md
index 9cab64d757..1b47f91c82 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md
@@ -2,11 +2,7 @@
title: Windows Defender Credential Guard protection limits (Windows)
description: Some ways to store credentials are not protected by Windows Defender Credential Guard in Windows. Learn more with this guide.
ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
@@ -28,18 +24,18 @@ Some ways to store credentials are not protected by Windows Defender Credential
- Software that manages credentials outside of Windows feature protection
- Local accounts and Microsoft Accounts
-- Windows Defender Credential Guard does not protect the Active Directory database running on Windows Server 2016 domain controllers. It also does not protect credential input pipelines, such as Windows Server 2016 servers running Remote Desktop Gateway. If you're using a Windows Server 2016 server as a client PC, it will get the same protection as it would when running Windows 10 Enterprise.
+- Windows Defender Credential Guard doesn't protect the Active Directory database running on Windows Server 2016 domain controllers. It also doesn't protect credential input pipelines, such as Windows Server 2016 servers running Remote Desktop Gateway. If you're using a Windows Server 2016 server as a client PC, it will get the same protection as it would when running Windows 10 Enterprise.
- Key loggers
- Physical attacks
-- Does not prevent an attacker with malware on the PC from using the privileges associated with any credential. We recommend using dedicated PCs for high value accounts, such as IT Pros and users with access to high value assets in your organization.
+- Doesn't prevent an attacker with malware on the PC from using the privileges associated with any credential. We recommend using dedicated PCs for high value accounts, such as IT Pros and users with access to high value assets in your organization.
- Third-party security packages
- Digest and CredSSP credentials
- When Windows Defender Credential Guard is enabled, neither Digest nor CredSSP have access to users' logon credentials. This implies no Single Sign-On use for these protocols.
-- Supplied credentials for NTLM authentication are not protected. If a user is prompted for and enters credentials for NTLM authentication, these credentials are vulnerable to be read from LSASS memory. Note that these same credentials are vulnerable to key loggers as well.-
-- Kerberos service tickets are not protected by Credential Guard, but the Kerberos Ticket Granting Ticket (TGT) is.
-- When Windows Defender Credential Guard is deployed on a VM, Windows Defender Credential Guard protects secrets from attacks inside the VM. However, it does not provide additional protection from privileged system attacks originating from the host.
+- Supplied credentials for NTLM authentication aren't protected. If a user is prompted for and enters credentials for NTLM authentication, these credentials are vulnerable to be read from LSASS memory. These same credentials are vulnerable to key loggers as well.-
+- Kerberos service tickets aren't protected by Credential Guard, but the Kerberos Ticket Granting Ticket (TGT) is.
+- When Windows Defender Credential Guard is deployed on a VM, Windows Defender Credential Guard protects secrets from attacks inside the VM. However, it doesn't provide additional protection from privileged system attacks originating from the host.
- Windows logon cached password verifiers (commonly called "cached credentials")
-do not qualify as credentials because they cannot be presented to another computer for authentication, and can only be used locally to verify credentials. They are stored in the registry on the local computer and provide validation for credentials when a domain-joined computer cannot connect to AD DS during user logon. These “cached logons”, or more specifically, cached domain account information, can be managed using the security policy setting **Interactive logon: Number of previous logons to cache** if a domain controller is not available.
+don't qualify as credentials because they can't be presented to another computer for authentication, and can only be used locally to verify credentials. They're stored in the registry on the local computer and provide validation for credentials when a domain-joined computer can't connect to AD DS during user logon. These “cached logons”, or more specifically, cached domain account information, can be managed using the security policy setting **Interactive logon: Number of previous logons to cache** if a domain controller isn't available.
## See also
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
index 4762a25d8b..cd0217dffe 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
@@ -2,11 +2,7 @@
title: Windows Defender Credential Guard Requirements (Windows)
description: Windows Defender Credential Guard baseline hardware, firmware, and software requirements, and additional protections for improved security.
ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-scripts.md b/windows/security/identity-protection/credential-guard/credential-guard-scripts.md
index 709bc9de64..ac96f2cc37 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-scripts.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-scripts.md
@@ -2,11 +2,7 @@
title: Scripts for Certificate Issuance Policies in Windows Defender Credential Guard (Windows)
description: Obtain issuance policies from the certificate authority for Windows Defender Credential Guard on Windows.
ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
-audience: ITPro
author: dulcemontemayor
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/credential-guard/credential-guard.md b/windows/security/identity-protection/credential-guard/credential-guard.md
index 4153f5223b..1541b47dfd 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard.md
@@ -1,14 +1,9 @@
---
title: Protect derived domain credentials with Windows Defender Credential Guard (Windows)
description: Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
-ms.assetid: 4F1FE390-A166-4A24-8530-EA3369FEB4B1
ms.reviewer:
ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/credential-guard/dg-readiness-tool.md b/windows/security/identity-protection/credential-guard/dg-readiness-tool.md
index a3c6d35840..1128ef5604 100644
--- a/windows/security/identity-protection/credential-guard/dg-readiness-tool.md
+++ b/windows/security/identity-protection/credential-guard/dg-readiness-tool.md
@@ -2,11 +2,7 @@
title: Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool
description: Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool script
ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
-audience: ITPro
author: SteveSyfuhs
ms.author: stsyfuhs
manager: dansimp
diff --git a/windows/security/identity-protection/enterprise-certificate-pinning.md b/windows/security/identity-protection/enterprise-certificate-pinning.md
index b41236db4a..bba1605784 100644
--- a/windows/security/identity-protection/enterprise-certificate-pinning.md
+++ b/windows/security/identity-protection/enterprise-certificate-pinning.md
@@ -1,9 +1,6 @@
---
title: Enterprise Certificate Pinning
-ms.mktglfcycl: manage
-ms.sitesec: library
description: Enterprise certificate pinning is a Windows feature for remembering; or pinning a root issuing certificate authority, or end entity certificate to a given domain name.
-audience: ITPro
author: dulcemontemayor
ms.author: dansimp
manager: dansimp
@@ -11,7 +8,6 @@ ms.collection: M365-identity-device-management
ms.topic: article
ms.prod: m365-security
ms.technology: windows-sec
-ms.pagetype: security
ms.localizationpriority: medium
ms.date: 07/27/2017
ms.reviewer:
diff --git a/windows/security/identity-protection/hello-for-business/WebAuthnAPIs.md b/windows/security/identity-protection/hello-for-business/WebAuthnAPIs.md
index 9b8365686e..af4b0207cd 100644
--- a/windows/security/identity-protection/hello-for-business/WebAuthnAPIs.md
+++ b/windows/security/identity-protection/hello-for-business/WebAuthnAPIs.md
@@ -2,10 +2,6 @@
title: WebAuthn APIs
description: Learn how to use WebAuthn APIs to enable password-less authentication for your sites and apps.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
index bb8984236d..46c5ce15d2 100644
--- a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
+++ b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
@@ -1,12 +1,7 @@
---
title: Multi-factor Unlock
description: Learn how Windows 10 and Windows 11 offer multi-factor device unlock by extending Windows Hello with trusted signals.
-keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, multi, factor, multifactor, multi-factor
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md
index 9afeccfdbd..a22fdc4c4b 100644
--- a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md
+++ b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md
@@ -1,12 +1,7 @@
---
title: Azure Active Directory join cloud only deployment
description: Use this deployment guide to successfully use Azure Active Directory to join a Windows 10 or Windows 11 device.
-keywords: identity, Hello, Active Directory, cloud,
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
@@ -91,9 +86,9 @@ If there's a conflicting Device policy and User policy, the User policy would ta
## Related reference documents for Azure AD join scenarios
-- [Azure AD joined devices](/azure/active-directory/devices/concept-azure-ad-join)
+- [Azure AD-joined devices](/azure/active-directory/devices/concept-azure-ad-join)
- [Plan your Azure Active Directory device deployment](/azure/active-directory/devices/plan-device-deployment)
- [How to: Plan your Azure AD join implementation](/azure/active-directory/devices/azureadjoin-plan)
-- [How to manage the local administrators group on Azure AD joined devices](/azure/active-directory/devices/assign-local-admin)
+- [How to manage the local administrators group on Azure AD-joined devices](/azure/active-directory/devices/assign-local-admin)
- [Manage device identities using the Azure portal](/azure/active-directory/devices/device-management-azure-portal)
- [Azure AD Join Single Sign-on Deployment](hello-hybrid-aadj-sso.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md
index fae8060193..201f155223 100644
--- a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md
+++ b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md
@@ -1,12 +1,7 @@
---
title: Having enough Domain Controllers for Windows Hello for Business deployments
description: Guide for planning to have an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments
-keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, key-trust
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
@@ -48,7 +43,7 @@ The Windows Server 2016 or later domain controller is handling 100 percent of al
-Upgrading another domain controller to Windows Server 2016 or later distributes the public key trust authentication across two domain controllers - each supporting 50 percent of the load. But it doesn't change the distribution of password and certificate trust authentication. Both Windows Server 2019 domain controllers still share 10 percent of this load. Now look at the scenario when half of the domain controllers are upgraded to Windows Server 2016 or later, but the number of WHFB clients remains the same.
+Upgrading another domain controller to Windows Server 2016 or later distributes the public key trust authentication across two domain controllers - each supporting 50 percent of the load. But it doesn't change the distribution of password and certificate trust authentication. Both Windows Server 2019 domain controllers still share 10 percent of this load. Now look at the scenario when half of the domain controllers are upgraded to Windows Server 2016 or later, but the number of Windows Hello for Business clients remains the same.
diff --git a/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md b/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md
index ce4fee62d1..409d7ad594 100644
--- a/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md
+++ b/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md
@@ -1,13 +1,8 @@
---
title: Windows Hello and password changes (Windows)
description: When you change your password on a device, you may need to sign in with a password on other devices to reset Hello.
-ms.assetid: 83005FE4-8899-47A6-BEA9-C17CCA0B6B55
ms.reviewer:
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
index fb5244ee95..1b7fc74348 100644
--- a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
+++ b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md
@@ -1,13 +1,7 @@
---
title: Windows Hello biometrics in the enterprise (Windows)
description: Windows Hello uses biometrics to authenticate users and guard against potential spoofing, through fingerprint matching and facial recognition.
-ms.assetid: d3f27d94-2226-4547-86c0-65c84d6df8Bc
-keywords: Windows Hello, enterprise biometrics
ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
index c9023f3eab..7c1152e8bf 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
@@ -1,12 +1,7 @@
---
title: Prepare and Deploy Windows AD FS certificate trust (Windows Hello for Business)
description: Learn how to Prepare and Deploy Windows Server 2016 Active Directory Federation Services (AD FS) for Windows Hello for Business, using certificate trust.
-keywords: identity, PIN, biometric, Hello, passport
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
index 18e5489911..d1a9db8854 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
@@ -1,12 +1,7 @@
---
title: Configure Windows Hello for Business Policy settings - certificate trust
description: Configure Windows Hello for Business Policy settings for Windows Hello for Business. Certificate-based deployments need three group policy settings.
-keywords: identity, PIN, biometric, Hello, passport
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
index 53a69d9ca8..13a1157148 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
@@ -1,12 +1,7 @@
---
title: Update Active Directory schema for cert-trust deployment (Windows Hello for Business)
description: How to Validate Active Directory prerequisites for Windows Hello for Business when deploying with the certificate trust model.
-keywords: identity, PIN, biometric, Hello, passport
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md
index baa09b6712..865759bf10 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md
@@ -1,12 +1,7 @@
---
title: Validate and Deploy MFA for Windows Hello for Business with certificate trust
description: How to Validate and Deploy Multi-factor Authentication (MFA) Services for Windows Hello for Business with certificate trust
-keywords: identity, PIN, biometric, Hello, passport
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md
index 1972c3d210..d6356353aa 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md
@@ -1,12 +1,7 @@
---
title: Validate Public Key Infrastructure - certificate trust model (Windows Hello for Business)
description: How to Validate Public Key Infrastructure for Windows Hello for Business, under a certificate trust model.
-keywords: identity, PIN, biometric, Hello, passport
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md b/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md
index ca84dfc5d4..278560bbc5 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md
@@ -1,12 +1,7 @@
---
title: Windows Hello for Business Deployment Guide - On Premises Certificate Trust Deployment
description: A guide to on premises, certificate trust Windows Hello for Business deployment.
-keywords: identity, PIN, biometric, Hello, passport
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
index 1a167b69c6..afe7fdf157 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
@@ -1,12 +1,7 @@
---
title: Windows Hello for Business Deployment Overview
description: Use this deployment guide to successfully deploy Windows Hello for Business in an existing environment.
-keywords: identity, PIN, biometric, Hello, passport
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md
index b8c2e0c3b8..47d8b38c53 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md
@@ -1,13 +1,8 @@
---
title: Windows Hello for Business Deployment Known Issues
description: A Troubleshooting Guide for Known Windows Hello for Business Deployment Issues
-keywords: identity, PIN, biometric, Hello, passport
params: siblings_only
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
@@ -29,7 +24,7 @@ Applies to:
- Windows 10, version 1803 and later
- Windows 11
-PIN reset on Azure AD joined devices uses a flow called web sign-in to authenticate the user above lock. Web sign in only allows navigation to specific domains. If it attempts to navigate to a domain that is not allowed it will show a page with the error message "We can't open that page right now".
+PIN reset on Azure AD-joined devices uses a flow called web sign-in to authenticate the user above lock. Web sign in only allows navigation to specific domains. If it attempts to navigate to a domain that is not allowed it will show a page with the error message "We can't open that page right now".
### Identifying Azure AD joined PIN Reset Allowed Domains Issue
@@ -124,7 +119,7 @@ Domain controllers running early versions of Windows Server 2019 have an issue t
On the client, authentication with Windows Hello for Business will fail with the error message, *"That option is temporarily unavailable. For now, please use a different method to sign in."*
-This error is usually presented on hybrid Azure AD joined devices in key trust deployments after Windows Hello for Business has been provisioned but before a user's key has synced from Azure AD to AD. If a user's key has been synced from Azure AD and the msDS-keycredentiallink attribute on the user object in AD has been populated for NGC, then it is possible that this error case is occurring.
+This error is usually presented on hybrid Azure AD-joined devices in key trust deployments after Windows Hello for Business has been provisioned but before a user's key has synced from Azure AD to AD. If a user's key has been synced from Azure AD and the msDS-keycredentiallink attribute on the user object in AD has been populated for NGC, then it is possible that this error case is occurring.
The other indicator of this failure case can be identified using network traces. If network traces are captured for a key trust sign-in event, the traces will show kerberos failing with the error KDC_ERR_CLIENT_NAME_MISMATCH.
@@ -158,8 +153,8 @@ User:
-or-
Token was not found in the Authorization header.
-or-
Failed to read one or more objects.
-or-
The request sent to the server was invalid.
-or-
User does not have permissions to join to Azure AD. | Sign out and then sign in again. If that doesn't resolve the issue, unjoin the device from Azure AD and rejoin.
Allow user(s) to join to Azure AD under Azure AD Device settings.
| 0x801C03EE | Attestation failed. | Sign out and then sign in again. |
| 0x801C03EF | The AIK certificate is no longer valid. | Sign out and then sign in again. |
-| 0x801C03F2 | Windows Hello key registration failed. | ERROR\_BAD\_DIRECTORY\_REQUEST. Another object with the same value for property proxyAddresses already exists. To resolve the issue, refer to [Duplicate Attributes Prevent Dirsync](/office365/troubleshoot/administration/duplicate-attributes-prevent-dirsync). Also, if no sync conflict exists, please verify that the "Mail/Email address" in AAD and the Primary SMTP address are the same in the proxy address.
+| 0x801C03F2 | Windows Hello key registration failed. | ERROR\_BAD\_DIRECTORY\_REQUEST. Another object with the same value for property proxyAddresses already exists. To resolve the issue, refer to [Duplicate Attributes Prevent Dirsync](/office365/troubleshoot/administration/duplicate-attributes-prevent-dirsync). Also, if no sync conflict exists, please verify that the "Mail/Email address" in Azure Active Directory and the Primary SMTP address are the same in the proxy address.
| 0x801C044D | Authorization token does not contain device ID. | Unjoin the device from Azure AD and rejoin. |
| | Unable to obtain user token. | Sign out and then sign in again. Check network and credentials. |
| 0x801C044E | Failed to receive user credentials input. | Sign out and then sign in again. |
@@ -104,7 +98,7 @@ For errors listed in this table, contact Microsoft Support for assistance.
| 0x801C03F0 | There is no key registered for the user. |
| 0x801C03F1 | There is no UPN in the token. |
| 0x801C044C | There is no core window for the current thread. |
-| 0x801c004D | DSREG_NO_DEFAULT_ACCOUNT: NGC provisioning is unable to find the default WAM account to use to request AAD token for provisioning. Unable to enroll a device to use a PIN for login. |
+| 0x801c004D | DSREG_NO_DEFAULT_ACCOUNT: NGC provisioning is unable to find the default WAM account to use to request Azure Active Directory token for provisioning. Unable to enroll a device to use a PIN for login. |
## Related topics
diff --git a/windows/security/identity-protection/hello-for-business/hello-event-300.md b/windows/security/identity-protection/hello-for-business/hello-event-300.md
index c5e10be931..3e481d0f4d 100644
--- a/windows/security/identity-protection/hello-for-business/hello-event-300.md
+++ b/windows/security/identity-protection/hello-for-business/hello-event-300.md
@@ -1,14 +1,8 @@
---
title: Event ID 300 - Windows Hello successfully created (Windows)
description: This event is created when a Windows Hello for Business is successfully created and registered with Azure Active Directory (Azure AD).
-ms.assetid: 0DD59E75-1C5F-4CC6-BB0E-71C83884FF04
ms.reviewer:
-keywords: ngc
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml
index 8135aa6650..12d4f1203e 100644
--- a/windows/security/identity-protection/hello-for-business/hello-faq.yml
+++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml
@@ -29,7 +29,7 @@ sections:
- question: What is Windows Hello for Business cloud trust?
answer: |
- Windows Hello for Business cloud trust is a new trust model that is currently in preview. This trust model will enable Windows Hello for Business deployment using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). Cloud trust is the preferred deployment model if you do not need to support certificate authentication scenarios. For more information, see [Hybrid Cloud Trust Deployment (Preview)](/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust).
+ Windows Hello for Business cloud trust is a new trust model that is currently in preview. This trust model will enable Windows Hello for Business deployment using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD-joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). Cloud trust is the preferred deployment model if you do not need to support certificate authentication scenarios. For more information, see [Hybrid Cloud Trust Deployment (Preview)](/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust).
- question: What about virtual smart cards?
answer: |
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md b/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md
index ac9768add5..5dac00754e 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md
@@ -1,12 +1,7 @@
---
title: Conditional Access
description: Ensure that only approved users can access your devices, applications, and services from anywhere by enabling single sign-on with Azure Active Directory.
-keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, conditional access
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md b/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md
index 066da6e651..445df8f5a8 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md
@@ -1,12 +1,7 @@
---
title: Dual Enrollment
description: Learn how to configure Windows Hello for Business dual enrollment. Also, learn how to configure Active Directory to support Domain Administrator enrollment.
-keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, dual enrollment,
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md
index 7025fb4173..93301a4171 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md
@@ -1,12 +1,7 @@
---
title: Dynamic lock
description: Learn how to set Dynamic lock on Windows 10 and Windows 11 devices, by configuring group policies. This feature locks a device when a Bluetooth signal falls below a set value.
-keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, conditional access
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
index 3ab6494347..2ee149c236 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
@@ -1,12 +1,7 @@
---
title: Pin Reset
description: Learn how Microsoft PIN reset services enables you to help users recover who have forgotten their PIN.
-keywords: identity, PIN, Hello, passport, WHFB, hybrid, cert-trust, device, reset
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
@@ -39,7 +34,7 @@ There are two forms of PIN reset called destructive and non-destructive. Destruc
Destructive and non-destructive PIN reset use the same entry points for initiating a PIN reset. If a user has forgotten their PIN, but has an alternate logon method, they can navigate to Sign-in options in Settings and initiate a PIN reset from the PIN options. If they do not have an alternate way to sign into their device, PIN reset can also be initiated from above the lock screen in the PIN credential provider.
>[!IMPORTANT]
->For hybrid Azure AD joined devices, users must have corporate network connectivity to domain controllers to complete destructive PIN reset. If AD FS is being used for certificate trust or for on-premises only deployments, users must also have corporate network connectivity to federation services to reset their PIN.
+>For hybrid Azure AD-joined devices, users must have corporate network connectivity to domain controllers to complete destructive PIN reset. If AD FS is being used for certificate trust or for on-premises only deployments, users must also have corporate network connectivity to federation services to reset their PIN.
### Reset PIN from Settings
@@ -49,7 +44,7 @@ Destructive and non-destructive PIN reset use the same entry points for initiati
### Reset PIN above the Lock Screen
-For Azure AD joined devices:
+For Azure AD-joined devices:
1. If the PIN credential provider is not selected, expand the **Sign-in options** link, and select the PIN pad icon.
1. Click **I forgot my PIN** from the PIN credential provider.
@@ -57,7 +52,7 @@ For Azure AD joined devices:
1. Follow the instructions provided by the provisioning process.
1. When finished, unlock your desktop using your newly created PIN.
-For Hybrid Azure AD joined devices:
+For Hybrid Azure AD-joined devices:
1. If the PIN credential provider is not selected, expand the **Sign-in options** link, and select the PIN pad icon.
1. Click **I forgot my PIN** from the PIN credential provider.
@@ -66,7 +61,7 @@ For Hybrid Azure AD joined devices:
1. When finished, unlock your desktop using your newly created PIN.
> [!NOTE]
-> Key trust on hybrid Azure AD joined devices does not support destructive PIN reset from above the Lock Screen. This is due to the sync delay between when a user provisions their Windows Hello for Business credential and being able to use it for sign-in. For this deployment model, you must deploy non-destructive PIN reset for above lock PIN reset to work.
+> Key trust on hybrid Azure AD-joined devices does not support destructive PIN reset from above the Lock Screen. This is due to the sync delay between when a user provisions their Windows Hello for Business credential and being able to use it for sign-in. For this deployment model, you must deploy non-destructive PIN reset for above lock PIN reset to work.
You may find that PIN reset from settings only works post login, and that the "lock screen" PIN reset function will not work if you have any matching limitation of SSPR password reset from the lock screen. For more information, see [Enable Azure Active Directory self-service password reset at the Windows sign-in screen - General ](/azure/active-directory/authentication/howto-sspr-windows#general-limitations).
@@ -193,7 +188,7 @@ The PIN reset configuration for a user can be viewed by running [**dsregcmd /sta
- Windows 11
- Azure AD joined
-The [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-authentication#authentication-configurewebsigninallowedurls) policy allows you to specify a list of domains that are allowed to be navigated to during PIN reset flows on Azure AD joined devices. If you have a federated environment and authentication is handled using AD FS or a third-party identity provider, this policy should be set to ensure that authentication pages from that identity provider can be used during Azure AD joined PIN reset.
+The [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-authentication#authentication-configurewebsigninallowedurls) policy allows you to specify a list of domains that are allowed to be navigated to during PIN reset flows on Azure AD-joined devices. If you have a federated environment and authentication is handled using AD FS or a third-party identity provider, this policy should be set to ensure that authentication pages from that identity provider can be used during Azure AD joined PIN reset.
### Configuring Policy Using Intune
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md
index fc797a8b6e..b622e6277f 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md
@@ -1,12 +1,7 @@
---
title: Remote Desktop
description: Learn how Windows Hello for Business supports using biometrics with remote desktop
-keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, remote desktop, RDP
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
index 69d3ba639e..76b94b5ddb 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
@@ -2,10 +2,6 @@
title: How Windows Hello for Business works - Authentication
description: Learn about the authentication flow for Windows Hello for Business.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
@@ -24,7 +20,7 @@ ms.reviewer:
Windows Hello for Business authentication is passwordless, two-factor authentication. Authenticating with Windows Hello for Business provides a convenient sign-in experience that authenticates the user to both Azure Active Directory and Active Directory resources.
-Azure Active Directory joined devices authenticate to Azure during sign-in and can optionally authenticate to Active Directory. Hybrid Azure Active Directory joined devices authenticate to Active Directory during sign-in, and authenticate to Azure Active Directory in the background.
+Azure Active Directory-joined devices authenticate to Azure during sign-in and can optionally authenticate to Active Directory. Hybrid Azure Active Directory-joined devices authenticate to Active Directory during sign-in, and authenticate to Azure Active Directory in the background.
- [Azure AD join authentication to Azure Active Directory](#azure-ad-join-authentication-to-azure-active-directory)
- [Azure AD join authentication to Active Directory using Azure AD Kerberos (cloud trust preview)](#azure-ad-join-authentication-to-active-directory-using-azure-ad-kerberos-cloud-trust-preview)
@@ -39,7 +35,7 @@ Azure Active Directory joined devices authenticate to Azure during sign-in and c
> [!NOTE]
-> All Azure AD joined devices authenticate with Windows Hello for Business to Azure AD the same way. The Windows Hello for Business trust type only impacts how the device authenticates to on-premises AD.
+> All Azure AD-joined devices authenticate with Windows Hello for Business to Azure AD the same way. The Windows Hello for Business trust type only impacts how the device authenticates to on-premises AD.
| Phase | Description |
| :----: | :----------- |
@@ -51,7 +47,7 @@ Azure Active Directory joined devices authenticate to Azure during sign-in and c
## Azure AD join authentication to Active Directory using Azure AD Kerberos (cloud trust preview)
-
+
| Phase | Description |
| :----: | :----------- |
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
index 91e6db25cf..c81ed991e1 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
@@ -2,10 +2,6 @@
title: How Windows Hello for Business works - Provisioning
description: Explore the provisioning flows for Windows Hello for Business, from within a variety of environments.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
@@ -80,7 +76,7 @@ List of provisioning flows:
| C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates the MFA claim remains current. On successful validation, Azure DRS locates the user's object in Azure Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Azure Active Directory returns a key ID to the application which signals the end of user provisioning and the application exits. |
> [!NOTE]
-> Windows Hello for Business Cloud Trust does not require users' keys to be synced from Azure AD to AD. Users can immediately authenticate to AAD and AD after provisioning their credential.
+> Windows Hello for Business Cloud Trust does not require users' keys to be synced from Azure AD to AD. Users can immediately authenticate to Azure Active Directory and AD after provisioning their credential.
[Return to top](#windows-hello-for-business-provisioning)
@@ -94,7 +90,7 @@ List of provisioning flows:
| A | The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Azure Device Registration Service (ADRS). The application makes the request using the Azure Active Directory Web Account Manager plug-in.
Users must provide two factors of authentication. In this phase, the user has already provided one factor of authentication, typically user name and password. The Azure MFA service provides the second factor of authentication. If the user has performed Azure MFA within the last 10 minutes, such as when registering the device from the out-of-box-experience (OOBE), then they are not prompted for MFA because the current MFA remains valid.
Azure Active Directory validates the access token request and the MFA claim associated with it, creates an ADRS access token, and returns it to the application. |
| B | After receiving an ADRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pre-generation pool, which includes attestation data. This is the user key (ukpub/ukpriv). |
| C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates the MFA claim remains current. On successful validation, Azure DRS locates the user's object in Azure Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Azure Active Directory returns a key ID to the application which signals the end of user provisioning and the application exits. |
-| D | Azure AD Connect requests updates on its next synchronization cycle. Azure Active Directory sends the user's public key that was securely registered through provisioning. AAD Connect receives the public key and writes it to user's msDS-KeyCredentialLink attribute in Active Directory. |
+| D | Azure AD Connect requests updates on its next synchronization cycle. Azure Active Directory sends the user's public key that was securely registered through provisioning. Azure Active Directory Connect receives the public key and writes it to user's msDS-KeyCredentialLink attribute in Active Directory. |
> [!IMPORTANT]
> The newly provisioned user will not be able to sign in using Windows Hello for Business until Azure AD Connect successfully synchronizes the public key to the on-premises Active Directory.
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
index 86edd45c86..bd667aac11 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
@@ -2,10 +2,6 @@
title: How Windows Hello for Business works - Technology and Terms
description: Explore technology and terms associated with Windows Hello for Business. Learn how Windows Hello for Business works.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
@@ -166,7 +162,7 @@ For more than a decade, many organizations have used the domain join to their on
- Users to sign in to their devices with their Active Directory work or school accounts.
Typically, organizations with an on-premises footprint rely on imaging methods to provision devices, and they often use or group policy (GP) to manage them.
-If your environment has an on-premises AD footprint and you also want benefit from the capabilities provided by Azure Active Directory, you can implement hybrid Azure AD joined devices. These are devices that are both, joined to your on-premises Active Directory and your Azure Active Directory.
+If your environment has an on-premises AD footprint and you also want benefit from the capabilities provided by Azure Active Directory, you can implement hybrid Azure AD-joined devices. These are devices that are both, joined to your on-premises Active Directory and your Azure Active Directory.
### Related topics
[Azure AD Joined](#azure-ad-joined), [Azure AD Registered](#azure-ad-registered), [Hybrid Deployment](#hybrid-deployment)
@@ -252,7 +248,7 @@ The simplest way to enable authentication for on-premises directory objects in A
## Primary Refresh Token
SSO relies on special tokens obtained for each of the types of applications above. These are in turn used to obtain access tokens to specific applications. In the traditional Windows Integrated authentication case using Kerberos, this token is a Kerberos TGT (ticket-granting ticket). For Azure AD and AD FS applications we call this a Primary Refresh Token (PRT). This is a [JSON Web Token](http://openid.net/specs/draft-jones-json-web-token-07.html) containing claims about both the user and the device.
-The PRT is initially obtained during Windows Logon (user sign-in/unlock) in a similar way the Kerberos TGT is obtained. This is true for both Azure AD joined and hybrid Azure AD joined devices. In personal devices registered with Azure AD, the PRT is initially obtained upon Add Work or School Account (in a personal device the account to unlock the device is not the work account but a consumer account e.g. hotmail.com, live.com, outlook.com, etc.).
+The PRT is initially obtained during Windows Logon (user sign-in/unlock) in a similar way the Kerberos TGT is obtained. This is true for both Azure AD joined and hybrid Azure AD-joined devices. In personal devices registered with Azure AD, the PRT is initially obtained upon Add Work or School Account (in a personal device the account to unlock the device is not the work account but a consumer account e.g. hotmail.com, live.com, outlook.com, etc.).
The PRT is needed for SSO. Without it, the user will be prompted for credentials when accessing applications every time. Please also note that the PRT contains information about the device. This means that if you have any [device-based conditional access](/azure/active-directory/active-directory-conditional-access-policy-connected-applications) policy set on an application, without the PRT, access will be denied.
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
index 0b25b65df8..768b3a0e02 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
@@ -2,10 +2,6 @@
title: How Windows Hello for Business works
description: Learn how Windows Hello for Business works, and how it can help your users authenticate to services.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
@@ -22,7 +18,7 @@ ms.reviewer:
- Windows 10
- Windows 11
-Windows Hello for Business is a modern, two-factor credential that is the more secure alternative to passwords. Whether you are cloud or on-premises, Windows Hello for Business has a deployment option for you. For cloud deployments, you can use Windows Hello for Business with Azure Active Directory joined, Hybrid Azure Active Directory joined, or Azure Active Directory registered devices. Windows Hello for Business also works for domain joined devices.
+Windows Hello for Business is a modern, two-factor credential that is the more secure alternative to passwords. Whether you are cloud or on-premises, Windows Hello for Business has a deployment option for you. For cloud deployments, you can use Windows Hello for Business with Azure Active Directory-joined, Hybrid Azure Active Directory-joined, or Azure AD registered devices. Windows Hello for Business also works for domain joined devices.
Watch this quick video where Pieter Wigleven gives a simple explanation of how Windows Hello for Business works and some of its supporting features.
> [!VIDEO https://www.youtube.com/embed/G-GJuDWbBE8]
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
index 9496bd8da6..51f303b2ba 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
@@ -1,12 +1,7 @@
---
-title: Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business
+title: Configure Azure AD-joined devices for On-premises Single-Sign On using Windows Hello for Business
description: Before adding Azure Active Directory (Azure AD) joined devices to your existing hybrid deployment, you need to verify the existing deployment can support them.
-keywords: identity, PIN, biometric, Hello, passport, AADJ, SSO,
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
@@ -17,19 +12,19 @@ ms.topic: article
localizationpriority: medium
ms.date: 01/14/2021
---
-# Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business
+# Configure Azure AD-joined devices for On-premises Single-Sign On using Windows Hello for Business
**Applies to**
- Windows 10
- Windows 11
-- Azure Active Directory joined
+- Azure Active Directory-joined
- Hybrid Deployment
- Key trust model
## Prerequisites
-Before adding Azure Active Directory (Azure AD) joined devices to your existing hybrid deployment, you need to verify the existing deployment can support Azure AD joined devices. Unlike hybrid Azure AD joined devices, Azure AD joined devices do not have a relationship with your Active Directory domain. This factor changes the way in which users authenticate to Active Directory. Validate the following configurations to ensure they support Azure AD joined devices.
+Before adding Azure Active Directory (Azure AD) joined devices to your existing hybrid deployment, you need to verify the existing deployment can support Azure AD-joined devices. Unlike hybrid Azure AD-joined devices, Azure AD-joined devices do not have a relationship with your Active Directory domain. This factor changes the way in which users authenticate to Active Directory. Validate the following configurations to ensure they support Azure AD-joined devices.
- Azure Active Directory Connect synchronization
- Device Registration
@@ -56,9 +51,9 @@ Certificates issued by a certificate authority can be revoked. When a certifica
-The preceding domain controller certificate shows a CRL distribution path (CDP) using Active Directory. You can determine this because the value in the URL begins with **ldap**. Using Active Directory for domain joined devices provides a highly available CRL distribution point. However, Azure Active Directory joined devices and users on Azure Active Directory joined devices cannot read data from Active Directory, and certificate validation does not provide an opportunity to authenticate prior to reading the certificate revocation list. This becomes a circular problem as the user is attempting to authenticate, but must read Active Directory to complete the authentication, but the user cannot read Active Directory because they have not authenticated.
+The preceding domain controller certificate shows a CRL distribution path (CDP) using Active Directory. You can determine this because the value in the URL begins with **ldap**. Using Active Directory for domain joined devices provides a highly available CRL distribution point. However, Azure Active Directory-joined devices and users on Azure Active Directory-joined devices cannot read data from Active Directory, and certificate validation does not provide an opportunity to authenticate prior to reading the certificate revocation list. This becomes a circular problem as the user is attempting to authenticate, but must read Active Directory to complete the authentication, but the user cannot read Active Directory because they have not authenticated.
-To resolve this issue, the CRL distribution point must be a location that is accessible by Azure Active Directory joined devices that does not require authentication. The easiest solution is to publish the CRL distribution point on a web server that uses HTTP (not HTTPS).
+To resolve this issue, the CRL distribution point must be a location that is accessible by Azure Active Directory-joined devices that does not require authentication. The easiest solution is to publish the CRL distribution point on a web server that uses HTTP (not HTTPS).
If your CRL distribution point does not list an HTTP distribution point, then you need to reconfigure the issuing certificate authority to include an HTTP CRL distribution point, preferably first in the list of distribution points.
@@ -73,7 +68,7 @@ If you are interested in configuring your environment to use the Windows Hello f
### Domain Controller Certificates
-Certificate authorities write CRL distribution points in certificates as they are issued. If the distribution point changes, then previously issued certificates must be reissued for the certificate authority to include the new CRL distribution point. The domain controller certificate is one the critical components of Azure AD joined devices authenticating to Active Directory
+Certificate authorities write CRL distribution points in certificates as they are issued. If the distribution point changes, then previously issued certificates must be reissued for the certificate authority to include the new CRL distribution point. The domain controller certificate is one the critical components of Azure AD-joined devices authenticating to Active Directory
#### Why does Windows need to validate the domain controller certificate?
@@ -87,7 +82,7 @@ Windows Hello for Business enforces the strict KDC validation security feature w
- The domain controller's certificate's signature hash algorithm is **sha256**.
- The domain controller's certificate's public key is **RSA (2048 Bits)**.
-Authenticating from a Hybrid Azure AD joined device to a domain using Windows Hello for Business does not enforce that the domain controller certificate includes the **KDC Authentication** EKU. If you are adding Azure AD joined devices to an existing domain environment, make sure to verify that your domain controller certificate has been updated to include the **KDC Authentication** EKU. If you need to update your domain controller certificate to include the **KDC Authentication** EKU, follow the instructions in [Configure Hybrid Windows Hello for Business: Public Key Infrastructure](hello-hybrid-key-whfb-settings-pki.md)
+Authenticating from a Hybrid Azure AD joined device to a domain using Windows Hello for Business does not enforce that the domain controller certificate includes the **KDC Authentication** EKU. If you are adding Azure AD-joined devices to an existing domain environment, make sure to verify that your domain controller certificate has been updated to include the **KDC Authentication** EKU. If you need to update your domain controller certificate to include the **KDC Authentication** EKU, follow the instructions in [Configure Hybrid Windows Hello for Business: Public Key Infrastructure](hello-hybrid-key-whfb-settings-pki.md)
> [!Tip]
> If you are using Windows Server 2008, **Kerberos Authentication** is not the default template, so make sure to use the correct template when issuing or re-issuing the certificate.
@@ -107,7 +102,7 @@ Steps you will perform include:
### Configure Internet Information Services to host CRL distribution point
-You need to host your new certificate revocation list of a web server so Azure AD joined devices can easily validate certificates without authentication. You can host these files on web servers many ways. The following steps is just one and may be useful for those unfamiliar with adding a new CRL distribution point.
+You need to host your new certificate revocation list of a web server so Azure AD-joined devices can easily validate certificates without authentication. You can host these files on web servers many ways. The following steps is just one and may be useful for those unfamiliar with adding a new CRL distribution point.
> [!IMPORTANT]
> Do not configure the IIS server hosting your CRL distribution point to use https or a server authentication certificate. Clients should access the distribution point using http.
@@ -265,7 +260,7 @@ With the CA properly configured with a valid HTTP-based CRL distribution point,
## Configure and Assign a Trusted Certificate Device Configuration Profile
-Your domain controllers have new certificate that include the new CRL distribution point. Next, you need your enterprise root certificate so you can deploy it to Azure AD joined devices. Deploying the enterprise root certificates to the device, ensures the device trusts any certificates issued by the certificate authority. Without the certificate, Azure AD joined devices do not trust domain controller certificates and authentication fails.
+Your domain controllers have new certificate that include the new CRL distribution point. Next, you need your enterprise root certificate so you can deploy it to Azure AD-joined devices. Deploying the enterprise root certificates to the device, ensures the device trusts any certificates issued by the certificate authority. Without the certificate, Azure AD-joined devices do not trust domain controller certificates and authentication fails.
Steps you will perform include:
- [Export Enterprise Root certificate](#export-enterprise-root-certificate)
@@ -288,7 +283,7 @@ Steps you will perform include:
### Create and Assign a Trust Certificate Device Configuration Profile
-A **Trusted Certificate** device configuration profile is how you deploy trusted certificates to Azure AD joined devices.
+A **Trusted Certificate** device configuration profile is how you deploy trusted certificates to Azure AD-joined devices.
1. Sign-in to the [Microsoft Azure Portal](https://portal.azure.com) and select **Microsoft Intune**.
2. Click **Device configuration**. In the **Device Configuration** blade, click **Create profile**.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
index ebad63fce7..65b35c88d1 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
@@ -1,12 +1,7 @@
---
title: Using Certificates for AADJ On-premises Single-sign On single sign-on
-description: If you want to use certificates for on-premises single-sign on for Azure Active Directory joined devices, then follow these additional steps.
-keywords: identity, PIN, biometric, Hello, passport, AADJ, SSO,
+description: If you want to use certificates for on-premises single-sign on for Azure Active Directory-joined devices, then follow these additional steps.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
@@ -23,14 +18,14 @@ ms.reviewer:
- Windows 10
- Windows 11
-- Azure Active Directory joined
+- Azure Active Directory-joined
- Hybrid Deployment
- Certificate trust
-If you plan to use certificates for on-premises single-sign on, then follow these **additional** steps to configure the environment to enroll Windows Hello for Business certificates for Azure AD joined devices.
+If you plan to use certificates for on-premises single-sign on, then follow these **additional** steps to configure the environment to enroll Windows Hello for Business certificates for Azure AD-joined devices.
> [!IMPORTANT]
-> Ensure you have performed the configurations in [Azure AD joined devices for On-premises Single-Sign On](hello-hybrid-aadj-sso-base.md) before you continue.
+> Ensure you have performed the configurations in [Azure AD-joined devices for On-premises Single-Sign On](hello-hybrid-aadj-sso-base.md) before you continue.
Steps you will perform include:
@@ -44,7 +39,7 @@ Steps you will perform include:
## Requirements
-You need to install and configure additional infrastructure to provide Azure AD joined devices with on-premises single-sign on.
+You need to install and configure additional infrastructure to provide Azure AD-joined devices with on-premises single-sign on.
- An existing Windows Server 2012 R2 or later Enterprise Certificate Authority
- A Windows Server 2012 R2 domain joined server that hosts the Network Device Enrollment Services role
@@ -75,7 +70,7 @@ Most environments change the user principal name suffix to match the organizatio
To include the on-premises distinguished name in the certificate's subject, Azure AD Connect must replicate the Active Directory **distinguishedName** attribute to the Azure Active Directory **onPremisesDistinguishedName** attribute. Azure AD Connect version 1.1.819 includes the proper synchronization rules needed for these attributes.
-### Verify AAD Connect version
+### Verify Azure Active Directory Connect version
Sign-in to computer running Azure AD Connect with access equivalent to _local administrator_.
@@ -471,13 +466,13 @@ Sign-in a domain controller with a minimum access equivalent to _Domain Admins_.
5. Click **Add**.
-6. Click **Users or Computers...** Type the name of the _NDES Server_ you use to issue Windows Hello for Business authentication certificates to Azure AD joined devices. From the **Available services** list, select **HOST**. Click **OK**.
+6. Click **Users or Computers...** Type the name of the _NDES Server_ you use to issue Windows Hello for Business authentication certificates to Azure AD-joined devices. From the **Available services** list, select **HOST**. Click **OK**.
7. Repeat steps 5 and 6 for each NDES server using this service account. Click **Add**.
-8. Click **Users or computers...** Type the name of the issuing certificate authority this NDES service account uses to issue Windows Hello for Business authentication certificates to Azure AD joined devices. From the **Available services** list, select **dcom**. Hold the **CTRL** key and select **HOST**. Click **OK**.
+8. Click **Users or computers...** Type the name of the issuing certificate authority this NDES service account uses to issue Windows Hello for Business authentication certificates to Azure AD-joined devices. From the **Available services** list, select **dcom**. Hold the **CTRL** key and select **HOST**. Click **OK**.
9. Repeat steps 8 and 9 for each issuing certificate authority from which one or more NDES servers request certificates.
@@ -550,7 +545,7 @@ Sign-in to the NDES Server with _local administrator_ equivalent credentials.
1. Open an elevated command prompt.
-2. Using the table above, decide which registry value name you will use to request Windows Hello for Business authentication certificates for Azure AD joined devices.
+2. Using the table above, decide which registry value name you will use to request Windows Hello for Business authentication certificates for Azure AD-joined devices.
3. Type the following command:
@@ -558,7 +553,7 @@ Sign-in to the NDES Server with _local administrator_ equivalent credentials.
reg add HKLM\Software\Microsoft\Cryptography\MSCEP /v [registryValueName] /t REG_SZ /d [certificateTemplateName]
```
- where **registryValueName** is one of the three value names from the above table and where **certificateTemplateName** is the name of the certificate template you created for Windows Hello for Business Azure AD joined devices. Example:
+ where **registryValueName** is one of the three value names from the above table and where **certificateTemplateName** is the name of the certificate template you created for Windows Hello for Business Azure AD-joined devices. Example:
```console
reg add HKLM\Software\Microsoft\Cryptography\MSCEP /v SignatureTemplate /t REG_SZ /d AADJWHFBAuthentication
@@ -573,7 +568,7 @@ Sign-in to the NDES Server with _local administrator_ equivalent credentials.
### Create a Web Application Proxy for the internal NDES URL.
-Certificate enrollment for Azure AD joined devices occurs over the Internet. As a result, the internal NDES URLs must be accessible externally. You can do this easily and securely using Azure Active Directory Application Proxy. Azure AD Application Proxy provides single sign-on and secure remote access for web applications hosted on-premises, such as Network Device Enrollment Services.
+Certificate enrollment for Azure AD-joined devices occurs over the Internet. As a result, the internal NDES URLs must be accessible externally. You can do this easily and securely using Azure Active Directory Application Proxy. Azure AD Application Proxy provides single sign-on and secure remote access for web applications hosted on-premises, such as Network Device Enrollment Services.
Ideally, you configure your Microsoft Intune SCEP certificate profile to use multiple external NDES URLs. This enables Microsoft Intune to round-robin load balance the certificate requests to identically configured NDES Servers (each NDES server can accommodate approximately 300 concurrent requests). Microsoft Intune sends these requests to Azure AD Application Proxies.
@@ -697,7 +692,7 @@ Sign-in the NDES server with access equivalent to _local administrators_.
10. Click **Enroll**
-11. Repeat these steps for all NDES Servers used to request Windows Hello for Business authentication certificates for Azure AD joined devices.
+11. Repeat these steps for all NDES Servers used to request Windows Hello for Business authentication certificates for Azure AD-joined devices.
### Configure the Web Server Role
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
index ddff708e26..1acba0f5b3 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
@@ -1,12 +1,7 @@
---
title: Azure AD Join Single Sign-on Deployment
-description: Learn how to provide single sign-on to your on-premises resources for Azure Active Directory joined devices, using Windows Hello for Business.
-keywords: identity, PIN, biometric, Hello, passport, AADJ, SSO,
+description: Learn how to provide single sign-on to your on-premises resources for Azure Active Directory-joined devices, using Windows Hello for Business.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
@@ -22,10 +17,10 @@ ms.reviewer:
- Windows 10
- Windows 11
-- Azure Active Directory joined
+- Azure Active Directory-joined
- Hybrid deployment
-Windows Hello for Business combined with Azure Active Directory joined devices makes it easy for users to securely access cloud-based resources using a strong, two-factor credential. Some resources may remain on-premises as enterprises transition resources to the cloud and Azure AD joined devices may need to access these resources. With additional configurations to your current hybrid deployment, you can provide single sign-on to your on-premises resources for Azure Active Directory joined devices using Windows Hello for Business, using a key or a certificate.
+Windows Hello for Business combined with Azure Active Directory-joined devices makes it easy for users to securely access cloud-based resources using a strong, two-factor credential. Some resources may remain on-premises as enterprises transition resources to the cloud and Azure AD-joined devices may need to access these resources. With additional configurations to your current hybrid deployment, you can provide single sign-on to your on-premises resources for Azure Active Directory-joined devices using Windows Hello for Business, using a key or a certificate.
## Key vs. Certificate
@@ -33,10 +28,10 @@ Enterprises can use either a key or a certificate to provide single-sign on for
When using a key, the on-premises environment needs an adequate distribution of Windows Server 2016 domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. Read the [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more.
-When using a certificate, the on-premises environment can use Windows Server 2008 R2 and later domain controllers, which removes the Windows Server 2016 domain controller requirement. However, single-sign on using a certificate requires additional infrastructure to issue a certificate when the user enrolls for Windows Hello for Business. Azure AD joined devices enroll certificates using Microsoft Intune or a compatible Mobile Device Management (MDM). Microsoft Intune and Windows Hello for Business use the Network Device Enrollment Services (NDES) role and support Microsoft Intune connector.
+When using a certificate, the on-premises environment can use Windows Server 2008 R2 and later domain controllers, which removes the Windows Server 2016 domain controller requirement. However, single-sign on using a certificate requires additional infrastructure to issue a certificate when the user enrolls for Windows Hello for Business. Azure AD-joined devices enroll certificates using Microsoft Intune or a compatible Mobile Device Management (MDM). Microsoft Intune and Windows Hello for Business use the Network Device Enrollment Services (NDES) role and support Microsoft Intune connector.
-To deploy single sign-on for Azure AD joined devices using keys, read and follow [Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business](hello-hybrid-aadj-sso-base.md).
-To deploy single sign-on for Azure AD joined devices using certificates, read and follow [Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business](hello-hybrid-aadj-sso-base.md) and then [Using Certificates for AADJ On-premises Single-sign On](hello-hybrid-aadj-sso-cert.md).
+To deploy single sign-on for Azure AD-joined devices using keys, read and follow [Configure Azure AD-joined devices for On-premises Single-Sign On using Windows Hello for Business](hello-hybrid-aadj-sso-base.md).
+To deploy single sign-on for Azure AD-joined devices using certificates, read and follow [Configure Azure AD-joined devices for On-premises Single-Sign On using Windows Hello for Business](hello-hybrid-aadj-sso-base.md) and then [Using Certificates for Azure Active Directory-joined On-premises Single-sign On](hello-hybrid-aadj-sso-cert.md).
## Related topics
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md
index 6de21388aa..546fe98a8e 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md
@@ -1,12 +1,7 @@
---
title: Hybrid Azure AD joined Windows Hello for Business Trust New Installation (Windows Hello for Business)
description: Learn about new installations for Windows Hello for Business certificate trust and the various technologies hybrid certificate trust deployments rely on.
-keywords: identity, PIN, biometric, Hello, passport, WHFB
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
index e1fac8d907..2d15af954c 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
@@ -1,12 +1,7 @@
---
title: Configure Device Registration for Hybrid Azure AD joined Windows Hello for Business
description: Azure Device Registration for Hybrid Certificate Trust Deployment (Windows Hello for Business)
-keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
@@ -43,8 +38,8 @@ Use this three-phased approach for configuring device registration.
> Before proceeding, you should familiarize yourself with device registration concepts such as:
>
> - Azure AD registered devices
-> - Azure AD joined devices
-> - Hybrid Azure AD joined devices
+> - Azure AD-joined devices
+> - Hybrid Azure AD-joined devices
>
> You can learn about this and more by reading [Introduction to Device Management in Azure Active Directory.](/azure/active-directory/device-management-introduction)
@@ -55,7 +50,7 @@ Use this three-phased approach for configuring device registration.
To support hybrid Windows Hello for Business, configure hybrid Azure AD join.
-Follow the guidance on [How to configure hybrid Azure Active Directory joined devices](/azure/active-directory/devices/hybrid-azuread-join-plan) page. In the **Select your scenario based on your identity infrastructure** section, identify your configuration (either **Managed environment** or **Federated environment**) and perform only the steps applicable to your environment.
+Follow the guidance on [How to configure hybrid Azure Active Directory-joined devices](/azure/active-directory/devices/hybrid-azuread-join-plan) page. In the **Select your scenario based on your identity infrastructure** section, identify your configuration (either **Managed environment** or **Federated environment**) and perform only the steps applicable to your environment.
If the user principal name (UPN) in your on-premises Active Directory is different from the UPN in Azure AD, you also need to complete the following steps:
@@ -69,11 +64,11 @@ You can learn more about this scenario by reading [Review on-premises UPN suppor
## Configure Active Directory to support Azure device synchronization
-Azure Active Directory is now configured for device registration. Next, you need to configure the on-premises Active Directory to support synchronizing hybrid Azure AD joined devices. Begin with upgrading the Active Directory Schema
+Azure Active Directory is now configured for device registration. Next, you need to configure the on-premises Active Directory to support synchronizing hybrid Azure AD-joined devices. Begin with upgrading the Active Directory Schema
### Upgrading Active Directory to the Windows Server 2016 or later Schema
-To use Windows Hello for Business with Hybrid Azure AD joined devices, you must first upgrade your Active Directory schema to Windows Server 2016 or later.
+To use Windows Hello for Business with Hybrid Azure AD-joined devices, you must first upgrade your Active Directory schema to Windows Server 2016 or later.
> [!IMPORTANT]
> If you already have a Windows Server 2016 or later domain controller in your forest, you can skip **Upgrading Active Directory to the Windows Server 2016 or later Schema** (this section).
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
index 6432ef517b..edba57fd05 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
@@ -1,12 +1,7 @@
---
title: Hybrid Azure AD joined Windows Hello for Business Prerequisites
description: Learn these prerequisites for hybrid Windows Hello for Business deployments using certificate trust.
-keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, certificate-trust
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md
index bec180c498..f9c3cf3feb 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md
@@ -1,12 +1,7 @@
---
title: Hybrid Certificate Trust Deployment (Windows Hello for Business)
description: Learn the information you need to successfully deploy Windows Hello for Business in a hybrid certificate trust scenario.
-keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
index 04926dd580..f6e69dad32 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
@@ -1,12 +1,7 @@
---
title: Hybrid Azure AD joined Windows Hello for Business Certificate Trust Provisioning (Windows Hello for Business)
description: In this article, learn about provisioning for hybrid certificate trust deployments of Windows Hello for Business.
-keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, certificate-trust
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
@@ -31,7 +26,7 @@ The Windows Hello for Business provisioning begins immediately after the user ha
-The first thing to validate is the computer has processed device registration. You can view this from the User device registration logs where the check **Device is AAD joined (AADJ or DJ++): Yes** appears. Additionally, you can validate this using the **dsregcmd /status** command from a console prompt where the value for **AzureADJoined** reads **Yes**.
+The first thing to validate is the computer has processed device registration. You can view this from the User device registration logs where the check **Device is Azure Active Directory-joined (AADJ or DJ++): Yes** appears. Additionally, you can validate this using the **dsregcmd /status** command from a console prompt where the value for **AzureADJoined** reads **Yes**.
Windows Hello for Business provisioning begins with a full screen page with the title **Setup a PIN** and button with the same name. The user clicks **Setup a PIN**.
@@ -52,7 +47,7 @@ The provisioning flow has all the information it needs to complete the Windows H
- A fresh, successful multi-factor authentication
- A validated PIN that meets the PIN complexity requirements
-The remainder of the provisioning includes Windows Hello for Business requesting an asymmetric key pair for the user, preferably from the TPM (or required if explicitly set through policy). Once the key pair is acquired, Windows communicates with Azure Active Directory to register the public key. AAD Connect synchronizes the user's key to the on-premises Active Directory.
+The remainder of the provisioning includes Windows Hello for Business requesting an asymmetric key pair for the user, preferably from the TPM (or required if explicitly set through policy). Once the key pair is acquired, Windows communicates with Azure Active Directory to register the public key. Azure Active Directory Connect synchronizes the user's key to the on-premises Active Directory.
> [!IMPORTANT]
> The following is the enrollment behavior prior to Windows Server 2016 update [KB4088889 (14393.2155)](https://support.microsoft.com/help/4088889).
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md
index 94462ebe1d..f8b0c788c1 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md
@@ -1,12 +1,7 @@
---
title: Configure Hybrid Azure AD joined Windows Hello for Business - Active Directory (AD)
description: Discussing the configuration of Active Directory (AD) in a Hybrid deployment of Windows Hello for Business
-keywords: identity, PIN, biometric, Hello, passport, WHFB, ad
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
index 93dcb39b92..ed13229f6a 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
@@ -1,12 +1,7 @@
---
title: Configuring Hybrid Azure AD joined Windows Hello for Business - Active Directory Federation Services (ADFS)
description: Discussing the configuration of Active Directory Federation Services (ADFS) in a Hybrid deployment of Windows Hello for Business
-keywords: identity, PIN, biometric, Hello, passport, WHFB, adfs
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md
index 7ef3176f22..3dea044165 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md
@@ -1,12 +1,7 @@
---
title: Configure Hybrid Azure AD joined Windows Hello for Business Directory Synch
description: Discussing Directory Synchronization in a Hybrid deployment of Windows Hello for Business
-keywords: identity, PIN, biometric, Hello, passport, WHFB, dirsync, connect
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
index bc3b32a38e..0a7da03055 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
@@ -1,12 +1,7 @@
---
title: Configuring Hybrid Azure AD joined Windows Hello for Business - Public Key Infrastructure (PKI)
description: Discussing the configuration of the Public Key Infrastructure (PKI) in a Hybrid deployment of Windows Hello for Business
-keywords: identity, PIN, biometric, Hello, passport, WHFB, PKI
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
@@ -38,7 +33,7 @@ This section has you configure certificate templates on your Windows Server 2012
Clients need to trust domain controllers and the best way to do this is to ensure each domain controller has a Kerberos Authentication certificate. Installing a certificate on the domain controller enables the Key Distribution Center (KDC) to prove its identity to other members of the domain. This provides clients a root of trust external to the domain - namely the enterprise certificate authority.
-Domain controllers automatically request a domain controller certificate (if published) when they discover an enterprise certificate authority is added to Active Directory. However, certificates based on the *Domain Controller* and *Domain Controller Authentication* certificate templates do not include the **KDC Authentication** object identifier (OID), which was later added to the Kerberos RFC. Inclusion of the **KDC Authentication** OID in domain controller certificate is not required for key trust authentication from Hybrid Azure AD joined devices. The OID is required for enabling authentication with Windows Hello for Business to on-premises resources by Azure AD joined devices. The steps below to *Create a Domain Controller Authentication (Kerberos) Certificate Template* and *Configure Certificate Superseding for the Domain Controller Authentication (Kerberos) Certificate Template* to include the **KDC Authentication** OID in the domain controller certificate may be skipped if you only have Hybrid Azure AD Joined devices in your environment, but we recommend completing these steps if you are considering adding Azure AD joined devices to your environment in the future.
+Domain controllers automatically request a domain controller certificate (if published) when they discover an enterprise certificate authority is added to Active Directory. However, certificates based on the *Domain Controller* and *Domain Controller Authentication* certificate templates do not include the **KDC Authentication** object identifier (OID), which was later added to the Kerberos RFC. Inclusion of the **KDC Authentication** OID in domain controller certificate is not required for key trust authentication from Hybrid Azure AD-joined devices. The OID is required for enabling authentication with Windows Hello for Business to on-premises resources by Azure AD-joined devices. The steps below to *Create a Domain Controller Authentication (Kerberos) Certificate Template* and *Configure Certificate Superseding for the Domain Controller Authentication (Kerberos) Certificate Template* to include the **KDC Authentication** OID in the domain controller certificate may be skipped if you only have Hybrid Azure AD Joined devices in your environment, but we recommend completing these steps if you are considering adding Azure AD-joined devices to your environment in the future.
By default, the Active Directory Certificate Authority provides and publishes the Kerberos Authentication certificate template. However, the cryptography configuration included in the provided template is based on older and less performant cryptography APIs. To ensure domain controllers request the proper certificate with the best available cryptography, use the **Kerberos Authentication** certificate template as a baseline to create an updated domain controller certificate template.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md
index a7bc32dc4c..bba12adf27 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md
@@ -1,12 +1,7 @@
---
title: Configuring Hybrid Azure AD joined Windows Hello for Business - Group Policy
description: Discussing the configuration of Group Policy in a Hybrid deployment of Windows Hello for Business
-keywords: identity, PIN, biometric, Hello, passport, WHFB
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md
index dcffcfc154..ec22d31a65 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md
@@ -1,12 +1,7 @@
---
title: Configure Hybrid Windows Hello for Business Settings (Windows Hello for Business)
description: Learn how to configure Windows Hello for Business settings in hybrid certificate trust deployment.
-keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, certificate-trust
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md
index a86fb2633a..11fa549fa2 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md
@@ -1,12 +1,7 @@
---
title: Hybrid Cloud Trust Deployment (Windows Hello for Business)
description: Learn the information you need to successfully deploy Windows Hello for Business in a hybrid cloud trust scenario.
-keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
@@ -40,7 +35,7 @@ Windows Hello for Business cloud trust uses Azure Active Directory (AD) Kerberos
## Azure Active Directory Kerberos and Cloud Trust Authentication
-Key trust and certificate trust use certificate authentication based Kerberos for requesting kerberos ticket-granting-tickets (TGTs) for on-premises authentication. This type of authentication requires PKI for DC certificates, and requires end-user certificates for certificate trust. Single sign-on (SSO) to on-premises resources from Azure AD joined devices requires more PKI configuration to publish a certificate revocation list (CRL) to a public endpoint. Cloud trust uses Azure AD Kerberos that doesn't require any of the above PKI to get the user a TGT.
+Key trust and certificate trust use certificate authentication based Kerberos for requesting kerberos ticket-granting-tickets (TGTs) for on-premises authentication. This type of authentication requires PKI for DC certificates, and requires end-user certificates for certificate trust. Single sign-on (SSO) to on-premises resources from Azure AD-joined devices requires more PKI configuration to publish a certificate revocation list (CRL) to a public endpoint. Cloud trust uses Azure AD Kerberos that doesn't require any of the above PKI to get the user a TGT.
With Azure AD Kerberos, Azure AD can issue TGTs for one or more of your AD domains. Windows can request a TGT from Azure AD when authenticating with Windows Hello for Business and use the returned TGT for logon or to access traditional AD-based resources. Kerberos service tickets and authorization continue to be controlled by your on-premises AD DCs.
@@ -53,7 +48,7 @@ More details on how Azure AD Kerberos enables access to on-premises resources ar
| Requirement | Notes |
| --- | --- |
| Multi-factor Authentication | This requirement can be met using [Azure AD multi-factor authentication](/azure/active-directory/authentication/howto-mfa-getstarted), multi-factor authentication provided through AD FS, or a comparable solution. |
-| Patched Windows 10 version 21H2 or patched Windows 11 and later | If you're using Windows 10 21H2, KB5010415 must be installed. If you're using Windows 11 21H2, KB5010414 must be installed. There's no Windows version support difference between Azure AD joined and Hybrid Azure AD joined devices. |
+| Patched Windows 10 version 21H2 or patched Windows 11 and later | If you're using Windows 10 21H2, KB5010415 must be installed. If you're using Windows 11 21H2, KB5010414 must be installed. There's no Windows version support difference between Azure AD joined and Hybrid Azure AD-joined devices. |
| Fully patched Windows Server 2016 or later Domain Controllers | Domain controllers should be fully patched to support updates needed for Azure AD Kerberos. If you're using Windows Server 2016, [KB3534307](https://support.microsoft.com/en-us/topic/january-23-2020-kb4534307-os-build-14393-3474-b181594e-2c6a-14ea-e75b-678efea9d27e) must be installed. If you're using Server 2019, [KB4534321](https://support.microsoft.com/en-us/topic/january-23-2020-kb4534321-os-build-17763-1012-023e84c3-f9aa-3b55-8aff-d512911c459f) must be installed. |
| Azure AD Kerberos PowerShell module | This module is used for enabling and managing Azure AD Kerberos. It's available through the [PowerShell Gallery](https://www.powershellgallery.com/packages/AzureADHybridAuthenticationManagement).|
| Device management | Windows Hello for Business cloud trust can be managed with group policy or through mobile device management (MDM) policy. This feature is disabled by default and must be enabled using policy. |
@@ -83,7 +78,7 @@ If you haven't deployed Azure AD Kerberos, follow the instructions in the [Enabl
### Configure Windows Hello for Business Policy
-After setting up the Azure AD Kerberos Object, Windows Hello for business cloud trust must be enabled using policy. By default, cloud trust won't be used by Hybrid Azure AD joined or Azure AD joined devices.
+After setting up the Azure AD Kerberos Object, Windows Hello for business cloud trust must be enabled using policy. By default, cloud trust won't be used by Hybrid Azure AD joined or Azure AD-joined devices.
#### Configure Using Group Policy
@@ -189,7 +184,7 @@ To configure the cloud trust policy, follow the steps below:
- Data type: Boolean
- Value: True
- [](./images/hello-cloud-trust-intune-large.png#lightbox)
+ [](./images/hello-cloud-trust-intune-large.png#lightbox)
1. Select Next to navigate to **Assignments**.
1. Under Included groups, select **Add groups**.
@@ -202,7 +197,7 @@ To configure the cloud trust policy, follow the steps below:
## Provisioning
-The Windows Hello for Business provisioning process begins immediately after a user has signed in if certain prerequisite checks are passed. Windows Hello for Business cloud trust adds a prerequisite check for Hybrid Azure AD joined devices when cloud trust is enabled by policy.
+The Windows Hello for Business provisioning process begins immediately after a user has signed in if certain prerequisite checks are passed. Windows Hello for Business cloud trust adds a prerequisite check for Hybrid Azure AD-joined devices when cloud trust is enabled by policy.
You can determine the status of the prerequisite check by viewing the **User Device Registration** admin log under **Applications and Services Logs\Microsoft\Windows**. This information is also available using the [**dsregcmd /status**](/azure/active-directory/devices/troubleshoot-device-dsregcmd) command from a console.
@@ -210,7 +205,7 @@ You can determine the status of the prerequisite check by viewing the **User Dev
The cloud trust prerequisite check detects whether the user has a partial TGT before allowing provisioning to start. The purpose of this check is to validate whether Azure AD Kerberos is set up for the user's domain and tenant. If Azure AD Kerberos is set up, the user will receive a partial TGT during sign-in with one of their other unlock methods. This check has three states: Yes, No, and Not Tested. The *Not Tested* state is reported if cloud trust is not being enforced by policy or if the device is Azure AD joined.
-This prerequisite check isn't done for provisioning on Azure AD joined devices. If Azure AD Kerberos isn't provisioned, a user on an Azure AD joined device will still be able to sign in.
+This prerequisite check isn't done for provisioning on Azure AD-joined devices. If Azure AD Kerberos isn't provisioned, a user on an Azure AD joined device will still be able to sign in.
### PIN Setup
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
index ea3e5ae8d1..66a720d026 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
@@ -1,12 +1,7 @@
---
title: Windows Hello for Business Hybrid Azure AD joined Key Trust New Installation
description: Learn how to configure a hybrid key trust deployment of Windows Hello for Business for systems with no previous installations.
-keywords: identity, PIN, biometric, Hello, passport, WHFB
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
@@ -85,7 +80,7 @@ If you do not have an existing public key infrastructure, please review [Certifi
> [!IMPORTANT]
> For Azure AD joined device to authenticate to and use on-premises resources, ensure you:
> * Install the root certificate authority certificate for your organization in the user's trusted root certificate store.
-> * Publish your certificate revocation list to a location that is available to Azure AD joined devices, such as a web-based URL.
+> * Publish your certificate revocation list to a location that is available to Azure AD-joined devices, such as a web-based URL.
### Section Review
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md
index 04d4d3b8b1..4d064c210c 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md
@@ -1,12 +1,7 @@
---
title: Configure Device Registration for Hybrid Azure AD joined key trust Windows Hello for Business
description: Azure Device Registration for Hybrid Certificate Key Deployment (Windows Hello for Business)
-keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, key-trust, device, registration
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
@@ -31,8 +26,8 @@ You're ready to configure device registration for your hybrid environment. Hybri
> [!NOTE]
> Before proceeding, you should familiarize yourself with device registration concepts such as:
> * Azure AD registered devices
-> * Azure AD joined devices
-> * Hybrid Azure AD joined devices
+> * Azure AD-joined devices
+> * Hybrid Azure AD-joined devices
>
> You can learn about this and more by reading [What is a device identity](/azure/active-directory/devices/overview)
@@ -40,7 +35,7 @@ You're ready to configure device registration for your hybrid environment. Hybri
Begin configuring device registration to support Hybrid Windows Hello for Business by configuring device registration capabilities in Azure AD.
-Follow the guidance on the [How to configure hybrid Azure Active Directory joined devices](/azure/active-directory/devices/hybrid-azuread-join-plan) page. In the **Select your scenario based on your identity infrastructure** section, identify your configuration (either **Managed environment** or **Federated environment**) and perform only the steps applicable to your environment.
+Follow the guidance on the [How to configure hybrid Azure Active Directory-joined devices](/azure/active-directory/devices/hybrid-azuread-join-plan) page. In the **Select your scenario based on your identity infrastructure** section, identify your configuration (either **Managed environment** or **Federated environment**) and perform only the steps applicable to your environment.
If the user principal name (UPN) in your on-premises Active Directory is different from the UPN in Azure AD, you also need to complete the following steps:
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md
index 705b84df66..299e93c00c 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md
@@ -1,12 +1,7 @@
---
title: Configure Directory Synchronization for Hybrid Azure AD joined key trust Windows Hello for Business
description: Azure Directory Synchronization for Hybrid Certificate Key Deployment (Windows Hello for Business)
-keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, key-trust, directory, synchronization, AADConnect
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
index f32954e088..0850fae7f7 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
@@ -1,12 +1,7 @@
---
title: Hybrid Azure AD joined Key trust Windows Hello for Business Prerequisites (Windows Hello for Business)
description: Learn about the prerequisites for hybrid Windows Hello for Business deployments using key trust and what the next steps are in the deployment process.
-keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, key-trust
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: mapalko
ms.author: prsriva
manager: dansimp
@@ -83,7 +78,7 @@ The minimum required Enterprise certificate authority that can be used with Wind
> [!IMPORTANT]
> For Azure AD joined device to authenticate to and use on-premises resources, ensure you:
> * Install the root certificate authority certificate for your organization in the user's trusted root certificate store.
-> * Publish your certificate revocation list to a location that is available to Azure AD joined devices, such as a web-based url.
+> * Publish your certificate revocation list to a location that is available to Azure AD-joined devices, such as a web-based url.
### Section Review
> [!div class="checklist"]
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md
index db6d3e0a33..833968247b 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md
@@ -1,12 +1,7 @@
---
title: Hybrid Key Trust Deployment (Windows Hello for Business)
description: Review this deployment guide to successfully deploy Windows Hello for Business in a hybrid key trust scenario.
-keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, key-trust
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md
index d2c8eb0585..925d6d12e8 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md
@@ -1,12 +1,7 @@
---
title: Hybrid Azure AD joined Windows Hello for Business key trust Provisioning (Windows Hello for Business)
description: Learn about provisioning for hybrid key trust deployments of Windows Hello for Business and learn where to find the hybrid key trust deployment guide.
-keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, certificate-trust
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
@@ -31,7 +26,7 @@ The Windows Hello for Business provisioning begins immediately after the user ha
-The first thing to validate is the computer has processed device registration. You can view this from the User device registration logs where the check **Device is AAD joined (AADJ or DJ++): Yes** appears. Additionally, you can validate this using the **dsregcmd /status** command from a console prompt where the value for **AzureADJoined** reads **Yes**.
+The first thing to validate is the computer has processed device registration. You can view this from the User device registration logs where the check **Device is Azure Active Directory-joined (AADJ or DJ++): Yes** appears. Additionally, you can validate this using the **dsregcmd /status** command from a console prompt where the value for **AzureADJoined** reads **Yes**.
Windows Hello for Business provisioning begins with a full screen page with the title **Setup a PIN** and button with the same name. The user clicks **Setup a PIN**.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md
index 46ba983c83..bbdde28351 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md
@@ -1,12 +1,7 @@
---
title: Configuring Hybrid Azure AD joined key trust Windows Hello for Business - Active Directory (AD)
description: Configuring Hybrid key trust Windows Hello for Business - Active Directory (AD)
-keywords: identity, PIN, biometric, Hello, passport, WHFB, ad, key trust, key-trust
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md
index b964f460e9..0ed4142f70 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md
@@ -1,12 +1,7 @@
---
title: Hybrid Azure AD joined Windows Hello for Business - Directory Synchronization
description: How to configure Hybrid key trust Windows Hello for Business - Directory Synchronization
-keywords: identity, PIN, biometric, Hello, passport, WHFB, dirsync, connect, Windows Hello, AD Connect, key trust, key-trust
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md
index de67cd6dd3..a43a8e5673 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md
@@ -1,12 +1,7 @@
---
title: Configure Hybrid Azure AD joined key trust Windows Hello for Business
description: Configuring Hybrid key trust Windows Hello for Business - Public Key Infrastructure (PKI)
-keywords: identity, PIN, biometric, Hello, passport, WHFB, PKI, Windows Hello, key trust, key-trust
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
@@ -38,7 +33,7 @@ This section has you configure certificate templates on your Windows Server 2012
Clients need to trust domain controllers and the best way to do this is to ensure each domain controller has a Kerberos Authentication certificate. Installing a certificate on the domain controller enables the Key Distribution Center (KDC) to prove its identity to other members of the domain. This provides clients a root of trust external to the domain - namely the enterprise certificate authority.
-Domain controllers automatically request a domain controller certificate (if published) when they discover an enterprise certificate authority is added to Active Directory. However, certificates based on the *Domain Controller* and *Domain Controller Authentication* certificate templates do not include the **KDC Authentication** object identifier (OID), which was later added to the Kerberos RFC. Inclusion of the **KDC Authentication** OID in domain controller certificate is not required for key trust authentication from Hybrid Azure AD joined devices. The OID is required for enabling authentication with Windows Hello for Business to on-premises resources by Azure AD joined devices. The steps below to update the domain controller certificate to include the **KDC Authentication** OID may be skipped if you only have Hybrid Azure AD Joined devices in your environment, but we recommend completing these steps if you are considering adding Azure AD joined devices to your environment in the future.
+Domain controllers automatically request a domain controller certificate (if published) when they discover an enterprise certificate authority is added to Active Directory. However, certificates based on the *Domain Controller* and *Domain Controller Authentication* certificate templates do not include the **KDC Authentication** object identifier (OID), which was later added to the Kerberos RFC. Inclusion of the **KDC Authentication** OID in domain controller certificate is not required for key trust authentication from Hybrid Azure AD-joined devices. The OID is required for enabling authentication with Windows Hello for Business to on-premises resources by Azure AD-joined devices. The steps below to update the domain controller certificate to include the **KDC Authentication** OID may be skipped if you only have Hybrid Azure AD Joined devices in your environment, but we recommend completing these steps if you are considering adding Azure AD-joined devices to your environment in the future.
By default, the Active Directory Certificate Authority provides and publishes the Kerberos Authentication certificate template. However, the cryptography configuration included in the provided template is based on older and less performant cryptography APIs. To ensure domain controllers request the proper certificate with the best available cryptography, use the **Kerberos Authentication** certificate template a baseline to create an updated domain controller certificate template.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md
index 6ea84e8f0d..26b31e209b 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md
@@ -1,12 +1,7 @@
---
title: Configure Hybrid Azure AD joined Windows Hello for Business - Group Policy
description: Configuring Hybrid key trust Windows Hello for Business - Group Policy
-keywords: identity, PIN, biometric, Hello, passport, WHFB, Windows Hello, key trust, key-trust
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
@@ -34,7 +29,7 @@ Alternatively, you can create copy the .ADMX and .ADML files from a Windows 10 C
Domain controllers of Windows Hello for Business deployments need one Group Policy setting, which enables automatic certificate enrollment for the newly create domain controller authentication certificate. This policy setting ensures domain controllers (new and existing) automatically request and renew the correct domain controller certificate.
-Hybrid Azure AD joined devices needs one Group Policy setting:
+Hybrid Azure AD-joined devices needs one Group Policy setting:
* Enable Windows Hello for Business
### Configure Domain Controllers for Automatic Certificate Enrollment
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md
index 38b7194d9c..29c29de56f 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md
@@ -1,12 +1,7 @@
---
title: Configure Hybrid Azure AD joined Windows Hello for Business key trust Settings
description: Begin the process of configuring your hybrid key trust environment for Windows Hello for Business. Start with your Active Directory configuration.
-keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, certificate-trust
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
index 4135615f1c..185768fe63 100644
--- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
+++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
@@ -1,13 +1,7 @@
---
title: Windows Hello for Business Deployment Prerequisite Overview
description: Overview of all the different infrastructure requirements for Windows Hello for Business deployment models
-ms.assetid: 5BF09642-8CF5-4FBC-AC9A-5CA51E19387E
-keywords: identity, PIN, biometric, Hello, passport
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
index d608421337..d2c141ca3a 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
@@ -1,12 +1,7 @@
---
title: Prepare & Deploy Windows Active Directory Federation Services with key trust (Windows Hello for Business)
description: How to Prepare and Deploy Windows Server 2016 Active Directory Federation Services for Windows Hello for Business using key trust.
-keywords: identity, PIN, biometric, Hello, passport
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md
index 187d42ad0f..5baf31a055 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md
@@ -1,12 +1,7 @@
---
title: Configure Windows Hello for Business Policy settings - key trust
description: Configure Windows Hello for Business Policy settings for Windows Hello for Business
-keywords: identity, PIN, biometric, Hello, passport
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
@@ -125,7 +120,7 @@ Before you continue with the deployment, validate your deployment progress by re
## Add users to the Windows Hello for Business Users group
-Users must receive the Windows Hello for Business group policy settings and have the proper permission to enroll for the WHFB Authentication certificate. You can provide users with these settings and permissions by adding the group used synchronize users to the Windows Hello for Business Users group. Users and groups that are not members of this group will not attempt to enroll for Windows Hello for Business.
+Users must receive the Windows Hello for Business group policy settings and have the proper permission to enroll for the Windows Hello for Business Authentication certificate. You can provide users with these settings and permissions by adding the group used synchronize users to the Windows Hello for Business Users group. Users and groups that are not members of this group will not attempt to enroll for Windows Hello for Business.
## Follow the Windows Hello for Business on premises certificate trust deployment guide
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md
index 2ba08c716b..c8227d9536 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md
@@ -1,13 +1,8 @@
---
title: Key registration for on-premises deployment of Windows Hello for Business
description: How to Validate Active Directory prerequisites for Windows Hello for Business when deploying with the key trust model.
-keywords: identity, PIN, biometric, Hello, passport
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
author: GitPrakhar13
-audience: ITPro
ms.author: prsriva
manager: dansimp
ms.collection: M365-identity-device-management
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md
index e0d299b2df..968ae0d5b0 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md
@@ -1,12 +1,7 @@
---
title: Validate and Deploy MFA for Windows Hello for Business with key trust
description: How to Validate and Deploy Multifactor Authentication (MFA) Services for Windows Hello for Business with key trust
-keywords: identity, PIN, biometric, Hello, passport
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md
index debf3022c5..809720fdba 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md
@@ -1,12 +1,7 @@
---
title: Validate Public Key Infrastructure - key trust model (Windows Hello for Business)
description: How to Validate Public Key Infrastructure for Windows Hello for Business, under a key trust model.
-keywords: identity, PIN, biometric, Hello, passport
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
index 4b44e661ec..c38b18d8a2 100644
--- a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
+++ b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
@@ -1,13 +1,7 @@
---
title: Manage Windows Hello in your organization (Windows)
description: You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello for Business on devices running Windows 10.
-ms.assetid: 47B55221-24BE-482D-BD31-C78B22AC06D8
-keywords: identity, PIN, biometric, Hello
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md
index 86a2a82c99..12ccee58a9 100644
--- a/windows/security/identity-protection/hello-for-business/hello-overview.md
+++ b/windows/security/identity-protection/hello-for-business/hello-overview.md
@@ -2,12 +2,7 @@
title: Windows Hello for Business Overview (Windows)
ms.reviewer: An overview of Windows Hello for Business
description: Learn how Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices in Windows 10 and Windows 11.
-keywords: identity, PIN, biometric, Hello, passport
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
index 65b58ef1a0..3212485067 100644
--- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
+++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
@@ -1,12 +1,7 @@
---
title: Planning a Windows Hello for Business Deployment
description: Learn about the role of each component within Windows Hello for Business and how certain deployment decisions affect other aspects of your infrastructure.
-keywords: identity, PIN, biometric, Hello, passport
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
@@ -99,7 +94,7 @@ It's fundamentally important to understand which deployment model to use for a s
A deployment's trust type defines how each Windows Hello for Business client authenticates to the on-premises Active Directory. There are two trust types: key trust and certificate trust.
> [!NOTE]
-> Windows Hello for Business is introducing a new trust model called cloud trust in early 2022. This trust model will enable deployment of Windows Hello for Business using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). More information will be available on Windows Hello for Business cloud trust once it is generally available.
+> Windows Hello for Business is introducing a new trust model called cloud trust in early 2022. This trust model will enable deployment of Windows Hello for Business using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD-joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). More information will be available on Windows Hello for Business cloud trust once it is generally available.
The key trust type does not require issuing authentication certificates to end users. Users authenticate using a hardware-bound key created during the built-in provisioning experience. This requires an adequate distribution of Windows Server 2016 or later domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. Read the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more.
@@ -191,7 +186,7 @@ If your organization does not have cloud resources, write **On-Premises** in box
### Trust type
-Hybrid Azure AD joined devices managed by Group Policy need the Windows Server 2016 AD FS role to issue certificates. Hybrid Azure AD joined devices and Azure AD joined devices managed by Intune or a compatible MDM need the Windows Server NDES server role to issue certificates.
+Hybrid Azure AD-joined devices managed by Group Policy need the Windows Server 2016 AD FS role to issue certificates. Hybrid Azure AD-joined devices and Azure AD-joined devices managed by Intune or a compatible MDM need the Windows Server NDES server role to issue certificates.
Choose a trust type that is best suited for your organizations. Remember, the trust type determines two things. Whether you issue authentication certificates to your users and if your deployment needs Windows Server 2016 domain controllers.
@@ -259,10 +254,10 @@ If you choose to use AD FS with the Azure MFA server adapter, write **AD FS with
Windows Hello for Business provides organizations with many policy settings and granular control on how these settings may be applied to both computers and users. The type of policy management you can use depends on your selected deployment and trust models.
-If box **1a** on your planning worksheet reads **cloud only**, write **N/A** in box **2a** on your planning worksheet. You have the option to manage non-domain joined devices. If you choose to manage Azure Active Directory joined devices, write **modern management** in box **2b** on your planning worksheet. Otherwise, write** N/A** in box **2b**.
+If box **1a** on your planning worksheet reads **cloud only**, write **N/A** in box **2a** on your planning worksheet. You have the option to manage non-domain joined devices. If you choose to manage Azure Active Directory-joined devices, write **modern management** in box **2b** on your planning worksheet. Otherwise, write** N/A** in box **2b**.
> [!NOTE]
-> Azure Active Directory joined devices without modern management automatically enroll in Windows Hello for Business using the default policy settings. Use modern management to adjust policy settings to match the business needs of your organization.
+> Azure Active Directory-joined devices without modern management automatically enroll in Windows Hello for Business using the default policy settings. Use modern management to adjust policy settings to match the business needs of your organization.
If box **1a** on your planning worksheet reads **on-prem**, write **GP** in box **2a** on your planning worksheet. Write **N/A** in box **2b** on your worksheet.
@@ -278,7 +273,7 @@ Windows Hello for Business is a feature exclusive to Windows 10 and Windows 11.
If box **1a** on your planning worksheet reads **cloud only**, write **N/A** in box **3a** on your planning worksheet. Optionally, you may write **1511 or later** in box **3b** on your planning worksheet if you plan to manage non-domain joined devices.
> [!NOTE]
-> Azure Active Directory joined devices without modern management automatically enroll in Windows Hello for Business using the default policy settings. Use modern management to adjust policy settings to match the business needs of your organization.
+> Azure Active Directory-joined devices without modern management automatically enroll in Windows Hello for Business using the default policy settings. Use modern management to adjust policy settings to match the business needs of your organization.
Write **1511 or later** in box **3a** on your planning worksheet if any of the following are true.
* Box **2a** on your planning worksheet read **modern management**.
@@ -306,7 +301,7 @@ If box **1a** on your planning worksheet reads **cloud only**, ignore the public
If box **1b** on your planning worksheet reads **key trust**, write **N/A** in box **5b** on your planning worksheet. Key trust doesn't require any change in public key infrastructure, skip this part and go to **Cloud** section.
-The registration authority only relates to certificate trust deployments and the management used for domain and non-domain joined devices. Hybrid Azure AD joined devices managed by Group Policy need the Windows Server 2016 AD FS role to issue certificates. Hybrid Azure AD joined devices and Azure AD joined devices managed by Intune or a compatible MDM need the Windows Server NDES server role to issue certificates.
+The registration authority only relates to certificate trust deployments and the management used for domain and non-domain joined devices. Hybrid Azure AD-joined devices managed by Group Policy need the Windows Server 2016 AD FS role to issue certificates. Hybrid Azure AD-joined devices and Azure AD-joined devices managed by Intune or a compatible MDM need the Windows Server NDES server role to issue certificates.
If box **2a** reads **GP** and box **2b** reads **modern management**, write **AD FS RA and NDES** in box **5b** on your planning worksheet. In box **5c**, write the following certificate templates names and issuances:
diff --git a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
index 8ab37765f1..6b57daee9c 100644
--- a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
+++ b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
@@ -1,14 +1,8 @@
---
title: Prepare people to use Windows Hello (Windows)
description: When you set a policy to require Windows Hello for Business in the workplace, you will want to prepare people in your organization.
-ms.assetid: 5270B416-CE31-4DD9-862D-6C22A2AE508B
ms.reviewer:
-keywords: identity, PIN, biometric, Hello
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-videos.md b/windows/security/identity-protection/hello-for-business/hello-videos.md
index 013f236742..ab3bdc0500 100644
--- a/windows/security/identity-protection/hello-for-business/hello-videos.md
+++ b/windows/security/identity-protection/hello-for-business/hello-videos.md
@@ -1,12 +1,7 @@
---
title: Windows Hello for Business Videos
description: View several informative videos describing features and experiences in Windows Hello for Business in Windows 10 and Windows 11.
-keywords: identity, PIN, biometric, Hello, passport, video, watch, passwordless
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md
index 6c4c54aee9..ef30d59ed1 100644
--- a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md
+++ b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md
@@ -1,13 +1,7 @@
---
title: Why a PIN is better than an online password (Windows)
description: Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) an online password .
-ms.assetid: A6FC0520-01E6-4E90-B53D-6C4C4E780212
-keywords: pin, security, password, hello
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md b/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md
index 556f49c888..75645f288d 100644
--- a/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md
+++ b/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md
@@ -1,12 +1,7 @@
---
title: Microsoft-compatible security key
description: Learn how a Microsoft-compatible security key for Windows is different (and better) than any other FIDO2 security key.
-keywords: FIDO2, security key, CTAP, Hello, WHFB
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/reset-security-key.md b/windows/security/identity-protection/hello-for-business/reset-security-key.md
index 99df1a799a..e2f9b9e978 100644
--- a/windows/security/identity-protection/hello-for-business/reset-security-key.md
+++ b/windows/security/identity-protection/hello-for-business/reset-security-key.md
@@ -1,12 +1,7 @@
---
title: Reset-security-key
description: Windows 10 and Windows 11 enables users to sign in to their device using a security key. How to reset a security key
-keywords: FIDO2, security key, CTAP, Microsoft-compatible security key
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-audience: ITPro
author: GitPrakhar13
ms.author: prsriva
manager: dansimp
diff --git a/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md
index 7a06722124..29e42655ab 100644
--- a/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md
+++ b/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md
@@ -2,9 +2,6 @@
title: How Windows Hello for Business works (Windows)
description: Learn about registration, authentication, key material, and infrastructure for Windows Hello for Business.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
author: mapalko
ms.localizationpriority: high
ms.author: mapalko
@@ -99,7 +96,7 @@ Windows Hello depends on having compatible IDPs available to it. As of this writ
- Use an existing Windows-based PKI centered around Active Directory Certificate Services. This option requires additional infrastructure, including a way to issue certificates to users. You can use NDES to register devices directly, or Microsoft Intune where it’s available to manage mobile device participation in Windows Hello.
- The normal discovery mechanism that clients use to find domain controllers and global catalogs relies on Domain Name System (DNS) SRV records, but those records don’t contain version data. Windows 10 computers will query DNS for SRV records to find all available Active Directory servers, and then query each server to identify those that can act as Windows Hello IDPs. The number of authentication requests your users generate, where your users are located, and the design of your network all drive the number of Windows Server 2016 domain controllers required.
-- Azure AD can act as an IDP either by itself or alongside an on-premises AD DS forest. Organizations that use Azure AD can register devices directly without having to join them to a local domain by using the capabilities the Azure AD Device Registration service provides. In addition to the IDP, Windows Hello requires an MDM system. This system can be the cloud-based Intune if you use Azure AD, or an on-premises System Center Configuration Manager deployment that meets the system requirements described in the Deployment requirements section of this document.
+- Azure AD can act as an IDP either by itself or alongside an on-premises AD DS forest. Organizations that use Azure AD can register devices directly without having to join them to a local domain by using the capabilities the Azure AD Device Registration service provides. In addition to the IDP, Windows Hello requires an MDM system. This system can be the cloud-based Intune if you use Azure AD, or an on-premises Configuration Manager deployment that meets the system requirements described in the Deployment requirements section of this document.
## Related topics
diff --git a/windows/security/identity-protection/index.md b/windows/security/identity-protection/index.md
index 7883dbd5b9..330cc0041d 100644
--- a/windows/security/identity-protection/index.md
+++ b/windows/security/identity-protection/index.md
@@ -2,10 +2,6 @@
title: Identity and access management (Windows 10)
description: Learn more about identity and access protection technologies in Windows.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/password-support-policy.md b/windows/security/identity-protection/password-support-policy.md
index 88d73b87aa..5cc29b63a0 100644
--- a/windows/security/identity-protection/password-support-policy.md
+++ b/windows/security/identity-protection/password-support-policy.md
@@ -8,18 +8,15 @@ ms.custom:
- CSSTroubleshoot
ms.author: v-tappelgate
ms.prod: m365-security
-ms.sitesec: library
-ms.pagetype: security
author: Teresa-Motiv
ms.topic: article
ms.localizationpriority: medium
ms.date: 11/20/2019
-audience: ITPro
---
# Technical support policy for lost or forgotten passwords
-Microsoft takes security seriously. This is for your protection. Microsoft accounts, the Windows operating system, and other Microsoft products include passwords to help secure your information. This article provides some options that you can use to reset or recover your password if you forget it. Be aware that, if these options don’t work, Microsoft support engineers can't help you retrieve or circumvent a lost or forgotten password.
+Microsoft takes security seriously. This is for your protection. Microsoft accounts, the Windows operating system, and other Microsoft products include passwords to help secure your information. This article provides some options that you can use to reset or recover your password if you forget it. If these options don’t work, Microsoft support engineers can't help you retrieve or circumvent a lost or forgotten password.
If you lose or forget a password, you can use the links in this article to find published support information that will help you reset the password.
@@ -31,7 +28,7 @@ If you lose or forget the password for a domain account, contact your IT adminis
If you lose or forget the password for your Microsoft Account, use the [Recover your account](https://account.live.com/ResetPassword.aspx) wizard.
-This wizard requests your security proofs. If you have forgotten your security proofs, or no longer have access to them, select **I no longer have these anymore**. After you select this option, fill out a form for the Microsoft Account team. Provide as much information as you can on this form. The Microsoft Account team reviews the information that you provide to determine whether you are the account holder. This decision is final. Microsoft does not influence the team's choice of action.
+This wizard requests your security proofs. If you've forgotten your security proofs, or no longer have access to them, select **I no longer have these anymore**. After you select this option, fill out a form for the Microsoft Account team. Provide as much information as you can on this form. The Microsoft Account team reviews the information that you provide to determine whether you're the account holder. This decision is final. Microsoft doesn't influence the team's choice of action.
## How to reset a password for a local account on a Windows device
@@ -51,8 +48,8 @@ If you lose or forget the password for the hardware BIOS of a device, contact th
## How to reset a password for an individual file
-Some applications let you password-protect individual files. If you lose or forget such a password, you can rely on that application only to reset or recover it. Microsoft support engineers cannot help you reset, retrieve, or circumvent such passwords.
+Some applications let you password-protect individual files. If you lose or forget such a password, you can rely on that application only to reset or recover it. Microsoft support engineers can't help you reset, retrieve, or circumvent such passwords.
## Using third-party password tools
-Some third-party companies claim to be able to circumvent passwords that have been applied to files and features that Microsoft programs use. For legal reasons, we cannot recommend or endorse any one of these companies. If you want help to circumvent or reset a password, you can locate and contact a third party for this help. However, you use such third-party products and services at your own risk.
+Some third-party companies claim to be able to circumvent passwords that have been applied to files and features that Microsoft programs use. For legal reasons, we can't recommend or endorse any one of these companies. If you want help to circumvent or reset a password, you can locate and contact a third party for this help. However, you use such third-party products and services at your own risk.
diff --git a/windows/security/identity-protection/remote-credential-guard.md b/windows/security/identity-protection/remote-credential-guard.md
index e919cee245..a477d48218 100644
--- a/windows/security/identity-protection/remote-credential-guard.md
+++ b/windows/security/identity-protection/remote-credential-guard.md
@@ -2,10 +2,6 @@
title: Protect Remote Desktop credentials with Windows Defender Remote Credential Guard (Windows 10)
description: Windows Defender Remote Credential Guard helps to secure your Remote Desktop credentials by never sending them to the target device.
ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
index 99de6899d4..101b50087d 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
@@ -2,10 +2,6 @@
title: Smart Card and Remote Desktop Services (Windows)
description: This topic for the IT professional describes the behavior of Remote Desktop Services when you implement smart card sign-in.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/smart-cards/smart-card-architecture.md b/windows/security/identity-protection/smart-cards/smart-card-architecture.md
index 3ce6180ae9..ddc63b2e02 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-architecture.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-architecture.md
@@ -2,10 +2,6 @@
title: Smart Card Architecture (Windows)
description: This topic for the IT professional describes the system architecture that supports smart cards in the Windows operating system.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md
index 1ad9d49a24..ad0699cf6a 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md
@@ -2,10 +2,6 @@
title: Certificate Propagation Service (Windows)
description: This topic for the IT professional describes the certificate propagation service (CertPropSvc), which is used in smart card implementation.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
index eea206d53d..701f3dccd8 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
@@ -2,10 +2,6 @@
title: Certificate Requirements and Enumeration (Windows)
description: This topic for the IT professional and smart card developers describes how certificates are managed and used for smart card sign-in.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
index f557a5a713..50881d1ef8 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
@@ -2,10 +2,6 @@
title: Smart Card Troubleshooting (Windows)
description: Describes the tools and services that smart card developers can use to help identify certificate issues with the smart card deployment.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/smart-cards/smart-card-events.md b/windows/security/identity-protection/smart-cards/smart-card-events.md
index 0d7a79fdac..9585fdfb5e 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-events.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-events.md
@@ -2,10 +2,6 @@
title: Smart Card Events (Windows)
description: This topic for the IT professional and smart card developer describes events that are related to smart card deployment and development.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
index a74dfed7b2..897140b630 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
@@ -2,10 +2,6 @@
title: Smart Card Group Policy and Registry Settings (Windows)
description: Discover the Group Policy, registry key, local security policy, and credential delegation policy settings that are available for configuring smart cards.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md b/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
index d6656c1427..9fb023c25f 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
@@ -2,10 +2,6 @@
title: How Smart Card Sign-in Works in Windows
description: This topic for IT professional provides links to resources about the implementation of smart card technologies in the Windows operating system.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md
index 77c8c9d18b..5757f75aa1 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md
@@ -2,10 +2,6 @@
title: Smart Card Removal Policy Service (Windows)
description: This topic for the IT professional describes the role of the removal policy service (ScPolicySvc) in smart card implementation.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md b/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md
index 0d26cf1289..0345ccac67 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md
@@ -2,10 +2,6 @@
title: Smart Cards for Windows Service (Windows)
description: This topic for the IT professional and smart card developers describes how the Smart Cards for Windows service manages readers and application interactions.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md b/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md
index 935f57edf3..a7c1c2bfa4 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md
@@ -2,10 +2,6 @@
title: Smart Card Tools and Settings (Windows)
description: This topic for the IT professional and smart card developer links to information about smart card debugging, settings, and events.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md b/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
index 377f4811d2..7f577b80dd 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
@@ -2,10 +2,6 @@
title: Smart Card Technical Reference (Windows)
description: Learn about the Windows smart card infrastructure for physical smart cards, and how smart card-related components work in Windows.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
index bbc7256c6d..ded2f140d2 100644
--- a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
+++ b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
@@ -1,13 +1,8 @@
---
title: How User Account Control works (Windows)
description: User Account Control (UAC) is a fundamental component of Microsoft's overall security vision. UAC helps mitigate the impact of malware.
-ms.assetid: 9f921779-0fd3-4206-b0e4-05a19883ee59
ms.reviewer:
ms.prod: m365-security
-ms.mktglfcycl: operate
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md b/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md
index 98cfc580cb..eb97277ed7 100644
--- a/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md
+++ b/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md
@@ -2,10 +2,6 @@
title: User Account Control Group Policy and registry key settings (Windows)
description: Here's a list of UAC Group Policy and registry key settings that your organization can use to manage UAC.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/user-account-control/user-account-control-overview.md b/windows/security/identity-protection/user-account-control/user-account-control-overview.md
index 3d91177ca0..2e12c5d66e 100644
--- a/windows/security/identity-protection/user-account-control/user-account-control-overview.md
+++ b/windows/security/identity-protection/user-account-control/user-account-control-overview.md
@@ -1,14 +1,9 @@
---
title: User Account Control (Windows)
description: User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop.
-ms.assetid: 43ac4926-076f-4df2-84af-471ee7d20c38
ms.reviewer:
ms.prod: m365-security
-ms.mktglfcycl: operate
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md b/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md
index 4b29de5fe4..d5a71d6a7b 100644
--- a/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md
+++ b/windows/security/identity-protection/user-account-control/user-account-control-security-policy-settings.md
@@ -1,13 +1,8 @@
---
title: User Account Control security policy settings (Windows)
description: You can use security policies to configure how User Account Control works in your organization.
-ms.assetid: 3D75A9AC-69BB-4EF2-ACB3-1769791E1B98
ms.reviewer:
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md
index 7b01e6dec2..a6b311b8f1 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md
@@ -2,10 +2,6 @@
title: Deploy Virtual Smart Cards (Windows 10)
description: This topic for the IT professional discusses the factors to consider when you deploy a virtual smart card authentication solution.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md
index 852c4af6d4..cb90ff6746 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md
@@ -2,10 +2,6 @@
title: Evaluate Virtual Smart Card Security (Windows 10)
description: This topic for the IT professional describes security characteristics and considerations when deploying TPM virtual smart cards.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md
index 799487b7f9..a1371cb4aa 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md
@@ -2,10 +2,6 @@
title: Get Started with Virtual Smart Cards - Walkthrough Guide (Windows 10)
description: This topic for the IT professional describes how to set up a basic test environment for using TPM virtual smart cards.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md
index cfdee83c74..f81458d9ea 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md
@@ -2,10 +2,6 @@
title: Virtual Smart Card Overview (Windows 10)
description: Learn more about the virtual smart card technology that was developed by Microsoft. Find links to additional topics about virtual smart cards.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md
index 48cbc570a2..e6674037f9 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md
@@ -2,10 +2,6 @@
title: Tpmvscmgr (Windows 10)
description: This topic for the IT professional describes the Tpmvscmgr command-line tool, through which an administrator can create and delete TPM virtual smart cards on a computer.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md
index f64d08cdbe..49bd1fbfff 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md
@@ -2,10 +2,6 @@
title: Understanding and Evaluating Virtual Smart Cards (Windows 10)
description: Learn how smart card technology can fit into your authentication design. Find links to additional topics about virtual smart cards.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md
index da45445e1a..3d09432ada 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md
@@ -2,10 +2,6 @@
title: Use Virtual Smart Cards (Windows 10)
description: This topic for the IT professional describes requirements for virtual smart cards and provides information about how to use and manage them.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md b/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
index 9e47da731c..647e58e84b 100644
--- a/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
+++ b/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
@@ -2,9 +2,6 @@
title: How to configure Diffie Hellman protocol over IKEv2 VPN connections (Windows 10 and Windows 11)
description: Learn how to update the Diffie Hellman configuration of VPN servers and clients by running VPN cmdlets to secure connections.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, networking
author: dansimp
ms.author: dansimp
ms.localizationpriority: medium
diff --git a/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md b/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
index f4e8cb2358..317751d40d 100644
--- a/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
+++ b/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
@@ -2,9 +2,6 @@
title: How to use Single Sign-On (SSO) over VPN and Wi-Fi connections (Windows 10 and Windows 11)
description: Explains requirements to enable Single Sign-On (SSO) to on-premises domain resources over WiFi or VPN connections.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
author: dansimp
ms.date: 03/22/2022
ms.reviewer:
@@ -80,7 +77,7 @@ If the credentials are certificate-based, then the elements in the following tab
| SubjectName | The user’s distinguished name (DN) where the domain components of the distinguished name reflect the internal DNS namespace when the SubjectAlternativeName does not have the fully qualified UPN required to find the domain controller. This requirement is relevant in multi-forest environments as it ensures a domain controller can be located. |
| SubjectAlternativeName | The user’s fully qualified UPN where a domain name component of the user’s UPN matches the organizations internal domain’s DNS namespace. This requirement is relevant in multi-forest environments as it ensures a domain controller can be located when the SubjectName does not have the DN required to find the domain controller. |
| Key Storage Provider (KSP) | If the device is joined to Azure AD, a discrete SSO certificate is used. |
-| EnhancedKeyUsage | One or more of the following EKUs is required: - Client Authentication (for the VPN) - EAP Filtering OID (for Windows Hello for Business)- SmartCardLogon (for Azure AD joined devices) If the domain controllers require smart card EKU either:- SmartCardLogon- id-pkinit-KPClientAuth (1.3.6.1.5.2.3.4)
Otherwise:- TLS/SSL Client Authentication (1.3.6.1.5.5.7.3.2) |
+| EnhancedKeyUsage | One or more of the following EKUs is required: - Client Authentication (for the VPN) - EAP Filtering OID (for Windows Hello for Business)- SmartCardLogon (for Azure AD-joined devices) If the domain controllers require smart card EKU either:- SmartCardLogon- id-pkinit-KPClientAuth (1.3.6.1.5.2.3.4)
Otherwise:- TLS/SSL Client Authentication (1.3.6.1.5.5.7.3.2) |
## NDES server configuration
diff --git a/windows/security/identity-protection/vpn/vpn-authentication.md b/windows/security/identity-protection/vpn/vpn-authentication.md
index 70d6af4858..65de4f3780 100644
--- a/windows/security/identity-protection/vpn/vpn-authentication.md
+++ b/windows/security/identity-protection/vpn/vpn-authentication.md
@@ -2,9 +2,6 @@
title: VPN authentication options (Windows 10 and Windows 11)
description: Learn about the EAP authentication methods that Windows supports in VPNs to provide secure authentication using username/password and certificate-based methods.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, networking
author: dansimp
ms.localizationpriority: medium
ms.date: 09/23/2021
diff --git a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md
index 441d05936f..8b3e2dbebd 100644
--- a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md
+++ b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md
@@ -2,9 +2,6 @@
title: VPN auto-triggered profile options (Windows 10 and Windows 11)
description: Learn about the types of auto-trigger rules for VPNs in Windows, which start a VPN when it is needed to access a resource.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, networking
author: dansimp
ms.localizationpriority: medium
ms.date: 09/23/2021
diff --git a/windows/security/identity-protection/vpn/vpn-conditional-access.md b/windows/security/identity-protection/vpn/vpn-conditional-access.md
index ec2a6bed29..0912af9374 100644
--- a/windows/security/identity-protection/vpn/vpn-conditional-access.md
+++ b/windows/security/identity-protection/vpn/vpn-conditional-access.md
@@ -2,9 +2,6 @@
title: VPN and conditional access (Windows 10 and Windows 11)
description: Learn how to integrate the VPN client with the Conditional Access Platform, so you can create access rules for Azure Active Directory (Azure AD) connected apps.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, networking
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/identity-protection/vpn/vpn-connection-type.md b/windows/security/identity-protection/vpn/vpn-connection-type.md
index 75cbde62de..75b93889b6 100644
--- a/windows/security/identity-protection/vpn/vpn-connection-type.md
+++ b/windows/security/identity-protection/vpn/vpn-connection-type.md
@@ -2,9 +2,6 @@
title: VPN connection types (Windows 10 and Windows 11)
description: Learn about Windows VPN platform clients and the VPN connection-type features that can be configured.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, networking
author: dansimp
ms.localizationpriority: medium
ms.date: 08/23/2021
diff --git a/windows/security/identity-protection/vpn/vpn-guide.md b/windows/security/identity-protection/vpn/vpn-guide.md
index 58f9b162de..58fa8e9068 100644
--- a/windows/security/identity-protection/vpn/vpn-guide.md
+++ b/windows/security/identity-protection/vpn/vpn-guide.md
@@ -2,8 +2,6 @@
title: Windows VPN technical guide (Windows 10 and Windows 11)
description: Learn about decisions to make for Windows 10 or Windows 11 clients in your enterprise VPN solution and how to configure your deployment.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
author: dansimp
ms.localizationpriority: medium
ms.date: 02/21/2022
diff --git a/windows/security/identity-protection/vpn/vpn-name-resolution.md b/windows/security/identity-protection/vpn/vpn-name-resolution.md
index a07cf8e0c7..fe3269e28b 100644
--- a/windows/security/identity-protection/vpn/vpn-name-resolution.md
+++ b/windows/security/identity-protection/vpn/vpn-name-resolution.md
@@ -2,9 +2,6 @@
title: VPN name resolution (Windows 10 and Windows 11)
description: Learn how the name resolution setting in the VPN profile configures how name resolution works when a VPN client connects to a VPN server.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, networking
author: dansimp
ms.localizationpriority: medium
ms.date: 09/23/2021
diff --git a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md
index a0a8aecf5e..2022a4e863 100644
--- a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md
+++ b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md
@@ -2,10 +2,6 @@
title: Optimizing Office 365 traffic for remote workers with the native Windows 10 or Windows 11 VPN client
description: tbd
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, networking
-audience: ITPro
ms.topic: article
author: kelleyvice-msft
ms.localizationpriority: medium
diff --git a/windows/security/identity-protection/vpn/vpn-profile-options.md b/windows/security/identity-protection/vpn/vpn-profile-options.md
index cca873649e..b0cd4195ee 100644
--- a/windows/security/identity-protection/vpn/vpn-profile-options.md
+++ b/windows/security/identity-protection/vpn/vpn-profile-options.md
@@ -1,13 +1,9 @@
---
title: VPN profile options (Windows 10 and Windows 11)
description: Windows adds Virtual Private Network (VPN) profile options to help manage how users connect. VPNs give users secure remote access to the company network.
-ms.assetid: E3F99DF9-863D-4E28-BAED-5C1B1B913523
ms.reviewer:
manager: dansimp
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, networking
author: dansimp
ms.author: dansimp
ms.localizationpriority: medium
diff --git a/windows/security/identity-protection/vpn/vpn-routing.md b/windows/security/identity-protection/vpn/vpn-routing.md
index 3ba700ab9e..291f5adaf9 100644
--- a/windows/security/identity-protection/vpn/vpn-routing.md
+++ b/windows/security/identity-protection/vpn/vpn-routing.md
@@ -2,9 +2,6 @@
title: VPN routing decisions (Windows 10 and Windows 10)
description: Learn about approaches that either send all data through a VPN or only selected data. The one you choose impacts capacity planning and security expectations.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, networking
author: dansimp
ms.localizationpriority: medium
ms.date: 09/23/2021
diff --git a/windows/security/identity-protection/vpn/vpn-security-features.md b/windows/security/identity-protection/vpn/vpn-security-features.md
index 31f424f860..2efb2617f3 100644
--- a/windows/security/identity-protection/vpn/vpn-security-features.md
+++ b/windows/security/identity-protection/vpn/vpn-security-features.md
@@ -2,9 +2,6 @@
title: VPN security features (Windows 10 and Windows 11)
description: Learn about security features for VPN, including LockDown VPN, Windows Information Protection integration with VPN, and traffic filters.
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, networking
author: dansimp
ms.localizationpriority: medium
ms.date: 09/03/2021
diff --git a/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md b/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md
index 0465f35ec4..abe5fd0462 100644
--- a/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md
+++ b/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md
@@ -1,13 +1,8 @@
---
title: Windows Credential Theft Mitigation Guide Abstract
description: Provides a summary of the Windows credential theft mitigation guide.
-ms.assetid: 821ddc1a-f401-4732-82a7-40d1fff5a78a
ms.reviewer:
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
diff --git a/windows/security/includes/improve-request-performance.md b/windows/security/includes/improve-request-performance.md
index 2048d9f516..89b07558ea 100644
--- a/windows/security/includes/improve-request-performance.md
+++ b/windows/security/includes/improve-request-performance.md
@@ -1,17 +1,12 @@
---
title: Improve request performance
description: Improve request performance
-keywords: server, request, performance
search.product: eADQiWindows 10XVcnh
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
diff --git a/windows/security/includes/microsoft-defender-api-usgov.md b/windows/security/includes/microsoft-defender-api-usgov.md
index 536dab4a74..288e5a9769 100644
--- a/windows/security/includes/microsoft-defender-api-usgov.md
+++ b/windows/security/includes/microsoft-defender-api-usgov.md
@@ -1,17 +1,12 @@
---
title: Microsoft Defender for Endpoint API URIs for US Government
description: Microsoft Defender for Endpoint API URIs for US Government
-keywords: defender, endpoint, api, government, gov
search.product: eADQiWindows 10XVcnh
ms.prod: m365-security
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
---
diff --git a/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md b/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md
index 0a0b518012..6c6d9669a2 100644
--- a/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md
+++ b/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md
@@ -1,17 +1,12 @@
---
title: BCD settings and BitLocker (Windows 10)
description: This topic for IT professionals describes the BCD settings that are used by BitLocker.
-ms.assetid: c4ab7ac9-16dc-4c7e-b061-c0b0deb2c4fa
ms.reviewer:
ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/28/2019
@@ -22,62 +17,59 @@ ms.custom: bitlocker
**Applies to**
-- Windows 10
-- Windows 11
-- Windows Server 2016 and above
-
This topic for IT professionals describes the Boot Configuration Data (BCD) settings that are used by BitLocker.
When protecting data at rest on an operating system volume, during the boot process BitLocker verifies that the security sensitive BCD settings have not changed since BitLocker was last enabled, resumed, or recovered.
## BitLocker and BCD Settings
-In Windows 7 and Windows Server 2008 R2, BitLocker validated nearly all BCD settings with the winload, winresume, and memtest prefixes. However, this high degree of validation caused BitLocker to go into recovery mode for benign setting changes, for example, when applying a language pack BitLocker would enter recovery.
+In Windows 7 and Windows Server 2008 R2, BitLocker validated BCD settings with the winload, winresume, and memtest prefixes to a large degree. However, this high degree of validation caused BitLocker to go into recovery mode for benign setting changes, for example, when applying a language pack, BitLocker would enter recovery mode.
-In Windows 8, Windows Server 2012, and later operating systems BitLocker narrows the set of BCD settings validated to reduce the chance of benign changes causing a BCD validation problem. If you believe that there is a risk in excluding a particular BCD setting from the validation profile, you can increase BCD validation coverage to suit your validation preferences. Alternatively, if a default BCD setting is persistently triggering recovery for benign changes, then you can exclude that BCD setting from the validation profile.
+In Windows 8, Windows Server 2012, and later operating systems, BitLocker narrows the set of BCD settings validated to reduce the chance of benign changes causing a BCD validation problem. If you believe that there is a risk in excluding a particular BCD setting from the validation profile, include that BCD setting in the BCD validation coverage to suit your validation preferences.
+If a default BCD setting is found to persistently trigger a recovery for benign changes, exclude that BCD setting from the validation coverage.
### When secure boot is enabled
-Computers with UEFI firmware can use Secure Boot to provide enhanced boot security. When BitLocker is able to use Secure Boot for platform and BCD integrity validation, as defined by the **Allow Secure Boot for integrity validation** group policy setting, the **Use enhanced Boot Configuration Data validation profile** group policy is ignored.
+Computers with UEFI firmware can use secure boot to provide enhanced boot security. When BitLocker is able to use secure boot for platform and BCD integrity validation, as defined by the **Allow Secure Boot for integrity validation** group policy setting, the **Use enhanced Boot Configuration Data validation profile** group policy is ignored.
-One of the benefits of using Secure Boot is that it can correct BCD settings during boot without triggering recovery events. Secure Boot enforces the same BCD settings as BitLocker. Secure Boot BCD enforcement is not configurable from within the operating system.
+One of the benefits of using secure boot is that it can correct BCD settings during boot without triggering recovery events. Secure boot enforces the same BCD settings as BitLocker. Secure boot BCD enforcement is not configurable from within the operating system.
## Customizing BCD validation settings
-To modify the BCD settings BitLocker validates the IT Pro will add or exclude BCD settings from the platform validation profile by enabling and configuring the **Use enhanced Boot Configuration Data validation profile** Group Policy setting.
+To modify the BCD settings that are validated by BitLocker, the administrator will add or exclude BCD settings from the platform validation profile by enabling and configuring the **Use enhanced Boot Configuration Data validation profile** group policy setting.
-For the purposes of BitLocker validation, BCD settings are associated with a specific set of Microsoft boot applications. BCD settings are either associated with a specific boot application or can apply to all boot applications by associating a prefix to the BCD setting entered in the Group Policy setting. Prefix values include:
+For the purposes of BitLocker validation, BCD settings are associated with a specific set of Microsoft boot applications. These BCD settings can also be applied to the other Microsoft boot applications that are not part of the set to which the BCD settings are already applicable to. This can be done by attaching any of the following prefixes to the BCD settings which are being entered in the group policy settings dialog:
- winload
- winresume
- memtest
-- all
+- all of the above
All BCD settings are specified by combining the prefix value with either a hexadecimal (hex) value or a “friendly name.”
-The BCD setting hex value is reported when BitLocker enters recovery mode and is stored in the event log (event ID 523). The hex value uniquely identifies which BCD setting caused the recovery event.
+The BCD setting hex value is reported when BitLocker enters recovery mode and is stored in the event log (event ID 523). The hex value uniquely identifies the BCD setting that caused the recovery event.
You can quickly obtain the friendly name for the BCD settings on your computer by using the command “`bcdedit.exe /enum all`”.
-Not all BCD settings have friendly names, for those settings the hex value is the only way to configure an exclusion policy.
+Not all BCD settings have friendly names; for those settings without a friendly name, the hex value is the only way to configure an exclusion policy.
-When specifying BCD values in the **Use enhanced Boot Configuration Data validation profile** Group Policy setting, use the following syntax:
+When specifying BCD values in the **Use enhanced Boot Configuration Data validation profile** group policy setting, use the following syntax:
- Prefix the setting with the boot application prefix
- Append a colon ‘:’
- Append either the hex value or the friendly name
- If entering more than one BCD setting, you will need to enter each BCD setting on a new line
-For example, either “`winload:hypervisordebugport`” or “`winload:0x250000f4`” yield the same value.
+For example, either “`winload:hypervisordebugport`” or “`winload:0x250000f4`” yields the same value.
-Setting that applies to all boot applications may be applied only to an individual application, however the reverse is not true. For example, one can specify either: “`all:locale`” or “`winresume:locale`”, but as the bcd setting “`win-pe`” does not apply to all boot applications, “`winload:winpe`” is valid, but “`all:winpe`” is not valid. The setting that controls boot debugging (“`bootdebug`” or 0x16000010) will always be validated and will have no effect if it is included in the provided fields.
+A setting that applies to all boot applications may be applied only to an individual application; however, the reverse is not true. For example, one can specify either “`all:locale`” or “`winresume:locale`”, but as the BCD setting “`win-pe`” does not apply to all boot applications, “`winload:winpe`” is valid, but “`all:winpe`” is not valid. The setting that controls boot debugging (“`bootdebug`” or 0x16000010) will always be validated and will have no effect if it is included in the provided fields.
> [!NOTE]
> Take care when configuring BCD entries in the Group Policy setting. The Local Group Policy Editor does not validate the correctness of the BCD entry. BitLocker will fail to be enabled if the Group Policy setting specified is invalid.
### Default BCD validation profile
-The following table contains the default BCD validation profile used by BitLocker in Windows 8, Windows Server 2012, and later operating systems:
+The following table contains the default BCD validation profile used by BitLocker in Windows 8, Windows Server 2012, and subsequent versions:
| Hex Value | Prefix | Friendly Name |
| - | - | - |
diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
index 1e29149153..f5a1fecb16 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
@@ -1,17 +1,12 @@
---
title: BitLocker basic deployment
description: This article for the IT professional explains how BitLocker features can be used to protect your data through drive encryption.
-ms.assetid: 97c646cb-9e53-4236-9678-354af41151c4
ms.reviewer:
ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
-audience: ITPro
ms.collection:
- M365-security-compliance
- highpri
@@ -49,6 +44,7 @@ BitLocker encryption can be done using the following methods:
### Encrypting volumes using the BitLocker control panel
Encrypting volumes with the BitLocker control panel (select **Start**, type *Bitlocker*, select **Manage BitLocker**) is how many users will use BitLocker. The name of the BitLocker control panel is BitLocker Drive Encryption. The BitLocker control panel supports encrypting operating system, fixed data, and removable data volumes. The BitLocker control panel will organize available drives in the appropriate category based on how the device reports itself to Windows. Only formatted volumes with assigned drive letters will appear properly in the BitLocker control panel applet.
+
To start encryption for a volume, select **Turn on BitLocker** for the appropriate drive to initialize the BitLocker Drive Encryption Wizard. BitLocker Drive Encryption Wizard options vary based on volume type (operating system volume or data volume).
### Operating system volume
@@ -69,8 +65,6 @@ Once a strong password has been created for the volume, a recovery key will be g
You should store the recovery key by printing it, saving it on removable media, or saving it as a file in a network folder or on your OneDrive, or on another drive of your computer that you aren't encrypting. You can't save the recovery key to the root directory of a non-removable drive and can't be stored on the encrypted volume. You can't save the recovery key for a removable data drive (such as a USB flash drive) on removable media. Ideally, you should store the recovery key separate from your computer. After you create a recovery key, you can use the BitLocker control panel to make additional copies.
-When the recovery key has been properly stored, the BitLocker Drive Encryption Wizard will prompt the user to choose how to encrypt the drive. There are two options:
-
- Encrypt used disk space only - Encrypts only disk space that contains data
- Encrypt entire drive - Encrypts the entire volume including free space
@@ -81,7 +75,8 @@ It's recommended that drives with little to no data use the **used disk space on
Selecting an encryption type and choosing **Next** will give the user the option of running a BitLocker system check (selected by default) which will ensure that BitLocker can properly access the recovery and encryption keys before the volume encryption begins. We recommend running this system check before starting the encryption process. If the system check isn't run and a problem is encountered when the operating system attempts to start, the user will need to provide the recovery key to start Windows.
-After completing the system check (if selected), the BitLocker Drive Encryption Wizard will restart the computer to begin encryption. Upon reboot, users are required to enter the password chosen to boot into the operating system volume. Users can check encryption status by checking the system notification area or the BitLocker control panel.
+
+After completing the system check (if selected), the BitLocker Drive Encryption Wizard restarts the computer to begin encryption. Upon reboot, users are required to enter the password chosen to boot into the operating system volume. Users can check encryption status by checking the system notification area or the BitLocker control panel.
Until encryption is completed, the only available options for managing BitLocker involve manipulation of the password protecting the operating system volume, backing up the recovery key, and turning off BitLocker.
@@ -93,16 +88,15 @@ Unlike for operating system volumes, data volumes aren't required to pass any co
After selecting the desired authentication method and choosing **Next**, the wizard presents options for storage of the recovery key. These options are the same as for operating system volumes.
With the recovery key saved, selecting **Next** in the wizard will show available options for encryption. These options are the same as for operating system volumes; **used disk space only** and **full drive encryption**. If the volume being encrypted is new or empty, it's recommended that used space only encryption is selected.
-With an encryption method chosen, a final confirmation screen displays before beginning the encryption process. Selecting **Start encrypting** will begin encryption.
+With an encryption method chosen, a final confirmation screen is displayed before the encryption process begins. Selecting **Start encrypting** begins encryption.
Encryption status displays in the notification area or within the BitLocker control panel.
### OneDrive option
-There is a new option for storing the BitLocker recovery key using the OneDrive. This option requires that computers aren't members of a domain and that the user is using a Microsoft Account. Local accounts don't give the option to use OneDrive. Using the OneDrive option is the default, recommended recovery key storage method for computers that aren't joined to a domain.
+There's a new option for storing the BitLocker recovery key using the OneDrive. This option requires that computers aren't members of a domain and that the user is using a Microsoft Account. Local accounts don't give the option to use OneDrive. Using the OneDrive option is the default, recommended recovery key storage method for computers that aren't joined to a domain.
-Users can verify the recovery key was saved properly by checking their OneDrive for the BitLocker folder that is created automatically during the save process. The folder will contain two files, a readme.txt and the recovery key. For users storing more than one recovery password on their OneDrive,
-they can identify the required recovery key by looking at the file name. The recovery key ID is appended to the end of the file name.
+Users can verify whether the recovery key was saved properly by checking their OneDrive for the BitLocker folder which is created automatically during the save process. The folder will contain two files, a readme.txt and the recovery key. For users storing more than one recovery password on their OneDrive, they can identify the required recovery key by looking at the file name. The recovery key ID is appended to the end of the file name.
### Using BitLocker within Windows Explorer
@@ -110,7 +104,7 @@ Windows Explorer allows users to launch the BitLocker Drive Encryption wizard by
## Down-level compatibility
-The following table shows the compatibility matrix for systems that have been BitLocker enabled then presented to a different version of Windows.
+The following table shows the compatibility matrix for systems that have been BitLocker-enabled and then presented to a different version of Windows.
Table 1: Cross compatibility for Windows 11, Windows 10, Windows 8.1, Windows 8, and Windows 7 encrypted volumes
@@ -131,7 +125,7 @@ Command-line users need to determine the appropriate syntax for a given situatio
### Operating system volume
-Listed below are examples of basic valid commands for operating system volumes. In general, using only the `manage-bde -on
|
+|LogType |String |Includes:
|
|TimeStamp |Int |Uses the [FILETIME structure](/windows/win32/api/minwinbase/ns-minwinbase-filetime) to represent the time that the event happened. |
|Policy |String |How the work data was shared to the personal location:
|
|Justification |String |Not implemented. This will always be either blank or NULL.
**Note**
Reserved for future use to collect the user justification for changing from **Work** to **Personal**. |
@@ -160,7 +156,7 @@ Here are a few examples of responses from the Reporting CSP.
## Collect WIP audit logs by using Windows Event Forwarding (for Windows desktop domain-joined devices only)
-Use Windows Event Forwarding to collect and aggregate your WIP audit events. You can view your audit events in the Event Viewer.
+Use Windows Event Forwarding to collect and aggregate your Windows Information Protection audit events. You can view your audit events in the Event Viewer.
**To view the WIP events in the Event Viewer**
diff --git a/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md b/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
index 1b4ece02db..3f1a5747a9 100644
--- a/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
+++ b/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
@@ -1,16 +1,11 @@
---
title: Make & verify an EFS Data Recovery Agent certificate (Windows 10)
description: Follow these steps to create, verify, and perform a quick recovery by using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate.
-keywords: Windows Information Protection, WIP, EDP, Enterprise Data Protection
ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 03/05/2019
diff --git a/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md
index 3c7680cf51..de0d27d47c 100644
--- a/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md
+++ b/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md
@@ -1,16 +1,11 @@
---
title: Associate and deploy a VPN policy for Windows Information Protection (WIP) using the Azure portal for Microsoft Intune (Windows 10)
description: After you've created and deployed your Windows Information Protection (WIP) policy, use Microsoft Intune to link it to your Virtual Private Network (VPN) policy
-keywords: WIP, Enterprise Data Protection
ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/26/2019
diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md
index 8a0ecac521..0c4214d344 100644
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md
+++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md
@@ -1,18 +1,12 @@
---
title: Create and deploy a Windows Information Protection (WIP) policy using Microsoft Endpoint Manager (Windows 10)
description: Use Configuration Manager to make & deploy a Windows Information Protection (WIP) policy. Choose protected apps, WIP-protection level, and find enterprise data.
-ms.assetid: 85b99c20-1319-4aa3-8635-c1a87b244529
ms.reviewer:
-keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, SCCM, System Center Configuration Manager, Configuration Manager, MEMCM, Microsoft Endpoint Configuration Manager
ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 01/09/2020
@@ -65,12 +59,12 @@ The **Configure Windows Information Protection settings** page appears, where yo
## Add app rules to your policy
-During the policy-creation process in Configuration Manager, you can choose the apps you want to give access to your enterprise data through WIP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps.
+During the policy-creation process in Configuration Manager, you can choose the apps you want to give access to your enterprise data through Windows Information Protection. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps.
The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed Windows desktop app, or an AppLocker policy file.
>[!IMPORTANT]
->Enlightened apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.
**Product Name:** Microsoft.Office.PowerPoint
**App Type:** Universal app |
| OneNote | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Office.OneNote
**App Type:** Universal app |
| Outlook Mail and Calendar | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** microsoft.windowscommunicationsapps
**App Type:** Universal app |
-| Microsoft 365 Apps for enterprise and Office 2019 Professional Plus | Microsoft 365 Apps for enterprise and Office 2019 Professional Plus apps are set up as a suite. You must use the [O365 ProPlus - Allow and Exempt AppLocker policy files (.zip files)](https://download.microsoft.com/download/7/0/D/70D72459-D72D-4673-B309-F480E3BEBCC9/O365%20ProPlus%20-%20WIP%20Enterprise%20AppLocker%20Policy%20Files.zip) to turn the suite on for WIP.
We don't recommend setting up Office by using individual paths or publisher rules. |
+| Microsoft 365 Apps for enterprise and Office 2019 Professional Plus | Microsoft 365 Apps for enterprise and Office 2019 Professional Plus apps are set up as a suite. You must use the [O365 ProPlus - Allow and Exempt AppLocker policy files (.zip files)](https://download.microsoft.com/download/7/0/D/70D72459-D72D-4673-B309-F480E3BEBCC9/O365%20ProPlus%20-%20WIP%20Enterprise%20AppLocker%20Policy%20Files.zip) to turn the suite on for Windows Information Protection.
We don't recommend setting up Office by using individual paths or publisher rules. |
| Microsoft Photos | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Windows.Photos
**App Type:** Universal app |
| Groove Music | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.ZuneMusic
**App Type:** Universal app |
| Microsoft Movies & TV | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.ZuneVideo
**App Type:** Universal app |
diff --git a/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md b/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md
index 1f6aaa6f4e..df344aface 100644
--- a/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md
+++ b/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip.md
@@ -1,18 +1,12 @@
---
title: General guidance and best practices for Windows Information Protection (WIP) (Windows 10)
description: Find resources about apps that can work with Windows Information Protection (WIP) to protect data. Enlightened apps can tell corporate and personal data apart.
-ms.assetid: aa94e733-53be-49a7-938d-1660deaf52b0
ms.reviewer:
-keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection
ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/26/2019
diff --git a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md
index 5462ca7f17..d984b38ce8 100644
--- a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md
+++ b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md
@@ -1,15 +1,10 @@
---
title: Limitations while using Windows Information Protection (WIP) (Windows 10)
description: This section includes info about the common problems you might encounter while using Windows Information Protection (WIP).
-keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection
ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
author: dansimp
ms.author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 04/05/2019
@@ -22,7 +17,7 @@ ms.localizationpriority: medium
**Applies to:**
- Windows 10, version 1607 and later
-This following list provides info about the most common problems you might encounter while running WIP in your organization.
+This following list provides info about the most common problems you might encounter while running Windows Information Protection in your organization.
- **Limitation**: Your enterprise data on USB drives might be tied to the device it was protected on, based on your Azure RMS configuration.
- **How it appears**:
@@ -33,12 +28,12 @@ This following list provides info about the most common problems you might encou
We strongly recommend educating employees about how to limit or eliminate the need for this decryption.
-- **Limitation**: Direct Access is incompatible with WIP.
- - **How it appears**: Direct Access might experience problems with how WIP enforces app behavior and data movement because of how WIP determines what is and isn’t a corporate network resource.
+- **Limitation**: Direct Access is incompatible with Windows Information Protection.
+ - **How it appears**: Direct Access might experience problems with how Windows Information Protection enforces app behavior and data movement because of how WIP determines what is and isn’t a corporate network resource.
- **Workaround**: We recommend that you use VPN for client access to your intranet resources.
> [!NOTE]
- > VPN is optional and isn’t required by WIP.
+ > VPN is optional and isn’t required by Windows Information Protection.
- **Limitation**: **NetworkIsolation** Group Policy setting takes precedence over MDM Policy settings.
- **How it appears**: The **NetworkIsolation** Group Policy setting can configure network settings that can also be configured by using MDM. WIP relies on these policies being correctly configured.
@@ -48,7 +43,7 @@ This following list provides info about the most common problems you might encou
- **How it appears**: If Cortana is on the allowed list, some files might become unexpectedly encrypted after an employee performs a search using Cortana. Your employees will still be able to use Cortana to search and provide results on enterprise documents and locations, but results might be sent to Microsoft.
- **Workaround**: We don’t recommend adding Cortana to your allowed apps list. However, if you wish to use Cortana and don't mind whether the results potentially go to Microsoft, you can make Cortana an Exempt app.
-- **Limitation**: WIP is designed for use by a single user per device.
+- **Limitation**: Windows Information Protection is designed for use by a single user per device.
- **How it appears**: A secondary user on a device might experience app compatibility issues when unenlightened apps start to automatically encrypt for all users. Additionally, only the initial, enrolled user’s content can be revoked during the unenrollment process.
- **Workaround**: We recommend only having one user per managed device.
@@ -67,14 +62,14 @@ This following list provides info about the most common problems you might encou
- **Limitation**: Changing your primary Corporate Identity isn’t supported.
- **How it appears**: You might experience various instabilities, including but not limited to network and file access failures, and potentially granting incorrect access.
- - **Workaround**: Turn off WIP for all devices before changing the primary Corporate Identity (first entry in the list), restarting, and finally redeploying.
+ - **Workaround**: Turn off Windows Information Protection for all devices before changing the primary Corporate Identity (first entry in the list), restarting, and finally redeploying.
-- **Limitation**: Redirected folders with Client-Side Caching are not compatible with WIP.
+- **Limitation**: Redirected folders with Client-Side Caching are not compatible with Windows Information Protection.
- **How it appears**: Apps might encounter access errors while attempting to read a cached, offline file.
- **Workaround**: Migrate to use another file synchronization method, such as Work Folders or OneDrive for Business.
> [!NOTE]
- > For more info about Work Folders and Offline Files, see the [Work Folders and Offline Files support for Windows Information Protection blog](https://blogs.technet.microsoft.com/filecab/2016/08/29/work-folders-and-offline-files-support-for-windows-information-protection/). If you're having trouble opening files offline while using Offline Files and WIP, see [Can't open files offline when you use Offline Files and Windows Information Protection](/troubleshoot/windows-client/networking/error-open-files-offline-offline-files-wip).
+ > For more info about Work Folders and Offline Files, see the [Work Folders and Offline Files support for Windows Information Protection blog](https://blogs.technet.microsoft.com/filecab/2016/08/29/work-folders-and-offline-files-support-for-windows-information-protection/). If you're having trouble opening files offline while using Offline Files and Windows Information Protection, see [Can't open files offline when you use Offline Files and Windows Information Protection](/troubleshoot/windows-client/networking/error-open-files-offline-offline-files-wip).
- **Limitation**: An unmanaged device can use Remote Desktop Protocol (RDP) to connect to a WIP-managed device.
- **How it appears**:
@@ -83,23 +78,23 @@ This following list provides info about the most common problems you might encou
- Local **Work** data copied to the WIP-managed device remains **Work** data.
- **Work** data that is copied between two apps in the same session remains ** data.
- - **Workaround**: Disable RDP to prevent access because there is no way to restrict access to only devices managed by WIP. RDP is disabled by default.
+ - **Workaround**: Disable RDP to prevent access because there is no way to restrict access to only devices managed by Windows Information Protection. RDP is disabled by default.
- **Limitation**: You can't upload an enterprise file to a personal location using Microsoft Edge or Internet Explorer.
- **How it appears**: A message appears stating that the content is marked as **Work** and the user isn't given an option to override to **Personal**.
- **Workaround**: Open File Explorer and change the file ownership to **Personal** before you upload.
- **Limitation**: ActiveX controls should be used with caution.
- - **How it appears**: Webpages that use ActiveX controls can potentially communicate with other outside processes that aren’t protected by using WIP.
+ - **How it appears**: Webpages that use ActiveX controls can potentially communicate with other outside processes that aren’t protected by using Windows Information Protection.
- **Workaround**: We recommend that you switch to using Microsoft Edge, the more secure and safer browser that prevents the use of ActiveX controls. We also recommend that you limit the usage of Internet Explorer 11 to only those line-of-business apps that require legacy technology.
For more info, see [Out-of-date ActiveX control blocking](/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking).
-- **Limitation**: Resilient File System (ReFS) isn't currently supported with WIP.
- - **How it appears**:Trying to save or transfer WIP files to ReFS will fail.
+- **Limitation**: Resilient File System (ReFS) isn't currently supported with Windows Information Protection.
+ - **How it appears**:Trying to save or transfer Windows Information Protection files to ReFS will fail.
- **Workaround**: Format drive for NTFS, or use a different drive.
-- **Limitation**: WIP isn’t turned on if any of the following folders have the **MakeFolderAvailableOfflineDisabled** option set to **False**:
+- **Limitation**: Windows Information Protection isn’t turned on if any of the following folders have the **MakeFolderAvailableOfflineDisabled** option set to **False**:
- AppDataRoaming
- Desktop
- StartMenu
@@ -116,10 +111,10 @@ This following list provides info about the most common problems you might encou
- - **How it appears**: WIP isn’t turned on for employees in your organization. Error code 0x807c0008 will result if WIP is deployed by using Microsoft Endpoint Configuration Manager.
+ - **How it appears**: Windows Information Protection isn’t turned on for employees in your organization. Error code 0x807c0008 will result if Windows Information Protection is deployed by using Microsoft Endpoint Configuration Manager.
- **Workaround**: Don’t set the **MakeFolderAvailableOfflineDisabled** option to **False** for any of the specified folders. You can configure this parameter, as described [Disable Offline Files on individual redirected folders](/windows-server/storage/folder-redirection/disable-offline-files-on-folders).
- If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports WIP, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after WIP is already in place, you might be unable to open your files offline.
+ If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports Windows Information Protection, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after Windows Information Protection is already in place, you might be unable to open your files offline.
For more info about these potential access errors, see [Can't open files offline when you use Offline Files and Windows Information Protection](/troubleshoot/windows-client/networking/error-open-files-offline-offline-files-wip).
@@ -134,7 +129,7 @@ This following list provides info about the most common problems you might encou
- **How it appears**: Any attempt to encrypt a file in the Windows directory will return a file access denied error. But if you copy or drag and drop an encrypted file to the Windows directory, it will retain encryption to honor the intent of the owner.
- **Workaround**: If you need to save an encrypted file in the Windows directory, create and encrypt the file in a different directory and copy it.
-- **Limitation**: OneNote notebooks on OneDrive for Business must be properly configured to work with WIP.
+- **Limitation**: OneNote notebooks on OneDrive for Business must be properly configured to work with Windows Information Protection.
- **How it appears**: OneNote might encounter errors syncing a OneDrive for Business notebook and suggest changing the file ownership to Personal. Attempting to view the notebook in OneNote Online in the browser will show an error and unable to view it.
- **Workaround**: OneNote notebooks that are newly copied into the OneDrive for Business folder from File Explorer should get fixed automatically. To do this, follow these steps:
@@ -150,6 +145,6 @@ This following list provides info about the most common problems you might encou
> [!NOTE]
>
-> - When corporate data is written to disk, WIP uses the Windows-provided Encrypting File System (EFS) to protect it and associate it with your enterprise identity. One caveat to keep in mind is that the Preview Pane in File Explorer will not work for encrypted files.
+> - When corporate data is written to disk, Windows Information Protection uses the Windows-provided Encrypting File System (EFS) to protect it and associate it with your enterprise identity. One caveat to keep in mind is that the Preview Pane in File Explorer will not work for encrypted files.
>
> - Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to our content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
diff --git a/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md b/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md
index daf5a9fac0..26beadd011 100644
--- a/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md
+++ b/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md
@@ -1,16 +1,11 @@
---
title: Mandatory tasks and settings required to turn on Windows Information Protection (WIP) (Windows 10)
description: Review all of the tasks required for Windows to turn on Windows Information Protection (WIP), formerly enterprise data protection (EDP), in your enterprise.
-keywords: Windows Information Protection, WIP, EDP, Enterprise Data Protection, protected apps, protected app list, App Rules, Protected apps list
ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 05/25/2022
@@ -27,7 +22,7 @@ This list provides all of the tasks and settings that are required for the opera
|Task|Description|
|----|-----------|
|Add at least one app of each type (Store and Desktop) to the **Protected apps** list in your WIP policy.|You must have at least one Store app and one Desktop app added to your **Protected apps** list. For more info about where this area is and how to add apps, see the **Add apps to your Protected apps list** section of the policy creation topics. |
-|Choose your WIP protection level.|You must choose the level of protection you want to apply to your WIP-protected content, including **Allow Overrides**, **Silent**, or **Block**. For more info about where this area is and how to decide on your protection level, see the [Manage the WIP protection mode for your enterprise data](./create-wip-policy-using-configmgr.md#manage-the-wip-protection-level-for-your-enterprise-data) section of the policy creation topics. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).|
+|Choose your Windows Information Protection protection level.|You must choose the level of protection you want to apply to your WIP-protected content, including **Allow Overrides**, **Silent**, or **Block**. For more info about where this area is and how to decide on your protection level, see the [Manage Windows Information Protection mode for your enterprise data](./create-wip-policy-using-configmgr.md#manage-the-wip-protection-level-for-your-enterprise-data) section of the policy creation topics. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).|
|Specify your corporate identity.|This field is automatically filled out for you by Microsoft Intune. However, you must manually correct it if it’s incorrect or if you need to add additional domains. For more info about where this area is and what it means, see the **Define your enterprise-managed corporate identity** section of the policy creation topics.
|Specify your network domain names.|Starting with Windows 10, version 1703, this field is optional.
Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected. For more info about where this area is and how to add your suffixes, see the table that appears in the **Choose where apps can access enterprise data** section of the policy creation topics.|
|Specify your enterprise IPv4 or IPv6 ranges.|Starting with Windows 10, version 1703, this field is optional.
Specify the addresses for a valid IPv4 or IPv6 value range within your intranet. These addresses, used with your Network domain names, define your corporate network boundaries. For more info about where this area is and what it means, see the table that appears in the **Define your enterprise-managed corporate identity** section of the policy creation topics.|
diff --git a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md
index c017a7e4f6..f60db36a4f 100644
--- a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md
+++ b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md
@@ -1,17 +1,12 @@
---
title: Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Manager (Windows 10)
description: Microsoft Endpoint Manager helps you create and deploy your enterprise data protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.
-ms.assetid: d2059e74-94bd-4e54-ab59-1a7b9b52bdc6
ms.reviewer:
ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 02/26/2019
diff --git a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md
index 348af05f36..9c4593f028 100644
--- a/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md
+++ b/windows/security/information-protection/windows-information-protection/overview-create-wip-policy.md
@@ -1,17 +1,12 @@
---
title: Create a Windows Information Protection (WIP) policy using Microsoft Intune (Windows 10)
description: Microsoft Intune and Microsoft Endpoint Manager helps you create and deploy your enterprise data protection (WIP) policy.
-ms.assetid: d2059e74-94bd-4e54-ab59-1a7b9b52bdc6
ms.reviewer:
ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
-audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 03/11/2019
diff --git a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
index aabc6b7080..f5e201aa75 100644
--- a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
+++ b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
@@ -1,17 +1,11 @@
---
title: Protect your enterprise data using Windows Information Protection (WIP) (Windows 10)
description: Learn how to prevent accidental enterprise data leaks through apps and services, such as email, social media, and the public cloud.
-ms.assetid: 6cca0119-5954-4757-b2bc-e0ea4d2c7032
-keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, DLP, data loss prevention, data leakage protection
ms.prod: m365-security
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
-audience: ITPro
ms.collection:
- M365-security-compliance
- highpri
@@ -31,14 +25,14 @@ With the increase of employee-owned devices in the enterprise, there’s also an
Windows Information Protection (WIP), previously known as enterprise data protection (EDP), helps to protect against this potential data leakage without otherwise interfering with the employee experience. WIP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps. Finally, another data protection technology, Azure Rights Management also works alongside WIP to extend data protection for data that leaves the device, such as when email attachments are sent from an enterprise aware version of a rights management mail client.
>[!IMPORTANT]
->While WIP can stop accidental data leaks from honest employees, it is not intended to stop malicious insiders from removing enterprise data. For more details about the benefits WIP provides, see [Why use WIP?](#why-use-wip) later in this topic.
+>While Windows Information Protection can stop accidental data leaks from honest employees, it is not intended to stop malicious insiders from removing enterprise data. For more details about the benefits WIP provides, see [Why use WIP?](#why-use-wip) later in this topic.
## Video: Protect enterprise data from being accidentally copied to the wrong place
> [!Video https://www.microsoft.com/videoplayer/embed/RE2IGhh]
## Prerequisites
-You’ll need this software to run WIP in your enterprise:
+You’ll need this software to run Windows Information Protection in your enterprise:
|Operating system | Management solution |
|-----------------|---------------------|
@@ -70,7 +64,7 @@ After the type of protection is set, the creating app encrypts the document so t
Finally, there’s the risk of data leaking from your company when an employee leaves or unenrolls a device. Previously, you would simply erase all of the corporate data from the device, along with any other personal data on the device.
## Benefits of WIP
-WIP provides:
+Windows Information Protection provides:
- Obvious separation between personal and corporate data, without requiring employees to switch environments or apps.
- Additional data protection for existing line-of-business apps without a need to update the apps.
@@ -79,12 +73,12 @@ WIP provides:
- Use of audit reports for tracking issues and remedial actions.
-- Integration with your existing management system (Microsoft Intune, Microsoft Endpoint Configuration Manager, or your current mobile device management (MDM) system) to configure, deploy, and manage WIP for your company.
+- Integration with your existing management system (Microsoft Intune, Microsoft Endpoint Configuration Manager, or your current mobile device management (MDM) system) to configure, deploy, and manage Windows Information Protection for your company.
## Why use WIP?
-WIP is the mobile application management (MAM) mechanism on Windows 10. WIP gives you a new way to manage data policy enforcement for apps and documents on Windows 10 desktop operating systems, along with the ability to remove access to enterprise data from both enterprise and personal devices (after enrollment in an enterprise management solution, like Intune).
+Windows Information Protection is the mobile application management (MAM) mechanism on Windows 10. WIP gives you a new way to manage data policy enforcement for apps and documents on Windows 10 desktop operating systems, along with the ability to remove access to enterprise data from both enterprise and personal devices (after enrollment in an enterprise management solution, like Intune).
-- **Change the way you think about data policy enforcement.** As an enterprise admin, you need to maintain compliance in your data policy and data access. WIP helps protect enterprise on both corporate and employee-owned devices, even when the employee isn’t using the device. When employees create content on an enterprise-protected device, they can choose to save it as a work document. If it's a work document, it becomes locally-maintained as enterprise data.
+- **Change the way you think about data policy enforcement.** As an enterprise admin, you need to maintain compliance in your data policy and data access. Windows Information Protection helps protect enterprise on both corporate and employee-owned devices, even when the employee isn’t using the device. When employees create content on an enterprise-protected device, they can choose to save it as a work document. If it's a work document, it becomes locally-maintained as enterprise data.
- **Manage your enterprise documents, apps, and encryption modes.**
@@ -99,21 +93,21 @@ WIP is the mobile application management (MAM) mechanism on Windows 10. WIP give
- **Deciding your level of data access.** WIP lets you block, allow overrides, or audit employees' data sharing actions. Hiding overrides stops the action immediately. Allowing overrides lets the employee know there's a risk, but lets him or her continue to share the data while recording and auditing the action. Silent just logs the action without stopping anything that the employee could've overridden while using that setting; collecting info that can help you to see patterns of inappropriate sharing so you can take educative action or find apps that should be added to your protected apps list. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).
- - **Data encryption at rest.** WIP helps protect enterprise data on local files and on removable media.
+ - **Data encryption at rest.** Windows Information Protection helps protect enterprise data on local files and on removable media.
- Apps such as Microsoft Word work with WIP to help continue your data protection across local files and removable media. These apps are being referred to as, enterprise aware. For example, if an employee opens WIP-encrypted content from Word, edits the content, and then tries to save the edited version with a different name, Word automatically applies WIP to the new document.
+ Apps such as Microsoft Word work with WIP to help continue your data protection across local files and removable media. These apps are being referred to as, enterprise aware. For example, if an employee opens WIP-encrypted content from Word, edits the content, and then tries to save the edited version with a different name, Word automatically applies Windows Information Protection to the new document.
- - **Helping prevent accidental data disclosure to public spaces.** WIP helps protect your enterprise data from being accidentally shared to public spaces, such as public cloud storage. For example, if Dropbox™ isn’t on your protected apps list, employees won’t be able to sync encrypted files to their personal cloud storage. Instead, if the employee stores the content to an app on your protected apps list, like Microsoft OneDrive for Business, the encrypted files can sync freely to the business cloud, while maintaining the encryption locally.
+ - **Helping prevent accidental data disclosure to public spaces.** Windows Information Protection helps protect your enterprise data from being accidentally shared to public spaces, such as public cloud storage. For example, if Dropbox™ isn’t on your protected apps list, employees won’t be able to sync encrypted files to their personal cloud storage. Instead, if the employee stores the content to an app on your protected apps list, like Microsoft OneDrive for Business, the encrypted files can sync freely to the business cloud, while maintaining the encryption locally.
- - **Helping prevent accidental data disclosure to removable media.** WIP helps prevent enterprise data from leaking when it's copied or transferred to removable media. For example, if an employee puts enterprise data on a Universal Serial Bus (USB) drive that also has personal data, the enterprise data remains encrypted while the personal data doesn’t.
+ - **Helping prevent accidental data disclosure to removable media.** Windows Information Protection helps prevent enterprise data from leaking when it's copied or transferred to removable media. For example, if an employee puts enterprise data on a Universal Serial Bus (USB) drive that also has personal data, the enterprise data remains encrypted while the personal data doesn’t.
-- **Remove access to enterprise data from enterprise-protected devices.** WIP gives admins the ability to revoke enterprise data from one or many MDM-enrolled devices, while leaving personal data alone. This is a benefit when an employee leaves your company, or in the case of a stolen device. After determining that the data access needs to be removed, you can use Microsoft Intune to unenroll the device so when it connects to the network, the user's encryption key for the device is revoked and the enterprise data becomes unreadable.
+- **Remove access to enterprise data from enterprise-protected devices.** Windows Information Protection gives admins the ability to revoke enterprise data from one or many MDM-enrolled devices, while leaving personal data alone. This is a benefit when an employee leaves your company, or in the case of a stolen device. After determining that the data access needs to be removed, you can use Microsoft Intune to unenroll the device so when it connects to the network, the user's encryption key for the device is revoked and the enterprise data becomes unreadable.
>[!NOTE]
>For management of Surface devices it is recommended that you use the Current Branch of Microsoft Endpoint Configuration Manager.
Microsoft Endpoint Manager also allows you to revoke enterprise data. However, it does it by performing a factory reset of the device.
## How WIP works
-WIP helps address your everyday challenges in the enterprise. Including:
+Windows Information Protection helps address your everyday challenges in the enterprise. Including:
- Helping to prevent enterprise data leaks, even on employee-owned devices that can't be locked down.
@@ -124,7 +118,7 @@ WIP helps address your everyday challenges in the enterprise. Including:
- Helping control the network and data access and data sharing for apps that aren’t enterprise aware
### Enterprise scenarios
-WIP currently addresses these enterprise scenarios:
+Windows Information Protection currently addresses these enterprise scenarios:
- You can encrypt enterprise data on employee-owned and corporate-owned devices.
- You can remotely wipe enterprise data off managed computers, including employee-owned computers, without affecting the personal data.
@@ -134,21 +128,21 @@ WIP currently addresses these enterprise scenarios:
- Your employees won't have their work otherwise interrupted while switching between personal and enterprise apps while the enterprise policies are in place. Switching environments or signing in multiple times isn’t required.
### WIP-protection modes
-Enterprise data is automatically encrypted after it’s loaded on a device from an enterprise source or if an employee marks the data as corporate. Then, when the enterprise data is written to disk, WIP uses the Windows-provided Encrypting File System (EFS) to protect it and associate it with your enterprise identity.
+Enterprise data is automatically encrypted after it’s loaded on a device from an enterprise source or if an employee marks the data as corporate. Then, when the enterprise data is written to disk, Windows Information Protection uses the Windows-provided Encrypting File System (EFS) to protect it and associate it with your enterprise identity.
-Your WIP policy includes a list of trusted apps that are protected to access and process corporate data. This list of apps is implemented through the [AppLocker](/windows/device-security/applocker/applocker-overview) functionality, controlling what apps are allowed to run and letting the Windows operating system know that the apps can edit corporate data. Apps included on this list don’t have to be modified to open corporate data because their presence on the list allows Windows to determine whether to grant them access. However, new for Windows 10, app developers can use a new set of application programming interfaces (APIs) to create *enlightened* apps that can use and edit both enterprise and personal data. A huge benefit to working with enlightened apps is that dual-use apps, like Microsoft Word, can be used with less concern about encrypting personal data by mistake because the APIs allow the app to determine whether data is owned by the enterprise or if it’s personally owned.
+Your Windows Information Protection policy includes a list of trusted apps that are protected to access and process corporate data. This list of apps is implemented through the [AppLocker](/windows/device-security/applocker/applocker-overview) functionality, controlling what apps are allowed to run and letting the Windows operating system know that the apps can edit corporate data. Apps included on this list don’t have to be modified to open corporate data because their presence on the list allows Windows to determine whether to grant them access. However, new for Windows 10, app developers can use a new set of application programming interfaces (APIs) to create *enlightened* apps that can use and edit both enterprise and personal data. A huge benefit to working with enlightened apps is that dual-use apps, like Microsoft Word, can be used with less concern about encrypting personal data by mistake because the APIs allow the app to determine whether data is owned by the enterprise or if it’s personally owned.
>[!NOTE]
>For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).
-You can set your WIP policy to use 1 of 4 protection and management modes:
+You can set your Windows Information Protection policy to use 1 of 4 protection and management modes:
|Mode|Description|
|----|-----------|
-|Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing enterprise data to non-enterprise-protected apps in addition to sharing enterprise data between apps or attempting to share outside of your organization’s network.|
-|Allow overrides |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log.|
-|Silent |WIP runs silently, logging inappropriate data sharing, without stopping anything that would’ve been prompted for employee interaction while in Allow overrides mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.|
-|Off |WIP is turned off and doesn't help to protect or audit your data.
+Multiple Windows Defender Application Control policies can be managed from an MDM server through ApplicationControl configuration service provider (CSP). The CSP also provides support for rebootless policy deployment.
However, when policies are un-enrolled from an MDM server, the CSP will attempt to remove every policy from devices, not just the policies added by the CSP. The reason for this is that the ApplicationControl CSP doesn't track enrollment sources for individual policies, even though it will query all policies on a device, regardless if they were deployed by the CSP.
-See [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp) for more information on deploying multiple policies, optionally using MEM Intune's Custom OMA-URI capability.
+See [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp) for more information on deploying multiple policies, optionally using Microsoft Endpoint Manager Intune's Custom OMA-URI capability.
> [!NOTE]
-> WMI and GP do not currently support multiple policies. Instead, customers who cannot directly access the MDM stack should use the [ApplicationControl CSP via the MDM Bridge WMI Provider](/windows/client-management/mdm/applicationcontrol-csp#powershell-and-wmi-bridge-usage-guidance) to manage Multiple Policy Format WDAC policies.
+> WMI and GP do not currently support multiple policies. Instead, customers who cannot directly access the MDM stack should use the [ApplicationControl CSP via the MDM Bridge WMI Provider](/windows/client-management/mdm/applicationcontrol-csp#powershell-and-wmi-bridge-usage-guidance) to manage Multiple Policy Format Windows Defender Application Control policies.
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md
index 73098a0cc4..23f551bee1 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md
@@ -27,14 +27,14 @@ ms.technology: windows-sec
- Windows Server 2016 and above
>[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
+>Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
> [!NOTE]
-> Group Policy-based deployment of WDAC policies only supports single-policy format WDAC policies. To use WDAC on devices running Windows 10 1903 and greater, or Windows 11, we recommend using an alternative method for policy deployment.
+> Group Policy-based deployment of Windows Defender Application Control policies only supports single-policy format WDAC policies. To use WDAC on devices running Windows 10 1903 and greater, or Windows 11, we recommend using an alternative method for policy deployment.
-Single-policy format WDAC policies (pre-1903 policy schema) can be easily deployed and managed with Group Policy. The following procedure walks you through how to deploy a WDAC policy called **ContosoPolicy.bin** to a test OU called *WDAC Enabled PCs* by using a GPO called **Contoso GPO Test**.
+Single-policy format Windows Defender Application Control policies (pre-1903 policy schema) can be easily deployed and managed with Group Policy. The following procedure walks you through how to deploy a WDAC policy called **ContosoPolicy.bin** to a test OU called *WDAC Enabled PCs* by using a GPO called **Contoso GPO Test**.
-To deploy and manage a WDAC policy with Group Policy:
+To deploy and manage a Windows Defender Application Control policy with Group Policy:
1. On a client computer on which RSAT is installed, open the GPMC by running **GPMC.MSC**
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md
index 3572e0f5f3..143fbdcc2e 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md
@@ -27,13 +27,13 @@ ms.technology: windows-sec
- Windows Server 2016 and above
>[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
+>Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
-You can use a Mobile Device Management (MDM) solution, like Microsoft Endpoint Manager (MEM) Intune, to configure Windows Defender Application Control (WDAC) on client machines. Intune includes native support for WDAC which can be a helpful starting point, but customers may find the available circle-of-trust options too limiting. To deploy a custom policy through Intune and define your own circle of trust, you can configure a profile using Custom OMA-URI. If your organization uses another MDM solution, check with your solution provider for WDAC policy deployment steps.
+You can use a Mobile Device Management (MDM) solution, like Microsoft Endpoint Manager Intune, to configure Windows Defender Application Control (WDAC) on client machines. Intune includes native support for WDAC which can be a helpful starting point, but customers may find the available circle-of-trust options too limiting. To deploy a custom policy through Intune and define your own circle of trust, you can configure a profile using Custom OMA-URI. If your organization uses another MDM solution, check with your solution provider for WDAC policy deployment steps.
## Use Intune's built-in policies
-Intune's built-in WDAC support allows you to configure Windows client computers to only run:
+Intune's built-in Windows Defender Application Control support allows you to configure Windows client computers to only run:
- Windows components
- 3rd party hardware and software kernel drivers
@@ -51,7 +51,7 @@ To use Intune's built-in WDAC policies, configure [Endpoint Protection for Windo
## Deploy WDAC policies with custom OMA-URI
> [!NOTE]
-> Policies deployed through Intune custom OMA-URI are subject to a 350,000 byte limit. Customers should create WDAC policies that use signature-based rules, the Intelligent Security Graph, and managed installers where practical. Customers whose devices are running 1903+ builds of Windows are also encouraged to use [multiple policies](deploy-multiple-windows-defender-application-control-policies.md) which allow more granular policy.
+> Policies deployed through Intune custom OMA-URI are subject to a 350,000 byte limit. Customers should create Windows Defender Application Control policies that use signature-based rules, the Intelligent Security Graph, and managed installers where practical. Customers whose devices are running 1903+ builds of Windows are also encouraged to use [multiple policies](deploy-multiple-windows-defender-application-control-policies.md) which allow more granular policy.
### Deploy custom WDAC policies on Windows 10 1903+
@@ -78,7 +78,7 @@ The steps to use Intune's custom OMA-URI functionality are:
### Remove WDAC policies on Windows 10 1903+
-Upon deletion, policies deployed through Intune via the ApplicationControl CSP are removed from the system but stay in effect until the next reboot. In order to disable WDAC enforcement, first replace the existing policy with a new version of the policy that will "Allow *", like the rules in the example policy at %windir%\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml. Once the updated policy is deployed, you can then delete the policy from the Intune portal. This will prevent anything from being blocked and fully remove the WDAC policy on the next reboot.
+Upon deletion, policies deployed through Intune via the ApplicationControl CSP are removed from the system but stay in effect until the next reboot. In order to disable Windows Defender Application Control enforcement, first replace the existing policy with a new version of the policy that will "Allow *", like the rules in the example policy at %windir%\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml. Once the updated policy is deployed, you can then delete the policy from the Intune portal. This will prevent anything from being blocked and fully remove the WDAC policy on the next reboot.
### For pre-1903 systems
@@ -100,4 +100,4 @@ The steps to use Intune's Custom OMA-URI functionality to leverage the [AppLocke
#### Removing policies
-Policies deployed through Intune via the AppLocker CSP cannot be deleted through the Intune console. In order to disable WDAC policy enforcement, either deploy an audit-mode policy or use a script to delete the existing policy.
+Policies deployed through Intune via the AppLocker CSP cannot be deleted through the Intune console. In order to disable Windows Defender Application Control policy enforcement, either deploy an audit-mode policy or use a script to delete the existing policy.
diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md
index 1ac9e541d2..b8f3362555 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md
@@ -25,24 +25,24 @@ ms.localizationpriority: medium
- Windows Server 2016 and above
>[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+>Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
-You can use Microsoft Endpoint Configuration Manager (MEMCM) to configure Windows Defender Application Control (WDAC) on client machines.
+You can use Microsoft Endpoint Configuration Manager to configure Windows Defender Application Control (WDAC) on client machines.
## Use MEMCM's built-in policies
-MEMCM includes native support for WDAC, which allows you to configure Windows 10 and Windows 11 client computers with a policy that will only allow:
+Microsoft Endpoint Configuration Manager includes native support for WDAC, which allows you to configure Windows 10 and Windows 11 client computers with a policy that will only allow:
- Windows components
- Microsoft Store apps
-- Apps installed by MEMCM (MEMCM self-configured as a managed installer)
+- Apps installed by Configuration Manager (Configuration Manager self-configured as a managed installer)
- [Optional] Reputable apps as defined by the Intelligent Security Graph (ISG)
-- [Optional] Apps and executables already installed in admin-definable folder locations that MEMCM will allow through a one-time scan during policy creation on managed endpoints.
+- [Optional] Apps and executables already installed in admin-definable folder locations that Configuration Manager will allow through a one-time scan during policy creation on managed endpoints.
-Note that MEMCM does not remove policies once deployed. To stop enforcement, you should switch the policy to audit mode, which will produce the same effect. If you want to disable WDAC altogether (including audit mode), you can deploy a script to delete the policy file from disk, and either trigger a reboot or wait for the next reboot.
+Note that Configuration Manager does not remove policies once deployed. To stop enforcement, you should switch the policy to audit mode, which will produce the same effect. If you want to disable Windows Defender Application Control (WDAC) altogether (including audit mode), you can deploy a script to delete the policy file from disk, and either trigger a reboot or wait for the next reboot.
-For more information on using MEMCM's native WDAC policies, see [Windows Defender Application Control management with Configuration Manager](/mem/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager).
+For more information on using Configuration Manager's native WDAC policies, see [Windows Defender Application Control management with Configuration Manager](/mem/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager).
## Deploy custom WDAC policies using Packages/Programs or Task Sequences
-Using MEMCM's built-in policies can be a helpful starting point, but customers may find the circle-of-trust options available in MEMCM too limiting. To define your own circle-of-trust, you can use MEMCM to deploy custom WDAC policies using [script-based deployment](deploy-wdac-policies-with-script.md) via Software Distribution Packages and Programs or Operating System Deployment Task Sequences.
+Using Configuration Manager's built-in policies can be a helpful starting point, but customers may find the circle-of-trust options available in Configuration Manager too limiting. To define your own circle-of-trust, you can use Configuration Manager to deploy custom WDAC policies using [script-based deployment](deploy-wdac-policies-with-script.md) via Software Distribution Packages and Programs or Operating System Deployment Task Sequences.
diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md
index 43ecea1845..28a74c5e9f 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md
@@ -25,7 +25,7 @@ ms.localizationpriority: medium
- Windows Server 2016 and above
>[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+>Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
This topic describes how to deploy Windows Defender Application Control (WDAC) policies using script. The instructions below use PowerShell but can work with any scripting host.
@@ -43,7 +43,7 @@ This topic describes how to deploy Windows Defender Application Control (WDAC) p
$RefreshPolicyTool = "
For pre-1909 builds, cmdlets are only available on Enterprise but policies are effective on all SKUs. | Policies deployed through GP are only effective on Enterprise devices.
Policies deployed through MDM are effective on all SKUs. |
-| Management solutions |
| |
+| Management solutions |
| |
| Per-User and Per-User group rules | Not available (policies are device-wide) | Available on Windows 8+ |
| Kernel mode policies | Available on all Windows 10 versions and Windows 11 | Not available |
| Per-app rules | [Available on 1703+](./use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md) | Not available |
diff --git a/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md
index 8a26cf9a33..71bcec1a37 100644
--- a/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md
+++ b/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md
@@ -27,27 +27,27 @@ ms.technology: windows-sec
- Windows Server 2016 and above
>[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
+>Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
This topic for IT professionals describes concepts and lists procedures to help you manage packaged apps with Windows Defender Application Control (WDAC) as part of your overall application control strategy.
## Understanding Packaged Apps and Packaged App Installers
Packaged apps, also known as Universal Windows apps, are based on a model that ensures all the files within an app package share the same identity. With classic Windows apps, each file within the app could have a unique identity.
-With packaged apps, it is possible to control the entire app by using a single WDAC rule.
+With packaged apps, it is possible to control the entire app by using a single Windows Defender Application Control rule.
-Typically, an app consists of multiple components: the installer that is used to install the app, and one or more exes, dlls, or scripts. With classic Windows apps, these components don't always share common attributes such as the software’s publisher name, product name, and product version. Therefore, WDAC controls each of these components separately through different rule collections, such as exe, dll, script, and Windows Installer rules. In contrast, all the components of a packaged app share the same publisher name, package name, and package version attributes. Therefore, you can control an entire app with a single rule.
+Typically, an app consists of multiple components: the installer that is used to install the app, and one or more exes, dlls, or scripts. With classic Windows apps, these components don't always share common attributes such as the software’s publisher name, product name, and product version. Therefore, Windows Defender Application Control controls each of these components separately through different rule collections, such as exe, dll, script, and Windows Installer rules. In contrast, all the components of a packaged app share the same publisher name, package name, and package version attributes. Therefore, you can control an entire app with a single rule.
### Comparing classic Windows Apps and Packaged Apps
-WDAC policies for packaged apps can only be applied to apps installed on computers running at least Windows Server 2012 or Windows 8, but classic Windows apps can be controlled on devices running at least Windows Server
+Windows Defender Application Control policies for packaged apps can only be applied to apps installed on computers running at least Windows Server 2012 or Windows 8, but classic Windows apps can be controlled on devices running at least Windows Server
2008 R2 or Windows 7. The rules for classic Windows apps and packaged apps can be enforced in tandem. The differences between packaged apps and classic Windows apps that you should consider include:
- **Installing the apps** All packaged apps can be installed by a standard user, whereas a number of classic Windows apps require administrative privileges to install. In an environment where most of the users are standard users, you might not have numerous exe rules (because classic Windows apps require administrative privileges to install), but you might want to have more explicit policies for packaged apps.
-- **Changing the system state** Classic Windows apps can be written to change the system state if they are run with administrative privileges. Most packaged apps cannot change the system state because they run with limited privileges. When you design your WDAC policies, it is important to understand whether an app that you are allowing can make system-wide changes.
+- **Changing the system state** Classic Windows apps can be written to change the system state if they are run with administrative privileges. Most packaged apps cannot change the system state because they run with limited privileges. When you design your Windows Defender Application Control policies, it is important to understand whether an app that you are allowing can make system-wide changes.
- **Acquiring the apps** Packaged apps can be acquired through the Store, or by loading using Windows PowerShell cmdlets (which requires a special enterprise license). Classic Windows apps can be acquired through traditional means.
-WDAC uses different rule collections to control packaged apps and classic Windows apps. You have the choice to control one type, the other type, or both.
+Windows Defender Application Control uses different rule collections to control packaged apps and classic Windows apps. You have the choice to control one type, the other type, or both.
## Using WDAC to Manage Packaged Apps
@@ -55,7 +55,7 @@ Just as there are differences in managing each rule collection, you need to mana
1. Gather information about which packaged apps are running in your environment.
-2. Create WDAC rules for specific packaged apps based on your policy strategies. For more information, see [Deploy WDAC policy rules and file rules](select-types-of-rules-to-create.md).
+2. Create WDAC rules for specific packaged apps based on your policy strategies. For more information, see [Deploy Windows Defender Application Control policy (WDAC) rules and file rules](select-types-of-rules-to-create.md).
3. Continue to update the WDAC policies as new package apps are introduced into your environment. To do this, see [Merge WDAC policies](merge-windows-defender-application-control-policies.md).
diff --git a/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md
index 4bb130103f..3c6789e089 100644
--- a/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md
@@ -25,16 +25,16 @@ ms.localizationpriority: medium
- Windows Server 2016 and above
>[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
+>Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
-This article shows how to merge multiple policy XML files together and how to merge rules directly into a policy. WDAC deployments often include a few base policies and optional supplemental policies for specific use cases.
+This article shows how to merge multiple policy XML files together and how to merge rules directly into a policy. Windows Defender Application Control deployments often include a few base policies and optional supplemental policies for specific use cases.
> [!NOTE]
-> Prior to Windows version 1903, including Windows Server 2019 and earlier, only one WDAC policy can be active on a system at a time. If you need to use WDAC on systems running these earlier versions of Windows, you must merge all policies before deploying.
+> Prior to Windows version 1903, including Windows Server 2019 and earlier, only one Windows Defender Application Control policy can be active on a system at a time. If you need to use WDAC on systems running these earlier versions of Windows, you must merge all policies before deploying.
## Merge multiple WDAC policy XML files together
-There are many scenarios where you may want to merge two or more policy files together. For example, if you [use audit events to create WDAC policy rules](audit-windows-defender-application-control-policies.md), you can merge those rules with your existing WDAC base policy. To merge the two WDAC policies referenced in that article, complete the following steps in an elevated Windows PowerShell session.
+There are many scenarios where you may want to merge two or more policy files together. For example, if you [use audit events to create Windows Defender Application Control policy rules](audit-windows-defender-application-control-policies.md), you can merge those rules with your existing WDAC base policy. To merge the two WDAC policies referenced in that article, complete the following steps in an elevated Windows PowerShell session.
1. Initialize the variables that will be used:
@@ -45,7 +45,7 @@ There are many scenarios where you may want to merge two or more policy files to
$MergedPolicy=$env:userprofile+"\Desktop\"+$PolicyName+"_Merged.xml"
```
-2. Use [Merge-CIPolicy](/powershell/module/configci/merge-cipolicy) to merge two policies and create a new WDAC policy:
+2. Use [Merge-CIPolicy](/powershell/module/configci/merge-cipolicy) to merge two policies and create a new Windows Defender Application Control policy:
```powershell
Merge-CIPolicy -PolicyPaths $LamnaPolicy,$EventsPolicy -OutputFilePath $MergedPolicy
@@ -93,6 +93,6 @@ Now that you have your new, merged policy, you can convert and deploy the policy
> [!NOTE]
> In the sample commands above, for policies targeting Windows 10 version 1903+ or Windows 11, replace the string "{InsertPolicyID}" with the actual PolicyID GUID (including braces **{ }**) found in your policy XML file. For Windows 10 versions prior to 1903, use the name SiPolicy.p7b for the binary file name.
-2. Upload your merged policy XML and the associated binary to the source control solution you are using for your WDAC policies. such as [GitHub](https://github.com/) or a document management solution such as [Office 365 SharePoint](https://products.office.com/sharepoint/collaboration).
+2. Upload your merged policy XML and the associated binary to the source control solution you are using for your Windows Defender Application Control policies. such as [GitHub](https://github.com/) or a document management solution such as [Office 365 SharePoint](https://products.office.com/sharepoint/collaboration).
3. Deploy the merged policy using your preferred deployment solution. See [Deploying Windows Defender Application Control (WDAC) policies](windows-defender-application-control-deployment-guide.md)
diff --git a/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md b/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md
index a54661c0b2..dfddeebe3f 100644
--- a/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md
+++ b/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md
@@ -10,7 +10,7 @@ ms.reviewer: jogeurte
ms.author: jogeurte
ms.manager: jsuther
manager: dansimp
-ms.date: 04/14/2021
+ms.date: 07/01/2022
ms.technology: windows-sec
ms.topic: article
ms.localizationpriority: medium
@@ -25,20 +25,23 @@ ms.localizationpriority: medium
- Windows 11
- Windows Server 2016 and above
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
+> [!NOTE]
+> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability).
-This topic covers tips and tricks for admins as well as known issues with WDAC.
-Test this configuration in your lab before enabling it in production.
+This topic covers tips and tricks for admins and known issues with Windows Defender Application Control (WDAC). Test this configuration in your lab before enabling it in production.
+
+## Managed Installer and ISG will cause garrulous events
+
+When Managed Installer and ISG are enabled, 3091 and 3092 events will be logged when a file didn't have Managed Installer or ISG authorization, regardless of whether the file was allowed. Beginning with the September 2022 C release, these events will be moved to the verbose channel since the events don't indicate an issue with the policy.
## .NET native images may generate false positive block events
-In some cases, the code integrity logs where WDAC errors and warnings are written will contain error events for native images generated for .NET assemblies. Typically, native image blocks are functionally benign as a blocked native image will fallback to its corresponding assembly and .NET will regenerate the native image at its next scheduled maintenance window.
+In some cases, the code integrity logs where Windows Defender Application Control errors and warnings are written will contain error events for native images generated for .NET assemblies. Typically, native image blocks are functionally benign as a blocked native image will fall back to its corresponding assembly and .NET will regenerate the native image at its next scheduled maintenance window.
## MSI Installations launched directly from the internet are blocked by WDAC
Installing .msi files directly from the internet to a computer protected by WDAC will fail.
-For example, this command will not work:
+For example, this command won't work:
```console
msiexec –i https://download.microsoft.com/download/2/E/3/2E3A1E42-8F50-4396-9E7E-76209EA4F429/Windows10_Version_1511_ADMX.msi
diff --git a/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md b/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md
index 22ff2acf4f..7e7c459ff7 100644
--- a/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md
+++ b/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md
@@ -27,15 +27,15 @@ ms.technology: windows-sec
- Windows Server 2016 and above
>[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
+>Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
This topic describes the decisions you need to make to establish the processes for managing and maintaining Windows Defender Application Control (WDAC) policies.
## Policy XML lifecycle management
-The first step in implementing application control is to consider how your policies will be managed and maintained over time. Developing a process for managing WDAC policies helps ensure that WDAC continues to effectively control how applications are allowed to run in your organization.
+The first step in implementing application control is to consider how your policies will be managed and maintained over time. Developing a process for managing Windows Defender Application Control policies helps ensure that WDAC continues to effectively control how applications are allowed to run in your organization.
-Most WDAC policies will evolve over time and proceed through a set of identifiable phases during their lifetime. Typically, these phases include:
+Most Windows Defender Application Control policies will evolve over time and proceed through a set of identifiable phases during their lifetime. Typically, these phases include:
1. [Define (or refine) the "circle-of-trust"](understand-windows-defender-application-control-policy-design-decisions.md) for the policy and build an audit mode version of the policy XML. In audit mode, block events are generated but files are not prevented from executing.
2. Deploy the audit mode policy to intended devices.
@@ -49,11 +49,11 @@ Most WDAC policies will evolve over time and proceed through a set of identifiab
### Keep WDAC policies in a source control or document management solution
-To effectively manage WDAC policies, you should store and maintain your policy XML documents in a central repository that is accessible to everyone responsible for WDAC policy management. We recommend a source control solution such as [GitHub](https://github.com/) or a document management solution such as [Office 365 SharePoint](https://products.office.com/sharepoint/collaboration), which provide version control and allow you to specify metadata about the XML documents.
+To effectively manage Windows Defender Application Control policies, you should store and maintain your policy XML documents in a central repository that is accessible to everyone responsible for WDAC policy management. We recommend a source control solution such as [GitHub](https://github.com/) or a document management solution such as [Office 365 SharePoint](https://products.office.com/sharepoint/collaboration), which provide version control and allow you to specify metadata about the XML documents.
### Set PolicyName, PolicyID, and Version metadata for each policy
-Use the [Set-CIPolicyIDInfo](/powershell/module/configci/set-cipolicyidinfo) cmdlet to give each policy a descriptive name and set a unique ID in order to differentiate each policy when reviewing WDAC events or when viewing the policy XML document. Although you can specify a string value for PolicyId, for policies using the multiple policy format we recommend using the -ResetPolicyId switch to let the system autogenerate a unique ID for the policy.
+Use the [Set-CIPolicyIDInfo](/powershell/module/configci/set-cipolicyidinfo) cmdlet to give each policy a descriptive name and set a unique ID in order to differentiate each policy when reviewing Windows Defender Application Control events or when viewing the policy XML document. Although you can specify a string value for PolicyId, for policies using the multiple policy format we recommend using the -ResetPolicyId switch to let the system autogenerate a unique ID for the policy.
> [!NOTE]
> PolicyID only applies to policies using the [multiple policy format](deploy-multiple-windows-defender-application-control-policies.md) on computers running Windows 10, version 1903 and above, or Windows 11. Running -ResetPolicyId on a policy created for pre-1903 computers will convert it to multiple policy format and prevent it from running on those earlier versions of Windows 10.
@@ -67,11 +67,11 @@ As new apps are deployed or existing apps are updated by the software publisher,
## WDAC event management
-Each time that a process is blocked by WDAC, events will be written to either the CodeIntegrity\Operational or the AppLocker\MSI and Script Windows event logs. The event details which file tried to run, the attributes of that file and its signatures, and the process that attempted to run the blocked file.
+Each time that a process is blocked by Windows Defender Application Control, events will be written to either the CodeIntegrity\Operational or the AppLocker\MSI and Script Windows event logs. The event details which file tried to run, the attributes of that file and its signatures, and the process that attempted to run the blocked file.
-Collecting these events in a central location can help you maintain your WDAC policy and troubleshoot rule configuration problems. Event collection technologies such as those available in Windows allow administrators to subscribe to specific event channels and have the events from source computers aggregated into a forwarded event log on a Windows Server operating system collector. For more info about setting up an event subscription, see [Configure Computers to Collect and Forward Events](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc748890(v=ws.11)).
+Collecting these events in a central location can help you maintain your Windows Defender Application Control policy and troubleshoot rule configuration problems. Event collection technologies such as those available in Windows allow administrators to subscribe to specific event channels and have the events from source computers aggregated into a forwarded event log on a Windows Server operating system collector. For more info about setting up an event subscription, see [Configure Computers to Collect and Forward Events](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc748890(v=ws.11)).
-Additionally, WDAC events are collected by [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint) and can be queried using the [advanced hunting](querying-application-control-events-centrally-using-advanced-hunting.md) feature.
+Additionally, Windows Defender Application Control events are collected by [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint) and can be queried using the [advanced hunting](querying-application-control-events-centrally-using-advanced-hunting.md) feature.
## Application and user support policy
@@ -84,24 +84,24 @@ Considerations include:
### Help desk support
-If your organization has an established help desk support department in place, consider the following when deploying WDAC policies:
+If your organization has an established help desk support department in place, consider the following when deploying Windows Defender Application Control policies:
- What documentation does your support department require for new policy deployments?
- What are the critical processes in each business group both in work flow and timing that will be affected by application control policies and how could they affect your support department's workload?
- Who are the contacts in the support department?
-- How will the support department resolve application control issues between the end user and those who maintain the WDAC rules?
+- How will the support department resolve application control issues between the end user and those who maintain the Windows Defender Application Control rules?
### End-user support
-Because WDAC is preventing unapproved apps from running, it is important that your organization carefully plan how to provide end-user support. Considerations include:
+Because Windows Defender Application Control is preventing unapproved apps from running, it is important that your organization carefully plan how to provide end-user support. Considerations include:
- Do you want to use an intranet site as a first line of support for users who have tried to run a blocked app?
- How do you want to support exceptions to the policy? Will you allow users to run a script to temporarily allow access to a blocked app?
## Document your plan
-After deciding how your organization will manage your WDAC policy, record your findings.
+After deciding how your organization will manage your Windows Defender Application Control policy, record your findings.
-- **End-user support policy.** Document the process that you will use for handling calls from users who have attempted to run a blocked app, and ensure that support personnel have clear escalation steps so that the administrator can update the WDAC policy, if necessary.
+- **End-user support policy.** Document the process that you will use for handling calls from users who have attempted to run a blocked app, and ensure that support personnel have clear escalation steps so that the administrator can update the Windows Defender Application Control policy, if necessary.
- **Event processing.** Document whether events will be collected in a central location called a store, how that store will be archived, and whether the events will be processed for analysis.
- **Policy management.** Detail what policies are planned, how they will be managed, and how rules will be maintained over time.
diff --git a/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md b/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md
index 9406a7c464..fcf1dd7a24 100644
--- a/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md
+++ b/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md
@@ -34,8 +34,8 @@ This capability is supported beginning with Windows version 1607.
| - | - | - |
| AppControlCodeIntegrityDriverRevoked | 3023 | The driver file under validation didn't meet the requirements to pass the application control policy. |
| AppControlCodeIntegrityImageRevoked | 3036 | The signed file under validation is signed by a code signing certificate that has been revoked by Microsoft or the certificate issuing authority. |
-| AppControlCodeIntegrityPolicyAudited | 3076 | This event is the main WDAC block event for audit mode policies. It indicates the file would have been blocked if the WDAC policy was enforced. |
-| AppControlCodeIntegrityPolicyBlocked | 3077 | This event is the main WDAC block event for enforced policies. It indicates the file didn't pass your WDAC policy and was blocked. |
+| AppControlCodeIntegrityPolicyAudited | 3076 | This event is the main Windows Defender Application Control block event for audit mode policies. It indicates the file would have been blocked if the WDAC policy was enforced. |
+| AppControlCodeIntegrityPolicyBlocked | 3077 | This event is the main Windows Defender Application Control block event for enforced policies. It indicates the file didn't pass your WDAC policy and was blocked. |
| AppControlExecutableAudited | 8003 | Applied only when the Audit only enforcement mode is enabled. Specifies the .exe or .dll file would be blocked if the Enforce rules enforcement mode were enabled. |
| AppControlExecutableBlocked | 8004 | The .exe or .dll file can't run. |
| AppControlPackagedAppAudited | 8021 | Applied only when the Audit only enforcement mode is enabled. Specifies the packaged app would be blocked if the Enforce rules enforcement mode were enabled. |
@@ -57,7 +57,7 @@ Learn more about the [Understanding Application Control event IDs (Windows)](eve
Query Example 1: Query the application control action types summarized by type for past seven days
-Here's a simple example query that shows all the WDAC events generated in the last seven days from machines being monitored by Microsoft Defender for Endpoint:
+Here's a simple example query that shows all the Windows Defender Application Control events generated in the last seven days from machines being monitored by Microsoft Defender for Endpoint:
```
DeviceEvents
@@ -67,7 +67,7 @@ ActionType startswith "AppControl"
| order by Machines desc
```
-The query results can be used for several important functions related to managing WDAC including:
+The query results can be used for several important functions related to managing Windows Defender Application Control including:
- Assessing the impact of deploying policies in audit mode
Since applications still run in audit mode, it's an ideal way to see the impact and correctness of the rules included in the policy. Integrating the generated events with Advanced Hunting makes it much easier to have broad deployments of audit mode policies and see how the included rules would influence those systems in real world usage. This audit mode data will help streamline the transition to using policies in enforced mode.
diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
index 94be9da4e5..1b68313de8 100644
--- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
+++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
@@ -14,7 +14,7 @@ author: dansimp
ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
-ms.date: 01/26/2022
+ms.date: 06/28/2022
ms.technology: windows-sec
---
@@ -26,16 +26,16 @@ ms.technology: windows-sec
- Windows 11
- Windows Server 2016 and above
->[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
+> [!NOTE]
+> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
Windows Defender Application Control (WDAC) can control what runs on Windows 10 and Windows 11, by setting policies that specify whether a driver or application is trusted. A policy includes *policy rules* that control options such as audit mode, and *file rules* (or *file rule levels*) that specify how applications are identified and trusted.
-WDAC is used to restrict devices to run only approved apps, while the operating system is hardened against kernel memory attacks using [hypervisor-protected code integrity (HVCI)](/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control).
+Windows Defender Application Control is used to restrict devices to run only approved apps, while the operating system is hardened against kernel memory attacks using [hypervisor-protected code integrity (HVCI)](/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control).
## Windows Defender Application Control policy rules
-To modify the policy rule options of an existing WDAC policy XML, use [Set-RuleOption](/powershell/module/configci/set-ruleoption). The following examples show how to use this cmdlet to add and remove a rule option on an existing WDAC policy:
+To modify the policy rule options of an existing Windows Defender Application Control policy XML, use [Set-RuleOption](/powershell/module/configci/set-ruleoption). The following examples show how to use this cmdlet to add and remove a rule option on an existing WDAC policy:
- To ensure that UMCI is enabled for a WDAC policy that was created with the `-UserPEs` (user mode) option, add rule option 0 to an existing policy, by running the following command:
@@ -50,7 +50,7 @@ To modify the policy rule options of an existing WDAC policy XML, use [Set-RuleO
You can set several rule options within a WDAC policy. Table 1 describes each rule option, and whether they have supplemental policies. However, option 5 isn't implemented as it's reserved for future work, and option 7 isn't supported.
> [!NOTE]
-> We recommend that you use **Enabled:Audit Mode** initially because it allows you to test new WDAC policies before you enforce them. With audit mode, no application is blocked—instead the policy logs an event whenever an application outside the policy is started. To allow these applications, you can capture the policy information from the event log, and then merge that information into the existing policy. When the **Enabled:Audit Mode** is deleted, the policy runs in enforced mode.
+> We recommend that you use **Enabled:Audit Mode** initially because it allows you to test new Windows Defender Application Control policies before you enforce them. With audit mode, no application is blocked—instead the policy logs an event whenever an application outside the policy is started. To allow these applications, you can capture the policy information from the event log, and then merge that information into the existing policy. When the **Enabled:Audit Mode** is deleted, the policy runs in enforced mode.
### Table 1. Windows Defender Application Control policy - policy rule options
@@ -88,13 +88,13 @@ Each file rule level has its benefit and disadvantage. Use Table 2 to select the
| Rule level | Description |
|----------- | ----------- |
-| **Hash** | Specifies individual hash values for each discovered binary. This is the most specific level, and requires more effort to maintain the current product versions’ hash values. Each time a binary is updated, the hash value changes, therefore requiring a policy update. |
+| **Hash** | Specifies individual [Authenticode/PE image hash values](#more-information-about-hashes) for each discovered binary. This is the most specific level, and requires more effort to maintain the current product versions’ hash values. Each time a binary is updated, the hash value changes, therefore requiring a policy update. |
| **FileName** | Specifies the original filename for each binary. Although the hash values for an application are modified when updated, the file names are typically not. This level offers less specific security than the hash level, but it doesn't typically require a policy update when any binary is modified. |
| **FilePath** | Beginning with Windows 10 version 1903, this level allows binaries to run from specific file path locations. More information about FilePath level rules can be found below. |
| **SignedVersion** | This level combines the publisher rule with a version number. It allows anything to run from the specified publisher with a version at or above the specified version number. |
| **Publisher** | This level combines the PcaCertificate level (typically one certificate below the root) and the common name (CN) of the leaf certificate. You can use this rule level to trust a certificate issued by a particular CA and issued to a specific company you trust (such as Intel, for device drivers). |
| **FilePublisher** | This level combines the “FileName” attribute of the signed file, plus “Publisher” (PCA certificate with CN of leaf), plus a minimum version number. This option trusts specific files from the specified publisher, with a version at or above the specified version number. |
-| **LeafCertificate** | Adds trusted signers at the individual signing certificate level. The benefit of using this level versus the individual hash level is that new versions of the product will have different hash values but typically the same signing certificate. Using this level, no policy update would be needed to run the new version of the application. However, leaf certificates have much shorter validity periods than other certificate levels, so the WDAC policy must be updated whenever these certificates change. |
+| **LeafCertificate** | Adds trusted signers at the individual signing certificate level. The benefit of using this level versus the individual hash level is that new versions of the product will have different hash values but typically the same signing certificate. Using this level, no policy update would be needed to run the new version of the application. However, leaf certificates have much shorter validity periods than other certificate levels, so the Windows Defender Application Control policy must be updated whenever these certificates change. |
| **PcaCertificate** | Adds the highest available certificate in the provided certificate chain to signers. This level is typically one certificate below the root certificate because the scan doesn't validate anything beyond the certificates included in the provided signature (it doesn't go online or check local root stores). |
| **RootCertificate** | Currently unsupported. |
| **WHQL** | Trusts binaries if they've been validated and signed by WHQL. This level is primarily for kernel binaries. |
@@ -102,7 +102,7 @@ Each file rule level has its benefit and disadvantage. Use Table 2 to select the
| **WHQLFilePublisher** | Specifies that the binaries are validated and signed by WHQL, with a specific publisher (WHQLPublisher), and that the binary is the specified version or newer. This level is primarily for kernel binaries. |
> [!NOTE]
-> When you create WDAC policies with [New-CIPolicy](/powershell/module/configci/new-cipolicy), you can specify a primary file rule level, by including the **-Level** parameter. For discovered binaries that cannot be trusted based on the primary file rule criteria, use the **-Fallback** parameter. For example, if the primary file rule level is PCACertificate, but you would like to trust the unsigned applications as well, using the Hash rule level as a fallback adds the hash values of binaries that did not have a signing certificate.
+> When you create Windows Defender Application Control policies with [New-CIPolicy](/powershell/module/configci/new-cipolicy), you can specify a primary file rule level, by including the **-Level** parameter. For discovered binaries that cannot be trusted based on the primary file rule criteria, use the **-Fallback** parameter. For example, if the primary file rule level is PCACertificate, but you would like to trust the unsigned applications as well, using the Hash rule level as a fallback adds the hash values of binaries that did not have a signing certificate.
> [!NOTE]
> - WDAC only supports signer rules for RSA certificate signing keys with a maximum of 4096 bits.
@@ -112,19 +112,19 @@ Each file rule level has its benefit and disadvantage. Use Table 2 to select the
For example, consider an IT professional in a department that runs many servers. They only want to run software signed by the companies that provide their hardware, operating system, antivirus, and other important software. They know that their servers also run an internally written application that is unsigned but is rarely updated. They want to allow this application to run.
-To create the WDAC policy, they build a reference server on their standard hardware, and install all of the software that their servers are known to run. Then they run [New-CIPolicy](/powershell/module/configci/new-cipolicy) with **-Level Publisher** (to allow software from their software providers, the "Publishers") and **-Fallback Hash** (to allow the internal, unsigned application). They deploy the policy in auditing mode to determine the potential impact from enforcing the policy. Using the audit data, they update their WDAC policies to include any additional software they want to run. Then they enable the WDAC policy in enforced mode for their servers.
+To create the Windows Defender Application Control policy, they build a reference server on their standard hardware, and install all of the software that their servers are known to run. Then they run [New-CIPolicy](/powershell/module/configci/new-cipolicy) with **-Level Publisher** (to allow software from their software providers, the "Publishers") and **-Fallback Hash** (to allow the internal, unsigned application). They deploy the policy in auditing mode to determine the potential impact from enforcing the policy. Using the audit data, they update their WDAC policies to include any additional software they want to run. Then they enable the WDAC policy in enforced mode for their servers.
As part of normal operations, they'll eventually install software updates, or perhaps add software from the same software providers. Because the "Publisher" remains the same on those updates and software, they won't need to update their WDAC policy. If the unsigned, internal application is updated, they must also update the WDAC policy to allow the new version.
## File rule precedence order
-WDAC has a built-in file rule conflict logic that translates to precedence order. It will first process all explicit deny rules it finds. Then, it will process all explicit allow rules. If no deny or allow rule exists, WDAC will check for [Managed Installer EA](deployment/deploy-wdac-policies-with-memcm.md). Lastly, if none of these exist, WDAC will fall back on [ISG](use-windows-defender-application-control-with-intelligent-security-graph.md).
+Windows Defender Application Control has a built-in file rule conflict logic that translates to precedence order. It will first process all explicit deny rules it finds. Then, it will process all explicit allow rules. If no deny or allow rule exists, WDAC will check for [Managed Installer EA](deployment/deploy-wdac-policies-with-memcm.md). Lastly, if none of these exist, WDAC will fall back on [ISG](use-windows-defender-application-control-with-intelligent-security-graph.md).
## More information about filepath rules
Filepath rules don't provide the same security guarantees that explicit signer rules do, since they're based on mutable access permissions. Filepath rules are best suited for environments where most users are running as standard rather than admin. Path rules are best suited to allow paths that you expect will remain admin-writeable only. You may want to avoid path rules for directories where standard users can modify ACLs on the folder.
-By default, WDAC performs a user-writeability check at runtime that ensures that the current permissions on the specified filepath and its parent directories (recursively) don't allow standard users write access.
+By default, Windows Defender Application Control performs a user-writeability check at runtime that ensures that the current permissions on the specified filepath and its parent directories (recursively) don't allow standard users write access.
There's a defined list of SIDs that WDAC recognizes as admins. If a filepath allows write permissions for any SID not in this list, the filepath is considered to be user-writeable, even if the SID is associated to a custom admin user. To handle these special cases, you can override WDAC's runtime admin-writeable check with the **Disabled:Runtime FilePath Rule Protection** option described above.
@@ -146,6 +146,10 @@ You can also use the following macros when the exact volume may vary: `%OSDRIVE%
## More information about hashes
+WDAC uses the [Authenticode/PE image hash algorithm](https://download.microsoft.com/download/9/c/5/9c5b2167-8017-4bae-9fde-d599bac8184a/Authenticode_PE.docx) when calculating the hash of a file. Unlike the more popular, but less secure, [flat file hash](/powershell/module/microsoft.powershell.utility/get-filehash), the Authenticode hash calculation omits the file's checksum and the Certificate Table and the Attribute Certificate Table. Therefore, the Authenticode hash of a file does not change when the file is re-signed or timestamped, or the digital signature is removed from the file. By using the Authenticode hash, WDAC provides added security and less management overhead so customers do not need to revise the policy hash rules when the digital signature on the file is updated.
+
+The Authenticode/PE image hash can be calculated for digitally-signed and unsigned files.
+
### Why does scan create four hash rules per XML file?
The PowerShell cmdlet will produce an Authenticode Sha1 Hash, Sha256 Hash, Sha1 Page Hash, Sha256 Page Hash.
diff --git a/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md b/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md
index da525f4cf5..6ff71e34a5 100644
--- a/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md
+++ b/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md
@@ -27,7 +27,7 @@ ms.technology: windows-sec
- Windows Server 2016 and above
> [!NOTE]
-> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
+> Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
Typically, deployment of Windows Defender Application Control (WDAC) happens best in phases, rather than being a feature that you simply “turn on.” The choice and sequence of phases depends on the way various computers and other devices are used in your organization, and to what degree IT manages those devices. The following table can help you begin to develop a plan for deploying WDAC in your organization. It is common for organizations to have device use cases across each of the categories described.
@@ -35,10 +35,10 @@ Typically, deployment of Windows Defender Application Control (WDAC) happens bes
| **Type of device** | **How WDAC relates to this type of device** |
|------------------------------------|------------------------------------------------------|
-| **Lightly managed devices**: Company-owned, but users are free to install software.
Devices are required to run organization's antivirus solution and client management tools. | WDAC can be used to help protect the kernel, and to monitor (audit) for problem applications rather than limiting the applications that can be run. |
-| **Fully managed devices**: Allowed software is restricted by IT department.
Users can request additional software, or install from a list of applications provided by IT department.
Examples: locked-down, company-owned desktops and laptops. | An initial baseline WDAC policy can be established and enforced. Whenever the IT department approves additional applications, it will update the WDAC policy and (for unsigned LOB applications) the catalog.
WDAC policies are supported by the HVCI service. |
-| **Fixed-workload devices**: Perform same tasks every day.
Lists of approved applications rarely change.
Examples: kiosks, point-of-sale systems, call center computers. | WDAC can be deployed fully, and deployment and ongoing administration are relatively straightforward.
After WDAC deployment, only approved applications can run. This is because of protections offered by WDAC. |
-| **Bring Your Own Device**: Employees are allowed to bring their own devices, and also use those devices away from work. | In most cases, WDAC does not apply. Instead, you can explore other hardening and security features with MDM-based conditional access solutions, such as Microsoft Intune. However, you may choose to deploy an audit-mode policy to these devices or employ a blocklist only policy to prevent specific apps or binaries that are considered malicious or vulnerable by your organization. |
+| **Lightly managed devices**: Company-owned, but users are free to install software.
Devices are required to run organization's antivirus solution and client management tools. | Windows Defender Application Control can be used to help protect the kernel, and to monitor (audit) for problem applications rather than limiting the applications that can be run. |
+| **Fully managed devices**: Allowed software is restricted by IT department.
Users can request additional software, or install from a list of applications provided by IT department.
Examples: locked-down, company-owned desktops and laptops. | An initial baseline Windows Defender Application Control policy can be established and enforced. Whenever the IT department approves additional applications, it will update the WDAC policy and (for unsigned LOB applications) the catalog.
WDAC policies are supported by the HVCI service. |
+| **Fixed-workload devices**: Perform same tasks every day.
Lists of approved applications rarely change.
Examples: kiosks, point-of-sale systems, call center computers. | Windows Defender Application Control can be deployed fully, and deployment and ongoing administration are relatively straightforward.
After Windows Defender Application Control deployment, only approved applications can run. This is because of protections offered by WDAC. |
+| **Bring Your Own Device**: Employees are allowed to bring their own devices, and also use those devices away from work. | In most cases, Windows Defender Application Control does not apply. Instead, you can explore other hardening and security features with MDM-based conditional access solutions, such as Microsoft Intune. However, you may choose to deploy an audit-mode policy to these devices or employ a blocklist only policy to prevent specific apps or binaries that are considered malicious or vulnerable by your organization. |
## An introduction to Lamna Healthcare Company
@@ -46,13 +46,10 @@ In the next set of topics, we will explore each of the above scenarios using a f
Lamna Healthcare Company (Lamna) is a large healthcare provider operating in the United States. Lamna employs thousands of people, from doctors and nurses to accountants, in-house lawyers, and IT technicians. Their device use cases are varied and include single-user workstations for their professional staff, shared kiosks used by doctors and nurses to access patient records, dedicated medical devices such as MRI scanners, and many others. Additionally, Lamna has a relaxed, bring-your-own-device policy for many of their professional staff.
-Lamna uses [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager) (MEM) in hybrid mode with both Configuration Manager (MEMCM) and Intune. Although they use MEM to deploy many applications, Lamna has always had relaxed application usage practices: individual teams and employees have been able to install and use any applications they deem necessary for their role on their own workstations. Lamna also recently started to use [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) for better endpoint detection and response.
-
-> [!NOTE]
-> Microsoft Endpoint Configuration Manager was previously known as System Center Configuration Manager.
+Lamna uses [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager) in hybrid mode with both Configuration Manager and Intune. Although they use Microsoft Endpoint Manager to deploy many applications, Lamna has always had relaxed application usage practices: individual teams and employees have been able to install and use any applications they deem necessary for their role on their own workstations. Lamna also recently started to use [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) for better endpoint detection and response.
Recently, Lamna experienced a ransomware event that required an expensive recovery process and may have included data exfiltration by the unknown attacker. Part of the attack included installing and running malicious binaries that evaded detection by Lamna's antivirus solution but would have been blocked by an application control policy. In response, Lamna's executive board has authorized a number of new security IT responses, including tightening policies for application use and introducing application control.
## Up next
-- [Create a WDAC policy for lightly-managed devices](create-wdac-policy-for-lightly-managed-devices.md)
+- [Create a Windows Defender Application Control policy for lightly-managed devices](create-wdac-policy-for-lightly-managed-devices.md)
diff --git a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md
index 4ea10512bd..9729e7515d 100644
--- a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md
+++ b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md
@@ -27,13 +27,13 @@ ms.technology: windows-sec
- Windows Server 2016 and above
> [!NOTE]
-> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
+> Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
This topic is for the IT professional. It lists the design questions, possible answers, and ramifications for decisions made, when planning application control policies deployment using Windows Defender Application Control (WDAC), within a Windows operating system environment.
When you begin the design and planning process, you should consider the ramifications of your design choices. The resulting decisions will affect your policy deployment scheme and subsequent application control policy maintenance.
-You should consider using WDAC as part of your organization's application control policies if the following are true:
+You should consider using Windows Defender Application Control as part of your organization's application control policies if the following are true:
- You have deployed or plan to deploy the supported versions of Windows in your organization.
- You need improved control over the access to your organization's applications and the data your users access.
@@ -44,28 +44,28 @@ You should consider using WDAC as part of your organization's application contro
## Decide what policies to create
-Beginning with Windows 10, version 1903, WDAC allows [multiple simultaneous policies](deploy-multiple-windows-defender-application-control-policies.md) to be applied to each device. This opens up many new use cases for organizations, but your policy management can easily become unwieldy without a well-thought-out plan for the number and types of policies to create.
+Beginning with Windows 10, version 1903, Windows Defender Application Control allows [multiple simultaneous policies](deploy-multiple-windows-defender-application-control-policies.md) to be applied to each device. This opens up many new use cases for organizations, but your policy management can easily become unwieldy without a well-thought-out plan for the number and types of policies to create.
The first step is to define the desired "circle-of-trust" for your WDAC policies. By "circle-of-trust," we mean a description of the business intent of the policy expressed in natural language. This "circle-of-trust" definition will guide you as you create the actual policy rules for your policy XML.
For example, the DefaultWindows policy, which can be found under %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies, establishes a "circle-of-trust" that allows Windows, 3rd-party hardware and software kernel drivers, and applications from the Microsoft Store.
-Microsoft Endpoint Configuration Manager, previously known as System Center Configuration Manager, uses the DefaultWindows policy as the basis for its policy but then modifies the policy rules to allow Configuration Manager and its dependencies, sets the managed installer policy rule, and additionally configures Configuration Manager as a managed installer. It also can optionally authorize apps with positive reputation and perform a one-time scan of folder paths specified by the Configuration Manager administrator, which adds rules for any apps found in the specified paths on the managed endpoint. This establishes the "circle-of-trust" for Configuration Manager's native WDAC integration.
+Configuration Manager uses the DefaultWindows policy as the basis for its policy but then modifies the policy rules to allow Configuration Manager and its dependencies, sets the managed installer policy rule, and additionally configures Configuration Manager as a managed installer. It also can optionally authorize apps with positive reputation and perform a one-time scan of folder paths specified by the Configuration Manager administrator, which adds rules for any apps found in the specified paths on the managed endpoint. This establishes the "circle-of-trust" for Configuration Manager's native WDAC integration.
-The following questions can help you plan your WDAC deployment and determine the right "circle-of-trust" for your policies. They are not in priority or sequential order, and are not meant to be an exhaustive set of design considerations.
+The following questions can help you plan your Windows Defender Application Control deployment and determine the right "circle-of-trust" for your policies. They are not in priority or sequential order, and are not meant to be an exhaustive set of design considerations.
## WDAC design considerations
### How are apps managed and deployed in your organization?
-Organizations with well-defined, centrally managed app management and deployment processes can create more restrictive, more secure policies. Other organizations may be able to deploy WDAC with more relaxed rules, or may choose to deploy WDAC in audit mode to gain better visibility to the apps being used in their organization.
+Organizations with well-defined, centrally managed app management and deployment processes can create more restrictive, more secure policies. Other organizations may be able to deploy Windows Defender Application Control with more relaxed rules, or may choose to deploy WDAC in audit mode to gain better visibility to the apps being used in their organization.
| Possible answers | Design considerations|
| - | - |
-| All apps are centrally managed and deployed using endpoint management tools like [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager). | Organizations that centrally manage all apps are best-suited for application control. WDAC options like [managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md) can make it easy to authorize apps that are deployed by the organization's app distribution management solution. |
-| Some apps are centrally managed and deployed, but teams can install other apps for their members. | [Supplemental policies](deploy-multiple-windows-defender-application-control-policies.md) can be used to allow team-specific exceptions to your core organization-wide WDAC policy. Alternatively, teams can use managed installers to install their team-specific apps, or admin-only file path rules can be used to allow apps installed by admin users. |
-| Users and teams are free to download and install apps but the organization wants to restrict that right to prevalent and reputable apps only. | WDAC can integrate with Microsoft's [Intelligent Security Graph](use-windows-defender-application-control-with-intelligent-security-graph.md) (the same source of intelligence that powers Microsoft Defender Antivirus and Windows Defender SmartScreen) to allow only apps and binaries that have positive reputation. |
-| Users and teams are free to download and install apps without restriction. | WDAC policies can be deployed in audit mode to gain insight into the apps and binaries running in your organization without impacting user and team productivity.|
+| All apps are centrally managed and deployed using endpoint management tools like [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager). | Organizations that centrally manage all apps are best-suited for application control. Windows Defender Application Control options like [managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md) can make it easy to authorize apps that are deployed by the organization's app distribution management solution. |
+| Some apps are centrally managed and deployed, but teams can install other apps for their members. | [Supplemental policies](deploy-multiple-windows-defender-application-control-policies.md) can be used to allow team-specific exceptions to your core organization-wide Windows Defender Application Control policy. Alternatively, teams can use managed installers to install their team-specific apps, or admin-only file path rules can be used to allow apps installed by admin users. |
+| Users and teams are free to download and install apps but the organization wants to restrict that right to prevalent and reputable apps only. | Windows Defender Application Control can integrate with Microsoft's [Intelligent Security Graph](use-windows-defender-application-control-with-intelligent-security-graph.md) (the same source of intelligence that powers Microsoft Defender Antivirus and Windows Defender SmartScreen) to allow only apps and binaries that have positive reputation. |
+| Users and teams are free to download and install apps without restriction. | Windows Defender Application Control policies can be deployed in audit mode to gain insight into the apps and binaries running in your organization without impacting user and team productivity.|
### Are internally developed line-of-business (LOB) apps and apps developed by third-party companies digitally signed?
@@ -73,7 +73,7 @@ Traditional Win32 apps on Windows can run without being digitally signed. This p
| Possible answers | Design considerations |
| - | - |
-| All apps used in your organization must be signed. | Organizations that enforce [codesigning](use-code-signing-to-simplify-application-control-for-classic-windows-applications.md) for all executable code are best-positioned to protect their Windows computers from malicious code execution. WDAC rules can be created to authorize apps and binaries from the organization's internal development teams and from trusted independent software vendors (ISV). |
+| All apps used in your organization must be signed. | Organizations that enforce [codesigning](use-code-signing-to-simplify-application-control-for-classic-windows-applications.md) for all executable code are best-positioned to protect their Windows computers from malicious code execution. Windows Defender Application Control rules can be created to authorize apps and binaries from the organization's internal development teams and from trusted independent software vendors (ISV). |
| Apps used in your organization do not need to meet any codesigning requirements. | Organizations can [use built-in Windows tools](deploy-catalog-files-to-support-windows-defender-application-control.md) to add organization-specific App Catalog signatures to existing apps as a part of the app deployment process, which can be used to authorize code execution. Solutions like Microsoft Endpoint Manager offer multiple ways to distribute signed App Catalogs. |
### Are there specific groups in your organization that need customized application control policies?
diff --git a/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md b/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md
index fd7b1f528e..c731e404ee 100644
--- a/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md
+++ b/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md
@@ -21,7 +21,7 @@ ms.technology: mde
# Understanding WDAC Policy Settings
Windows Defender Application Control (WDAC) Policies expose a Settings section where policy authors can define arbitrary secure settings. Secure Settings provide local admin tamper-free settings for secure boot enabled systems, with policy signing enabled. Settings consist of a Provider, Key, and ValueName, as well as a setting value. Setting values can be of type boolean, ulong, binary, and string. Applications can query for policy settings using WldpQuerySecurityPolicy.
-An example settings section of a WDAC Policy:
+An example settings section of a Windows Defender Application Control Policy:
```xml
+An application that may want to restrict its capabilities, when used on a system with an active Windows Defender Application Control policy. Application authors can define a WDAC policy, setting their application queries, in order to disable certain features. For example, if Contoso’s Foo Application wants to disable a risky feature, such as macro execution, they can define a WDAC policy setting, and query for it at runtime. Contoso can then instruct IT administrators to configure the setting in their WDAC policy, if they don’t want Foo Application to execute macros on a system with a WDAC policy.
### WldpQuerySecurityPolicy
-API that queries the secure settings of a WDAC policy.
+API that queries the secure settings of a Windows Defender Application Control policy.
### Syntax
``` C++
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md b/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md
index 2f34416393..fcb3a32077 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md
@@ -33,9 +33,9 @@ This topic covers guidelines for using code signing control classic Windows apps
## Reviewing your applications: application signing and catalog files
-Typically, WDAC policies are configured to use the application's signing certificate as part or all of what identifies the application as trusted. This means that applications must either use embedded signing—where the signature is part of the binary—or catalog signing, where you generate a "catalog file" from the applications, sign it, and through the signed catalog file, configure the WDAC policy to recognize the applications as signed.
+Typically, Windows Defender Application Control (WDAC) policies are configured to use the application's signing certificate as part or all of what identifies the application as trusted. This means that applications must either use embedded signing—where the signature is part of the binary—or catalog signing, where you generate a "catalog file" from the applications, sign it, and through the signed catalog file, configure the WDAC policy to recognize the applications as signed.
-Catalog files can be very useful for unsigned LOB applications that cannot easily be given an embedded signature. However, catalogs need to be updated each time an application is updated. In contrast, with embedded signing, your WDAC policies typically do not have to be updated when an application is updated. For this reason, if code-signing is or can be included in your in-house application development process, it can simplify the management of WDAC (compared to using catalog signing).
+Catalog files can be very useful for unsigned LOB applications that cannot easily be given an embedded signature. However, catalogs need to be updated each time an application is updated. In contrast, with embedded signing, your Windows Defender Application Control policies typically do not have to be updated when an application is updated. For this reason, if code-signing is or can be included in your in-house application development process, it can simplify the management of WDAC (compared to using catalog signing).
To obtain signed applications or embed signatures in your in-house applications, you can choose from a variety of methods:
@@ -53,7 +53,7 @@ To use catalog signing, you can choose from the following options:
### Catalog files
-Catalog files (which you can create in Windows 10 and Windows 11 with a tool called Package Inspector) contain information about all deployed and executed binary files associated with your trusted but unsigned applications. When you create catalog files, you can also include signed applications for which you do not want to trust the signer but rather the specific application. After creating a catalog, you must sign the catalog file itself by using enterprise public key infrastructure (PKI), or a purchased code signing certificate. Then you can distribute the catalog, so that your trusted applications can be handled by WDAC in the same way as any other signed application.
+Catalog files (which you can create in Windows 10 and Windows 11 with a tool called Package Inspector) contain information about all deployed and executed binary files associated with your trusted but unsigned applications. When you create catalog files, you can also include signed applications for which you do not want to trust the signer but rather the specific application. After creating a catalog, you must sign the catalog file itself by using enterprise public key infrastructure (PKI), or a purchased code signing certificate. Then you can distribute the catalog, so that your trusted applications can be handled by Windows Defender Application Control in the same way as any other signed application.
Catalog files are simply Secure Hash Algorithm 2 (SHA2) hash lists of discovered binaries. These binaries' hash values are updated each time an application is updated, which requires the catalog file to be updated also.
@@ -66,8 +66,8 @@ For procedures for working with catalog files, see [Deploy catalog files to supp
## Windows Defender Application Control policy formats and signing
-When you generate a WDAC policy, you are generating a binary-encoded XML document that includes configuration settings for both the User and Kernel-modes of Windows 10 and Windows 11 Enterprise, along with restrictions on Windows 10 and Windows 11 script hosts. You can view your original XML document in a text editor, for example if you want to check the rule options that are present in the **<Rules>** section of the file.
+When you generate a Windows Defender Application Control policy, you are generating a binary-encoded XML document that includes configuration settings for both the User and Kernel-modes of Windows 10 and Windows 11 Enterprise, along with restrictions on Windows 10 and Windows 11 script hosts. You can view your original XML document in a text editor, for example if you want to check the rule options that are present in the **<Rules>** section of the file.
We recommend that you keep the original XML file for use when you need to merge the WDAC policy with another policy or update its rule options. For deployment purposes, the file is converted to a binary format, which can be done using a simple Windows PowerShell command.
-When the WDAC policy is deployed, it restricts the software that can run on a device. The XML document can be signed, helping to add additional protection against administrative users changing or removing the policy.
+When the Windows Defender Application Control policy is deployed, it restricts the software that can run on a device. The XML document can be signed, helping to add additional protection against administrative users changing or removing the policy.
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
index f99d35706c..1b87884a5e 100644
--- a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
@@ -14,7 +14,7 @@ author: jsuther1974
ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
-ms.date: 05/03/2018
+ms.date: 06/27/2022
ms.technology: windows-sec
---
@@ -29,7 +29,7 @@ ms.technology: windows-sec
> [!NOTE]
> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md).
-Signed WDAC policies give organizations the highest level of malware protection available in Windows—must be signed with [PKCS #7](https://datatracker.ietf.org/doc/html/rfc5652). In addition to their enforced policy rules, signed policies cannot be modified or deleted by a user or administrator on the computer. These policies are designed to prevent administrative tampering and kernel mode exploit access. With this in mind, it is much more difficult to remove signed WDAC policies. Note that SecureBoot must be enabled in order to restrict users from updating or removing signed WDAC policies.
+Signed Windows Defender Application Control (WDAC) policies give organizations the highest level of malware protection available in Windows—must be signed with [PKCS #7](https://datatracker.ietf.org/doc/html/rfc5652). In addition to their enforced policy rules, signed policies cannot be modified or deleted by a user or administrator on the computer. These policies are designed to prevent administrative tampering and kernel mode exploit access. With this in mind, it is much more difficult to remove signed WDAC policies. Note that SecureBoot must be enabled in order to restrict users from updating or removing signed WDAC policies.
Before you sign with PKCS #7 and deploy a signed WDAC policy, we recommend that you [audit the policy](audit-windows-defender-application-control-policies.md) to discover any blocked applications that should be allowed to run.
@@ -38,7 +38,7 @@ If you do not currently have a code signing certificate exported in .pfx format
Before PKCS #7-signing WDAC policies for the first time, be sure to enable rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”) to leave troubleshooting options available to administrators. To ensure that a rule option is enabled, you can run a command such as `Set-RuleOption -FilePath
|
|Platform firmware update|System firmware is recommended to be updated via UpdateCapsule in Windows Update. |
+|For AMD® processors starting with Zen2 or later silicon|Description|
+|--------|-----------|
+|64-bit CPU|A 64-bit computer with minimum four cores (logical processors) is required for hypervisor and virtualization-based security (VBS). For more information about Hyper-V, see [Hyper-V on Windows Server 2016](/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/about/). For more information about hypervisor, see [Hypervisor Specifications](/virtualization/hyper-v-on-windows/reference/tlfs).|
+|Trusted Platform Module (TPM) 2.0|Platforms must support a discrete TPM 2.0 OR Microsoft Pluton TPM.|
+|Windows DMA Protection|Platforms must meet the Windows DMA Protection Specification (all external DMA ports must be off by default until the OS explicitly powers them).|
+|SMM communication buffers| All SMM communication buffers must be implemented in EfiRuntimeServicesData, EfiRuntimeServicesCode, EfiACPIMemoryNVS, or EfiReservedMemoryType memory types. |
+|SMM Page Tables| Must NOT contain any mappings to EfiConventionalMemory (for example no OS/VMM owned memory).
Must NOT contain any mappings to code sections within EfiRuntimeServicesCode.
Must NOT have execute and write permissions for the same page
BIOS SMI handler must be implemented such that SMM page tables are locked on every SMM entry. |
+|Modern/Connected Standby|Platforms must support Modern/Connected Standby.|
+|TPM NV Index|Platform firmware must set up a TPM NV index for use by the OS with:
|
+|Platform firmware|Platform firmware must carry all code required to execute Secure Launch:
Platform must have AMD® Secure Processor Firmware Anti-Rollback protection enabled
Platform must have AMD® Memory Guard enabled.|
+|Platform firmware update|System firmware is recommended to be updated via UpdateCapsule in Windows Update. |
+
|For Qualcomm® processors with SD850 or later chipsets|Description|
|--------|-----------|
|Monitor Mode Communication|All Monitor Mode communication buffers must be implemented in either EfiRuntimeServicesData (recommended), data sections of EfiRuntimeServicesCode as described by the Memory Attributes Table, EfiACPIMemoryNVS, or EfiReservedMemoryType memory types|
diff --git a/windows/security/threat-protection/windows-firewall/best-practices-configuring.md b/windows/security/threat-protection/windows-firewall/best-practices-configuring.md
index aa02076a04..20bc578f08 100644
--- a/windows/security/threat-protection/windows-firewall/best-practices-configuring.md
+++ b/windows/security/threat-protection/windows-firewall/best-practices-configuring.md
@@ -141,9 +141,10 @@ See also [Checklist: Creating Inbound Firewall Rules](./checklist-creating-inbou
## Establish local policy merge and application rules
Firewall rules can be deployed:
+
1. Locally using the Firewall snap-in (**WF.msc**)
2. Locally using PowerShell
-3. Remotely using Group Policy if the device is a member of an Active Directory Name, System Center Configuration Manager (SCCM), or Intune (using workplace join)
+3. Remotely using Group Policy if the device is a member of an Active Directory Name, System Center Configuration Manager, or Intune (using workplace join)
Rule merging settings control how rules from different policy sources can be combined. Administrators can configure different merge behaviors for Domain, Private, and Public profiles.
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md b/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md
index 52c3d0d811..42b2cb57a7 100644
--- a/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md
+++ b/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md
@@ -76,7 +76,7 @@ Windows 8.1 |[9600 (April Update)](/archive/blogs/secguide/security-baselines-fo
| Name | Details | Security Tools |
|---------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------|
-| Microsoft 365 Apps for enterprise, version 2112 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-microsoft-365-apps-for-enterprise-v2112/ba-p/3038172) | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
+| Microsoft 365 Apps for enterprise, version 2206 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-microsoft-365-apps-for-enterprise-v2206/ba-p/3502714) | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
| Microsoft Edge, version 98 | [SecGuide](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-microsoft-edge-v98/ba-p/3165443) | [SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
index 3fd0c07c67..f1ca17ad61 100644
--- a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
+++ b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
@@ -42,7 +42,7 @@ The Security Compliance Toolkit consists of:
- Microsoft Office security baseline
- Office 2016
- - Microsoft 365 Apps for Enterprise Version 2112
+ - Microsoft 365 Apps for Enterprise Version 2206
- Microsoft Edge security baseline
- Edge version 98
diff --git a/windows/security/zero-trust-windows-device-health.md b/windows/security/zero-trust-windows-device-health.md
index 6953ab042b..f042c1d12b 100644
--- a/windows/security/zero-trust-windows-device-health.md
+++ b/windows/security/zero-trust-windows-device-health.md
@@ -50,7 +50,7 @@ A summary of the steps involved in attestation and Zero Trust on the device side
3. The TPM is verified by using the keys/cryptographic material available on the chipset with an [Azure Certificate Service](/windows-server/identity/ad-ds/manage/component-updates/tpm-key-attestation).
-4. This information is then sent to the attestation service in the cloud to verify that the device is safe. Microsoft Endpoint Manger (MEM) integrates with Microsoft Azure Attestation to review device health comprehensively and connect this information with AAD conditional access. This integration is key for Zero Trust solutions that help bind trust to an untrusted device.
+4. This information is then sent to the attestation service in the cloud to verify that the device is safe. Microsoft Endpoint Manger integrates with Microsoft Azure Attestation to review device health comprehensively and connect this information with Azure Active Directory conditional access. This integration is key for Zero Trust solutions that help bind trust to an untrusted device.
5. The attestation service does the following:
@@ -60,7 +60,7 @@ A summary of the steps involved in attestation and Zero Trust on the device side
6. The attestation service returns an attestation report that contains information about the security features based on the policy configured in the attestation service.
-7. The device then sends the report to the MEM cloud to assess the trustworthiness of the platform according to the admin-configured device compliance rules.
+7. The device then sends the report to the Microsoft Endpoint Manager cloud to assess the trustworthiness of the platform according to the admin-configured device compliance rules.
8. Conditional access, along with device-compliance state then decides to allow or deny access.
diff --git a/windows/whats-new/ltsc/index.md b/windows/whats-new/ltsc/index.md
index 04888d2873..5d691021f8 100644
--- a/windows/whats-new/ltsc/index.md
+++ b/windows/whats-new/ltsc/index.md
@@ -26,9 +26,9 @@ This topic provides links to articles with information about what's new in each
## The Long-Term Servicing Channel (LTSC)
-The following table summarizes equivalent feature update versions of Windows 10 LTSC and General Availability Channel (SAC) releases.
+The following table summarizes equivalent feature update versions of Windows 10 LTSC and General Availability Channel (GA Channel) releases.
-| LTSC release | Equivalent SAC release | Availability date |
+| LTSC release | Equivalent GA Channel release | Availability date |
| --- | --- | --- |
| Windows 10 Enterprise LTSC 2015 | Windows 10, Version 1507 | 7/29/2015 |
| Windows 10 Enterprise LTSC 2016 | Windows 10, Version 1607 | 8/2/2016 |
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
index b9b20a8fd0..a5e9788ba1 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
@@ -95,8 +95,6 @@ We've [invested heavily in helping to protect against ransomware](https://blogs.
**Endpoint detection and response** is also enhanced. New **detection** capabilities include:
-- [Use the threat intelligence API to create custom alerts](/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection) - Understand threat intelligence concepts, enable the threat intelligence application, and create custom threat intelligence alerts for your organization.
-
- [Custom detection](/microsoft-365/security/defender-endpoint/overview-custom-detections). With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. You can use advanced hunting through the creation of custom detection rules.
- Improvements on OS memory and kernel sensors to enable detection of attackers who are using in-memory and kernel-level attacks.
@@ -193,7 +191,7 @@ New features in [Windows Hello for Business](/windows/security/identity-protecti
- For Windows desktops, users are able to reset a forgotten PIN through **Settings > Accounts > Sign-in options**. For more information, see [What if I forget my PIN?](/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset).
-[Windows Hello for Business](/windows/security/identity-protection/hello-for-business/index) now supports FIDO 2.0 authentication for Azure AD Joined Windows 10 devices and has enhanced support for shared devices, as described in [Kiosk configuration](#kiosk-configuration).
+Windows Hello for Business now supports FIDO 2.0 authentication for Azure AD Joined Windows 10 devices and has enhanced support for shared devices, as described in [Kiosk configuration](#kiosk-configuration).
- Windows Hello is now password-less on S-mode.
@@ -201,7 +199,7 @@ New features in [Windows Hello for Business](/windows/security/identity-protecti
- Windows Hello is part of the account protection pillar in Windows Defender Security Center. Account Protection will encourage password users to set up Windows Hello Face, Fingerprint or PIN for faster sign-in, and will notify Dynamic lock users if Dynamic lock has stopped working because their device Bluetooth is off.
-- You can set up Windows Hello from lock screen for MSA accounts. We've made it easier for Microsoft account users to set up Windows Hello on their devices for faster and more secure sign-in. Previously, you had to navigate deep into Settings to find Windows Hello. Now, you can set up Windows Hello Face, Fingerprint or PIN straight from your lock screen by clicking the Windows Hello tile under Sign-in options.
+- You can set up Windows Hello from lock screen for Microsoft accounts. We’ve made it easier for Microsoft account users to set up Windows Hello on their devices for faster and more secure sign-in. Previously, you had to navigate deep into Settings to find Windows Hello. Now, you can set up Windows Hello Face, Fingerprint or PIN straight from your lock screen by clicking the Windows Hello tile under Sign-in options.
- New [public API](/uwp/api/windows.security.authentication.web.core.webauthenticationcoremanager.findallaccountsasync) for secondary account SSO for a particular identity provider.
@@ -213,7 +211,7 @@ For more information, see: [Windows Hello and FIDO2 Security Keys enable secure
Windows Defender Credential Guard is a security service in Windows 10 built to protect Active Directory (AD) domain credentials so that they can't be stolen or misused by malware on a user's machine. It's designed to protect against well-known threats such as Pass-the-Hash and credential harvesting.
-Windows Defender Credential Guard has always been an optional feature, but Windows 10 in S mode turns on this functionality by default when the machine has been Azure Active Directory joined. This feature provides an added level of security when connecting to domain resources not normally present on devices running Windows 10 in S mode.
+Windows Defender Credential Guard has always been an optional feature, but Windows 10 in S mode turns on this functionality by default when the machine has been Azure Active Directory-joined. This feature provides an added level of security when connecting to domain resources not normally present on devices running Windows 10 in S mode.
> [!NOTE]
> Windows Defender Credential Guard is available only to S mode devices or Enterprise and Education Editions.
@@ -471,7 +469,7 @@ Some of the other new CSPs are:
For more information, see [What's new in mobile device enrollment and management](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management).
-MDM has been expanded to include domain joined devices with Azure Active Directory registration. Group policy can be used with Active Directory joined devices to trigger auto-enrollment to MDM. For more information, see [Enroll a Windows 10 device automatically using Group Policy](/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy).
+MDM has been expanded to include domain joined devices with Azure Active Directory registration. Group policy can be used with Active Directory-joined devices to trigger auto-enrollment to MDM. For more information, see [Enroll a Windows 10 device automatically using Group Policy](/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy).
Multiple new configuration items are also added. For more information, see [What's new in MDM enrollment and management](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management).
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2021.md b/windows/whats-new/ltsc/whats-new-windows-10-2021.md
index ccde2ab561..e91667cc1a 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2021.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2021.md
@@ -125,11 +125,12 @@ Application Guard performance is improved with optimized document opening times:
### Application Control
-[Application Control for Windows](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control): In Windows 10, version 1903 WDAC added a number of new features that light up key scenarios and provide feature parity with AppLocker.
- - [Multiple Policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies): WDAC now supports multiple simultaneous code integrity policies for one device in order to enable the following scenarios: 1) enforce and audit side by side, 2) simpler targeting for policies with different scope/intent, 3) expanding a policy using a new ‘supplemental’ policy.
+[Application Control for Windows](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control): In Windows 10, version 1903, Windows Defender Application Control (WDAC) added a number of new features that light up key scenarios and provide feature parity with AppLocker.
+
+ - [Multiple Policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies): Windows Defender Application Control now supports multiple simultaneous code integrity policies for one device in order to enable the following scenarios: 1) enforce and audit side by side, 2) simpler targeting for policies with different scope/intent, 3) expanding a policy using a new ‘supplemental’ policy.
- [Path-Based Rules](/windows/security/threat-protection/windows-defender-application-control/create-path-based-rules): The path condition identifies an app by its location in the file system of the computer or on the network instead of a signer or hash identifier. Additionally, WDAC has an option that allows admins to enforce at runtime that only code from paths that are not user-writeable is executed. When code tries to execute at runtime, the directory is scanned and files will be checked for write permissions for non-known admins. If a file is found to be user writeable, the executable is blocked from running unless it is authorized by something other than a path rule like a signer or hash rule.
- This brings WDAC to functionality parity with AppLocker in terms of support for file path rules. WDAC improves upon the security of policies based on file path rules with the availability of the user-writability permission checks at runtime time, which is a capability that is not available with AppLocker.
- - [Allow COM Object Registration](/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy): Previously, WDAC enforced a built-in allow list for COM object registration. While this mechanism works for most common application usage scenarios, customers have provided feedback that there are cases where additional COM objects need to be allowed. The 1903 update to Windows 10 introduces the ability to specify allowed COM objects via their GUID in the WDAC policy.
+ This brings Windows Defender Application Control (WDAC) to functionality parity with AppLocker in terms of support for file path rules. WDAC improves upon the security of policies based on file path rules with the availability of the user-writability permission checks at runtime time, which is a capability that is not available with AppLocker.
+ - [Allow COM Object Registration](/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy): Previously, Windows Defender Application Control (WDAC) enforced a built-in allow list for COM object registration. While this mechanism works for most common application usage scenarios, customers have provided feedback that there are cases where additional COM objects need to be allowed. The 1903 update to Windows 10 introduces the ability to specify allowed COM objects via their GUID in the WDAC policy.
## Identity and privacy
@@ -139,7 +140,7 @@ Windows Hello enhancements include:
- Windows Hello is now supported as Fast Identity Online 2 (FIDO2) authenticator across all major browsers including Chrome and Firefox.
- You can now enable passwordless sign-in for Microsoft accounts on your Windows 10 device by going to **Settings > Accounts > Sign-in options**, and selecting **On** under **Make your device passwordless**. Enabling passwordless sign in will switch all Microsoft accounts on your Windows 10 device to modern authentication with Windows Hello Face, Fingerprint, or PIN.
- Windows Hello PIN sign-in support is [added to Safe mode](/windows-insider/archive/new-in-20H1#windows-hello-pin-in-safe-mode-build-18995).
-- Windows Hello for Business now has Hybrid Azure Active Directory support and phone number sign-in (MSA). FIDO2 security key support is expanded to Azure Active Directory hybrid environments, enabling enterprises with hybrid environments to take advantage of [passwordless authentication](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Expanding Azure Active Directory support for FIDO2 preview to hybrid environments](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/expanding-azure-active-directory-support-for-fido2-preview-to/ba-p/981894).
+- Windows Hello for Business now has Hybrid Azure Active Directory support and phone number sign-in (Microsoft account). FIDO2 security key support is expanded to Azure Active Directory hybrid environments, enabling enterprises with hybrid environments to take advantage of [passwordless authentication](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Expanding Azure Active Directory support for FIDO2 preview to hybrid environments](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/expanding-azure-active-directory-support-for-fido2-preview-to/ba-p/981894).
- With specialized hardware and software components available on devices shipping with Windows 10, version 20H2 configured out of factory, Windows Hello now offers added support for virtualization-based security with supporting fingerprint and face sensors. This feature isolates and secures a user's biometric authentication data.
- Windows Hello multi-camera support is added, allowing users to choose an external camera priority when both external and internal Windows Hello-capable cameras are present.
- [Windows Hello FIDO2 certification](https://fidoalliance.org/microsoft-achieves-fido2-certification-for-windows-hello/): Windows Hello is now a FIDO2 Certified authenticator and enables password-less login for websites supporting FIDO2 authentication, such as Microsoft account and Azure AD.
@@ -187,7 +188,7 @@ Windows Management Instrumentation (WMI) Group Policy Service (GPSVC) has a perf
#### Key-rolling and Key-rotation
-This release also includes two new features called Key-rolling and Key-rotation enables secure rolling of Recovery passwords on MDM-managed AAD devices on demand from Microsoft Intune/MDM tools or when a recovery password is used to unlock the BitLocker protected drive. This feature will help prevent accidental recovery password disclosure as part of manual BitLocker drive unlock by users.
+This release also includes two new features called Key-rolling and Key-rotation enables secure rolling of Recovery passwords on MDM-managed Azure Active Directory devices on demand from Microsoft Intune/MDM tools or when a recovery password is used to unlock the BitLocker protected drive. This feature will help prevent accidental recovery password disclosure as part of manual BitLocker drive unlock by users.
## Deployment
diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md
index df0bb338ac..5a1f162a4f 100644
--- a/windows/whats-new/whats-new-windows-10-version-1703.md
+++ b/windows/whats-new/whats-new-windows-10-version-1703.md
@@ -95,7 +95,6 @@ For details, see [MBR2GPT.EXE](/windows/deployment/mbr-to-gpt).
New features in Microsoft Defender for Endpoint for Windows 10, version 1703 include:
- **Detection**: Enhancements to the detection capabilities include:
- - [Use the threat intelligence API to create custom alerts](/windows/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection) - Understand threat intelligence concepts, enable the threat intel application, and create custom threat intelligence alerts for your organization.
- Improvements on OS memory and kernel sensors to enable detection of attackers who are using in-memory and kernel-level attacks
- Upgraded detections of ransomware and other advanced attacks
- Historical detection capability ensures new detection rules apply to up to six months of stored data to detect previous attacks that might not have been noticed
@@ -181,11 +180,11 @@ Windows Update for Business managed devices are now able to defer feature update
### Windows Insider for Business
-We recently added the option to download Windows 10 Insider Preview builds using your corporate credentials in Azure Active Directory (AAD). By enrolling devices in AAD, you increase the visibility of feedback submitted by users in your organization – especially on features that support your specific business needs. For details, see [Windows Insider Program for Business](/windows-insider/business/register).
+We recently added the option to download Windows 10 Insider Preview builds using your corporate credentials in Azure Active Directory (Azure AD). By enrolling devices in Azure AD, you increase the visibility of feedback submitted by users in your organization, especially on features that support your specific business needs. For details, see [Windows Insider Program for Business](/windows-insider/business/register).
### Optimize update delivery
-With changes delivered in Windows 10, version 1703, [Express updates](/windows/deployment/update/waas-optimize-windows-10-updates#express-update-delivery) are now fully supported with Microsoft Endpoint Configuration Manager, starting with version 1702 of Configuration Manager, as well as with other third-party updating and management products that [implement this new functionality](/windows-server/administration/windows-server-update-services/deploy/express-update-delivery-isv-support). This is in addition to current Express support on Windows Update, Windows Update for Business and WSUS.
+With changes delivered in Windows 10, version 1703, [express updates](/windows/deployment/do/waas-optimize-windows-10-updates#express-update-delivery) are now fully supported with Microsoft Endpoint Configuration Manager, starting with version 1702 of Configuration Manager, as well as with other third-party updating and management products that [implement this new functionality](/windows-server/administration/windows-server-update-services/deploy/express-update-delivery-isv-support). This is in addition to current Express support on Windows Update, Windows Update for Business and WSUS.
>[!NOTE]
> The above changes can be made available to Windows 10, version 1607, by installing the April 2017 cumulative update.
diff --git a/windows/whats-new/whats-new-windows-10-version-1709.md b/windows/whats-new/whats-new-windows-10-version-1709.md
index ad9ebb3782..0585c1b9ab 100644
--- a/windows/whats-new/whats-new-windows-10-version-1709.md
+++ b/windows/whats-new/whats-new-windows-10-version-1709.md
@@ -57,7 +57,7 @@ You can now register your Azure AD domains to the Windows Insider Program. For m
### Mobile Device Management (MDM)
-MDM has been expanded to include domain joined devices with Azure Active Directory registration. Group Policy can be used with Active Directory joined devices to trigger auto-enrollment to MDM. For more information, see [Enroll a Windows 10 device automatically using Group Policy](/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy).
+MDM has been expanded to include domain joined devices with Azure Active Directory registration. Group Policy can be used with Active Directory-joined devices to trigger auto-enrollment to MDM. For more information, see [Enroll a Windows 10 device automatically using Group Policy](/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy).
Multiple new configuration items are also added. For more information, see [What's new in MDM enrollment and management](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1709).
@@ -93,7 +93,7 @@ Windows Defender Application Guard hardens a favorite attacker entry-point by is
### Windows Defender Exploit Guard
-Window Defender Exploit Guard provides intrusion prevention capabilities to reduce the attack and exploit surface of applications. Exploit Guard has many of the threat mitigations that were available in Enhanced Mitigation Experience Toolkit (EMET) toolkit, a deprecated security download. These mitigations are now built into Windows and configurable with Exploit Guard. These mitigations include [Exploit protection](/microsoft-365/security/defender-endpoint/enable-exploit-protection), [Attack surface reduction protection](/microsoft-365/security/defender-endpoint/evaluate-attack-surface-reduction), [Controlled folder access](/microsoft-365/security/defender-endpoint/evaluate-controlled-folder-access), and [Network protection](/microsoft-365/security/defender-endpoint/enable-network-protection).
+Window Defender Exploit Guard provides intrusion prevention capabilities to reduce the attack and exploit surface of applications. Exploit Guard has many of the threat mitigations that were available in Enhanced Mitigation Experience Toolkit (EMET) toolkit, a deprecated security download. These mitigations are now built into Windows and configurable with Exploit Guard. These mitigations include [Exploit protection](/microsoft-365/security/defender-endpoint/enable-exploit-protection), [Attack surface reduction protection](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction), [Controlled folder access](/microsoft-365/security/defender-endpoint/evaluate-controlled-folder-access), and [Network protection](/microsoft-365/security/defender-endpoint/enable-network-protection).
### Windows Defender Device Guard
diff --git a/windows/whats-new/whats-new-windows-10-version-1803.md b/windows/whats-new/whats-new-windows-10-version-1803.md
index a2c91e76ed..d8903b9bbb 100644
--- a/windows/whats-new/whats-new-windows-10-version-1803.md
+++ b/windows/whats-new/whats-new-windows-10-version-1803.md
@@ -145,7 +145,7 @@ The OS uninstall period is a length of time that users are given when they can o
- Windows Hello is now [password-less on S-mode](https://www.windowslatest.com/2018/02/12/microsoft-make-windows-10-password-less-platform/).
- Support for S/MIME with Windows Hello for Business and APIs for non-Microsoft identity lifecycle management solutions.
- Windows Hello is part of the account protection pillar in Windows Defender Security Center. Account Protection will encourage password users to set up Windows Hello Face, Fingerprint or PIN for faster sign in, and will notify Dynamic lock users if Dynamic lock has stopped working because their phone or device Bluetooth is off.
-- You can set up Windows Hello from lock screen for MSA accounts. We’ve made it easier for Microsoft account users to set up Windows Hello on their devices for faster and more secure sign-in. Previously, you had to navigate deep into Settings to find Windows Hello. Now, you can set up Windows Hello Face, Fingerprint or PIN straight from your lock screen by clicking the Windows Hello tile under Sign-in options.
+- You can set up Windows Hello from lock screen for Microsoft accounts. We’ve made it easier for Microsoft account users to set up Windows Hello on their devices for faster and more secure sign-in. Previously, you had to navigate deep into Settings to find Windows Hello. Now, you can set up Windows Hello Face, Fingerprint or PIN straight from your lock screen by clicking the Windows Hello tile under Sign-in options.
- New [public API](/uwp/api/windows.security.authentication.web.core.webauthenticationcoremanager.findallaccountsasync#Windows_Security_Authentication_Web_Core_WebAuthenticationCoreManager_FindAllAccountsAsync_Windows_Security_Credentials_WebAccountProvider_) for secondary account SSO for a particular identity provider.
- It is easier to set up Dynamic lock, and WD SC actionable alerts have been added when Dynamic lock stops working (ex: phone Bluetooth is off).
diff --git a/windows/whats-new/whats-new-windows-10-version-1809.md b/windows/whats-new/whats-new-windows-10-version-1809.md
index d14888637d..d587dd6af5 100644
--- a/windows/whats-new/whats-new-windows-10-version-1809.md
+++ b/windows/whats-new/whats-new-windows-10-version-1809.md
@@ -31,7 +31,7 @@ Windows Autopilot self-deploying mode enables a zero touch device provisioning e
This self-deploying capability removes the current need to have an end user interact by pressing the “Next” button during the deployment process.
-You can utilize Windows Autopilot self-deploying mode to register the device to an AAD tenant, enroll in your organization’s MDM provider, and provision policies and applications, all with no user authentication or user interaction required.
+You can utilize Windows Autopilot self-deploying mode to register the device to an Azure Active Directory tenant, enroll in your organization’s MDM provider, and provision policies and applications, all with no user authentication or user interaction required.
To learn more about Autopilot self-deploying mode and to see step-by-step instructions to perform such a deployment, [Windows Autopilot self-deploying mode](/windows/deployment/windows-autopilot/self-deploying).
@@ -60,7 +60,7 @@ This also means you’ll see more links to other security apps within **Windows
#### Silent enforcement on fixed drives
-Through a Modern Device Management (MDM) policy, BitLocker can be enabled silently for standard Azure Active Directory (AAD) joined users. In Windows 10, version 1803 automatic BitLocker encryption was enabled for standard AAD users, but this still required modern hardware that passed the Hardware Security Test Interface (HSTI). This new functionality enables BitLocker via policy even on devices that don’t pass the HSTI.
+Through a Modern Device Management (MDM) policy, BitLocker can be enabled silently for standard Azure Active Directory (AAD)-joined users. In Windows 10, version 1803 automatic BitLocker encryption was enabled for standard Azure AD users, but this still required modern hardware that passed the Hardware Security Test Interface (HSTI). This new functionality enables BitLocker via policy even on devices that don’t pass the HSTI.
This is an update to the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp), which was introduced in Windows 10, version 1703, and leveraged by Intune and others.
@@ -138,11 +138,11 @@ You can add specific rules for a WSL process in Windows Defender Firewall, just
We introduced new group policies and Modern Device Management settings to manage Microsoft Edge. The new policies include enabling and disabling full-screen mode, printing, favorites bar, and saving history; preventing certificate error overrides; configuring the Home button and startup options; setting the New Tab page and Home button URL, and managing extensions. Learn more about the [new Microsoft Edge policies](/microsoft-edge/deploy/change-history-for-microsoft-edge).
-### Windows Defender Credential Guard is supported by default on 10S devices that are AAD Joined
+### Windows Defender Credential Guard is supported by default on 10S devices that are Azure Active Directory-joined
Windows Defender Credential Guard is a security service in Windows 10 built to protect Active Directory (AD) domain credentials so that they can't be stolen or misused by malware on a user's machine. It is designed to protect against well-known threats such as Pass-the-Hash and credential harvesting.
-Windows Defender Credential Guard has always been an optional feature, but Windows 10-S turns this functionality on by default when the machine has been Azure Active Directory joined. This provides an added level of security when connecting to domain resources not normally present on 10-S devices. Please note that Windows Defender Credential Guard is available only to S-Mode devices or Enterprise and Education Editions.
+Windows Defender Credential Guard has always been an optional feature, but Windows 10-S turns this functionality on by default when the machine has been Azure Active Directory-joined. This provides an added level of security when connecting to domain resources not normally present on 10-S devices. Please note that Windows Defender Credential Guard is available only to S-Mode devices or Enterprise and Education Editions.
### Windows 10 Pro S Mode requires a network connection
diff --git a/windows/whats-new/whats-new-windows-10-version-1903.md b/windows/whats-new/whats-new-windows-10-version-1903.md
index 30dde72ade..d29e02749d 100644
--- a/windows/whats-new/whats-new-windows-10-version-1903.md
+++ b/windows/whats-new/whats-new-windows-10-version-1903.md
@@ -102,11 +102,11 @@ The draft release of the [security configuration baseline settings](/archive/blo
- WDAG allows dynamic navigation: Application Guard now allows users to navigate back to their default host browser from the WDAG Microsoft Edge. Previously, users browsing in WDAG Edge would see an error page when they try to go to a trusted site within the container browser. With this new feature, users will automatically be redirected to their host default browser when they enter or click on a trusted site in WDAG Edge. This feature is also available in Windows 10, version 1803 or later with the latest updates.
-- [Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control): In Windows 10, version 1903 WDAC has a number of new features that light up key scenarios and provide feature parity with AppLocker.
- - [Multiple Policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies): WDAC now supports multiple simultaneous code integrity policies for one device in order to enable the following scenarios: 1) enforce and audit side-by-side, 2) simpler targeting for policies with different scope/intent, 3) expanding a policy using a new ‘supplemental’ policy.
- - [Path-Based Rules](/windows/security/threat-protection/windows-defender-application-control/create-path-based-rules): The path condition identifies an app by its location in the file system of the computer or on the network instead of a signer or hash identifier. Additionally, WDAC has an option that allows admins to enforce at runtime that only code from paths that are not user-writeable is executed. When code tries to execute at runtime, the directory is scanned and files will be checked for write permissions for non-known admins. If a file is found to be user writeable, the executable is blocked from running unless it is authorized by something other than a path rule like a signer or hash rule.
- This brings WDAC to functionality parity with AppLocker in terms of support for file path rules. WDAC improves upon the security of policies based on file path rules with the availability of the user-writability permission checks at runtime time, which is a capability that is not available with AppLocker.
- - [Allow COM Object Registration](/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy): Previously, WDAC enforced a built-in allow list for COM object registration. While this mechanism works for most common application usage scenarios, customers have provided feedback that there are cases where additional COM objects need to be allowed. The 1903 update to Windows 10 introduces the ability to specify allowed COM objects via their GUID in the WDAC policy.
+- [Windows Defender Application Control (WDAC)](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control): In Windows 10, version 1903, Windows Defender Application Control has a number of new features that light up key scenarios and provide feature parity with AppLocker.
+ - [Multiple Policies](/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies): Windows Defender Application Control now supports multiple simultaneous code integrity policies for one device in order to enable the following scenarios: 1) enforce and audit side-by-side, 2) simpler targeting for policies with different scope/intent, 3) expanding a policy using a new ‘supplemental’ policy.
+ - [Path-Based Rules](/windows/security/threat-protection/windows-defender-application-control/create-path-based-rules): The path condition identifies an app by its location in the file system of the computer or on the network instead of a signer or hash identifier. Additionally, Windows Defender Application Control has an option that allows admins to enforce at runtime that only code from paths that are not user-writeable is executed. When code tries to execute at runtime, the directory is scanned and files will be checked for write permissions for non-known admins. If a file is found to be user writeable, the executable is blocked from running unless it is authorized by something other than a path rule like a signer or hash rule.
+ This brings Windows Defender Application Control (WDAC) to functionality parity with AppLocker in terms of support for file path rules. WDAC improves upon the security of policies based on file path rules with the availability of the user-writability permission checks at runtime time, which is a capability that is not available with AppLocker.
+ - [Allow COM Object Registration](/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy): Previously, Windows Defender Application Control enforced a built-in allow list for COM object registration. While this mechanism works for most common application usage scenarios, customers have provided feedback that there are cases where additional COM objects need to be allowed. The 1903 update to Windows 10 introduces the ability to specify allowed COM objects via their GUID in the WDAC policy.
#### System Guard
diff --git a/windows/whats-new/whats-new-windows-10-version-1909.md b/windows/whats-new/whats-new-windows-10-version-1909.md
index 7f89949678..8f1b6a4c3c 100644
--- a/windows/whats-new/whats-new-windows-10-version-1909.md
+++ b/windows/whats-new/whats-new-windows-10-version-1909.md
@@ -49,7 +49,7 @@ BitLocker and Mobile Device Management (MDM) with Azure Active Directory work to
### Key-rolling and Key-rotation
-Windows 10, version 1909 also includes two new features called **Key-rolling** and **Key-rotation** enables secure rolling of Recovery passwords on MDM managed AAD devices on demand from Microsoft Intune/MDM tools or when a recovery password is used to unlock the BitLocker protected drive. This feature will help prevent accidental recovery password disclosure as part of manual BitLocker drive unlock by users.
+Windows 10, version 1909 also includes two new features called **Key-rolling** and **Key-rotation** enables secure rolling of Recovery passwords on MDM managed Azure Active Directory devices on demand from Microsoft Intune/MDM tools or when a recovery password is used to unlock the BitLocker protected drive. This feature will help prevent accidental recovery password disclosure as part of manual BitLocker drive unlock by users.
### Transport Layer Security (TLS)
diff --git a/windows/whats-new/whats-new-windows-10-version-2004.md b/windows/whats-new/whats-new-windows-10-version-2004.md
index 82a86f30ef..a00b411668 100644
--- a/windows/whats-new/whats-new-windows-10-version-2004.md
+++ b/windows/whats-new/whats-new-windows-10-version-2004.md
@@ -32,7 +32,7 @@ To download and install Windows 10, version 2004, use Windows Update (**Settings
- Windows Hello PIN sign-in support is [added to Safe mode](/windows-insider/archive/new-in-20H1#windows-hello-pin-in-safe-mode-build-18995).
-- Windows Hello for Business now has Hybrid Azure Active Directory support and phone number sign-in (MSA). FIDO2 security key support is expanded to Azure Active Directory hybrid environments, enabling enterprises with hybrid environments to take advantage of [passwordless authentication](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Expanding Azure Active Directory support for FIDO2 preview to hybrid environments](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/expanding-azure-active-directory-support-for-fido2-preview-to/ba-p/981894).
+- Windows Hello for Business now has Hybrid Azure Active Directory support and phone number sign-in (Microsoft account). FIDO2 security key support is expanded to Azure Active Directory hybrid environments, enabling enterprises with hybrid environments to take advantage of [passwordless authentication](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). For more information, see [Expanding Azure Active Directory support for FIDO2 preview to hybrid environments](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/expanding-azure-active-directory-support-for-fido2-preview-to/ba-p/981894).
### Windows Defender System Guard