diff --git a/bcs/docfx.json b/bcs/docfx.json
index 8bb25b9c4c..f1384ac71a 100644
--- a/bcs/docfx.json
+++ b/bcs/docfx.json
@@ -35,6 +35,7 @@
 "overwrite": [],
 "externalReference": [],
 "globalMetadata": {
+ "recommendations": true,
 "breadcrumb_path": "/microsoft-365/business/breadcrumb/toc.json",
 "extendBreadcrumb": true,
 "contributors_to_exclude": [
diff --git a/browsers/edge/docfx.json b/browsers/edge/docfx.json
index d77b68f7fb..bc99fd3bd8 100644
--- a/browsers/edge/docfx.json
+++ b/browsers/edge/docfx.json
@@ -27,6 +27,7 @@
 }
 ],
 "globalMetadata": {
+ "recommendations": true,
 "breadcrumb_path": "/microsoft-edge/deploy/breadcrumb/toc.json",
 "ROBOTS": "INDEX, FOLLOW",
 "ms.technology": "microsoft-edge",
diff --git a/browsers/internet-explorer/docfx.json b/browsers/internet-explorer/docfx.json
index 927e4c51ac..9a7a5d7e4a 100644
--- a/browsers/internet-explorer/docfx.json
+++ b/browsers/internet-explorer/docfx.json
@@ -23,6 +23,7 @@
 }
 ],
 "globalMetadata": {
+ "recommendations": true,
 "breadcrumb_path": "/internet-explorer/breadcrumb/toc.json",
 "ROBOTS": "INDEX, FOLLOW",
 "audience": "ITPro",
diff --git a/devices/hololens/docfx.json b/devices/hololens/docfx.json
index 9b7317309d..464a472b2f 100644
--- a/devices/hololens/docfx.json
+++ b/devices/hololens/docfx.json
@@ -30,6 +30,7 @@
 "overwrite": [],
 "externalReference": [],
 "globalMetadata": {
+ "recommendations": true,
 "breadcrumb_path": "/hololens/breadcrumb/toc.json",
 "ms.technology": "windows",
 "ms.topic": "article",
diff --git a/devices/surface-hub/docfx.json b/devices/surface-hub/docfx.json
index 8eba3c49b1..2e2fb12b63 100644
--- a/devices/surface-hub/docfx.json
+++ b/devices/surface-hub/docfx.json
@@ -24,6 +24,7 @@
 }
 ],
 "globalMetadata": {
+ "recommendations": true,
 "breadcrumb_path": "/surface-hub/breadcrumb/toc.json",
 "ROBOTS": "INDEX, FOLLOW",
 "ms.technology": "windows",
diff --git a/devices/surface/docfx.json b/devices/surface/docfx.json
index 42faacbcac..eba515451e 100644
--- a/devices/surface/docfx.json
+++ b/devices/surface/docfx.json
@@ -22,6 +22,7 @@
 }
 ],
 "globalMetadata": {
+ "recommendations": true,
 "breadcrumb_path": "/surface/breadcrumb/toc.json",
 "ROBOTS": "INDEX, FOLLOW",
 "ms.technology": "windows",
diff --git a/education/docfx.json b/education/docfx.json
index 8ba1394c6d..7cac8a75b9 100644
--- a/education/docfx.json
+++ b/education/docfx.json
@@ -26,6 +26,7 @@
 }
 ],
 "globalMetadata": {
+ "recommendations": true,
 "ROBOTS": "INDEX, FOLLOW",
 "audience": "windows-education",
 "ms.topic": "article",
diff --git a/gdpr/docfx.json b/gdpr/docfx.json
index 1d092a902e..eaa6eba4eb 100644
--- a/gdpr/docfx.json
+++ b/gdpr/docfx.json
@@ -31,6 +31,7 @@
 "overwrite": [],
 "externalReference": [],
 "globalMetadata": {
+ "recommendations": true,
 "author": "eross-msft",
 "ms.author": "lizross",
 "feedback_system": "GitHub",
diff --git a/mdop/docfx.json b/mdop/docfx.json
index abcead924c..dfa58fa007 100644
--- a/mdop/docfx.json
+++ b/mdop/docfx.json
@@ -22,6 +22,7 @@
 }
 ],
 "globalMetadata": {
+ "recommendations": true,
 "breadcrumb_path": "/microsoft-desktop-optimization-pack/breadcrumb/toc.json",
 "ROBOTS": "INDEX, FOLLOW",
 "ms.technology": "windows",
diff --git a/smb/docfx.json b/smb/docfx.json
index 379f9d6f3e..9b63f81cad 100644
--- a/smb/docfx.json
+++ b/smb/docfx.json
@@ -29,6 +29,7 @@
 "overwrite": [],
 "externalReference": [],
 "globalMetadata": {
+ "recommendations": true,
 "breadcrumb_path": "/windows/smb/breadcrumb/toc.json",
 "uhfHeaderId": "MSDocsHeader-M365-IT",
 "feedback_system": "None",
diff --git a/store-for-business/device-guard-signing-portal.md b/store-for-business/device-guard-signing-portal.md
index c6c8eeb5e5..3c5210990f 100644
--- a/store-for-business/device-guard-signing-portal.md
+++ b/store-for-business/device-guard-signing-portal.md
@@ -17,6 +17,11 @@ ms.date: 07/21/2021 # Device Guard signing +**Applies to** + +- Windows 10 +- Windows 10 Mobile + > [!IMPORTANT] > Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution). 
@@ -37,13 +42,7 @@ ms.date: 07/21/2021 > > For any questions, please contact us at DGSSMigration@microsoft.com. - -**Applies to** - -- Windows 10 -- Windows 10 Mobile - -Device Guard signing is a Device Guard feature that is available in Microsoft Store for Business and Education. It gives admins a single place to sign catalog files and code integrity policies. After admins have created catalog files for unsigned apps and signed the catalog files, they can add the signers to a code integrity policy. You can merge the code integrity policy with your existing policy to include your custom signing certificate. This allows you to trust the catalog files. +Device Guard signing is a Device Guard feature that gives admins a single place to sign catalog files and code integrity policies. After admins have created catalog files for unsigned apps and signed the catalog files, they can add the signers to a code integrity policy. You can merge the code integrity policy with your existing policy to include your custom signing certificate. This allows you to trust the catalog files. Device Guard is a feature set that consists of both hardware and software system integrity hardening features. These features use new virtualization-based security options and the trust-nothing mobile device operating system model. A key feature in this model is called configurable code integrity, which allows your organization to choose exactly which software or trusted software publishers are allowed to run code on your client machines. Also, Device Guard offers organizations a way to sign existing line-of-business (LOB) applications so that they can trust their own code, without the requirement that the application be repackaged. Also, this same method of signing allows organizations to trust individual third-party applications. For more information, see [Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide). 
@@ -54,6 +53,132 @@ Device Guard is a feature set that consists of both hardware and software system | [Add unsigned app to code integrity policy](add-unsigned-app-to-code-integrity-policy.md) | When you want to add an unsigned app to a code integrity policy, you need to start with a code integrity policy created from a reference device. Then, create the catalog files for your unsigned app, sign the catalog files, and then merge the default policy that includes your signing certificate with existing code integrity policies. | | [Sign code integrity policy with Device Guard signing](sign-code-integrity-policy-with-device-guard-signing.md) | Signing code integrity policies prevents policies from being tampered with after they're deployed. You can sign code integrity policies with the Device Guard signing portal. | +## Device Guard Signing Service (v2) PowerShell Commands + +> [!NOTE] +> [.. common ..] are parameters common across all commands that are documented below the command definitions. + +**Get-DefaultPolicy** Gets the default .xml policy file associated with the current tenant. + +- Usage: + + ```powershell + Get-DefaultPolicy -OutFile filename [-PassThru] [.. common ..] + ``` + +- Parameters: + + **OutFile** - string, mandatory - The filename where the default policy file should be persisted to disk. The file name should be an .xml file. If the file already exists, it will be overwritten (note: create the folder first). + + **PassThru** - switch, optional - If present, returns an XmlDocument object returning the default policy file. + +- Command running time: + + The average running time is under 20 seconds but may be up to 3 minutes. + +**Get-RootCertificate** Gets the root certificate for the current tenant. All Authenticode and policy signing certificates will eventually chain up to this root certificate. + +- Usage: + + ```powershell + Get-RootCertificate -OutFile filename [-PassThru] [.. common ..] 
+ ``` + +- Parameters: + + **OutFile** - string, mandatory - The filename where the root certificate file should be persisted to disk. The file name should be a .cer file. If the file already exists, it will be overwritten (note: create the folder first). + + **PassThru** - switch, optional - If present, returns an X509Certificate2 object returning the default policy file. + +- Command running time: + + The average running time is under 20 seconds but may be up to 3 minutes. + +**Get-SigningHistory** Gets information for the latest 100 files signed by the current tenant. Results are returned as a collection with elements in reverse chronological order (most recent to least recent). + +- Usage: + + ```powershell + Get-SigningHistory -OutFile filename [-PassThru] [.. common ..] + ``` + +- Parameters: + + **OutFile** - string, mandatory - The filename where the signing history file should be persisted to disk. The file name should be a .xml file. If the file already exists, it will be overwritten (note: create the folder first). + + **PassThru** - switch, optional - If present, returns XML objects returning the XML file. + +- Command running time: + + The average running time is under 10 seconds. + +**Submit-SigningJob** Submits a file to the service for signing and timestamping. The module supports valid file type for Authenticode signing is Catalog file (.cat). Valid file type for policy signing is binary policy files with the extension (.bin) that have been created via the ConvertFrom-CiPolicy cmdlet. Otherwise, binary policy file may not be deployed properly. + +- Usage: + + ```powershell + Submit-SigningJob -InFile filename -OutFile filename [-NoTimestamp][- TimeStamperUrl "timestamper url"] [-JobDescription "description"] [.. common ..] + ``` + +- Parameters: + + **InFile** - string, mandatory - The file to be signed. This should be a file of the types described in description above (.cat or .bin). 
+ + **OutFile** - string, mandatory - The output file that should be generated by the signing process. If this file already exists, it will be overwritten. (note: create the folder first) + + **NoTimestamp** - switch, optional - If present, the signing operation will skip timestamping the output file, and it will be signed only. If not present (default) and TimeStamperUrl presents, the output file will be both signed and timestamped. If both NoTimestamp and TimeStamperUrl not present, the signing operation will skip timestamping the output file, and it will be signed only. + + **TimeStamperUrl** - string, optional - If this value is invalid Url (and NoTimestamp not present), the module will throw exception. To understand more about timestamping, refer to [Timestamping](/windows/msix/package/signing-package-overview#timestamping). + + **JobDescription** - string, optional - A short (< 100 chars), human-readable description of this submission. If the script is being called as part of an automated build rocess the agent may wish to pass a version number or changeset number for this field. This information will be provided as part of the results of the Get-SigningHistory command. + +**Submit-SigningV1MigrationPolicy** Submits a file to the service for signing and timestamping. The only valid file type for policy +signing is binary policy files with the extension (.bin) that have been created via the [ConvertFromCiPolicy](/powershell/module/configci/convertfrom-cipolicy?view=windowsserver2019-ps&viewFallbackFrom=win10-ps) cmdlet. Otherwise, binary policy file may not be deployed properly. Note: Only use for V1 migration. + +- Usage: + + ```powershell + Submit-SigningV1MigrationPolicy -InFile filename -OutFile filename [-NoTimestamp][-TimeStamperUrl "timestamper url"] [-JobDescription "description"] [.. common ..] + ``` + +- Parameters: + + **InFile** - string, mandatory - The file to be signed. This should be a file of the types described in description above (.bin). 
+ + **OutFile** - string, mandatory - The output file that should be generated by the signing process. If this file already exists, it will be overwritten. + + > [!NOTE] + > Create the folder first. + + **NoTimestamp** - switch, optional - If present, the signing operation will skip timestamping the output file, and it will be signed only. If not present (default) and TimeStamperUrl presents, the output file will be both signed and timestamped. If both NoTimestamp and TimeStamperUrl not present, the signing operation will skip timestamping the output file, and it will be signed only. + + **TimeStamperUrl** - string, optional - If this value is invalid Url (and NoTimestamp not present), the module will throw exception. To understand more about timestamping, refer to [Timestamping](/windows/msix/package/signing-package-overview#timestamping). + + **JobDescription** - string, optional - A short (< 100 chars), human-readable description of this submission. If the script is being called as part of an automated build process the agent may wish to pass a version number or changeset number for this field. This information will be provided as part of the results of the Get-SigningHistory command. + +- Command running time: + + The average running time is under 20 seconds but may be up to 3 minutes. + +**Common parameters [.. common ..]** + +In addition to cmdlet-specific parameters, each cmdlet understands the following common parameters. + +- Usage: + + ```powershell + ... [-NoPrompt] [-Credential $creds] [-AppId AppId] [-Verbose] + ``` + +- Parameters: + + **NoPrompt** - switch, optional - If present, indicates that the script is running in a headless + environment and that all UI should be suppressed. If UI must be displayed (e.g., for + authentication) when the switch is set, the operation will instead fail. + + **Credential + AppId** - PSCredential - A login credential (username and password) and AppId. 
+ + ## File and size limits When you're uploading files for Device Guard signing, there are a few limits for files and file size:
@@ -63,7 +188,7 @@ When you're uploading files for Device Guard signing, there are a few limits for | Maximum size for multiple files (uploaded in a group) | 4 MB | | Maximum number of files per upload | 15 files | - ## File types +## File types Catalog and policy files have required files types. | File | Required file type |
@@ -71,7 +196,7 @@ Catalog and policy files have required files types. | catalog files | .cat | | policy files | .bin | - ## Store for Business roles and permissions +## Store for Business roles and permissions Signing code integrity policies and access to Device Guard portal requires the Device Guard signer role. ## Device Guard signing certificates
diff --git a/store-for-business/docfx.json b/store-for-business/docfx.json
index 2a30faf3ef..bf0a63a161 100644
--- a/store-for-business/docfx.json
+++ b/store-for-business/docfx.json
@@ -31,6 +31,7 @@
 "overwrite": [],
 "externalReference": [],
 "globalMetadata": {
+ "recommendations": true,
 "breadcrumb_path": "/microsoft-store/breadcrumb/toc.json",
 "ms.author": "trudyha",
 "audience": "ITPro",
diff --git a/windows/access-protection/docfx.json b/windows/access-protection/docfx.json
index fff71782f2..35b82f4d89 100644
--- a/windows/access-protection/docfx.json
+++ b/windows/access-protection/docfx.json
@@ -32,6 +32,7 @@
 "overwrite": [],
 "externalReference": [],
 "globalMetadata": {
+ "recommendations": true,
 "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
 "ms.technology": "windows",
 "audience": "ITPro",
diff --git a/windows/application-management/docfx.json b/windows/application-management/docfx.json
index 4d3e15e0a7..b5298397b7 100644
--- a/windows/application-management/docfx.json
+++ b/windows/application-management/docfx.json
@@ -32,6 +32,7 @@
 "overwrite": [],
 "externalReference": [],
 "globalMetadata": {
+ "recommendations": true,
 "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
 "uhfHeaderId": "MSDocsHeader-M365-IT",
 "ms.technology": "windows",
diff --git a/windows/client-management/docfx.json b/windows/client-management/docfx.json
index eb3917a794..450357dfba 100644
--- a/windows/client-management/docfx.json
+++ b/windows/client-management/docfx.json
@@ -32,6 +32,7 @@
 "overwrite": [],
 "externalReference": [],
 "globalMetadata": {
+ "recommendations": true,
 "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
 "uhfHeaderId": "MSDocsHeader-M365-IT",
 "ms.technology": "windows",
diff --git a/windows/client-management/index.yml b/windows/client-management/index.yml
index 3731f3f13d..e5ae09ccb3 100644
--- a/windows/client-management/index.yml
+++ b/windows/client-management/index.yml
@@ -1,11 +1,11 @@ ### YamlMime:Landing title: Client management # < 60 chars -summary: Find out how to apply custom configurations to Windows client devices. Windows provides a number of features and methods to help you configure or lock down specific parts of the Windows interface. # < 160 chars +summary: Find out how to apply custom configurations to Windows client devices. Windows provides many features and methods to help you configure or lock down specific parts of the Windows interface. # < 160 chars metadata: - title: Configure Windows 10 # Required; page title displayed in search results. Include the brand. < 60 chars. - description: Learn about the administrative tools, tasks and best practices for managing Windows clients across your enterprise. # Required; article description that is displayed in search results. < 160 chars. + title: Manage Windows client # Required; page title displayed in search results. Include the brand. < 60 chars. + description: Learn about the administrative tools, tasks, and best practices for managing Windows clients across your enterprise. # Required; article description that is displayed in search results. < 160 chars. services: windows-10 ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM. ms.subservice: subservice
@@ -13,7 +13,7 @@ metadata: ms.collection: windows-10 author: greg-lindsay #Required; your GitHub user alias, with correct capitalization. ms.author: greglin #Required; microsoft alias of author; optional team alias. - ms.date: 04/30/2021 #Required; mm/dd/yyyy format. + ms.date: 08/05/2021 #Required; mm/dd/yyyy format. localization_priority: medium # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
diff --git a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md
index b9f88dc916..4fabdbc971 100644
--- a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md
+++ b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md
@@ -1,6 +1,6 @@
 ---
 title: Bulk enrollment
-description: Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to re-image the devices. In Windows 10.
+description: Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to re-image the devices. In Windows 10 and Windows 11.
 MS-HAID:
 - 'p\_phdevicemgmt.bulk\_enrollment'
 - 'p\_phDeviceMgmt.bulk\_enrollment\_using\_Windows\_provisioning\_tool'
@@ -18,7 +18,7 @@ ms.date: 06/26/2017 # Bulk enrollment -Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to re-image the devices. In Windows 10 desktop and mobile devices, you can use the [Provisioning CSP](provisioning-csp.md) for bulk enrollment, except for the Azure Active Directory Join (Cloud Domain Join) enrollment scenario. +Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to re-image the devices. In Windows 10 and 11 desktop devices, you can use the [Provisioning CSP](provisioning-csp.md) for bulk enrollment, except for the Azure Active Directory Join (Cloud Domain Join) enrollment scenario. ## Typical use cases
@@ -37,27 +37,29 @@ On the desktop and mobile devices, you can use an enrollment certificate or enro > - Bulk enrollment does not work in Intune standalone environment. > - Bulk enrollment works in Microsoft Endpoint Manager where the ppkg is generated from the Configuration Manager console. > - To change bulk enrollment settings, login to **AAD**, then **Devices**, and then click **Device Settings**. Change the number under **Maximum number of devices per user**. +> - Bulk Token creation is not supported with federated accounts. ## What you need -- Windows 10 devices -- Windows Imaging and Configuration Designer (ICD) tool - To get the ICD tool, download the [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). For more information about the ICD tool, see [Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd) and [Getting started with Windows ICD](/windows/configuration/provisioning-packages/provisioning-install-icd). -- Enrollment credentials (domain account for enrollment, generic enrollment credentials for MDM, enrollment certificate for MDM.) +- Windows 10 devices. +- Windows Configuration Designer (WCD) tool. + + To get the WCD tool, download from the [Microsoft Store](https://www.microsoft.com/store/productId/9NBLGGH4TX22). For more information about the WCD tool, see [Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd) and [Getting started with Windows WCD](/windows/configuration/provisioning-packages/provisioning-install-icd). +- Enrollment credentials (domain account for enrollment, generic enrollment credentials for MDM, enrollment certificate for MDM.). - Wi-Fi credentials, computer name scheme, and anything else required by your organization. 
Some organizations require custom APNs to be provisioned before talking to the enrollment endpoint or custom VPN to join a domain. ## Create and apply a provisioning package for on-premises authentication -Using the ICD, create a provisioning package using the enrollment information required by your organization. Ensure that you have all the configuration settings. +Using the WCD, create a provisioning package using the enrollment information required by your organization. Ensure that you have all the configuration settings. -1. Open the Windows ICD tool (by default, %windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe). +1. Open the WCD tool. 2. Click **Advanced Provisioning**. ![icd start page](images/bulk-enrollment7.png) 3. Enter a project name and click **Next**. -4. Select **All Windows editions**, since Provisioning CSP is common to all Windows 10 editions, then click **Next**. +4. Select **All Windows editions**, since Provisioning CSP is common to all Windows editions, then click **Next**. 5. Skip **Import a provisioning package (optional)** and click **Finish**. 6. Expand **Runtime settings** > **Workplace**. 7. Click **Enrollments**, enter a value in **UPN**, and then click **Add**. 
@@ -70,8 +72,9 @@ Using the ICD, create a provisioning package using the enrollment information re - **PolicyServiceFullUrl** - Optional and in most cases, it should be left blank. - **Secret** - Password For detailed descriptions of these settings, see [Provisioning CSP](provisioning-csp.md). - Here is the screenshot of the ICD at this point. - ![bulk enrollment screenshot](images/bulk-enrollment.png) + Here is the screenshot of the WCD at this point. + + ![bulk enrollment screenshot](images/bulk-enrollment.png) 9. Configure the other settings, such as the Wi-Fi connections so that the device can join a network before joining MDM (e.g., **Runtime settings** > **ConnectivityProfiles** > **WLANSetting**). 10. When you are done adding all the settings, on the **File** menu, click **Save**. 11. On the main menu click **Export** > **Provisioning package**. 
@@ -90,12 +93,12 @@ Using the ICD, create a provisioning package using the enrollment information re ## Create and apply a provisioning package for certificate authentication -Using the ICD, create a provisioning package using the enrollment information required by your organization. Ensure that you have all the configuration settings. +Using the WCD, create a provisioning package using the enrollment information required by your organization. Ensure that you have all the configuration settings. -1. Open the Windows ICD tool (by default, %windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe). +1. Open the WCD tool. 2. Click **Advanced Provisioning**. 3. Enter a project name and click **Next**. -4. Select **Common to all Windows editions**, since Provisioning CSP is common to all Windows 10 editions. +4. Select **Common to all Windows editions**, since Provisioning CSP is common to all Windows editions. 5. Skip **Import a provisioning package (optional)** and click **Finish**. 6. Specify the certificate. 1. Go to **Runtime settings** > **Certificates** > **ClientCertificates**. 
@@ -129,8 +132,7 @@ Using the ICD, create a provisioning package using the enrollment information re Here's the list of topics about applying a provisioning package: - [Apply a package on the first-run setup screen (out-of-the-box experience)](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment#apply-package) - topic in Technet. -- [Apply a package to a Windows 10 desktop edition image](/windows/configuration/provisioning-packages/provisioning-create-package#to_apply_a_provisioning_package_to_a_desktop_image) - topic in MSDN -- [Apply a package to a Windows 10 Mobile image](/windows/configuration/provisioning-packages/provisioning-create-package#to_apply_a_provisioning_package_to_a_mobile_image) - topic in MSDN. +- [Apply a package to a Windows desktop edition image](/windows/configuration/provisioning-packages/provisioning-create-package#to_apply_a_provisioning_package_to_a_desktop_image) - topic in MSDN - [Apply a package from the Settings menu](#apply-a-package-from-the-settings-menu) - topic below ## Apply a package from the Settings menu
diff --git a/windows/client-management/mdm/clientcertificateinstall-csp.md b/windows/client-management/mdm/clientcertificateinstall-csp.md
index 1e66232f8b..ffb8f4fa5d 100644
--- a/windows/client-management/mdm/clientcertificateinstall-csp.md
+++ b/windows/client-management/mdm/clientcertificateinstall-csp.md
@@ -9,7 +9,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: manikadhiman -ms.date: 02/28/2020 +ms.date: 07/30/2021 --- # ClientCertificateInstall CSP
@@ -205,11 +205,8 @@ Supported operations are Add, Get, Delete, and Replace. Required. Specifies extended key usages. Subject to SCEP server configuration. The list of OIDs are separated by a plus +. For example, OID1+OID2+OID3. Data type is string. -Required for enrollment. Specifies the key usage bits (0x80, 0x20, 0xA0, etc.) for the certificate in decimal format. The value should at least have the second (0x20), fourth (0x80) or both bits set. If the value doesn’t have those bits set, the configuration will fail. -Data type is int. - -Supported operations are Add, Get, Delete, and Replace. +Supported operations are Get, Add, Delete, and Replace. **ClientCertificateInstall/SCEP/*UniqueID*/Install/SubjectName** Required. Specifies the subject name.
@@ -242,7 +239,9 @@ Supported operations are Add, Get, Delete, and Replace. **ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyUsage** Required for enrollment. Specify the key usage bits (0x80, 0x20, 0xA0, etc.) for the certificate in decimal format. The value should at least have second (0x20) or forth (0x80) or both bits set. If the value doesn’t have those bits set, configuration will fail. - Supported operations are Add, Get, Delete, and Replace. Value type is integer. +Data type is int. + +Supported operations are Add, Get, Delete, and Replace. **ClientCertificateInstall/SCEP/*UniqueID*/Install/RetryDelay** Optional. When the SCEP server sends a pending status, this value specifies the device retry waiting time in minutes.
@@ -700,4 +699,4 @@ Add a PFX certificate. The PFX certificate password is encrypted with a custom c ## Related topics -[Configuration service provider reference](configuration-service-provider-reference.md) \ No newline at end of file +[Configuration service provider reference](configuration-service-provider-reference.md)
diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md
index ae2739b076..73237ce6c0 100644
--- a/windows/client-management/mdm/defender-csp.md
+++ b/windows/client-management/mdm/defender-csp.md
@@ -10,7 +10,7 @@ ms.prod: w10 ms.technology: windows author: dansimp ms.localizationpriority: medium -ms.date: 07/23/2021 +ms.date: 08/05/2021 --- # Defender CSP
@@ -35,6 +35,18 @@ Defender
 ------------InitialDetectionTime
 ------------LastThreatStatusChangeTime
 ------------NumberOfDetections
+----EnableNetworkProtection
+--------AllowNetworkProtectionDownLevel
+--------AllowNetworkProtectionOnWinServer
+--------DisableNetworkProtectionPerfTelemetry
+--------DisableDatagramProcessing
+--------DisableInboundConnectionFiltering
+--------EnableDnsSinkhole
+--------DisableDnsOverTcpParsing
+--------DisableHttpParsing
+--------DisableRdpParsing
+--------DisableSshParsing
+--------DisableTlsParsing
 ----Health
 --------ProductStatus (Added in Windows 10 version 1809)
 --------ComputerState
@@ -125,7 +137,7 @@ The following table describes the supported values:
 | 7 | Remote access Trojan |
 | 8 | Trojan |
 | 9 | Email flooder |
-| 10 | Keylogger |
+| 10 | Key logger |
 | 11 | Dialer |
 | 12 | Monitoring software |
 | 13 | Browser modifier |
@@ -185,7 +197,28 @@ The following list shows the supported values: - 7 = Removed - 8 = Cleaned - 9 = Allowed -- 10 = No Status ( Cleared) +- 10 = No Status (Cleared) + +Supported operation is Get. + +**Detections/*ThreatId*/CurrentStatus** +Information about the current status of the threat. + +The data type is integer. + +The following list shows the supported values: + +- 0 = Active +- 1 = Action failed +- 2 = Manual steps required +- 3 = Full scan required +- 4 = Reboot required +- 5 = Remediated with noncritical failures +- 6 = Quarantined +- 7 = Removed +- 8 = Cleaned +- 9 = Allowed +- 10 = No Status (Cleared) Supported operation is Get.
@@ -217,6 +250,139 @@ The data type is integer. Supported operation is Get. +**EnableNetworkProtection** + +The Network Protection Service is a network filter that helps to protect you against web-based malicious threats, including phishing and malware. The Network Protection service contacts the SmartScreen URL reputation service to validate the safety of connections to web resources. +The acceptable values for this parameter are: +- 0: Disabled. The Network Protection service will not block navigation to malicious websites, or contact the SmartScreen URL reputation service. It will still send connection metadata to the antimalware engine if behavior monitoring is enabled, to enhance AV Detections. +- 1: Enabled. The Network Protection service will block connections to malicious websites based on URL Reputation from the SmartScreen URL reputation service. +- 2: AuditMode. As above, but the Network Protection service will not block connections to malicious websites, but will instead log the access to the event log. + +Accepted values: Disabled, Enabled, and AuditMode +Position: Named +Default value: Disabled +Accept pipeline input: False +Accept wildcard characters: False + +**EnableNetworkProtection/AllowNetworkProtectionDownLevel** + +By default, network protection is not allowed to be enabled on Windows versions before 1709, regardless of the setting of the EnableNetworkProtection configuration. Set this configuration to "$true" to override that behavior and allow Network Protection to be set to Enabled or Audit Mode. +- Type: Boolean +- Position: Named +- Default value: False +- Accept pipeline input: False +- Accept wildcard characters: False + +**EnableNetworkProtection/AllowNetworkProtectionOnWinServer** + +By default, network protection is not allowed to be enabled on Windows Server, regardless of the setting of the EnableNetworkProtection configuration. 
Set this configuration to "$true" to override that behavior and allow Network Protection to be set to Enabled or Audit Mode. + +- Type: Boolean +- Position: Named +- Default value: False +- Accept pipeline input: False +- Accept wildcard characters: False + +**EnableNetworkProtection/DisableNetworkProtectionPerfTelemetry** + +Network Protection sends up anonymized performance statistics about its connection monitoring to improve our product and help to find bugs. You can disable this behavior by setting this configuration to "$true". + +- Type: Boolean +- Position: Named +- Default value: False +- Accept pipeline input: False +- Accept wildcard characters: False + +**EnableNetworkProtection/DisableDatagramProcessing** + +Network Protection inspects UDP connections allowing us to find malicious DNS or other UDP Traffic. To disable this functionality, set this configuration to "$true". + +- Type: Boolean +- Position: Named +- Default value: False +- Accept pipeline input: False +- Accept wildcard characters: False + +**EnableNetworkProtection/DisableInboundConnectionFiltering** + +Network Protection inspects and can block both connections that originate from the host machine, as well as those that originates from outside the machine. To have network connection to inspect only outbound connections, set this configuration to "$true". + +- Type: Boolean +- Position: Named +- Default value: False +- Accept pipeline input: False +- Accept wildcard characters: False + +**EnableNetworkProtection/EnableDnsSinkhole** + +Network Protection can inspect the DNS traffic of a machine and, in conjunction with behavior monitoring, detect and sink hole DNS exfiltration attempts and other DNS based malicious attacks. Set this configuration to "$true" to enable this feature. 
+ +- Type: Boolean +- Position: Named +- Default value: False +- Accept pipeline input: False +- Accept wildcard characters: False + +**EnableNetworkProtection/DisableDnsOverTcpParsing** + +Network Protection inspects DNS traffic that occurs over a TCP channel, to provide metadata for Anti-malware Behavior Monitoring or to allow for DNS sink holing if the -EnableDnsSinkhole configuration is set. This can be disabled by setting this value to "$true". + +- Type: Boolean +- Position: Named +- Default value: False +- Accept pipeline input: False +- Accept wildcard characters: False + +**EnableNetworkProtection/DisableDnsParsing** + +Network Protection inspects DNS traffic that occurs over a UDP channel, to provide metadata for Anti-malware Behavior Monitoring or to allow for DNS sink holing if the -EnableDnsSinkhole configuration is set. This can be disabled by setting this value to "$true". + +- Type: Boolean +- Position: Named +- Default value: False +- Accept pipeline input: False +- Accept wildcard characters: False + +**EnableNetworkProtection/DisableHttpParsing** + +Network Protection inspects HTTP traffic to see if a connection is being made to a malicious website, and to provide metadata to Behavior Monitoring. HTTP connections to malicious websites can also be blocked if -EnableNetworkProtection is set to enabled. HTTP inspection can be disabled by setting this value to "$true". + +- Type: Boolean +- Position: Named +- Default value: False +- Accept pipeline input: False +- Accept wildcard characters: False + +**EnableNetworkProtection/DisableRdpParsing** + +Network Protection inspects RDP traffic so that it can block connections from known malicious hosts if -EnableNetworkProtection is set to be enabled, and to provide metadata to behavior monitoring. RDP inspection can be disabled by setting this value to "$true". 
+ +- Type: Boolean +- Position: Named +- Default value: False +- Accept pipeline input: False +- Accept wildcard characters: False + +**EnableNetworkProtection/DisableSshParsing** + +Network Protection inspects SSH traffic, so that it can block connections from known malicious hosts. If -EnableNetworkProtection is set to be enabled, and to provide metadata to behavior monitoring. SSH inspection can be disabled by setting this value to "$true". + +- Type: Boolean +- Position: Named +- Default value: False +- Accept pipeline input: False +- Accept wildcard characters: False + +**EnableNetworkProtection/DisableTlsParsing** + +Network Protection inspects TLS traffic (also known as HTTPS traffic) to see if a connection is being made to a malicious website, and to provide metadata to Behavior Monitoring. TLS connections to malicious websites can also be blocked if -EnableNetworkProtection is set to enabled. HTTP inspection can be disabled by setting this value to "$true". + +- Type: Boolean +- Position: Named +- Default value: False +- Accept pipeline input: False +- Accept wildcard characters: False + **Health** An interior node to group information about Windows Defender health status. @@ -248,7 +414,7 @@ Supported product status values: - Service is shutting down as part of system shutdown = 1 << 16 - Threat remediation failed critically = 1 << 17 - Threat remediation failed non-critically = 1 << 18 -- No status flags set (well initialized state) = 1 << 19 +- No status flags set (well-initialized state) = 1 << 19 - Platform is out of date = 1 << 20 - Platform update is in progress = 1 << 21 - Platform is about to be outdated = 1 << 22 @@ -453,6 +619,26 @@ Valid values are: - 1 – Enable. - 0 (default) – Disable. +**Configuration/HideExclusionsFromLocalAdmins**
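Review bot: The new `EnableNetworkProtection` subtree is written with Set-MpPreference cmdlet metadata (`Position: Named`, `Accept pipeline input: False`, `"$true"`) instead of the CSP node contract the rest of this file uses, so an MDM author cannot tell the OMA-URI data type, the valid values, or the supported operations. Each child should follow the file's existing shape, e.g. `The data type is integer.` / `Supported operations are Add, Delete, Get, Replace.` / `Valid values are: 1 – Enable, 0 (default) – Disable.`, and the parent should present one value set — the `0/1/2` list and the `Accepted values: Disabled, Enabled, and AuditMode` line currently disagree. Two copy errors change meaning: `DisableTlsParsing` ends `HTTP inspection can be disabled by setting this value to "$true".` (should be `TLS inspection`), and `DisableDnsParsing` is documented here but missing from the tree added earlier in this file, which lists only `DisableDnsOverTcpParsing`. Because the `Disable*Parsing` switches also cut off the metadata that feeds behavior monitoring and DNS sinkholing, a one-line caveat on each — `Enabling this reduces detection coverage, not only blocking.` — would help practitioners weigh the trade-off.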
+This policy setting controls whether or not exclusions are visible to Local Admins. For end users (that are not Local Admins) exclusions are not visible, whether or not this setting is enabled. + +If you disable or do not configure this setting, Local Admins will be able to see exclusions in the Windows Security App and via PowerShell. + +If you enable this setting, Local Admins will no longer be able to see the exclusion list in Windows Security App or via PowerShell. + +> [!NOTE] +> Applying this setting will not remove exclusions, it will only prevent them from being visible to Local Admins. This is reflected in **Get-MpPreference**. + +Supported OS versions: Windows 10 + +The data type is integer. + +Supported operations are Add, Delete, Get, Replace. + +Valid values are: +- 1 – Enable. +- 0 (default) – Disable. + **Configuration/DisableCpuThrottleOnIdleScans**
Indicates whether the CPU will be throttled for scheduled scans while the device is idle. This feature is enabled by default and will not throttle the CPU for scheduled scans performed when the device is otherwise idle, regardless of what ScanAvgCPULoadFactor is set to. For all other scheduled scans this flag will have no impact and normal throttling will occur. @@ -532,7 +718,7 @@ Beta Channel: Devices set to this channel will be the first to receive new updat Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. -Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). +Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested applying to a small, representative part of your production population (~10%). Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). 
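Review bot: The note `This is reflected in **Get-MpPreference**` under `Configuration/HideExclusionsFromLocalAdmins` is ambiguous — it could mean the cmdlet reports the setting as enabled, or that the exclusion properties come back empty; state which, e.g. `When enabled, the exclusion lists returned by Get-MpPreference are empty for local administrators, while the exclusions remain in effect.` The section is a visibility control, not an integrity control, so it should also say whether a local administrator can still read the exclusions through other channels (registry, policy exports); if they can, an admin relying on this to conceal exclusions from an attacker with admin rights needs to know. `Supported OS versions: Windows 10` alone does not tell an admin whether earlier builds silently ignore the setting — name the minimum version or platform release, as the neighbouring `(Added in Windows 10 version 1809)` entries do.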
@@ -561,7 +747,7 @@ Beta Channel: Devices set to this channel will be the first to receive new updat Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments. -Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%). +Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested applying to a small, representative part of your production population (~10%). Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). @@ -617,8 +803,8 @@ The data type is integer. Supported operations are Add, Delete, Get, Replace. Valid values are: -• 1 – Enabled. -• 0 (default) – Not Configured. +- 1 – Enabled. +- 0 (default) – Not Configured. More details: diff --git a/windows/client-management/mdm/index.md b/windows/client-management/mdm/index.md index 4339466ef0..a7236eea80 100644 --- a/windows/client-management/mdm/index.md +++ b/windows/client-management/mdm/index.md @@ -28,8 +28,6 @@ Third-party MDM servers can manage Windows 10 by using the MDM protocol. The bu With Windows 10, version 1809, Microsoft is also releasing a Microsoft MDM security baseline that functions like the Microsoft GP-based security baseline. You can easily integrate this baseline into any MDM to support IT pros’ operational needs, addressing security concerns for modern cloud-managed devices. -> [!NOTE] ->Intune support for the MDM security baseline is coming soon. The MDM security baseline includes policies that cover the following areas: 
@@ -48,7 +46,7 @@ For more details about the MDM policies defined in the MDM security baseline and - [MDM Security baseline for Windows 10, version 1809](https://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/1809-MDM-SecurityBaseLine-Document-[Preview].zip) -For information about the MDM policies defined in the Intune security baseline public preview, see [Windows security baseline settings for Intune](/intune/security-baseline-settings-windows). +For information about the MDM policies defined in the Intune security baseline, see [Windows security baseline settings for Intune](/mem/intune/protect/security-baseline-settings-mdm-all). diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md index 763534dad3..13c000e4f5 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md @@ -66,6 +66,9 @@ ms.date: 07/22/2020 - [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxdownloadbandwidth) - [Desktop/PreventUserRedirectionOfProfileFolders](policy-csp-desktop.md#desktop-preventuserredirectionofprofilefolders) - [RestrictedGroups/ConfigureGroupMembership](policy-csp-restrictedgroups.md) +- [System/AllowLocation](policy-csp-system.md#system-allowlocation) +- [System/AllowStorageCard](policy-csp-system.md#system-allowstoragecard) +- [System/AllowTelemetry](policy-csp-system.md#system-allowtelemetry) - [TextInput/AllowIMELogging](policy-csp-textinput.md#textinput-allowimelogging) - [TextInput/AllowIMENetworkAccess](policy-csp-textinput.md#textinput-allowimenetworkaccess) - [TextInput/AllowInputPanel](policy-csp-textinput.md#textinput-allowinputpanel) 
@@ -95,4 +98,4 @@ ms.date: 07/22/2020 ## Related topics -[Policy CSP](policy-configuration-service-provider.md) \ No newline at end of file +[Policy CSP](policy-configuration-service-provider.md) diff --git a/windows/client-management/toc.yml b/windows/client-management/toc.yml index 633a032f7c..faba5b0483 100644 --- a/windows/client-management/toc.yml +++ b/windows/client-management/toc.yml @@ -36,7 +36,7 @@ items: items: - name: CSP reference href: mdm/configuration-service-provider-reference.md - - name: Troubleshoot Windows 10 clients + - name: Troubleshoot Windows clients items: - name: Windows 10 support solutions href: windows-10-support-solutions.md @@ -55,6 +55,12 @@ items: items: - name: Collect data using Network Monitor href: troubleshoot-tcpip-netmon.md + - name: "Part 1: TCP/IP performance overview" + href: /troubleshoot/windows-server/networking/overview-of-tcpip-performance + - name: "Part 2: TCP/IP performance underlying network issues" + href: /troubleshoot/windows-server/networking/troubleshooting-tcpip-performance-underlying-network + - name: "Part 3: TCP/IP performance known issues" + href: /troubleshoot/windows-server/networking/tcpip-performance-known-issues - name: Troubleshoot TCP/IP connectivity href: troubleshoot-tcpip-connectivity.md - name: Troubleshoot port exhaustion diff --git a/windows/client-management/troubleshoot-tcpip.md b/windows/client-management/troubleshoot-tcpip.md index 48a95cd4e0..1ffd3f1dc2 100644 --- a/windows/client-management/troubleshoot-tcpip.md +++ b/windows/client-management/troubleshoot-tcpip.md 
@@ -17,6 +17,9 @@ manager: dansimp In these topics, you will learn how to troubleshoot common problems in a TCP/IP network environment. - [Collect data using Network Monitor](troubleshoot-tcpip-netmon.md) +- [Part 1: TCP/IP performance overview](/troubleshoot/windows-server/networking/overview-of-tcpip-performance) +- [Part 2: TCP/IP performance underlying network issues](/troubleshoot/windows-server/networking/troubleshooting-tcpip-performance-underlying-network) +- [Part 3: TCP/IP performance known issues](/troubleshoot/windows-server/networking/tcpip-performance-known-issues) - [Troubleshoot TCP/IP connectivity](troubleshoot-tcpip-connectivity.md) - [Troubleshoot port exhaustion issues](troubleshoot-tcpip-port-exhaust.md) - [Troubleshoot Remote Procedure Call (RPC) errors](troubleshoot-tcpip-rpc-errors.md) diff --git a/windows/configuration/TOC.yml b/windows/configuration/TOC.yml index 867a205b26..f44d4cea07 100644 --- a/windows/configuration/TOC.yml +++ b/windows/configuration/TOC.yml 
@@ -1,24 +1,26 @@ -- name: Configure Windows 10 +- name: Configure Windows client href: index.yml -- name: Configure appearance settings +- name: Customize the appearance items: - name: Windows 10 Start and taskbar items: - - name: Manage Windows 10 Start and taskbar layout + - name: Start layout and taskbar href: windows-10-start-layout-options-and-policies.md - - name: Configure Windows 10 taskbar - href: configure-windows-10-taskbar.md - - name: Customize and export Start layout - href: customize-and-export-start-layout.md - - name: Add image for secondary tiles - href: start-secondary-tiles.md - - name: Start layout XML for desktop editions of Windows 10 (reference) - href: start-layout-xml-desktop.md - - name: Customize Windows 10 Start and taskbar with Group Policy + - name: Use XML + items: + - name: Customize and export Start layout + href: customize-and-export-start-layout.md + - name: Customize the taskbar + href: configure-windows-10-taskbar.md + - name: Add image for secondary Microsoft Edge tiles + href: start-secondary-tiles.md + - name: Start layout XML for Windows 10 desktop editions (reference) + href: start-layout-xml-desktop.md + - name: Use group policy href: customize-windows-10-start-screens-by-using-group-policy.md - - name: Customize Windows 10 Start and taskbar with provisioning packages + - name: Use provisioning packages href: customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md - - name: Customize Windows 10 Start and taskbar with mobile device management (MDM) + - name: Use mobile device management (MDM) href: customize-windows-10-start-screens-by-using-mobile-device-management.md - name: Troubleshoot Start menu errors href: start-layout-troubleshoot.md diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md index 814515de59..8dec3271ab 100644 
--- a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md +++ b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md @@ -1,6 +1,6 @@ --- -title: Alter Windows 10 Start and taskbar via mobile device management -description: In Windows 10, you can use a mobile device management (MDM) policy to deploy a customized Start and taskbar layout to users. +title: Change the Windows 10 Start and taskbar using mobile device management | Microsoft Docs +description: In Windows 10, you can use a mobile device management (MDM) policy to deploy a customized Start and taskbar layout to users. For example, use Microsoft Intune to configure the start menu layout and taskbar, and deploy the policy to your devices. ms.assetid: F487850D-8950-41FB-9B06-64240127C1E4 ms.reviewer: manager: dansimp @@ -12,7 +12,7 @@ author: greg-lindsay ms.topic: article ms.author: greglin ms.localizationpriority: medium -ms.date: 02/08/2018 +ms.date: 08/05/2021 --- # Customize Windows 10 Start and taskbar with mobile device management (MDM) 
@@ -25,7 +25,7 @@ ms.date: 02/08/2018 >**Looking for consumer information?** [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630) -In Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, you can use a mobile device management (MDM) policy to deploy a customized Start and taskbar layout to users. No reimaging is required, and the layout can be updated simply by overwriting the .xml file that contains the layout. This enables you to customize Start layouts for different departments or organizations, with minimal management overhead. +In Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, you can use a mobile device management (MDM) policy to deploy a customized Start and taskbar layout to users. No reimaging is required. The layout can be updated simply by overwriting the `.xml` file that contains the layout. This feature enables you to customize Start layouts for different departments or organizations, with minimal management overhead. >[!NOTE] >Support for applying a customized taskbar using MDM is added in Windows 10, version 1703. 
@@ -56,36 +56,39 @@ Two features enable Start layout control: ## Create a policy for your customized Start layout +The following example uses Microsoft Intune to configure an MDM policy that applies a customized Start layout: -This example uses Microsoft Intune to configure an MDM policy that applies a customized Start layout. See the documentation for your MDM solution for help in applying the policy. +1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431). -1. In the Microsoft Azure portal, search for **Intune** or go to **More services** > **Intune**. +2. Select **Devices** > **Configuration profiles** > **Create profile**. -2. Select **Device configuration**. +3. Enter the following properties: -3. Select **Profiles**. + - **Platform**: Select **Windows 10 and later**. + - **Profile type**: Select **Templates** > **Device restrictions** > **Create**. -4. Select **Create profile**. +4. In **Basics**, enter the following properties: -5. Enter a friendly name for the profile. + - **Name**: Enter a descriptive name for the profile. Name your profiles so you can easily identify it later. For example, a good profile name is **Customize Start menu and taskbar**. + - **Description**: Enter a description for the profile. This setting is optional, but recommended. -6. Select **Windows 10 and later** for the platform. +5. Select **Next**. -7. Select **Device restrictions for the profile type. +6. In **Configuration settings**, select **Start**: -8. Select **Start**. + - If you're using an XML file, select **Start menu layout**. Browse to and select your Start layout XML file. + - If you don't have an XML file, configure the others settings. For more information on these settings, see [Start settings in Microsoft Intune](/mem/intune/configuration/device-restrictions-windows-10#start). -9. In **Start menu layout**, browse to and select your Start layout XML File. +7. Select **Next**. +8. 
In **Scope tags**, select **Next**. For more information about scope tags, see [Use RBAC and scope tags for distributed IT](/mem/intune/fundamentals/scope-tags). +9. In **Assignments**, select the user or groups that will receive your profile. Select **Next**. For more information on assigning profiles, see [Assign user and device profiles](/mem/intune/configuration/device-profile-assign). +10. In **Review + create**, review your settings. When you select **Create**, your changes are saved, and the profile is assigned. The policy is also shown in the profiles list. -10. Select **OK** twice, and then select **Create**. - -11. Assign the profile to a device group. - -For other MDM solutions, you may need to use an OMA-URI setting for Start layout, based on the [Policy configuration service provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider). The OMA-URI setting is `./User/Vendor/MSFT/Policy/Config/Start/StartLayout`. +> [!NOTE] +> For third party partner MDM solutions, you may need to use an OMA-URI setting for Start layout, based on the [Policy configuration service provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider). The OMA-URI setting is `./User/Vendor/MSFT/Policy/Config/Start/StartLayout`. -## Related topics - +## Next steps - [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md) - [Configure Windows 10 taskbar](configure-windows-10-taskbar.md) @@ -95,5 +98,3 @@ For other MDM solutions, you may need to use an OMA-URI setting for Start layout - [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) - [Customize Windows 10 Start and taskbar with provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) - [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md) - - 
diff --git a/windows/configuration/docfx.json b/windows/configuration/docfx.json index 44006a3af5..d93337be79 100644 --- a/windows/configuration/docfx.json +++ b/windows/configuration/docfx.json @@ -32,6 +32,7 @@ "overwrite": [], "externalReference": [], "globalMetadata": { + "recommendations": true, "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", "uhfHeaderId": "MSDocsHeader-M365-IT", "ms.technology": "windows", diff --git a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md index b255491bc9..aa195fb89f 100644 --- a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md +++ b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md @@ -18,13 +18,13 @@ To configure assigned access (kiosk mode), you need the Application User Model I To get the names and AUMIDs for all apps installed for the current user, open a Windows PowerShell command prompt and enter the following command: ```powershell -get-StartApps +Get-StartApps ``` To get the names and AUMIDs for Windows Store apps installed for another user, open a Windows PowerShell command prompt and enter the following commands: ```powershell -$installedapps = get-AppxPackage +$installedapps = Get-AppxPackage $aumidList = @() foreach ($app in $installedapps) @@ -75,12 +75,12 @@ function listAumids( $userAccount ) { elseif ($userAccount) { # Find installed packages for the specified account. Must be run as an administrator in order to use this option. - $installedapps = get-AppxPackage -user $userAccount + $installedapps = Get-AppxPackage -user $userAccount } else { # Find installed packages for the current account. - $installedapps = get-AppxPackage + $installedapps = Get-AppxPackage } $aumidList = @() diff --git a/windows/configuration/index.yml b/windows/configuration/index.yml index 30c052cbfe..66e42dca78 100644 
--- a/windows/configuration/index.yml +++ b/windows/configuration/index.yml @@ -1,11 +1,11 @@ ### YamlMime:Landing -title: Configure Windows 10 # < 60 chars -summary: Find out how to apply custom configurations to Windows 10 devices. Windows 10 provides a number of features and methods to help you configure or lock down specific parts of Windows 10. # < 160 chars +title: Configure Windows client # < 60 chars +summary: Find out how to apply custom configurations to Windows 10 and Windows 11 devices. Windows 10 provides a number of features and methods to help you configure or lock down specific parts of Windows client. # < 160 chars metadata: - title: Configure Windows 10 # Required; page title displayed in search results. Include the brand. < 60 chars. - description: Find out how to apply custom configurations to Windows 10 devices. # Required; article description that is displayed in search results. < 160 chars. + title: Configure Windows client # Required; page title displayed in search results. Include the brand. < 60 chars. + description: Find out how to apply custom configurations to Windows client devices. # Required; article description that is displayed in search results. < 160 chars. services: windows-10 ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM. ms.subservice: subservice @@ -13,7 +13,7 @@ metadata: ms.collection: windows-10 author: greg-lindsay #Required; your GitHub user alias, with correct capitalization. ms.author: greglin #Required; microsoft alias of author; optional team alias. - ms.date: 03/23/2021 #Required; mm/dd/yyyy format. + ms.date: 08/05/2021 #Required; mm/dd/yyyy format. localization_priority: medium # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new 
@@ -22,7 +22,7 @@ landingContent: # Cards and links should be based on top customer tasks or top subjects # Start card title with a verb # Card (optional) - - title: Manage Windows 10 settings + - title: Manage Windows client settings linkLists: - linkListType: overview links: @@ -35,7 +35,7 @@ landingContent: # Card (optional) - - title: Configure a Windows 10 kiosk + - title: Configure a Windows kiosk linkLists: - linkListType: overview links: @@ -48,7 +48,7 @@ landingContent: # Card (optional) - - title: Windows 10 provisioning packages + - title: Windows client provisioning packages linkLists: - linkListType: overview links: @@ -70,7 +70,7 @@ landingContent: url: wcd/wcd-oobe.md # Card (optional) - - title: Configure Cortana in Windows 10 + - title: Configure Cortana in Windows client linkLists: - linkListType: overview links: @@ -80,7 +80,7 @@ landingContent: url: cortana-at-work/cortana-at-work-voice-commands.md # Card (optional) - - title: User Experience Virtualization (UE-V) for Windows 10 + - title: User Experience Virtualization (UE-V) for Windows client linkLists: - linkListType: overview links: diff --git a/windows/configuration/windows-10-start-layout-options-and-policies.md b/windows/configuration/windows-10-start-layout-options-and-policies.md index ce489cfec1..e0816bbb6f 100644 --- a/windows/configuration/windows-10-start-layout-options-and-policies.md +++ b/windows/configuration/windows-10-start-layout-options-and-policies.md 
@@ -1,6 +1,6 @@ --- -title: Manage Windows 10 Start and taskbar layout (Windows 10) -description: Organizations might want to deploy a customized Start and taskbar layout to devices. +title: Customize and manage the Windows 10 Start and taskbar layout (Windows 10) | Microsoft Docs +description: On Windows devices, customize the start menu layout and taskbar using XML, group policy, provisioning package, or MDM policy. You can add pinned folders, add a start menu size, pin apps to the taskbar, and more. ms.assetid: 2E94743B-6A49-463C-9448-B7DD19D9CD6A ms.reviewer: manager: dansimp 
@@ -12,119 +12,215 @@ author: greg-lindsay ms.author: greglin ms.topic: article ms.localizationpriority: medium -ms.date: 06/19/2018 +ms.date: 08/05/2021 --- -# Manage Windows 10 Start and taskbar layout +# Customize the Start menu and taskbar layout on Windows 10 and later devices +**Applies to**: -**Applies to** - -- Windows 10, Windows Server 2016 with Desktop Experience, Windows Server 2019 with Desktop Experience +- Windows 10 version 1607 and later +- Windows Server 2016 with Desktop Experience +- Windows Server 2019 with Desktop Experience > **Looking for consumer information?** [See what's on the Start menu](https://support.microsoft.com/help/17195/windows-10-see-whats-on-the-menu) +> +> **Looking for OEM information?** See [Customize the Taskbar](/windows-hardware/customize/desktop/customize-the-windows-11-taskbar) and [Customize the Start layout](/windows-hardware/customize/desktop/customize-the-windows-11-start-menu). -Organizations might want to deploy a customized Start and taskbar configuration to devices running Windows 10 Pro, Enterprise, or Education. A standard, customized Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. Configuring the taskbar allows the organization to pin useful apps for their employees and to remove apps that are pinned by default. +Your organization can deploy a customized Start and taskbar to Windows 10 Professional, Enterprise, or Education devices. Use a standard, customized Start layout on devices that are common to multiple users, and devices that are locked down. Configuring the taskbar allows you to pin useful apps for your users, and remove apps that are pinned by default. + +>[!NOTE] +>Support for applying a customized taskbar using MDM is added in Windows 10, version 1703. + +As administrator, you can use these features to customize Start and taskbar to meet your organization needs. 
This article describes the different ways you can customize Start and taskbar, and lists the Start policies. It also includes taskbar information on a clean operating system (OS) installation, and when an OS is upgraded. >[!NOTE] ->Taskbar configuration is available starting in Windows 10, version 1607. -> ->Start and taskbar configuration can be applied to devices running Windows 10 Pro, version 1703. -> >For information on using the layout modification XML to configure Start with roaming user profiles, see [Deploy Roaming User Profiles](/windows-server/storage/folder-redirection/deploy-roaming-user-profiles#step-7-optionally-specify-a-start-layout-for-windows-10-pcs). > >Using CopyProfile for Start menu customization in Windows 10 isn't supported. For more information [Customize the Default User Profile by Using CopyProfile](/windows-hardware/manufacture/desktop/customize-the-default-user-profile-by-using-copyprofile) +## Use XML +On an existing Windows device, you can set up the **Start** screen, and then export the layout to an XML file. When you have the XML file, add this file to a group policy, a Windows Configuration Designer provisioning package, or a mobile device management (MDM) policy. Using these methods, you can deploy the XML file to your devices. When the devices receive your policy, they'll use the layout configured in the XML file. -## Start options +For more information, see [Customize and export Start layout](customize-and-export-start-layout.md). + +For the **taskbar**, you can use the same XML file as the start screen. Or, you can create a new XML file. When you have the XML file, add this file to a group policy or a provisioning package. Using these methods, you can deploy the XML file to your devices. When the devices receive your policy, they'll use the taskbar settings you configured in the XML file. + +For more information, see [Configure Windows 10 taskbar](configure-windows-10-taskbar.md). 
+ +## Use group policy + +Using group policy objects (GPO), you can manage different parts of the Start menu and taskbar. You don't need to reimage the devices. Using administrative templates, you configure settings in a policy, and then deploy this policy to your devices. [Start menu policy settings](#start-menu-policy-settings) (in this article) lists the policies you can configure. + +For more information, see [Use group policy to customize Windows 10 Start and taskbar](customize-windows-10-start-screens-by-using-group-policy.md). + +## Use provisioning packages + +Provisioning packages are containers that include a set of configuration settings. They're designed to configure a device quickly, without installing a new image. For more information on what provisioning packages are, and what they do, see [Provisioning packages](./provisioning-packages/provisioning-packages.md). + +Using a provisioning package, you can customize the Start and taskbar. For more information, see [Use provisioning packages to customize Windows 10 Start and taskbar](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md). + +## Use a mobile device management (MDM) solution + +Using an MDM solution, you add an XML file to a policy, and then deploy this policy to your devices. + +If you use Microsoft Intune for your MDM solution, then you can use settings to configure Start and the taskbar. For more information on the settings you can configure, see [Start settings in Microsoft Intune](/mem/intune/configuration/device-restrictions-windows-10#start). + +For more information, see [Use MDM to customize Windows 10 Start and taskbar](customize-windows-10-start-screens-by-using-mobile-device-management.md). + +## Start menu policy settings ![start layout sections](images/startannotated.png) -Some areas of Start can be managed using Group Policy. The layout of Start tiles can be managed using either Group Policy or Mobile Device Management (MDM) policy. 
+The following list includes the different Start options, and any policy or local settings. The settings in the list can also be used in a provisioning package. If you use a provisioning package, see the [Windows Configuration Designer reference](./wcd/wcd-policies.md#start). ->[!NOTE] ->The MDM policy settings in the table can also be configured [in a provisioning package](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) using **Policies** > **Start**. [See the reference for **Start** settings in Windows Configuration Designer.](./wcd/wcd-policies.md#start) +- **User tile** + - **Group policy**: `User Configuration\Administrative Templates\Start Menu and Taskbar\Remove Logoff on the Start menu` + - **Local setting**: None + - **MDM policy**: + - Start/HideUserTile + - Start/HideSwitchAccount + - Start/HideSignOut + - Start/HideLock + - Start/HideChangeAccountSettings -The following table lists the different parts of Start and any applicable policy settings or Settings options. Group Policy settings are in the **User Configuration**\\**Administrative Templates**\\**Start Menu and Taskbar** path except where a different path is listed in the table. +- **Most used** + - **Group policy**: `User Configuration\Administrative Templates\Start Menu and Taskbar\Remove frequent programs from the Start menu` + - **Local setting**: Settings > Personalization > Start > Show most used apps + - **MDM policy**: Start/HideFrequentlyUsedApps -| Start | Policy | Local setting | -| --- | --- | --- | -| User tile | MDM: **Start/HideUserTile**
**Start/HideSwitchAccount**
**Start/HideSignOut**
**Start/HideLock**
**Start/HideChangeAccountSettings**

Group Policy: **Remove Logoff on the Start menu** | none | -| Most used | MDM: **Start/HideFrequentlyUsedApps**

Group Policy: **Remove frequent programs from the Start menu** | **Settings** > **Personalization** > **Start** > **Show most used apps** | -| Suggestions
-and-
Dynamically inserted app tile | MDM: **Allow Windows Consumer Features**

Group Policy: **Computer Configuration\Administrative Templates\Windows Components\Cloud Content\Turn off Microsoft consumer experiences**

**Note:** This policy also enables or disables notifications for a user's Microsoft account and app tiles from Microsoft dynamically inserted in the default Start menu. | **Settings** > **Personalization** > **Start** > **Occasionally show suggestions in Start** | -| Recently added | MDM: **Start/HideRecentlyAddedApps**
Group Policy: **Computer configuration**\\**Administrative Template**\\**Start Menu and Taskbar**\\**Remove "Recently Added" list from Start Menu** (for Windows 10, version 1803) | **Settings** > **Personalization** > **Start** > **Show recently added apps** | -| Pinned folders | MDM: **AllowPinnedFolder** | **Settings** > **Personalization** > **Start** > **Choose which folders appear on Start** | -| Power | MDM: **Start/HidePowerButton**
**Start/HideHibernate**
**Start/HideRestart**
**Start/HideShutDown**
**Start/HideSleep**

Group Policy: **Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands** | none | -| Start layout | MDM: **Start layout**
**ImportEdgeAssets**

Group Policy: **Prevent users from customizing their Start screen**

**Note:** When a full Start screen layout is imported with Group Policy or MDM, the users cannot pin, unpin, or uninstall apps from the Start screen. Users can view and open all apps in the **All Apps** view, but they cannot pin any apps to the Start screen. When a partial Start screen layout is imported, users cannot change the tile groups applied by the partial layout, but can modify other tile groups and create their own.

**Start layout** policy can be used to pin apps to the taskbar based on an XML File that you provide. Users will be able to change the order of pinned apps, unpin apps, and pin additional apps to the taskbar. | none | -| Jump lists | MDM: **Start/HideRecentJumplists**

Group Policy: **Do not keep history of recently opened documents** | **Settings** > **Personalization** > **Start** > **Show recently opened items in Jump Lists on Start or the taskbar** | -| Start size | MDM: **Force Start size**

Group Policy: **Force Start to be either full screen size or menu size** | **Settings** > **Personalization** > **Start** > **Use Start full screen** | -| App list | MDM: **Start/HideAppList** | **Settings** > **Personalization** > **Start** > **Show app list in Start menu** | -| All Settings | Group Policy: **Prevent changes to Taskbar and Start Menu Settings** | none | -| Taskbar | MDM: **Start/NoPinningToTaskbar** | none | +- **Suggestions, Dynamically inserted app tile** + - **Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Cloud Content\Turn off Microsoft consumer experiences` ->[!NOTE] ->In local **Settings** > **Personalization** > **Start**, there is an option to **Show more tiles**. The default tile layout for Start tiles is 3 columns of medium sized tiles. **Show more tiles** enables 4 columns. To configure the 4-column layout when you [customize and export a Start layout](customize-and-export-start-layout.md), turn on the **Show more tiles** setting and then arrange your tiles. + This policy also enables or disables notifications for: -[Learn how to customize and export Start layout](customize-and-export-start-layout.md) + - A user's Microsoft account + - App tiles that Microsoft dynamically adds to the default Start menu - ## Taskbar options + - **Local setting**: Settings > Personalization > Start > Occasionally show suggestions in Start + - **MDM policy**: Allow Windows Consumer Features -Starting in Windows 10, version 1607, you can pin additional apps to the taskbar and remove default pinned apps from the taskbar. You can specify different taskbar configurations based on device locale or region. 
+- **Recently added** + - **Group policy**: `Computer configuration\Administrative Template\Start Menu and Taskbar\Remove "Recently Added" list from Start Menu` -There are three categories of apps that might be pinned to a taskbar: -* Apps pinned by the user -* Default Windows apps, pinned during operating system installation (Microsoft Edge, File Explorer, Store) -* Apps pinned by the enterprise, such as in an unattended Windows setup + This policy applies to: - >[!NOTE] - >We recommend using [the layoutmodification.xml method](configure-windows-10-taskbar.md) to configure taskbar options, rather than the earlier method of using [TaskbarLinks](/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-taskbarlinks) in an unattended Windows setup file. + - Windows 10 version 1803 and later -The following example shows how apps will be pinned - Windows default apps to the left (blue circle), apps pinned by the user in the center (orange triangle), and apps that you pin using XML to the right (green square). + - **Local setting**: Settings > Personalization > Start > Show recently added apps + - **MDM policy**: Start/HideRecentlyAddedApps + +- **Pinned folders** + - **Local setting**: Settings > Personalization > Start > Choose which folders appear on Start + - **MDM policy**: AllowPinnedFolder + +- **Power** + - **Group policy**: `User Configuration\Administrative Templates\Start Menu and Taskbar\Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands` + - **Local setting**: None + - **MDM policy**: + - Start/HidePowerButton + - Start/HideHibernate + - Start/HideRestart + - Start/HideShutDown + - Start/HideSleep + +- **Start layout** + - **Group policy**: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent users from customizing their Start screen` + + When a full Start screen layout is imported with Group Policy or MDM, users can't pin, unpin, or uninstall apps from the Start screen. 
Users can see and open all apps in the **All Apps** view, but they can't pin any apps to the Start screen. When a partial Start screen layout is imported, users can't change the tile groups applied by the partial layout. They can change other tile groups, and create their own tile groups. + + **Start layout** policy can be used to pin apps to the taskbar based on an XML File you provide. Users can change the order of pinned apps, unpin apps, and pin more apps to the taskbar. + + - **Local setting**: None + - **MDM policy**: + - Start layout + - ImportEdgeAssets + +- **Jump lists** + - **Group policy**: `User Configuration\Administrative Templates\Start Menu and Taskbar\Do not keep history of recently opened documents` + - **Local setting**: Settings > Personalization > Start > Show recently opened items in Jump Lists on Start or the taskbar + - **MDM policy**: Start/HideRecentJumplists + +- **Start size** + - **Group policy**: `User Configuration\Administrative Templates\Start Menu and Taskbar\Force Start to be either full screen size or menu size` + - **Local setting**: Settings > Personalization > Start > Use Start full screen + - **MDM policy**: Force Start size + +- **App list** + - **Local setting**: Settings > Personalization > Start > Show app list in Start menu + - **MDM policy**: Start/HideAppList + +- **All settings** + - **Group policy**: `User Configuration\Administrative Templates\Prevent changes to Taskbar and Start Menu Settings` + - **Local setting**: None + +- **Taskbar** + - **Local setting**: None + - **MDM policy**: Start/NoPinningToTaskbar + +> [!NOTE] +> In the **Settings** app > **Personalization** > **Start**, there is a **Show more tiles on Start** option. The default tile layout for Start tiles is 3 columns of medium sized tiles. **Show more tiles on Start** enables 4 columns. 
To configure the 4-column layout when you [customize and export a Start layout](customize-and-export-start-layout.md), turn on the **Show more tiles** setting, and then arrange your tiles. + +## Taskbar options + +Starting in Windows 10 version 1607, you can pin more apps to the taskbar, and remove default pinned apps from the taskbar. You can select different taskbar configurations based on device locale or region. + +There are three app categories that could be pinned to a taskbar: + +- Apps pinned by the user +- Default Windows apps pinned during the OS installation, such as Microsoft Edge, File Explorer, and Store +- Apps pinned by your organization, such as in an unattended Windows setup + + In an unattended Windows setup file, it's recommended to use the [layoutmodification.xml method](configure-windows-10-taskbar.md) to configure the taskbar options. It's not recommended to use [TaskbarLinks](/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-taskbarlinks). + +The following example shows how apps are pinned. In OS configured to use a right-to-left language, the taskbar order is reversed: + +- Windows default apps to the left (blue circle) +- Apps pinned by the user in the center (orange triangle) +- Apps that you pin using XML to the right (green square) ![Windows left, user center, enterprise to the right](images/taskbar-generic.png) ->[!NOTE] ->In operating systems configured to use a right-to-left language, the taskbar order will be reversed. 
+If you apply the taskbar configuration to a clean install or an update, users can still: +- Pin more apps +- Change the order of pinned apps +- Unpin any app - -Whether you apply the taskbar configuration to a clean install or an update, users will still be able to: -* Pin additional apps -* Change the order of pinned apps -* Unpin any app - ->[!NOTE] ->In Windows 10, version 1703, you can apply an MDM policy, `Start/NoPinningToTaskbar`, to prevents users from pinning and unpinning apps on the taskbar. +> [!TIP] +> In Windows 10 version 1703, you can apply the `Start/NoPinningToTaskbar` MDM policy. This policy prevents users from pinning and unpinning apps on the taskbar. ### Taskbar configuration applied to clean install of Windows 10 -In a clean install, if you apply a taskbar layout, only the apps that you specify and default apps that you do not remove will be pinned to the taskbar. Users can pin additional apps to the taskbar after the layout is applied. +In a clean install, if you apply a taskbar layout, only the following apps are pinned to the taskbar: + +- Apps you specifically add +- Any default apps you don't remove + +After the layout is applied, users can pin more apps to the taskbar. ### Taskbar configuration applied to Windows 10 upgrades -When a device is upgraded to Windows 10, apps will be pinned to the taskbar already. Some apps may have been pinned to the taskbar by a user, and others may have been pinned to the taskbar through a customized base image or by using Windows Unattend setup. +When a device is upgraded to Windows 10, apps are already pinned to the taskbar. Some apps may have been pinned to the taskbar by a user, by a customized base image, or by using Windows unattended setup. -The new taskbar layout for upgrades to Windows 10, version 1607 or later, will apply the following behavior: -* If the user pinned the app to the taskbar, those pinned apps remain and new apps will be added to the right. 
-* If the user didn't pin the app (it was pinned during installation or by policy) and the app is not in updated layout file, the app will be unpinned. -* If the user didn't pin the app and the app is in the updated layout file, the app will be pinned to the right. -* New apps specified in updated layout file are pinned to right of user's pinned apps. +On Windows 10 version 1607 and later, the new taskbar layout for upgrades apply the following behavior: + +- If users pinned apps to the taskbar, then those pinned apps remain. New apps are added to the right. +- If users didn't pin any apps (they're pinned during installation or by policy), and the apps aren't in an updated layout file, then the apps are unpinned. +- If a user didn't pin the app, and the app is in the updated layout file, then the app is pinned to the right. +- New apps specified in updated layout file are pinned to right of user's pinned apps. [Learn how to configure Windows 10 taskbar](configure-windows-10-taskbar.md). ## Start layout configuration errors -If your Start layout customization is not applied as expected, open **Event Viewer** and navigate to **Applications and Services Log** > **Microsoft** > **Windows** > **ShellCommon-StartLayoutPopulation** > **Operational**, and check for one of the following events: +If your Start layout customization isn't applied as you expect, open the **Event Viewer**. Go to **Applications and Services Log** > **Microsoft** > **Windows** > **ShellCommon-StartLayoutPopulation** > **Operational**. Look for the following events: -- **Event 22** is logged when the xml is malformed, meaning the specified file simply isn’t valid xml. This can occur if the file has extra spaces or unexpected characters, or if the file is not saved in the UTF8 format. -- **Event 64** is logged when the xml is valid, but has unexpected values. 
This can happen when the desired configuration is not understood, elements are not in [the required order](start-layout-xml-desktop.md#required-order), or source is not found, such as a missing or misspelled .lnk. - - - - -## Related topics +- **Event 22**: The XML is malformed. The specified file isn’t valid XML. This event can happen if the file has extra spaces or unexpected characters. Or, if the file isn't saved in the UTF8 format. +- **Event 64**: The XML is valid, and has unexpected values. This event can happen when the configuration isn't understood, elements aren't in [the required order](start-layout-xml-desktop.md#required-order), or source isn't found, such as a missing or misspelled `.lnk`. +## Next steps - [Configure Windows 10 taskbar](configure-windows-10-taskbar.md) - [Customize and export Start layout](customize-and-export-start-layout.md) @@ -133,4 +229,4 @@ If your Start layout customization is not applied as expected, open **Event View - [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) - [Customize Windows 10 Start and taskbar with provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) - [Customize Windows 10 Start and taskbar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) -- [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md) \ No newline at end of file +- [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md) diff --git a/windows/configure/docfx.json b/windows/configure/docfx.json index 032a6cf7e4..3ecf9e6104 100644 --- a/windows/configure/docfx.json +++ b/windows/configure/docfx.json @@ -31,6 +31,7 @@ "overwrite": [], "externalReference": [], "globalMetadata": { + "recommendations": true, "feedback_system": "None", "hideEdit": true, "_op_documentIdPathDepotMapping": { 
diff --git a/windows/deploy/docfx.json b/windows/deploy/docfx.json
index f8c535fddb..24a5e3b0ff 100644
--- a/windows/deploy/docfx.json
+++ b/windows/deploy/docfx.json
@@ -31,6 +31,7 @@
 "overwrite": [],
 "externalReference": [],
 "globalMetadata": {
+ "recommendations": true,
 "_op_documentIdPathDepotMapping": {
 "./": {
 "depot_name": "MSDN.windows-deploy",
diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml
index 048a630323..d61509c788 100644
--- a/windows/deployment/TOC.yml
+++ b/windows/deployment/TOC.yml
@@ -273,7 +273,7 @@
 href: upgrade/windows-10-upgrade-paths.md
 - name: Deploy Windows 10 with Microsoft 365
 href: deploy-m365.md
- - name: Understanding the Unified Update Platform
+ - name: Understand the Unified Update Platform
 href: update/windows-update-overview.md
 - name: Servicing stack updates
 href: update/servicing-stack-updates.md
@@ -321,57 +321,69 @@ - name: Active Directory-Based Activation Overview href: volume-activation/active-directory-based-activation-overview.md - name: Install and Configure VAMT - href: volume-activation/install-configure-vamt.md - - name: VAMT Requirements - href: volume-activation/vamt-requirements.md - - name: Install VAMT - href: volume-activation/install-vamt.md - - name: Configure Client Computers - href: volume-activation/configure-client-computers-vamt.md + items: + - name: Overview + href: volume-activation/install-configure-vamt.md + - name: VAMT Requirements + href: volume-activation/vamt-requirements.md + - name: Install VAMT + href: volume-activation/install-vamt.md + - name: Configure Client Computers + href: volume-activation/configure-client-computers-vamt.md - name: Add and Manage Products - href: volume-activation/add-manage-products-vamt.md - - name: Add and Remove Computers - href: volume-activation/add-remove-computers-vamt.md - - name: Update Product Status - href: volume-activation/update-product-status-vamt.md - - name: Remove Products - href: volume-activation/remove-products-vamt.md + items: + - name: Overview + href: volume-activation/add-manage-products-vamt.md + - name: Add and Remove Computers + href: volume-activation/add-remove-computers-vamt.md + - name: Update Product Status + href: volume-activation/update-product-status-vamt.md + - name: Remove Products + href: volume-activation/remove-products-vamt.md - name: Manage Product Keys - href: volume-activation/manage-product-keys-vamt.md - - name: Add and Remove a Product Key - href: volume-activation/add-remove-product-key-vamt.md - - name: Install a Product Key - href: volume-activation/install-product-key-vamt.md - - name: Install a KMS Client Key - href: volume-activation/install-kms-client-key-vamt.md + items: + - name: Overview + href: volume-activation/manage-product-keys-vamt.md + - name: Add and Remove a Product Key + href: volume-activation/add-remove-product-key-vamt.md + - 
name: Install a Product Key + href: volume-activation/install-product-key-vamt.md + - name: Install a KMS Client Key + href: volume-activation/install-kms-client-key-vamt.md - name: Manage Activations - href: volume-activation/manage-activations-vamt.md - - name: Perform Online Activation - href: volume-activation/online-activation-vamt.md - - name: Perform Proxy Activation - href: volume-activation/proxy-activation-vamt.md - - name: Perform KMS Activation - href: volume-activation/kms-activation-vamt.md - - name: Perform Local Reactivation - href: volume-activation/local-reactivation-vamt.md - - name: Activate an Active Directory Forest Online - href: volume-activation/activate-forest-vamt.md - - name: Activate by Proxy an Active Directory Forest - href: volume-activation/activate-forest-by-proxy-vamt.md + items: + - name: Overview + href: volume-activation/manage-activations-vamt.md + - name: Run Online Activation + href: volume-activation/online-activation-vamt.md + - name: Run Proxy Activation + href: volume-activation/proxy-activation-vamt.md + - name: Run KMS Activation + href: volume-activation/kms-activation-vamt.md + - name: Run Local Reactivation + href: volume-activation/local-reactivation-vamt.md + - name: Activate an Active Directory Forest Online + href: volume-activation/activate-forest-vamt.md + - name: Activate by Proxy an Active Directory Forest + href: volume-activation/activate-forest-by-proxy-vamt.md - name: Manage VAMT Data - href: volume-activation/manage-vamt-data.md - - name: Import and Export VAMT Data - href: volume-activation/import-export-vamt-data.md - - name: Use VAMT in Windows PowerShell - href: volume-activation/use-vamt-in-windows-powershell.md + items: + - name: Overview + href: volume-activation/manage-vamt-data.md + - name: Import and Export VAMT Data + href: volume-activation/import-export-vamt-data.md + - name: Use VAMT in Windows PowerShell + href: volume-activation/use-vamt-in-windows-powershell.md - name: VAMT Step-by-Step 
Scenarios - href: volume-activation/vamt-step-by-step.md - - name: "Scenario 1: Online Activation" - href: volume-activation/scenario-online-activation-vamt.md - - name: "Scenario 2: Proxy Activation" - href: volume-activation/scenario-proxy-activation-vamt.md - - name: "Scenario 3: KMS Client Activation" - href: volume-activation/scenario-kms-activation-vamt.md + items: + - name: Overview + href: volume-activation/vamt-step-by-step.md + - name: "Scenario 1: Online Activation" + href: volume-activation/scenario-online-activation-vamt.md + - name: "Scenario 2: Proxy Activation" + href: volume-activation/scenario-proxy-activation-vamt.md + - name: "Scenario 3: KMS Client Activation" + href: volume-activation/scenario-kms-activation-vamt.md - name: VAMT Known Issues href: volume-activation/vamt-known-issues.md 
@@ -486,67 +498,75 @@ - name: Application Compatibility Toolkit (ACT) Technical Reference items: - name: SUA User's Guide - href: planning/sua-users-guide.md - - name: Using the SUA Wizard - href: planning/using-the-sua-wizard.md - - name: Using the SUA Tool - href: planning/using-the-sua-tool.md - - name: Tabs on the SUA Tool Interface - href: planning/tabs-on-the-sua-tool-interface.md - - name: Showing Messages Generated by the SUA Tool - href: planning/showing-messages-generated-by-the-sua-tool.md - - name: Applying Filters to Data in the SUA Tool - href: planning/applying-filters-to-data-in-the-sua-tool.md - - name: Fixing Applications by Using the SUA Tool - href: planning/fixing-applications-by-using-the-sua-tool.md + items: + - name: Overview + href: planning/sua-users-guide.md + - name: Use the SUA Wizard + href: planning/using-the-sua-wizard.md + - name: Use the SUA Tool + href: planning/using-the-sua-tool.md + - name: Tabs on the SUA Tool Interface + href: planning/tabs-on-the-sua-tool-interface.md + - name: Show Messages Generated by the SUA Tool + href: planning/showing-messages-generated-by-the-sua-tool.md + - name: Apply Filters to Data in the SUA Tool + href: planning/applying-filters-to-data-in-the-sua-tool.md + - name: Fix apps using the SUA Tool + href: planning/fixing-applications-by-using-the-sua-tool.md - name: Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista href: planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md - name: Compatibility Administrator User's Guide - href: planning/compatibility-administrator-users-guide.md - - name: Using the Compatibility Administrator Tool - href: planning/using-the-compatibility-administrator-tool.md - - name: Available Data Types and Operators in Compatibility Administrator - href: planning/available-data-types-and-operators-in-compatibility-administrator.md - - name: Searching for Fixed Applications in Compatibility Administrator - href: 
planning/searching-for-fixed-applications-in-compatibility-administrator.md - - name: Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator - href: planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md - - name: Creating a Custom Compatibility Fix in Compatibility Administrator - href: planning/creating-a-custom-compatibility-fix-in-compatibility-administrator.md - - name: Creating a Custom Compatibility Mode in Compatibility Administrator - href: planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md - - name: Creating an AppHelp Message in Compatibility Administrator - href: planning/creating-an-apphelp-message-in-compatibility-administrator.md - - name: Viewing the Events Screen in Compatibility Administrator - href: planning/viewing-the-events-screen-in-compatibility-administrator.md - - name: Enabling and Disabling Compatibility Fixes in Compatibility Administrator - href: planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md - - name: Installing and Uninstalling Custom Compatibility Databases in Compatibility Administrator - href: planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md - - name: Managing Application-Compatibility Fixes and Custom Fix Databases - href: planning/managing-application-compatibility-fixes-and-custom-fix-databases.md - - name: Understanding and Using Compatibility Fixes - href: planning/understanding-and-using-compatibility-fixes.md - - name: Compatibility Fix Database Management Strategies and Deployment - href: planning/compatibility-fix-database-management-strategies-and-deployment.md - - name: Testing Your Application Mitigation Packages - href: planning/testing-your-application-mitigation-packages.md - - name: Using the Sdbinst.exe Command-Line Tool - href: planning/using-the-sdbinstexe-command-line-tool.md + items: + - name: 
Overview + href: planning/compatibility-administrator-users-guide.md + - name: Use the Compatibility Administrator Tool + href: planning/using-the-compatibility-administrator-tool.md + - name: Available Data Types and Operators in Compatibility Administrator + href: planning/available-data-types-and-operators-in-compatibility-administrator.md + - name: Search for Fixed Applications in Compatibility Administrator + href: planning/searching-for-fixed-applications-in-compatibility-administrator.md + - name: Search for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator + href: planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md + - name: Create a Custom Compatibility Fix in Compatibility Administrator + href: planning/creating-a-custom-compatibility-fix-in-compatibility-administrator.md + - name: Create a Custom Compatibility Mode in Compatibility Administrator + href: planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md + - name: Create an AppHelp Message in Compatibility Administrator + href: planning/creating-an-apphelp-message-in-compatibility-administrator.md + - name: View the Events Screen in Compatibility Administrator + href: planning/viewing-the-events-screen-in-compatibility-administrator.md + - name: Enable and Disable Compatibility Fixes in Compatibility Administrator + href: planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md + - name: Install and Uninstall Custom Compatibility Databases in Compatibility Administrator + href: planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md + - name: Manage Application-Compatibility Fixes and Custom Fix Databases + items: + - name: Overview + href: planning/managing-application-compatibility-fixes-and-custom-fix-databases.md + - name: Understand and Use Compatibility Fixes + href: 
planning/understanding-and-using-compatibility-fixes.md + - name: Compatibility Fix Database Management Strategies and Deployment + href: planning/compatibility-fix-database-management-strategies-and-deployment.md + - name: Test Your Application Mitigation Packages + href: planning/testing-your-application-mitigation-packages.md + - name: Use the Sdbinst.exe Command-Line Tool + href: planning/using-the-sdbinstexe-command-line-tool.md - name: Volume Activation - href: volume-activation/volume-activation-windows-10.md - - name: Plan for volume activation - href: volume-activation/plan-for-volume-activation-client.md - - name: Activate using Key Management Service - href: volume-activation/activate-using-key-management-service-vamt.md - - name: Activate using Active Directory-based activation - href: volume-activation/activate-using-active-directory-based-activation-client.md - - name: Activate clients running Windows 10 - href: volume-activation/activate-windows-10-clients-vamt.md - - name: Monitor activation - href: volume-activation/monitor-activation-client.md - - name: Use the Volume Activation Management Tool - href: volume-activation/use-the-volume-activation-management-tool-client.md + items: + - name: Overview + href: volume-activation/volume-activation-windows-10.md + - name: Plan for volume activation + href: volume-activation/plan-for-volume-activation-client.md + - name: Activate using Key Management Service + href: volume-activation/activate-using-key-management-service-vamt.md + - name: Activate using Active Directory-based activation + href: volume-activation/activate-using-active-directory-based-activation-client.md + - name: Activate clients running Windows 10 + href: volume-activation/activate-windows-10-clients-vamt.md + - name: Monitor activation + href: volume-activation/monitor-activation-client.md + - name: Use the Volume Activation Management Tool + href: volume-activation/use-the-volume-activation-management-tool-client.md - name: "Appendix: 
Information sent to Microsoft during activation " href: volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md index 6c5df77f39..084c1d13cc 100644 --- a/windows/deployment/deploy-whats-new.md +++ b/windows/deployment/deploy-whats-new.md @@ -28,7 +28,11 @@ This topic provides an overview of new solutions and online content related to d - For an all-up overview of new features in Windows 10, see [What's new in Windows 10](/windows/whats-new/index). -## Latest news +## [Preview] Windows Autopilot diagnostics page + +When you deploy Windows 11 with Autopilot, you can enable users to view additional information about the Autopilot provisioning process. A new **Windows Autopilot diagnostics Page** is available to provide IT admins and end users with a user-friendly view to troubleshoot Autopilot failures. For more information, see [Windows Autopilot: What's new](/mem/autopilot/windows-autopilot-whats-new#preview-windows-autopilot-diagnostics-page). + +## Windows 11 Check out the following new articles about Windows 11: - [Overview of Windows 11](/windows/whats-new/windows-11) @@ -37,7 +41,9 @@ Check out the following new articles about Windows 11: The [Windows ADK for Windows 11](/windows-hardware/get-started/adk-install) is available.
-[SetupDiag](#setupdiag) is included with Windows 10, version 2004 and later.
+## Deployment tools + +[SetupDiag](#setupdiag) is included with Windows 10, version 2004 and later, and Windows 11.
New capabilities are available for [Delivery Optimization](#delivery-optimization) and [Windows Update for Business](#windows-update-for-business).
VPN support is added to [Windows Autopilot](#windows-autopilot)
An in-place upgrade wizard is available in [Configuration Manager](#microsoft-endpoint-configuration-manager).
diff --git a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md index 2150a2ab0c..92bdcde554 100644 --- a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md +++ b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md @@ -72,7 +72,7 @@ To monitor the task sequence as it happens, right-click the **MDT Build Lab** de ### Configure permissions for the deployment share -In order to read files in the deployment share and write the reference image back to it, you need to assign NTSF and SMB permissions to the MDT Build Account (MDT\_BA) for the **D:\\MDTBuildLab** folder +In order to read files in the deployment share and write the reference image back to it, you need to assign NTFS and SMB permissions to the MDT Build Account (MDT\_BA) for the **D:\\MDTBuildLab** folder On **MDT01**: @@ -679,4 +679,4 @@ After some time, you will have a Windows 10 Enterprise x64 image that is fully [Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
-[Configure MDT settings](configure-mdt-settings.md) \ No newline at end of file +[Configure MDT settings](configure-mdt-settings.md) diff --git a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md index 1aaab1936a..62cb47a58a 100644 --- a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md +++ b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md 
@@ -32,16 +32,16 @@ To configure your environment for BitLocker, you will need to do the following: 4. Configure the rules (CustomSettings.ini) for BitLocker. > [!NOTE] -> Even though it is not a BitLocker requirement, we recommend configuring BitLocker to store the recovery password in Active Directory. For additional information about this feature, see [Backing Up BitLocker and TPM Recovery Information to AD DS](/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds). +> Even though it is not a BitLocker requirement, we recommend configuring BitLocker to store the recovery password in Active Directory. For more information about this feature, see [Backing Up BitLocker and TPM Recovery Information to AD DS](/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds). If you have access to Microsoft BitLocker Administration and Monitoring (MBAM), which is part of Microsoft Desktop Optimization Pack (MDOP), you have additional management features for BitLocker. > [!NOTE] > Backing up TPM to Active Directory was supported only on Windows 10 version 1507 and 1511. >[!NOTE] ->Even though it is not a BitLocker requirement, we recommend configuring BitLocker to store the recovery key and TPM owner information in Active Directory. For additional information about these features, see [Backing Up BitLocker and TPM Recovery Information to AD DS](/previous-versions/windows/it-pro/windows-7/dd875529(v=ws.10)). If you have access to Microsoft BitLocker Administration and Monitoring (MBAM), which is part of Microsoft Desktop Optimization Pack (MDOP), you have additional management features for BitLocker. +>Even though it is not a BitLocker requirement, we recommend configuring BitLocker to store the recovery key and TPM owner information in Active Directory. 
For more information about these features, see [Backing Up BitLocker and TPM Recovery Information to AD DS](/previous-versions/windows/it-pro/windows-7/dd875529(v=ws.10)). If you have access to Microsoft BitLocker Administration and Monitoring (MBAM), which is part of Microsoft Desktop Optimization Pack (MDOP), you have additional management features for BitLocker. -For the purposes of this topic, we will use DC01, a domain controller that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](./prepare-for-windows-deployment-with-mdt.md). +For the purposes of this topic, we will use DC01, a domain controller that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, see [Deploy Windows 10 with the Microsoft Deployment Toolkit](./prepare-for-windows-deployment-with-mdt.md). ## Configure Active Directory for BitLocker @@ -69,7 +69,7 @@ The BitLocker Drive Encryption Administration Utilities are added as features vi 1. BitLocker Drive Encryption Administration Utilities 2. BitLocker Drive Encryption Tools 3. BitLocker Recovery Password Viewer -7. On the **Confirm installation selections** page, click **Install** and then click **Close**. +7. On the **Confirm installation selections** page, click **Install**, and then click **Close**. ![figure 3](../images/mdt-09-fig03.png) 
@@ -95,7 +95,7 @@ Following these steps, you enable the backup of BitLocker and TPM recovery infor ### Set permissions in Active Directory for BitLocker -In addition to the Group Policy created previously, you need to configure permissions in Active Directory to be able to store the TPM recovery information. In these steps, we assume you have downloaded the [Add-TPMSelfWriteACE.vbs script](https://gallery.technet.microsoft.com/ScriptCenter/b4dee016-053e-4aa3-a278-3cebf70d1191) from Microsoft to C:\\Setup\\Scripts on DC01. +In addition to the Group Policy created previously, you need to configure permissions in Active Directory to be able to store the TPM recovery information. In these steps, we assume you have downloaded the [Add-TPMSelfWriteACE.vbs script](https://raw.githubusercontent.com/DeploymentArtist/DF4/master/BitLocker%20and%20TPM/Add-TPMSelfWriteACE.vbs) to C:\\Setup\\Scripts on DC01. 1. On DC01, start an elevated PowerShell prompt (run as Administrator). 2. Configure the permissions by running the following command: @@ -114,7 +114,7 @@ If you want to automate enabling the TPM chip as part of the deployment process, ### Add tools from Dell -[Dell Comnmand | Configure](https://www.dell.com/support/article/us/en/04/sln311302/dell-command-configure) provides a Command Line Interface and a Graphical User Interface. +[Dell Command | Configure](https://www.dell.com/support/article/us/en/04/sln311302/dell-command-configure) provides a Command Line Interface and a Graphical User Interface. ### Add tools from HP diff --git a/windows/deployment/docfx.json b/windows/deployment/docfx.json index cecc2b30b5..b33480ce11 100644 --- a/windows/deployment/docfx.json +++ b/windows/deployment/docfx.json @@ -34,6 +34,7 @@ "overwrite": [], "externalReference": [], "globalMetadata": { + "recommendations": true, "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", "uhfHeaderId": "MSDocsHeader-M365-IT", "ms.technology": "windows", 
diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md index 2664d3f9d8..49943752c3 100644 --- a/windows/deployment/update/media-dynamic-update.md +++ b/windows/deployment/update/media-dynamic-update.md @@ -1,5 +1,5 @@ --- -title: Update Windows 10 media with Dynamic Update +title: Update Windows installation media with Dynamic Update description: Learn how to deploy feature updates to your mission critical devices ms.prod: w10 ms.mktglfcycl: manage 
@@ -14,17 +14,17 @@ ms.collection: M365-modern-desktop ms.topic: article --- -# Update Windows 10 media with Dynamic Update +# Update Windows installation media with Dynamic Update -**Applies to**: Windows 10 +**Applies to**: Windows 10, Windows 11 -This topic explains how to acquire and apply Dynamic Update packages to existing Windows 10 images *prior to deployment* and includes Windows PowerShell scripts you can use to automate this process. +This topic explains how to acquire and apply Dynamic Update packages to existing Windows images *prior to deployment* and includes Windows PowerShell scripts you can use to automate this process. -Volume-licensed media is available for each release of Windows 10 in the Volume Licensing Service Center (VLSC) and other relevant channels such as Windows Update for Business, Windows Server Update Services (WSUS), and Visual Studio Subscriptions. You can use Dynamic Update to ensure that Windows 10 devices have the latest feature update packages as part of an in-place upgrade while preserving language pack and Features on Demand (FODs) that might have been previously installed. Dynamic Update also eliminates the need to install a separate quality update as part of the in-place upgrade process. +Volume-licensed media is available for each release of Windows in the Volume Licensing Service Center (VLSC) and other relevant channels such as Windows Update for Business, Windows Server Update Services (WSUS), and Visual Studio Subscriptions. You can use Dynamic Update to ensure that Windows devices have the latest feature update packages as part of an in-place upgrade while preserving language pack and Features on Demand (FODs) that might have been previously installed. Dynamic Update also eliminates the need to install a separate quality update as part of the in-place upgrade process. 
## Dynamic Update -Whenever installation of a feature update starts (whether from media or an environment connected to Windows Update), *Dynamic Update* is one of the first steps. Windows 10 Setup contacts a Microsoft endpoint to fetch Dynamic Update packages, and then applies those updates to your operating system installation media. The update packages include the following kinds of updates: +Whenever installation of a feature update starts (whether from media or an environment connected to Windows Update), *Dynamic Update* is one of the first steps. Windows Setup contacts a Microsoft endpoint to fetch Dynamic Update packages, and then applies those updates to your operating system installation media. The update packages include the following kinds of updates: - Updates to Setup.exe binaries or other files that Setup uses for feature updates - Updates for the "safe operating system" (SafeOS) that is used for the Windows recovery environment 
@@ -53,14 +53,14 @@ The various Dynamic Update packages might not all be present in the results from If you want to customize the image with additional languages or Features on Demand, download supplemental media ISO files from the [Volume Licensing Service Center](https://www.microsoft.com/licensing/servicecenter/default.aspx). For example, since Dynamic Update will be disabled for your devices, and if users require specific Features on Demand, you can preinstall these into the image. -## Update Windows 10 installation media +## Update Windows installation media Properly updating the installation media involves a large number of actions operating on several different targets (image files). Some actions are repeated on different targets. The target images files include: - Windows Preinstallation Environment (WinPE): a small operating system used to install, deploy, and repair Windows operating systems - Windows Recovery Environment (WinRE): repairs common causes of unbootable operating systems. WinRE is based on WinPE and can be customized with additional drivers, languages, optional packages, and other troubleshooting or diagnostic tools. -- Windows operating system: one or more editions of Windows 10 stored in \sources\install.wim -- Windows installation media: the complete collection of files and folders in the Windows 10 installation media. For example, \sources folder, \boot folder, Setup.exe, and so on. +- Windows operating system: one or more editions of Windows stored in \sources\install.wim +- Windows installation media: the complete collection of files and folders in the Windows installation media. For example, \sources folder, \boot folder, Setup.exe, and so on. This table shows the correct sequence for applying the various tasks to the files. For example, the full sequence starts with adding the servicing stack update to WinRE (1) and concludes with adding the Dynamic Update for Setup to the new media (26). 
@@ -89,7 +89,7 @@ This table shows the correct sequence for applying the various tasks to the file ### Multiple Windows editions -The main operating system file (install.wim) contains multiple editions of Windows 10. It’s possible that only an update for a given edition is required to deploy it, based on the index. Or, it might be that all editions need an update. Further, ensure that languages are installed before Features on Demand, and the latest cumulative update is always applied last. +The main operating system file (install.wim) contains multiple editions of Windows. It’s possible that only an update for a given edition is required to deploy it, based on the index. Or, it might be that all editions need an update. Further, ensure that languages are installed before Features on Demand, and the latest cumulative update is always applied last. ### Additional languages and features @@ -178,8 +178,6 @@ The script assumes that only a single edition is being updated, indicated by Ind It finishes by cleaning and exporting the image to reduce the image size. -> [!NOTE] -> Skip adding the latest cumulative update to Winre.wim because it contains unnecessary components in the recovery environment. The components that are updated and applicable are contained in the safe operating system Dynamic Update package. This also helps to keep the image small. ```powershell # Mount the main operating system, used throughout the script 
@@ -194,8 +192,33 @@ Write-Output "$(Get-TS): Mounting WinRE" Mount-WindowsImage -ImagePath $WORKING_PATH"\winre.wim" -Index 1 -Path $WINRE_MOUNT -ErrorAction stop | Out-Null # Add servicing stack update + +# Note: If you are using a combined cumulative update, there may be a prerequisite servicing stack update required +# This is where you'd add the prerequisite SSU, before applying the latest combined cumulative update. + +# Note: If you are applying a combined cumulative update to a previously updated image (e.g. an image you updated last month) +# There is a known issue where the servicing stack update is installed, but the cumulative update will fail. +# This error should be caught and ignored, as the last step will be to apply the cumulative update +# (or in this case the combined cumulative update) and thus the image will be left with the correct packages installed. + Write-Output "$(Get-TS): Adding package $SSU_PATH" -Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SSU_PATH -ErrorAction stop | Out-Null + +try +{ + Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SSU_PATH | Out-Null +} +Catch +{ + $theError = $_ + Write-Output "$(Get-TS): $theError" + + if ($theError.Exception -like "*0x8007007e*") { + Write-Output "$(Get-TS): This failure is a known issue with combined cumulative update, we can ignore." + } + else { + throw + } +} # # Optional: Add the language to recovery environment 
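Review bot: Dropping `-ErrorAction stop` from the `Add-WindowsPackage` call inside the new `try` block means a non-terminating error from the cmdlet is not caught at all: PowerShell only routes terminating errors to `Catch`, so unless the DISM cmdlet itself raises a terminating error, the script logs to the error stream and continues with WinRE missing its servicing stack update, and neither the "known issue" branch nor the `throw` ever runs. Keep the call as `Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SSU_PATH -ErrorAction Stop | Out-Null` so that every failure reaches the `Catch`, where the `0x8007007e` substring match then decides whether to ignore or rethrow. The substring match on the stringified exception is fragile (it will also match the same HRESULT from an unrelated cause); if the known issue has a distinguishing message, matching on that would be safer, otherwise a comment stating that any `0x8007007e` is assumed to be this issue would help the next maintainer. The surrounding script continues outside this hunk.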
@@ -278,8 +301,33 @@ Foreach ($IMAGE in $WINPE_IMAGES) { Mount-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\boot.wim" -Index $IMAGE.ImageIndex -Path $WINPE_MOUNT -ErrorAction stop | Out-Null # Add SSU + + # Note: If you are using a combined cumulative update, there may be a prerequisite servicing stack update required + # This is where you'd add the prerequisite SSU, before applying the latest combined cumulative update. + + # Note: If you are applying a combined cumulative update to a previously updated image (e.g. an image you updated last month) + # There is a known issue where the servicing stack update is installed, but the cumulative update will fail. + # This error should be caught and ignored, as the last step will be to apply the cumulative update + # (or in this case the combined cumulative update) and thus the image will be left with the correct packages installed. + Write-Output "$(Get-TS): Adding package $SSU_PATH" - Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $SSU_PATH -ErrorAction stop | Out-Null + + try + { + Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $SSU_PATH | Out-Null + } + Catch + { + $theError = $_ + Write-Output "$(Get-TS): $theError" + + if ($theError.Exception -like "*0x8007007e*") { + Write-Output "$(Get-TS): This failure is a known issue with combined cumulative update, we can ignore." + } + else { + throw + } + } # Install lp.cab cab Write-Output "$(Get-TS): Adding package $WINPE_OC_LP_PATH" diff --git a/windows/device-security/docfx.json b/windows/device-security/docfx.json index fb05d45e14..ce2b043c43 100644 --- a/windows/device-security/docfx.json +++ b/windows/device-security/docfx.json @@ -32,6 +32,7 @@ "overwrite": [], "externalReference": [], "globalMetadata": { + "recommendations": true, "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", "ms.technology": "windows", "ms.topic": "article", diff --git a/windows/docfx.json b/windows/docfx.json index 68d6d5933c..30f4698e66 100644 --- a/windows/docfx.json 
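Review bot: The new `Catch` branch for `0x8007007e` swallows the SSU failure on the assumption that the combined cumulative update applied later leaves boot.wim with the correct servicing stack, but nothing in the script verifies that before the image is committed, so a genuinely missing servicing stack in WinPE would ship silently. Before the dismount/commit for each `$IMAGE` (outside this hunk), a check such as `if ((Get-WindowsPackage -Path $WINPE_MOUNT -PackagePath $SSU_PATH).PackageState -ne "Installed") { throw "$(Get-TS): SSU not present in boot.wim index $($IMAGE.ImageIndex)" }` would turn that assumption into a verified state. As in the WinRE block, `Add-WindowsPackage` here also lost `-ErrorAction stop`, so a non-terminating error bypasses the `try`/`Catch` entirely; restore it so failures actually reach the handler. The enclosing `Foreach ($IMAGE in $WINPE_IMAGES)` loop starts and ends outside this hunk.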
+++ b/windows/docfx.json @@ -14,6 +14,7 @@ } ], "globalMetadata": { + "recommendations": true, "ROBOTS": "INDEX, FOLLOW", "audience": "ITPro", "breadcrumb_path": "/itpro/windows/breadcrumb/toc.json", diff --git a/windows/eulas/docfx.json b/windows/eulas/docfx.json index 1dd02b74b2..2834682ce7 100644 --- a/windows/eulas/docfx.json +++ b/windows/eulas/docfx.json @@ -35,6 +35,7 @@ "overwrite": [], "externalReference": [], "globalMetadata": { + "recommendations": true, "breadcrumb_path": "/windows/eulas/breadcrumb/toc.json", "extendBreadcrumb": true, "feedback_system": "None", diff --git a/windows/hub/docfx.json b/windows/hub/docfx.json index ba6cb520ce..f8e5b9331d 100644 --- a/windows/hub/docfx.json +++ b/windows/hub/docfx.json @@ -34,6 +34,7 @@ "overwrite": [], "externalReference": [], "globalMetadata": { + "recommendations": true, "audience": "ITPro", "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", "uhfHeaderId": "MSDocsHeader-M365-IT", diff --git a/windows/hub/index.yml b/windows/hub/index.yml index f61c3a9861..e3a2448009 100644 --- a/windows/hub/index.yml +++ b/windows/hub/index.yml @@ -95,6 +95,8 @@ landingContent: url: /windows/client-management/mandatory-user-profile - text: New policies for Windows 10 url: /windows/client-management/new-policies-for-windows-10 + - text: Configuration service provider reference + url: /windows/client-management/mdm/configuration-service-provider-reference # Card (optional) - title: Security and Privacy diff --git a/windows/keep-secure/docfx.json b/windows/keep-secure/docfx.json index d153310b25..aa250a2f5c 100644 --- a/windows/keep-secure/docfx.json +++ b/windows/keep-secure/docfx.json @@ -31,6 +31,7 @@ "overwrite": [], "externalReference": [], "globalMetadata": { + "recommendations": true, "feedback_system": "None", "_op_documentIdPathDepotMapping": { "./": { diff --git a/windows/known-issues/docfx.json b/windows/known-issues/docfx.json index 6c9c489c80..d331ee80d1 100644 --- a/windows/known-issues/docfx.json 
+++ b/windows/known-issues/docfx.json @@ -35,6 +35,7 @@ "overwrite": [], "externalReference": [], "globalMetadata": { + "recommendations": true, "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", "feedback_system": "GitHub", "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", diff --git a/windows/manage/docfx.json b/windows/manage/docfx.json index 904388daf4..c5275101bf 100644 --- a/windows/manage/docfx.json +++ b/windows/manage/docfx.json @@ -31,6 +31,7 @@ "overwrite": [], "externalReference": [], "globalMetadata": { + "recommendations": true, "_op_documentIdPathDepotMapping": { "./": { "depot_name": "MSDN.windows-manage", diff --git a/windows/plan/docfx.json b/windows/plan/docfx.json index f226ea1fe0..9a47bdcced 100644 --- a/windows/plan/docfx.json +++ b/windows/plan/docfx.json @@ -31,6 +31,7 @@ "overwrite": [], "externalReference": [], "globalMetadata": { + "recommendations": true, "_op_documentIdPathDepotMapping": { "./": { "depot_name": "MSDN.windows-plan", diff --git a/windows/privacy/changes-to-windows-diagnostic-data-collection.md b/windows/privacy/changes-to-windows-diagnostic-data-collection.md index 86e8ebcf13..826c5527fe 100644 --- a/windows/privacy/changes-to-windows-diagnostic-data-collection.md +++ b/windows/privacy/changes-to-windows-diagnostic-data-collection.md 
@@ -52,7 +52,7 @@ Starting in Windows 10, version 1903 and newer, both the **Out-of-Box-Experience In an upcoming release of Windows 10, we’re simplifying your diagnostic data controls by moving from four diagnostic data controls to three: **Diagnostic data off**, **Required**, and **Optional**. If your devices are set to **Enhanced** when they are upgraded, the device settings will be evaluated to be at the more privacy-preserving setting of **Required diagnostic data**, which means that analytic services that leverage enhanced data collection may not work properly. For a list of services, see [Services that rely on Enhanced diagnostic data](#services-that-rely-on-enhanced-diagnostic-data). Administrators should read through the details and determine whether to apply these new policies to restore the same collection settings as they had before this change. For a list of steps, see [Configure a Windows 11 device to limit crash dumps and logs](#configure-a-windows-11-device-to-limit-crash-dumps-and-logs). For more information on services that rely on Enhanced diagnostic data, see [Services that rely on Enhanced diagnostic data](#services-that-rely-on-enhanced-diagnostic-data). -Additionally, you will see the following policy changes in an upcoming release of Windows 10: +Additionally, you will see the following policy changes in an upcoming release of Windows Holographic, version 21H1 (HoloLens 2), Windows Server 2022 and Windows 11: | Policy type | Current policy | Renamed policy | | --- | --- | --- | diff --git a/windows/privacy/docfx.json b/windows/privacy/docfx.json index 29f46358f8..13d72f2e30 100644 --- a/windows/privacy/docfx.json +++ b/windows/privacy/docfx.json @@ -32,6 +32,7 @@ "overwrite": [], "externalReference": [], "globalMetadata": { + "recommendations": true, "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", "uhfHeaderId": "MSDocsHeader-M365-IT", "ms.technology": "windows", 
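Review bot: The sentence kept as context directly above the changed line, `In an upcoming release of Windows 10, we're simplifying your diagnostic data controls…`, still scopes the whole section to Windows 10, while the edited line now attributes the policy changes to Windows Holographic 21H1, Windows Server 2022 and Windows 11. A reader cannot tell which product set the section is describing. Align the introductory sentence with the new list, or state the affected releases once at the top of the section and refer back to them from the policy-changes line.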
diff --git a/windows/release-information/docfx.json b/windows/release-information/docfx.json
index 111809e6f2..c5cbdfb50a 100644
--- a/windows/release-information/docfx.json
+++ b/windows/release-information/docfx.json
@@ -35,6 +35,7 @@
 "overwrite": [],
 "externalReference": [],
 "globalMetadata": {
+ "recommendations": true,
 "breadcrumb_path": "/windows/release-information/breadcrumb/toc.json",
 "ms.prod": "w10",
 "ms.date": "4/30/2019",
diff --git a/windows/security/docfx.json b/windows/security/docfx.json
index e8accb5982..3a997cd1e9 100644
--- a/windows/security/docfx.json
+++ b/windows/security/docfx.json
@@ -33,6 +33,7 @@
 "overwrite": [],
 "externalReference": [],
 "globalMetadata": {
+ "recommendations": true,
 "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
 "uhfHeaderId": "MSDocsHeader-M365-IT",
 "ms.topic": "article",
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md
index 703848eaf3..5d76d6be7c 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md
@@ -21,16 +21,33 @@ ms.reviewer: **Applies to** - Windows 10 - Windows Server 2016 +- Windows Server 2019 Windows Defender Credential Guard has certain application requirements. Windows Defender Credential Guard blocks specific authentication capabilities. Therefore applications that require such capabilities will not function when it is enabled. For further information, see [Application requirements](/windows/access-protection/credential-guard/credential-guard-requirements#application-requirements). The following known issue has been fixed in the [Cumulative Security Update for November 2017](https://support.microsoft.com/help/4051033): -- Scheduled tasks with stored credentials fail to run when Credential Guard is enabled. The task fails and reports Event ID 104 with the following message:
- "Task Scheduler failed to log on ‘\Test’ .
- Failure occurred in ‘LogonUserExEx’ .
+- Scheduled tasks with domain user stored credentials fail to run when Credential Guard is enabled. The task fails and reports Event ID 104 with the following message:
+ "Task Scheduler failed to log on ‘\Test’.
+ Failure occurred in ‘LogonUserExEx’.
User Action: Ensure the credentials for the task are correctly specified.
- Additional Data: Error Value: 2147943726. 2147943726 : ERROR\_LOGON\_FAILURE (The user name or password is incorrect)." + Additional Data: Error Value: 2147943726. 2147943726: ERROR\_LOGON\_FAILURE (The user name or password is incorrect)." +- When enabling NTLM audit on the domain controller, an Event ID 8004 with an indecipherable username format is logged. For example: + > Log Name: Microsoft-Windows-NTLM/Operational + Source: Microsoft-Windows-Security-Netlogon + Event ID: 8004 + Task Category: Auditing NTLM + Level: Information + Description: + Domain Controller Blocked Audit: Audit NTLM authentication to this domain controller. + Secure Channel name: \ + User name: + @@CyBAAAAUBQYAMHArBwUAMGAoBQZAQGA1BAbAUGAyBgOAQFAhBwcAsGA6AweAgDA2AQQAMEAwAANAgDA1AQLAIEADBQRAADAtAANAYEA1AwQA0CA5AAOAMEAyAQLAYDAxAwQAEDAEBwMAMEAwAgMAMDACBgRA0HA + Domain name: NULL + + - This event stems from a scheduled task running under local user context with the [Cumulative Security Update for November 2017](https://support.microsoft.com/topic/november-27-2017-kb4051033-os-build-14393-1914-447b6b88-e75d-0a24-9ab9-5dcda687aaf4) or later and happens when Credential Guard is enabled. + - The username appears in an unusual format because local accounts aren’t protected by Credential Guard. The task also fails to execute. + - As a workaround, run the scheduled task under a domain user or the computer's SYSTEM account. The following known issues have been fixed by servicing releases made available in the Cumulative Security Updates for April 2017: 
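Review bot: The new Event ID 8004 sample is written as a blockquote whose continuation lines (`Source:`, `Event ID:`, `Task Category:`, `User name:` …) carry no hard line breaks, so Markdown will fold them into one paragraph and the bare `\` after `Secure Channel name:` is likely to be consumed as an escape; put the sample in a fenced code block so the field layout and the encoded user name survive rendering. The explanation `The username appears in an unusual format because local accounts aren't protected by Credential Guard` reads as a non sequitur as written — it should say how the lack of protection leads to the encoded name, or drop the causal "because" if that link is not established. The workaround bullet would also help readers more if it said which of the two accounts (domain user or SYSTEM) the author verified, since the first bullet in the same list describes a historical failure with domain-user stored credentials.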
@@ -107,4 +124,4 @@ Windows Defender Credential Guard is not supported by either these products, pro This is not a comprehensive list. Check whether your product vendor, product version, or computer system, supports Windows Defender Credential Guard on systems that run Windows 10 or specific versions of Windows 10. Specific computer system models may be incompatible with Windows Defender Credential Guard. - Microsoft encourages third-party vendors to contribute to this page by providing relevant product support information and by adding links to their own product support statements. \ No newline at end of file + Microsoft encourages third-party vendors to contribute to this page by providing relevant product support information and by adding links to their own product support statements. diff --git a/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md b/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md index 66f580bcad..e6bce8b91b 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md @@ -16,7 +16,7 @@ ms.date: 08/17/2017 ms.reviewer: --- -# Windows Defender Credential Guard protection limits +# Windows Defender Credential Guard protection limits and mitigations **Applies to** - Windows 10 
@@ -43,7 +43,7 @@ do not qualify as credentials because they cannot be presented to another comput ## Additional mitigations -Windows Defender Credential Guard can provide mitigations against attacks on derived credentials and prevent the use of stolen credentials elsewhere. However, PCs can still be vulnerable to certain attacks, even if the derived credentials are protected by Windows Defender Credential Guard. These attacks can include abusing privileges and use of derived credentials directly from a compromised device, reusing previously stolen credentials prior to Windows Defender Device Guard, and abuse of management tools and weak application configurations. Because of this, additional mitigations also must be deployed to make the domain environment more robust. +Windows Defender Credential Guard can provide mitigations against attacks on derived credentials and prevent the use of stolen credentials elsewhere. However, PCs can still be vulnerable to certain attacks, even if the derived credentials are protected by Windows Defender Credential Guard. These attacks can include abusing privileges and use of derived credentials directly from a compromised device, reusing previously stolen credentials, and abuse of management tools and weak application configurations. Because of this, additional mitigations also must be deployed to make the domain environment more robust. ### Restricting domain users to specific domain-joined devices diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index da0e139923..b8ce7af3da 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md 
@@ -679,6 +679,11 @@ Sign-in a workstation with access equivalent to a _domain user_. 10. Select **Enroll to Windows Hello for Business, otherwise fail (Windows 10 and later)** from the **Key storage provider (KSP)** list. 11. Next to **Subject name format**, type **CN={{OnPrem_Distinguished_Name}}** to make the on-premises distinguished name the subject of the issued certificate. + + > [!NOTE] + > If the distinguished name contains special characters like a plus sign ("+"), comma (","), semicolon (";"), or equal sign ("="), the bracketed name must be enclosed in quotation marks: CN=”{{OnPrem_Distinguished_Name}}”. + > If the length of the distinguished name is more than 64 characters, the name length enforcement on the Certification Authority [must be disabled](/previous-versions/windows/it-pro/windows-server-2003/cc784789(v=ws.10)?#disable-dn-length-enforcement). + 12. Specify **User Principal Name (UPN)** as a **Subject Alternative Name** parameter. Set its value as {{UserPrincipalName}}. 13. Refer to the "Configure Certificate Templates on NDES" task for how you configured the **AADJ WHFB Authentication** certificate template in the registry. Select the appropriate combination of key usages from the **Key Usages** list that map to the configured NDES template in the registry. In this example, the **AADJ WHFB Authentication** certificate template was added to the **SignatureTemplate** registry value name. The **Key usage** that maps to that registry value name is **Digital Signature**. 14. Select a previously configured **Trusted certificate** profile that matches the root certificate of the issuing certificate authority as a root certificate for the profile. 
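Review bot: The quoted subject in the new note, `CN=”{{OnPrem_Distinguished_Name}}”`, uses Unicode right double quotation marks (U+201D) on both sides rather than ASCII `"`; an administrator who copies the string into the **Subject name format** field will submit the curly characters as part of the subject, which is precisely the malformed-DN case the note is trying to avoid. Change it to `CN="{{OnPrem_Distinguished_Name}}"`, and wrap it in backticks so the renderer does not convert the quotes again. The numbered procedure this note sits in continues outside the hunk.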
@@ -712,4 +717,4 @@ You have successfully completed the configuration. Add users that need to enrol > * Install and Configure the NDES Role > * Configure Network Device Enrollment Services to work with Microsoft Intune > * Download, Install, and Configure the Intune Certificate Connector -> * Create and Assign a Simple Certificate Enrollment Protocol (SCEP Certificate Profile) \ No newline at end of file +> * Create and Assign a Simple Certificate Enrollment Protocol (SCEP Certificate Profile) diff --git a/windows/security/threat-protection/TOC.yml b/windows/security/threat-protection/TOC.yml index 036ef214e2..ae12fde723 100644 --- a/windows/security/threat-protection/TOC.yml +++ b/windows/security/threat-protection/TOC.yml @@ -265,8 +265,8 @@ href: windows-sandbox/windows-sandbox-architecture.md - name: Windows Sandbox configuration href: windows-sandbox/windows-sandbox-configure-using-wsb-file.md - - name: "Windows Defender Device Guard: virtualization-based security and WDAC" - href: device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md + - name: "Windows Defender Application Control and virtualization-based protection of code integrity" + href: device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md - name: Windows Certifications items: - name: FIPS 140 Validations diff --git a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md index 0628013832..1ede3ef4ed 100644 --- a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md 
@@ -10,14 +10,15 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/01/2019 +ms.date: 07/30/2021 ms.reviewer: ms.technology: mde --- # Enable virtualization-based protection of code integrity -**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to** +- Windows 10 This topic covers different ways to enable Hypervisor-protected code integrity (HVCI) on Windows 10. Some applications, including device drivers, may be incompatible with HVCI. @@ -103,7 +104,11 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualiza reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f ``` -> To enable **VBS with Secure Boot and DMA (value 3)**, in the preceding command, change **/d 1** to **/d 3**. +**To enable VBS with Secure Boot and DMA (value 3)** + +``` command +reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 3 /f +``` **To enable VBS without UEFI lock (value 0)** @@ -111,7 +116,11 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformS reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 0 /f ``` -> To enable **VBS with UEFI lock (value 1)**, in the preceding command, change **/d 0** to **/d 1**. +**To enable VBS with UEFI lock (value 1)** + +``` command +reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 1 /f +``` **To enable virtualization-based protection of Code Integrity policies** 
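Review bot: The new standalone blocks for `RequirePlatformSecurityFeatures /d 3` and `Locked /d 1` drop the old wording that tied them to the preceding command block, so a reader who jumps straight to the bold heading may run only the single line shown; the hunk header's context (`reg add … "EnableVirtualiza…`) suggests the preceding block also sets `EnableVirtualizationBasedSecurity`, which these values presumably depend on. Add a lead-in sentence to each new block, for example `Run this command in addition to the EnableVirtualizationBasedSecurity command in the preceding block.` The `Locked` value 1 blocks also deserve a one-line caveat that the UEFI lock is designed to persist even if the registry value or the policy is later removed, now that the option is presented as a self-contained copy-paste snippet rather than a variant of the value-0 command. The same applies to the hunks at `@@ -125,7 +134,11 @@` and `@@ -155,7 +168,11 @@` on the next line.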
@@ -125,7 +134,11 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorE reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f ``` -> To enable **virtualization-based protection of Code Integrity policies with UEFI lock (value 1)**, in the preceding command, change **/d 0** to **/d 1**. +**To enable virtualization-based protection of Code Integrity policies with UEFI lock (value 1)** + +``` command +reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 1 /f +``` #### For Windows 10 version 1511 and earlier @@ -155,7 +168,11 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualiza reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f ``` -> To enable **VBS with Secure Boot and DMA (value 3)**, in the preceding command, change **/d 1** to **/d 3**. +**To enable VBS with Secure Boot and DMA (value 3)** + +``` command +reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 3 /f +``` **To enable virtualization-based protection of Code Integrity policies (with the default, UEFI lock)** 
@@ -296,4 +313,4 @@ Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true - The Hyper-V virtual machine must be Generation 2, and running at least Windows Server 2016 or Windows 10. - HVCI and [nested virtualization](/virtualization/hyper-v-on-windows/user-guide/nested-virtualization) can be enabled at the same time - Virtual Fibre Channel adapters are not compatible with HVCI. Before attaching a virtual Fibre Channel Adapter to a virtual machine, you must first opt out of virtualization-based security using `Set-VMSecurity`. -- The AllowFullSCSICommandSet option for pass-through disks is not compatible with HVCI. Before configuring a pass-through disk with AllowFullSCSICommandSet, you must first opt out of virtualization-based security using `Set-VMSecurity`. \ No newline at end of file +- The AllowFullSCSICommandSet option for pass-through disks is not compatible with HVCI. Before configuring a pass-through disk with AllowFullSCSICommandSet, you must first opt out of virtualization-based security using `Set-VMSecurity`. diff --git a/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md index 21b9780bc2..4065b2122a 100644 --- a/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md 
@@ -18,7 +18,8 @@ ms.technology: mde # Baseline protections and additional qualifications for virtualization-based protection of code integrity -**Applies to** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to** +- Windows 10 Computers must meet certain hardware, firmware, and software requirements in order to take advantage of all of the virtualization-based security (VBS) features in [Windows Defender Device Guard](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md). Computers lacking these requirements can still be protected by Windows Defender Application Control (WDAC) policies—the difference is that those computers will not be as hardened against certain threats. diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md index 593984f0dc..d2ee8b1f7a 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md @@ -19,7 +19,7 @@ ms.technology: mde **Applies to:** -- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/) +- Windows 10 Microsoft Defender Application Guard (Application Guard) works with Group Policy to help you manage your organization's computer settings. By using Group Policy, you can configure a setting once, and then copy it onto many computers. For example, you can set up multiple security settings in a Group Policy Object, which is linked to a domain, and then apply all those settings to every endpoint in the domain. 
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml index 7a2cd61939..9ad53a26f5 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml +++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml @@ -17,7 +17,7 @@ metadata: title: Frequently asked questions - Microsoft Defender Application Guard summary: | - **Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559) + This article lists frequently asked questions with answers for Microsoft Defender Application Guard (Application Guard). Questions span features, integration with the Windows operating system, and general configuration. diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md index f3cbd518da..994ade09de 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md @@ -18,7 +18,7 @@ ms.technology: mde # Prepare to install Microsoft Defender Application Guard **Applies to:** -- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/) +- - Windows 10 ## Review system requirements diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md index 83850f5a21..de798293db 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md 
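Review bot: `+- - Windows 10` in install-md-app-guard.md has a doubled list marker, so it renders as an empty top-level bullet holding a nested bullet rather than the `- Windows 10` item that the sibling files in this commit use (configure-md-app-guard.md on the previous line, test-scenarios-md-app-guard.md further down). Change the line to `- Windows 10`.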
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md @@ -17,7 +17,8 @@ ms.technology: mde # Microsoft Defender Application Guard overview -**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to** +- Windows 10 Microsoft Defender Application Guard (Application Guard) is designed to help prevent old and newly emerging attacks to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy the playbook that attackers use by making current attack methods obsolete. diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md index a54f8667cd..fb162b5632 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md @@ -1,5 +1,5 @@ --- -title: System requirements for Microsoft Defender Application Guard (Windows 10) +title: System requirements for Microsoft Defender Application Guard description: Learn about the system requirements for installing and running Microsoft Defender Application Guard. ms.prod: m365-security ms.mktglfcycl: manage @@ -17,7 +17,8 @@ ms.technology: mde # System requirements for Microsoft Defender Application Guard -**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559) +**Applies to** +- Windows 10 The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks. Microsoft Defender Application Guard is designed to help prevent old, and newly emerging attacks, to help keep employees productive. 
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md index 9baa7baa78..74525211f8 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md @@ -19,7 +19,7 @@ ms.technology: mde **Applies to:** -- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/) +- Windows 10 We've come up with a list of scenarios that you can use to test hardware-based isolation in your organization. diff --git a/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md b/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md index 7a2193fd9c..31325347d6 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md +++ b/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md @@ -14,7 +14,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 ms.technology: mde --- 
@@ -31,17 +30,11 @@ This policy setting enables or disables blocking a domain controller from accept ### Possible values -- Enabled +- **Enabled** When enabled, this setting does not allow a domain controller to accept any changes to a machine account's password. - When enabled, this setting does not allow a domain controller to accept any changes to a machine account's password. +- **Disabled** When disabled, this setting allows a domain controller to accept any changes to a machine account's password. -- Disabled - - When disabled, this setting allows a domain controller to accept any changes to a machine account's password. - -- Not defined - - Same as Disabled. +- **Not defined** Same as Disabled. ### Best practices 
@@ -51,18 +44,25 @@ This policy setting enables or disables blocking a domain controller from accept Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options +The policy referenced configures the following registry value: + +Registry Hive: HKEY_LOCAL_MACHINE +Registry Path: \System\CurrentControlSet\Services\Netlogon\Parameters\ + +Value Name: RefusePasswordChange + ### Default values The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page. | Server type or GPO | Default value | -| - | - | -| Default Domain Policy | Not defined| -| Default Domain Controller Policy | Not defined| -| Stand-Alone Server Default Settings | Not defined| -| DC Effective Default Settings | Disabled| -| Member Server Effective Default Settings | Disabled| -| Client Computer Effective Default Settings | Not applicable| +|---|---| +| Default Domain Policy | Not defined | +| Default Domain Controller Policy | Not defined | +| Stand-Alone Server Default Settings | Not defined | +| DC Effective Default Settings | Disabled | +| Member Server Effective Default Settings | Disabled | +| Client Computer Effective Default Settings | Not applicable | ## Policy management diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index 6ac3422250..d9a41c8eff 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md 
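Review bot: The added registry reference, `Registry Hive: HKEY_LOCAL_MACHINE` / `Registry Path: \System\CurrentControlSet\Services\Netlogon\Parameters\`, is two consecutive plain lines with no hard break, so Markdown renders hive and path as one run-on paragraph; the leading and trailing backslashes on the path also differ from the `HKLM\SYSTEM\CurrentControlSet\...` form used elsewhere in this commit. Render it as a list, e.g. `- Registry hive: HKEY_LOCAL_MACHINE`, `- Registry path: SYSTEM\CurrentControlSet\Services\Netlogon\Parameters`, `- Value name: RefusePasswordChange`. The value type and the data that correspond to Enabled and Disabled are not given; an auditor checking the raw registry needs them, so state them if the author can confirm (presumably a REG_DWORD).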
@@ -86,6 +86,32 @@ To enable 3090 allow events, and 3091 and 3092 events, you must instead create a reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x300 ``` +## System Integrity Policy Options +The WDAC policy rule-option values can be derived from the "Options" field in the Details section of the Code integrity 3099 event. To parse the values, first convert the hex value to binary. Next, use the bit addresses and their values from the table below to determine the state of each [policy rule-option](/select-types-of-rules-to-create#table-1-windows-defender-application-control-policy---rule-options). + +| Bit Address | Policy Rule Option | +|-------|------| +| 2 | `Enabled:UMCI` | +| 3 | `Enabled:Boot Menu Protection` | +| 4 | `Enabled:Intelligent Security Graph Authorization` | +| 5 | `Enabled:Invalidate EAs on Reboot` | +| 7 | `Required:WHQL` | +| 10 | `Enabled:Allow Supplemental Policies` | +| 11 | `Disabled:Runtime FilePath Rule Protection` | +| 13 | `Enabled:Revoked Expired As Unsigned` | +| 16 | `Enabled:Audit Mode (Default)` | +| 17 | `Disabled:Flight Signing` | +| 18 | `Enabled:Inherit Default Policy` | +| 19 | `Enabled:Unsigned System Integrity Policy (Default)` | +| 20 | `Enabled:Dynamic Code Security` | +| 21 | `Required:EV Signers` | +| 22 | `Enabled:Boot Audit on Failure` | +| 23 | `Enabled:Advanced Boot Options Menu` | +| 24 | `Disabled:Script Enforcement` | +| 25 | `Required:Enforce Store Applications` | +| 27 | `Enabled:Managed Installer` | +| 28 | `Enabled:Update Policy No Reboot` | + ## Appendix A list of other relevant event IDs and their corresponding description. diff --git a/windows/security/threat-protection/windows-defender-application-control/feature-availability.md b/windows/security/threat-protection/windows-defender-application-control/feature-availability.md index 16dd454c61..0f9af0978c 100644 --- a/windows/security/threat-protection/windows-defender-application-control/feature-availability.md 
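Review bot: The link target `/select-types-of-rules-to-create#table-1-windows-defender-application-control-policy---rule-options` is a root-relative path with no directory and no `.md`, unlike the `./select-types-of-rules-to-create.md#…` form used by the docs in the same directory (see feature-availability.md further down in this diff), so it will most likely resolve to nothing; change it to `./select-types-of-rules-to-create.md#table-1-windows-defender-application-control-policy---rule-options`. The decoding instructions also never say how bit addresses are numbered — whether bit 0 is the least-significant bit of the `Options` value after the hex-to-binary conversion — and a reader needs that to map the table correctly; add a sentence such as `Bit addresses count from the least significant bit, starting at 0.` once the author has confirmed the convention. A blank line is also missing between the new `##` heading and the paragraph that follows it.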
+++ b/windows/security/threat-protection/windows-defender-application-control/feature-availability.md @@ -14,7 +14,7 @@ author: denisebmsft ms.reviewer: isbrahm ms.author: deniseb manager: dansimp -ms.date: 04/15/2020 +ms.date: 07/29/2021 ms.custom: asr ms.technology: mde --- @@ -26,18 +26,18 @@ ms.technology: mde - Windows 10 - Windows Server 2016 and above -| Capability | WDAC | AppLocker | -|-----------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Platform support | Available on Windows 10 | Available on Windows 8+ | -| SKU availability | Cmdlets are available on all SKUs on 1909+ builds.
For pre-1909 builds, cmdlets are only available on Enterprise but policies are effective on all SKUs. | Policies deployed through GP are only effective on Enterprise devices.
Policies deployed through MDM are effective on all SKUs. | -| Management solutions |
  • [Intune](./deploy-windows-defender-application-control-policies-using-intune.md) (limited built-in policies or custom policy deployment via OMA-URI)
  • [Microsoft Endpoint Manager Configuration Manager (MEMCM)](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) (limited built-in policies or custom policy deployment via Software Distribution)
  • [Group Policy](./deploy-windows-defender-application-control-policies-using-group-policy.md)
  • PowerShell
|
  • [Intune](/windows/client-management/mdm/applocker-csp) (custom policy deployment via OMA-URI only)
  • MEMCM (custom policy deployment via Software Distribution only)
  • [Group Policy](./applocker/determine-group-policy-structure-and-rule-enforcement.md)
  • PowerShell
    • | -| Per-User and Per-User group rules | Not available (policies are device-wide) | Available on Windows 8+ | -| Kernel mode policies | Available on all Windows 10 versions | Not available | -| Per-app rules | [Available on 1703+](./use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md) | Not available | -| Managed Installer (MI) | [Available on 1703+](./configure-authorized-apps-deployed-with-a-managed-installer.md) | Not available | -| Reputation-Based intelligence | [Available on 1709+](./use-windows-defender-application-control-with-intelligent-security-graph.md) | Not available | -| Multiple policy support | [Available on 1903+](./deploy-multiple-windows-defender-application-control-policies.md) | Not available | -| Path-based rules | [Available on 1903+.](./select-types-of-rules-to-create.md#more-information-about-filepath-rules) Exclusions are not supported. Runtime user-writeability check enforced by default. | Available on Windows 8+. Exclusions are supported. No runtime user-writeability check. | -| COM object configurability | [Available on 1903+](./allow-com-object-registration-in-windows-defender-application-control-policy.md) | Not available | -| Packaged app rules | [Available on RS5+](./manage-packaged-apps-with-windows-defender-application-control.md) | Available on Windows 8+ | +| Capability | WDAC | AppLocker | +|-------------|------|-------------| +| Platform support | Available on Windows 10 | Available on Windows 8+ | +| SKU availability | Cmdlets are available on all SKUs on 1909+ builds.
      For pre-1909 builds, cmdlets are only available on Enterprise but policies are effective on all SKUs. | Policies deployed through GP are only effective on Enterprise devices.
      Policies deployed through MDM are effective on all SKUs. | +| Management solutions |
      • [Intune](./deploy-windows-defender-application-control-policies-using-intune.md) (limited built-in policies or custom policy deployment via OMA-URI)
      • [Microsoft Endpoint Manager Configuration Manager (MEMCM)](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) (limited built-in policies or custom policy deployment via Software Distribution)
      • [Group Policy](./deploy-windows-defender-application-control-policies-using-group-policy.md)
      • PowerShell
      |
      • [Intune](/windows/client-management/mdm/applocker-csp) (custom policy deployment via OMA-URI only)
      • MEMCM (custom policy deployment via Software Distribution only)
      • [Group Policy](./applocker/determine-group-policy-structure-and-rule-enforcement.md)
      • PowerShell
        • |
+| Per-User and Per-User group rules | Not available (policies are device-wide) | Available on Windows 8+ |
+| Kernel mode policies | Available on all Windows 10 versions | Not available |
+| Per-app rules | [Available on 1703+](./use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md) | Not available |
+| Managed Installer (MI) | [Available on 1703+](./configure-authorized-apps-deployed-with-a-managed-installer.md) | Not available |
+| Reputation-Based intelligence | [Available on 1709+](./use-windows-defender-application-control-with-intelligent-security-graph.md) | Not available |
+| Multiple policy support | [Available on 1903+](./deploy-multiple-windows-defender-application-control-policies.md) | Not available |
+| Path-based rules | [Available on 1903+.](./select-types-of-rules-to-create.md#more-information-about-filepath-rules) Exclusions are not supported. Runtime user-writeability checks enforced by default. | Available on Windows 8+. Exclusions are supported. No runtime user-writeability check. |
+| COM object configurability | [Available on 1903+](./allow-com-object-registration-in-windows-defender-application-control-policy.md) | Not available |
+| Packaged app rules | [Available on RS5+](./manage-packaged-apps-with-windows-defender-application-control.md) | Available on Windows 8+ | | Enforceable file types |
          • Driver files: .sys
          • Executable files: .exe and .com
          • DLLs: .dll and .ocx
          • Windows Installer files: .msi, .mst, and .msp
          • Scripts: .ps1, .vbs, and .js
          • Packaged apps and packaged app installers: .appx
          |
          • Executable files: .exe and .com
          • [Optional] DLLs: .dll and .ocx
          • Windows Installer files: .msi, .mst, and .msp
          • Scripts: .ps1, .bat, .cmd, .vbs, and .js
          • Packaged apps and packaged app installers: .appx
          |
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
index 794cefca57..8f9b6ac45d 100644
--- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
+++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
@@ -70,6 +70,7 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru | **17 Enabled:Allow Supplemental Policies** | Use this option on a base policy to allow supplemental policies to expand it. NOTE: This option is only supported on Windows 10, version 1903, and above. | No | | **18 Disabled:Runtime FilePath Rule Protection** | This option disables the default runtime check that only allows FilePath rules for paths that are only writable by an administrator. NOTE: This option is only supported on Windows 10, version 1903, and above. | Yes | | **19 Enabled:Dynamic Code Security** | Enables policy enforcement for .NET applications and dynamically loaded libraries. NOTE: This option is only supported on Windows 10, version 1803, and above. | No |
+| **20 Enabled:Revoked Expired As Unsigned** | Use this option to treat binaries signed with expired and/or revoked certificates as "Unsigned binaries" for user-mode process/components under enterprise signing scenarios. | No | ## Windows Defender Application Control file rule levels
diff --git a/windows/threat-protection/docfx.json b/windows/threat-protection/docfx.json
index 7576fcf3df..5f30884997 100644
--- a/windows/threat-protection/docfx.json
+++ b/windows/threat-protection/docfx.json
@@ -32,6 +32,7 @@ "overwrite": [], "externalReference": [], "globalMetadata": {
+ "recommendations": true, "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", "ms.technology": "windows", "ms.topic": "article",
diff --git a/windows/update/docfx.json b/windows/update/docfx.json
index 723941b24a..d577905730 100644
--- a/windows/update/docfx.json
+++ b/windows/update/docfx.json
@@ -31,6 +31,7 @@ "overwrite": [], "externalReference": [], "globalMetadata": {
+ "recommendations": true, "_op_documentIdPathDepotMapping": { "./": { "depot_name": "MSDN.windows-update",
diff --git a/windows/whats-new/docfx.json b/windows/whats-new/docfx.json
index fe5bc2fe98..e8a0332615 100644
--- a/windows/whats-new/docfx.json
+++ b/windows/whats-new/docfx.json
@@ -32,6 +32,7 @@ "overwrite": [], "externalReference": [], "globalMetadata": {
+ "recommendations": true, "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", "uhfHeaderId": "MSDocsHeader-M365-IT", "ms.topic": "article",
diff --git a/windows/whats-new/windows-11-prepare.md b/windows/whats-new/windows-11-prepare.md
index 5d395a418c..f2dedd5144 100644
--- a/windows/whats-new/windows-11-prepare.md
+++ b/windows/whats-new/windows-11-prepare.md
@@ -55,7 +55,7 @@ If you aren’t already taking advantage of cloud-based management capabilities, The following are some common use cases and the corresponding Microsoft Endpoint Manager capabilities that support them:
-- **Provision and pre-configure new Windows 11 devices**: [Windows Autopilot](/mem/autopilot/windows-autopilot) enables you to deploy new Windows 11 devices in a “business-ready” state that includes your desired applications, settings, and policies. It can also be used to change the edition of Windows. For example, you can upgrade from Pro to Enterprise edition and gain the use of advanced features.
+- **Provision and pre-configure new Windows 11 devices**: [Windows Autopilot](/mem/autopilot/windows-autopilot) enables you to deploy new Windows 11 devices in a “business-ready” state that includes your desired applications, settings, and policies. It can also be used to change the edition of Windows. For example, you can upgrade from Pro to Enterprise edition and gain the use of advanced features. The [Windows Autopilot diagnostics page](/mem/autopilot/windows-autopilot-whats-new#preview-windows-autopilot-diagnostics-page) is new feature that is available when you use in Windows Autopilot to deploy Windows 11. - **Configure rules and control settings for users, apps, and devices**: When you enroll devices in [Microsoft Intune](/mem/intune/fundamentals/what-is-intune), administrators have full control over apps, settings, features, and security for both Windows 11 and Windows 10. You can also use app protection policies to require multi-factor authentication (MFA) for specific apps. - **Streamline device management for frontline, remote, and onsite workers**: Introduced with Windows 10, [cloud configuration](/mem/intune/fundamentals/cloud-configuration) is a standard, easy-to-manage, device configuration that is cloud-optimized for users with specific workflow needs.
It can be deployed to devices running the Pro, Enterprise, and Education editions of Windows 11 by using Microsoft Endpoint Manager.
diff --git a/windows/whats-new/windows-11.md b/windows/whats-new/windows-11.md
index 699a271b9f..d7f3653761 100644
--- a/windows/whats-new/windows-11.md
+++ b/windows/whats-new/windows-11.md
@@ -47,6 +47,8 @@ For more information about device eligibility, see [Windows 11 requirements](win If you are interested in testing Windows 11 before general availability, you can join the [Windows Insider Program](https://insider.windows.com) or [Windows Insider Program for Business](https://insider.windows.com/for-business). You can also preview Windows 11 by enabling pre-release Windows 10 feature updates in [Microsoft Endpoint Configuration Manager](/mem/configmgr/core/servers/manage/pre-release-features) or [Windows Server Update Services](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/publishing-pre-release-windows-10-feature-updates-to-wsus/ba-p/845054) (WSUS).
+If you are an administrator, you can manage installations of Windows 11 Insider Preview Builds across multiple devices in your organization using Group Policy, MDM solutions such as Intune, Configuration Manager, or [Windows Server Update Services](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/publishing-pre-release-windows-10-feature-updates-to-wsus/ba-p/845054) (WSUS). For more information, see [Manage Insider Preview builds across your organization](/windows-insider/business/manage-builds).
+ ## Before you begin The following sections provide a quick summary of licensing, compatibility, management, and servicing considerations to help you get started with Windows 11.
@@ -86,4 +88,4 @@ When Windows 11 reaches general availability, important servicing-related announ ## Also see
-[What's new in Windows 11](/windows-hardware/get-started/what-s-new-in-windows)
          \ No newline at end of file
+[What's new in Windows 11](/windows-hardware/get-started/what-s-new-in-windows)