From 0ef901195f4364ce818e624699196049fe5775d7 Mon Sep 17 00:00:00 2001
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com>
Date: Sun, 25 Apr 2021 23:14:23 +0500
Subject: [PATCH 01/68] Update hello-hybrid-aadj-sso-cert.md
---
.../hello-for-business/hello-hybrid-aadj-sso-cert.md | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
index da0e139923..3bcde4eec9 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
@@ -679,6 +679,11 @@ Sign-in a workstation with access equivalent to a _domain user_.
10. Select **Enroll to Windows Hello for Business, otherwise fail (Windows 10 and later)** from the **Key storage provider (KSP)** list.
11. Next to **Subject name format**, type **CN={{OnPrem_Distinguished_Name}}** to make the on-premises distinguished name the subject of the issued certificate.
+
+ > [!Note]
+ > If the distinguished names contain scpecial characters ("+", ",", ";" or "="), put quotation marks: CN=”{{OnPrem_Distinguished_Name}}”.
+ > If the distinguished names length is more than 64 characters, name length enforcement on the Certification Authority [must be disabled](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2003/cc784789(v=ws.10)?#disable-dn-length-enforcement)
+
12. Specify **User Principal Name (UPN)** as a **Subject Alternative Name** parameter. Set its value as {{UserPrincipalName}}.
13. Refer to the "Configure Certificate Templates on NDES" task for how you configured the **AADJ WHFB Authentication** certificate template in the registry. Select the appropriate combination of key usages from the **Key Usages** list that map to the configured NDES template in the registry. In this example, the **AADJ WHFB Authentication** certificate template was added to the **SignatureTemplate** registry value name. The **Key usage** that maps to that registry value name is **Digital Signature**.
14. Select a previously configured **Trusted certificate** profile that matches the root certificate of the issuing certificate authority as a root certificate for the profile.
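Review bot: the added note misspells "special" ("scpecial") and wraps the placeholder in typographic right double quotes, CN=”{{OnPrem_Distinguished_Name}}”; a reader who copies that string into the Subject name format field pastes U+201D characters, not the ASCII quotes the quoting rule relies on, so use straight quotes: CN="{{OnPrem_Distinguished_Name}}". The second sentence also ends without a period and sends the reader to a Windows Server 2003 previous-versions page for disabling DN length enforcement; link current guidance or state the setting inline, and since the text places the switch on the Certification Authority rather than on this template, say that it relaxes the check for every certificate that CA issues.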
@@ -712,4 +717,4 @@ You have successfully completed the configuration. Add users that need to enrol
> * Install and Configure the NDES Role
> * Configure Network Device Enrollment Services to work with Microsoft Intune
> * Download, Install, and Configure the Intune Certificate Connector
-> * Create and Assign a Simple Certificate Enrollment Protocol (SCEP Certificate Profile)
\ No newline at end of file
+> * Create and Assign a Simple Certificate Enrollment Protocol (SCEP Certificate Profile)
From 33f51de4962c7468947f1f9e030ebba2a2eae5e6 Mon Sep 17 00:00:00 2001
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com>
Date: Tue, 27 Apr 2021 14:09:24 +0500
Subject: [PATCH 02/68] Update
windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com>
---
.../hello-for-business/hello-hybrid-aadj-sso-cert.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
index 3bcde4eec9..37b51d0f58 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
@@ -680,7 +680,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
10. Select **Enroll to Windows Hello for Business, otherwise fail (Windows 10 and later)** from the **Key storage provider (KSP)** list.
11. Next to **Subject name format**, type **CN={{OnPrem_Distinguished_Name}}** to make the on-premises distinguished name the subject of the issued certificate.
- > [!Note]
+ > [!NOTE]
> If the distinguished names contain scpecial characters ("+", ",", ";" or "="), put quotation marks: CN=”{{OnPrem_Distinguished_Name}}”.
> If the distinguished names length is more than 64 characters, name length enforcement on the Certification Authority [must be disabled](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2003/cc784789(v=ws.10)?#disable-dn-length-enforcement)
From 84a64b71fa3ab330f7bdb7927e92720ea32277a4 Mon Sep 17 00:00:00 2001
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com>
Date: Tue, 27 Apr 2021 14:09:33 +0500
Subject: [PATCH 03/68] Update
windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com>
---
.../hello-for-business/hello-hybrid-aadj-sso-cert.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
index 37b51d0f58..ef4f0465c4 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
@@ -681,7 +681,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
11. Next to **Subject name format**, type **CN={{OnPrem_Distinguished_Name}}** to make the on-premises distinguished name the subject of the issued certificate.
> [!NOTE]
- > If the distinguished names contain scpecial characters ("+", ",", ";" or "="), put quotation marks: CN=”{{OnPrem_Distinguished_Name}}”.
+ > If the distinguished name contains special characters like plus sign ("+"), comma (","), semicolon (";"), or equal sign ("="), the bracketed name must be enclosed in quotation marks: CN=”{{OnPrem_Distinguished_Name}}”.
> If the distinguished names length is more than 64 characters, name length enforcement on the Certification Authority [must be disabled](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2003/cc784789(v=ws.10)?#disable-dn-length-enforcement)
12. Specify **User Principal Name (UPN)** as a **Subject Alternative Name** parameter. Set its value as {{UserPrincipalName}}.
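Review bot: the rewritten sentence still uses typographic quotes around the placeholder (CN=”{{OnPrem_Distinguished_Name}}”), so the copy-paste problem is unchanged; use CN="{{OnPrem_Distinguished_Name}}". "The bracketed name" is also ambiguous, since the placeholder sits in double braces; say "the {{OnPrem_Distinguished_Name}} placeholder must be enclosed in quotation marks".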
From 8cf38b6fcac09a95c54e88fc9976c2b91111410f Mon Sep 17 00:00:00 2001
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com>
Date: Tue, 27 Apr 2021 14:09:38 +0500
Subject: [PATCH 04/68] Update
windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com>
---
.../hello-for-business/hello-hybrid-aadj-sso-cert.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
index ef4f0465c4..090085514e 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
@@ -682,7 +682,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
> [!NOTE]
> If the distinguished name contains special characters like plus sign ("+"), comma (","), semicolon (";"), or equal sign ("="), the bracketed name must be enclosed in quotation marks: CN=”{{OnPrem_Distinguished_Name}}”.
- > If the distinguished names length is more than 64 characters, name length enforcement on the Certification Authority [must be disabled](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2003/cc784789(v=ws.10)?#disable-dn-length-enforcement)
+ > If the length of the distinguished name is more than 64 characters, the name length enforcement on the Certification Authority [must be disabled](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2003/cc784789(v=ws.10)?#disable-dn-length-enforcement).
12. Specify **User Principal Name (UPN)** as a **Subject Alternative Name** parameter. Set its value as {{UserPrincipalName}}.
13. Refer to the "Configure Certificate Templates on NDES" task for how you configured the **AADJ WHFB Authentication** certificate template in the registry. Select the appropriate combination of key usages from the **Key Usages** list that map to the configured NDES template in the registry. In this example, the **AADJ WHFB Authentication** certificate template was added to the **SignatureTemplate** registry value name. The **Key usage** that maps to that registry value name is **Digital Signature**.
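Review bot: the grammar fix is fine, but the link target is still a Windows Server 2003 previous-versions page; if no current page documents disabling DN length enforcement, name the CA-side setting in the sentence so the instruction survives the link going away, and note that the change applies to the Certification Authority as a whole rather than to this one template.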
From f0bd7db771eb2d52427039cfa8d6184d9e61689c Mon Sep 17 00:00:00 2001
From: Reza Tavakoli <9096461+tavrez@users.noreply.github.com>
Date: Sun, 18 Jul 2021 21:16:27 +0430
Subject: [PATCH 05/68] Small typo fixes
---
.../deploy-windows-mdt/create-a-windows-10-reference-image.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
index 2150a2ab0c..92bdcde554 100644
--- a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
+++ b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
@@ -72,7 +72,7 @@ To monitor the task sequence as it happens, right-click the **MDT Build Lab** de
### Configure permissions for the deployment share
-In order to read files in the deployment share and write the reference image back to it, you need to assign NTSF and SMB permissions to the MDT Build Account (MDT\_BA) for the **D:\\MDTBuildLab** folder
+In order to read files in the deployment share and write the reference image back to it, you need to assign NTFS and SMB permissions to the MDT Build Account (MDT\_BA) for the **D:\\MDTBuildLab** folder
On **MDT01**:
@@ -679,4 +679,4 @@ After some time, you will have a Windows 10 Enterprise x64 image that is fully
[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
-[Configure MDT settings](configure-mdt-settings.md)
\ No newline at end of file
+[Configure MDT settings](configure-mdt-settings.md)
From 6a9a6be184810050decf71da11624e084ab94694 Mon Sep 17 00:00:00 2001
From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com>
Date: Fri, 23 Jul 2021 23:14:52 +0530
Subject: [PATCH 06/68] added manage Insider Preview builds org link
This is my own PR. I added the Manage Insider Preview builds across your organization link and its explanation (not my own explanation); I copied and pasted it from the article below:
**https://docs.microsoft.com/windows-insider/business/manage-builds**
I need help from @JohanFreelancer9 to verify, so please assist me with your suggestions.
Thanking you
---
windows/whats-new/windows-11.md | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/windows/whats-new/windows-11.md b/windows/whats-new/windows-11.md
index 699a271b9f..bd540d2145 100644
--- a/windows/whats-new/windows-11.md
+++ b/windows/whats-new/windows-11.md
@@ -47,6 +47,8 @@ For more information about device eligibility, see [Windows 11 requirements](win
If you are interested in testing Windows 11 before general availability, you can join the [Windows Insider Program](https://insider.windows.com) or [Windows Insider Program for Business](https://insider.windows.com/for-business). You can also preview Windows 11 by enabling pre-release Windows 10 feature updates in [Microsoft Endpoint Configuration Manager](/mem/configmgr/core/servers/manage/pre-release-features) or [Windows Server Update Services](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/publishing-pre-release-windows-10-feature-updates-to-wsus/ba-p/845054) (WSUS).
+If you're an administrator, you can manage installations of Windows 11 Insider Preview Builds across multiple devices in your organization using Group Policy, MDM solutions such as Intune, Configuration Manager, or [Windows Server Update Services](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/publishing-pre-release-windows-10-feature-updates-to-wsus/ba-p/845054) (WSUS).For more informinformation see [Manage Insider Preview builds across your organization](https://docs.microsoft.com/windows-insider/business/manage-builds).
+
## Before you begin
The following sections provide a quick summary of licensing, compatibility, management, and servicing considerations to help you get started with Windows 11.
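Review bot: the added paragraph has a doubled word ("informinformation") and no space after "(WSUS).", and it links with an absolute https://docs.microsoft.com URL while the Configuration Manager link in the preceding paragraph uses a site-relative path; suggest "(WSUS). For more information, see [Manage Insider Preview builds across your organization](/windows-insider/business/manage-builds)." The WSUS link also duplicates the one in the paragraph directly above, so a plain "WSUS" without a second link would read cleaner.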
@@ -86,4 +88,4 @@ When Windows 11 reaches general availability, important servicing-related announ
## Also see
-[What's new in Windows 11](/windows-hardware/get-started/what-s-new-in-windows)
\ No newline at end of file
+[What's new in Windows 11](/windows-hardware/get-started/what-s-new-in-windows)
From 41208fe04262afccc5c775e70616f9e72f04b6ad Mon Sep 17 00:00:00 2001
From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com>
Date: Sat, 24 Jul 2021 09:25:42 +0530
Subject: [PATCH 07/68] Update windows/whats-new/windows-11.md
accepted
Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
windows/whats-new/windows-11.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/whats-new/windows-11.md b/windows/whats-new/windows-11.md
index bd540d2145..d7f3653761 100644
--- a/windows/whats-new/windows-11.md
+++ b/windows/whats-new/windows-11.md
@@ -47,7 +47,7 @@ For more information about device eligibility, see [Windows 11 requirements](win
If you are interested in testing Windows 11 before general availability, you can join the [Windows Insider Program](https://insider.windows.com) or [Windows Insider Program for Business](https://insider.windows.com/for-business). You can also preview Windows 11 by enabling pre-release Windows 10 feature updates in [Microsoft Endpoint Configuration Manager](/mem/configmgr/core/servers/manage/pre-release-features) or [Windows Server Update Services](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/publishing-pre-release-windows-10-feature-updates-to-wsus/ba-p/845054) (WSUS).
-If you're an administrator, you can manage installations of Windows 11 Insider Preview Builds across multiple devices in your organization using Group Policy, MDM solutions such as Intune, Configuration Manager, or [Windows Server Update Services](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/publishing-pre-release-windows-10-feature-updates-to-wsus/ba-p/845054) (WSUS).For more informinformation see [Manage Insider Preview builds across your organization](https://docs.microsoft.com/windows-insider/business/manage-builds).
+If you are an administrator, you can manage installations of Windows 11 Insider Preview Builds across multiple devices in your organization using Group Policy, MDM solutions such as Intune, Configuration Manager, or [Windows Server Update Services](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/publishing-pre-release-windows-10-feature-updates-to-wsus/ba-p/845054) (WSUS). For more information, see [Manage Insider Preview builds across your organization](/windows-insider/business/manage-builds).
## Before you begin
From d02dc3092749ea7f03019dab781cc9a23e3c6158 Mon Sep 17 00:00:00 2001
From: ratijas
Date: Tue, 27 Jul 2021 01:54:19 +0300
Subject: [PATCH 08/68] Use proper capitalization for PowerShell cmdlets
---
...d-the-application-user-model-id-of-an-installed-app.md | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md
index b255491bc9..aa195fb89f 100644
--- a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md
+++ b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md
@@ -18,13 +18,13 @@ To configure assigned access (kiosk mode), you need the Application User Model I
To get the names and AUMIDs for all apps installed for the current user, open a Windows PowerShell command prompt and enter the following command:
```powershell
-get-StartApps
+Get-StartApps
```
To get the names and AUMIDs for Windows Store apps installed for another user, open a Windows PowerShell command prompt and enter the following commands:
```powershell
-$installedapps = get-AppxPackage
+$installedapps = Get-AppxPackage
$aumidList = @()
foreach ($app in $installedapps)
@@ -75,12 +75,12 @@ function listAumids( $userAccount ) {
elseif ($userAccount)
{
# Find installed packages for the specified account. Must be run as an administrator in order to use this option.
- $installedapps = get-AppxPackage -user $userAccount
+ $installedapps = Get-AppxPackage -user $userAccount
}
else
{
# Find installed packages for the current account.
- $installedapps = get-AppxPackage
+ $installedapps = Get-AppxPackage
}
$aumidList = @()
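Review bot: the commit capitalizes the cmdlet but leaves the parameter lowercase in `$installedapps = Get-AppxPackage -user $userAccount`; PowerShell parameter names are case-insensitive so it runs either way, but for the consistency this commit is after it should read `Get-AppxPackage -User $userAccount`.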
From 61270ecfed2161180818a7098aadb9deeb96d670 Mon Sep 17 00:00:00 2001
From: Kim Klein
Date: Mon, 26 Jul 2021 17:40:56 -0700
Subject: [PATCH 09/68] Edited select-type and event-id documents.
- select-type-of-rules-to-create: added option 20 to table 1.
- event-id-explanations: Added a new System Integrity Policy Options table for event ID 3099.
---
.../event-id-explanations.md | 29 +++++++++++++++++++
.../select-types-of-rules-to-create.md | 1 +
2 files changed, 30 insertions(+)
diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
index 6ac3422250..2d450b1c94 100644
--- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
+++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
@@ -86,6 +86,35 @@ To enable 3090 allow events, and 3091 and 3092 events, you must instead create a
reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x300
```
+## System Integrity Policy Options
+Below are the policy options in event 3099.
+
+| Bit Address | Policy Rule Option |
+|-------|------|
+| 2 | Enabled:UMCI |
+| 3 | Enabled:Boot Menu Protection |
+| 4 | Enabled:Intelligent Security Graph Authorization |
+| 5 | Enabled:Invalidate EAs on Reboot |
+| 7 |Required:WHQL |
+| 8 | Enabled:Developer Dynamic Code Security |
+| 9 | Enabled: No Revalidation Upon Refresh |
+| 10 | Enabled:Allow Supplemental Policies |
+| 11 | Disabled:Runtime FilePath Rule Protection |
+| 13 | Enabled: Revoked Expired As Unsigned |
+| 16 |Enabled:Audit Mode (Default) |
+| 17 | Disabled:Flight Signing |
+| 18 | Enabled:Inherit Default Policy |
+| 19 | Enabled:Unsigned System Integrity Policy (Default) |
+| 20 | Enabled:Dynamic Code Security |
+| 21 | Required:EV Signers |
+| 22 | Enabled:Boot Audit on Failure |
+| 23 | Enabled:Advanced Boot Options Menu |
+| 24 | Disabled:Script Enforcement |
+| 25 | Required:Enforce Store Applications |
+| 26 | Enabled: Host Policy Enforcement |
+| 27 |Enabled:Managed Installer |
+| 28 |Enabled:Update Policy No Reboot |
+
## Appendix
A list of other relevant event IDs and their corresponding description.
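Review bot: the new table does not say how "Bit Address" is to be read: whether bit 0 is the least significant bit of the Options value, and why bits 0, 1, 6, 12, 14 and 15 are absent (reserved or simply undocumented). It also uses a numbering that differs from the option numbers in Table 1 of select-types-of-rules-to-create.md (for example "Enabled:Allow Supplemental Policies" is bit 10 here but option 17 there), which readers will otherwise assume are the same index; state that explicitly and link the table. "Below are the policy options in event 3099." should also name the field in the event that holds the value and the conversion the reader must do.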
diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
index 794cefca57..0d7b426112 100644
--- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
+++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
@@ -70,6 +70,7 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru
| **17 Enabled:Allow Supplemental Policies** | Use this option on a base policy to allow supplemental policies to expand it. NOTE: This option is only supported on Windows 10, version 1903, and above. | No |
| **18 Disabled:Runtime FilePath Rule Protection** | This option disables the default runtime check that only allows FilePath rules for paths that are only writable by an administrator. NOTE: This option is only supported on Windows 10, version 1903, and above. | Yes |
| **19 Enabled:Dynamic Code Security** | Enables policy enforcement for .NET applications and dynamically loaded libraries. NOTE: This option is only supported on Windows 10, version 1803, and above. | No |
+| **20 Enabled:Revoked Expired As Unsigned** | Use this option to treat binaries signed with an expired and/or revoked certificates as "Unsigned binaries" for user mode process/components under enterprise signing scenarios. | No |
## Windows Defender Application Control file rule levels
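Review bot: the new row reads "signed with an expired and/or revoked certificates", which mixes singular and plural; use "signed with expired and/or revoked certificates" and "user-mode". The same commit lists this option as bit 13 in the event 3099 table, while it is option 20 here, so a short note that the two numbers are different indexes would save readers from equating them.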
From 5a52a3bd439485aaaea3ae0095582ec5d2db1186 Mon Sep 17 00:00:00 2001
From: Kim Klein
Date: Tue, 27 Jul 2021 16:20:28 -0700
Subject: [PATCH 10/68] Added the suggested feedback
to select-types-of-rules and event-id-explanations documents.
---
.../event-id-explanations.md | 16 ++++++++--------
.../select-types-of-rules-to-create.md | 2 +-
2 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
index 2d450b1c94..e3ae7a65ba 100644
--- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
+++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
@@ -87,7 +87,7 @@ reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x
```
## System Integrity Policy Options
-Below are the policy options in event 3099.
+The WDAC policy rule-option values can be derived from the "Options" field in the Details section of the Code integrity 3099 event. To parse the values, first convert the hex value to binary. Next, use the bit addresses and their values from the table below to determine the state of each [policy rule-option](select-types-of-rules-to-create#table-1-windows-defender-application-control-policy---rule-options).
| Bit Address | Policy Rule Option |
|-------|------|
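Review bot: the cross-reference `select-types-of-rules-to-create#table-1-windows-defender-application-control-policy---rule-options` drops the `.md` extension that relative links elsewhere in this doc set carry (for example `./select-types-of-rules-to-create.md#more-information-about-filepath-rules`), so it may not resolve in the build; add the extension. The new sentence still leaves the bit numbering unspecified: say whether bit 0 is the least significant bit of the Options value after the hex-to-binary conversion, and write "Code Integrity event 3099" rather than "Code integrity 3099 event".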
@@ -95,13 +95,13 @@ Below are the policy options in event 3099.
| 3 | Enabled:Boot Menu Protection |
| 4 | Enabled:Intelligent Security Graph Authorization |
| 5 | Enabled:Invalidate EAs on Reboot |
-| 7 |Required:WHQL |
+| 7 | Required:WHQL |
| 8 | Enabled:Developer Dynamic Code Security |
-| 9 | Enabled: No Revalidation Upon Refresh |
+| 9 | Enabled:No Revalidation Upon Refresh |
| 10 | Enabled:Allow Supplemental Policies |
| 11 | Disabled:Runtime FilePath Rule Protection |
-| 13 | Enabled: Revoked Expired As Unsigned |
-| 16 |Enabled:Audit Mode (Default) |
+| 13 | Enabled:Revoked Expired As Unsigned |
+| 16 | Enabled:Audit Mode (Default) |
| 17 | Disabled:Flight Signing |
| 18 | Enabled:Inherit Default Policy |
| 19 | Enabled:Unsigned System Integrity Policy (Default) |
@@ -111,9 +111,9 @@ Below are the policy options in event 3099.
| 23 | Enabled:Advanced Boot Options Menu |
| 24 | Disabled:Script Enforcement |
| 25 | Required:Enforce Store Applications |
-| 26 | Enabled: Host Policy Enforcement |
-| 27 |Enabled:Managed Installer |
-| 28 |Enabled:Update Policy No Reboot |
+| 26 | Enabled:Host Policy Enforcement |
+| 27 | Enabled:Managed Installer |
+| 28 | Enabled:Update Policy No Reboot |
## Appendix
A list of other relevant event IDs and their corresponding description.
diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
index 0d7b426112..8f9b6ac45d 100644
--- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
+++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
@@ -70,7 +70,7 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru
| **17 Enabled:Allow Supplemental Policies** | Use this option on a base policy to allow supplemental policies to expand it. NOTE: This option is only supported on Windows 10, version 1903, and above. | No |
| **18 Disabled:Runtime FilePath Rule Protection** | This option disables the default runtime check that only allows FilePath rules for paths that are only writable by an administrator. NOTE: This option is only supported on Windows 10, version 1903, and above. | Yes |
| **19 Enabled:Dynamic Code Security** | Enables policy enforcement for .NET applications and dynamically loaded libraries. NOTE: This option is only supported on Windows 10, version 1803, and above. | No |
-| **20 Enabled:Revoked Expired As Unsigned** | Use this option to treat binaries signed with an expired and/or revoked certificates as "Unsigned binaries" for user mode process/components under enterprise signing scenarios. | No |
+| **20 Enabled:Revoked Expired As Unsigned** | Use this option to treat binaries signed with expired and/or revoked certificates as "Unsigned binaries" for user-mode process/components under enterprise signing scenarios. | No |
## Windows Defender Application Control file rule levels
From 1a8058fe21ccf0ab46e13cd1aaa32c87fe34c90a Mon Sep 17 00:00:00 2001
From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit>
Date: Thu, 29 Jul 2021 14:18:25 -0700
Subject: [PATCH 11/68] Update feature-availability.md
---
.../feature-availability.md | 30 +++++++++----------
1 file changed, 15 insertions(+), 15 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/feature-availability.md b/windows/security/threat-protection/windows-defender-application-control/feature-availability.md
index 16dd454c61..2116fe20d2 100644
--- a/windows/security/threat-protection/windows-defender-application-control/feature-availability.md
+++ b/windows/security/threat-protection/windows-defender-application-control/feature-availability.md
@@ -14,7 +14,7 @@ author: denisebmsft
ms.reviewer: isbrahm
ms.author: deniseb
manager: dansimp
-ms.date: 04/15/2020
+ms.date: 07/29/2021
ms.custom: asr
ms.technology: mde
---
@@ -26,18 +26,18 @@ ms.technology: mde
- Windows 10
- Windows Server 2016 and above
-| Capability | WDAC | AppLocker |
-|-----------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Platform support | Available on Windows 10 | Available on Windows 8+ |
-| SKU availability | Cmdlets are available on all SKUs on 1909+ builds.
For pre-1909 builds, cmdlets are only available on Enterprise but policies are effective on all SKUs. | Policies deployed through GP are only effective on Enterprise devices.
Policies deployed through MDM are effective on all SKUs. |
-| Management solutions | - [Intune](./deploy-windows-defender-application-control-policies-using-intune.md) (limited built-in policies or custom policy deployment via OMA-URI)
- [Microsoft Endpoint Manager Configuration Manager (MEMCM)](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) (limited built-in policies or custom policy deployment via Software Distribution)
- [Group Policy](./deploy-windows-defender-application-control-policies-using-group-policy.md)
- PowerShell
| - [Intune](/windows/client-management/mdm/applocker-csp) (custom policy deployment via OMA-URI only)
- MEMCM (custom policy deployment via Software Distribution only)
- [Group Policy](./applocker/determine-group-policy-structure-and-rule-enforcement.md)
- PowerShell
|
-| Per-User and Per-User group rules | Not available (policies are device-wide) | Available on Windows 8+ |
-| Kernel mode policies | Available on all Windows 10 versions | Not available |
-| Per-app rules | [Available on 1703+](./use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md) | Not available |
-| Managed Installer (MI) | [Available on 1703+](./configure-authorized-apps-deployed-with-a-managed-installer.md) | Not available |
-| Reputation-Based intelligence | [Available on 1709+](./use-windows-defender-application-control-with-intelligent-security-graph.md) | Not available |
-| Multiple policy support | [Available on 1903+](./deploy-multiple-windows-defender-application-control-policies.md) | Not available |
-| Path-based rules | [Available on 1903+.](./select-types-of-rules-to-create.md#more-information-about-filepath-rules) Exclusions are not supported. Runtime user-writeability check enforced by default. | Available on Windows 8+. Exclusions are supported. No runtime user-writeability check. |
-| COM object configurability | [Available on 1903+](./allow-com-object-registration-in-windows-defender-application-control-policy.md) | Not available |
-| Packaged app rules | [Available on RS5+](./manage-packaged-apps-with-windows-defender-application-control.md) | Available on Windows 8+ |
+| Capability | WDAC | AppLocker |
+|-------------|------|-------------|
+| Platform support | Available on Windows 10 | Available on Windows 8+ |
+| SKU availability | Cmdlets are available on all SKUs on 1909+ builds.
For pre-1909 builds, cmdlets are only available on Enterprise but policies are effective on all SKUs. | Policies deployed through GP are only effective on Enterprise devices.
Policies deployed through MDM are effective on all SKUs. |
+| Management solutions | - [Intune](./deploy-windows-defender-application-control-policies-using-intune.md) (limited built-in policies or custom policy deployment via OMA-URI)
- [Microsoft Endpoint Manager Configuration Manager (MEMCM)](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) (limited built-in policies or custom policy deployment via Software Distribution)
- [Group Policy](./deploy-windows-defender-application-control-policies-using-group-policy.md)
- PowerShell
| - [Intune](/windows/client-management/mdm/applocker-csp) (custom policy deployment via OMA-URI only)
- MEMCM (custom policy deployment via Software Distribution only)
- [Group Policy](./applocker/determine-group-policy-structure-and-rule-enforcement.md)
- PowerShell
|
+| Per-User and Per-User group rules | Not available (policies are device-wide) | Available on Windows 8+ |
+| Kernel mode policies | Available on all Windows 10 versions | Not available |
+| Per-app rules | [Available on 1703+](./use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md) | Not available |
+| Managed Installer (MI) | [Available on 1703+](./configure-authorized-apps-deployed-with-a-managed-installer.md) | Not available |
+| Reputation-Based intelligence | [Available on 1709+](./use-windows-defender-application-control-with-intelligent-security-graph.md) | Not available |
+| Multiple policy support | [Available on 1903+](./deploy-multiple-windows-defender-application-control-policies.md) | Not available |
+| Path-based rules | [Available on 1903+.](./select-types-of-rules-to-create.md#more-information-about-filepath-rules) Exclusions are not supported. Runtime user-writeability check enforced by default. | Available on Windows 8+. Exclusions are supported. No runtime user-writeability check. |
+| COM object configurability | [Available on 1903+](./allow-com-object-registration-in-windows-defender-application-control-policy.md) | Not available |
+| Packaged app rules | [Available on RS5+](./manage-packaged-apps-with-windows-defender-application-control.md) | Available on Windows 8+ |
| Enforceable file types | - Driver files: .sys
- Executable files: .exe and .com
- DLLs: .dll and .ocx
- Windows Installer files: .msi, .mst, and .msp
- Scripts: .ps1, .vbs, and .js
- Packaged apps and packaged app installers: .appx
| - Executable files: .exe and .com
- [Optional] DLLs: .dll and .ocx
- Windows Installer files: .msi, .mst, and .msp
- Scripts: .ps1, .bat, .cmd, .vbs, and .js
- Packaged apps and packaged app installers: .appx
|
\ No newline at end of file
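Review bot: The multi-line cells in the `SKU availability`, `Management solutions` and `Enforceable file types` rows will not render as table cells: a markdown table needs each row on a single line, so the continuation lines (`For pre-1909 builds, ...`, `- [Intune](...)`, `- Executable files: ...` and so on) break the table and the bulleted text lands outside it. Join each cell onto one line and separate the items with `<br>` (for example `Cmdlets are available on all SKUs on 1909+ builds.<br>For pre-1909 builds, cmdlets are only available on Enterprise ...`), or use an HTML `<ul>` inside the cell if the bullets should be kept.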
From 52ee33f68692148a4caa489df5b708182d3b897d Mon Sep 17 00:00:00 2001
From: denisebmsft <18405051+denisebmsft@users.noreply.github.comgit>
Date: Thu, 29 Jul 2021 14:20:17 -0700
Subject: [PATCH 12/68] Update feature-availability.md
---
.../feature-availability.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/feature-availability.md b/windows/security/threat-protection/windows-defender-application-control/feature-availability.md
index 2116fe20d2..0f9af0978c 100644
--- a/windows/security/threat-protection/windows-defender-application-control/feature-availability.md
+++ b/windows/security/threat-protection/windows-defender-application-control/feature-availability.md
@@ -37,7 +37,7 @@ ms.technology: mde
| Managed Installer (MI) | [Available on 1703+](./configure-authorized-apps-deployed-with-a-managed-installer.md) | Not available |
| Reputation-Based intelligence | [Available on 1709+](./use-windows-defender-application-control-with-intelligent-security-graph.md) | Not available |
| Multiple policy support | [Available on 1903+](./deploy-multiple-windows-defender-application-control-policies.md) | Not available |
-| Path-based rules | [Available on 1903+.](./select-types-of-rules-to-create.md#more-information-about-filepath-rules) Exclusions are not supported. Runtime user-writeability check enforced by default. | Available on Windows 8+. Exclusions are supported. No runtime user-writeability check. |
+| Path-based rules | [Available on 1903+.](./select-types-of-rules-to-create.md#more-information-about-filepath-rules) Exclusions are not supported. Runtime user-writeability checks enforced by default. | Available on Windows 8+. Exclusions are supported. No runtime user-writeability check. |
| COM object configurability | [Available on 1903+](./allow-com-object-registration-in-windows-defender-application-control-policy.md) | Not available |
| Packaged app rules | [Available on RS5+](./manage-packaged-apps-with-windows-defender-application-control.md) | Available on Windows 8+ |
| Enforceable file types | - Driver files: .sys
- Executable files: .exe and .com
- DLLs: .dll and .ocx
- Windows Installer files: .msi, .mst, and .msp
- Scripts: .ps1, .vbs, and .js
- Packaged apps and packaged app installers: .appx
| - Executable files: .exe and .com
- [Optional] DLLs: .dll and .ocx
- Windows Installer files: .msi, .mst, and .msp
- Scripts: .ps1, .bat, .cmd, .vbs, and .js
- Packaged apps and packaged app installers: .appx
|
\ No newline at end of file
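Review bot: The edited `Path-based rules` row now says "Runtime user-writeability checks enforced by default" in the WDAC column while the AppLocker column in the same row still says "No runtime user-writeability check"; use the same number (singular or plural) in both cells so the columns stay parallel.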
From 78c219b8c32a85cf859419534dc9875672a3c2ce Mon Sep 17 00:00:00 2001
From: VLG17 <41186174+VLG17@users.noreply.github.com>
Date: Fri, 30 Jul 2021 10:51:06 +0300
Subject: [PATCH 13/68] update info
https://github.com/MicrosoftDocs/windows-itpro-docs/issues/9521
---
.../mdm/clientcertificateinstall-csp.md | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/windows/client-management/mdm/clientcertificateinstall-csp.md b/windows/client-management/mdm/clientcertificateinstall-csp.md
index 1e66232f8b..4d4367df3c 100644
--- a/windows/client-management/mdm/clientcertificateinstall-csp.md
+++ b/windows/client-management/mdm/clientcertificateinstall-csp.md
@@ -205,11 +205,8 @@ Supported operations are Add, Get, Delete, and Replace.
Required. Specifies extended key usages. Subject to SCEP server configuration. The list of OIDs are separated by a plus +. For example, OID1+OID2+OID3.
Data type is string.
-Required for enrollment. Specifies the key usage bits (0x80, 0x20, 0xA0, etc.) for the certificate in decimal format. The value should at least have the second (0x20), fourth (0x80) or both bits set. If the value doesn’t have those bits set, the configuration will fail.
-Data type is int.
-
-Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Get, Add, Delete, and Replace.
**ClientCertificateInstall/SCEP/*UniqueID*/Install/SubjectName**
Required. Specifies the subject name.
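Review bot: The replacement line `+Supported operations are Get, Add, Delete, and Replace.` reorders the operations list for no functional reason; the `@@` context line and the second hunk of this same patch both use `Supported operations are Add, Get, Delete, and Replace.` Keep the original order so the wording is consistent across nodes. Removing the `Required for enrollment ... Data type is int.` block here is correct, since that text describes KeyUsage, not ExtendedKeyUsages.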
@@ -242,7 +239,9 @@ Supported operations are Add, Get, Delete, and Replace.
**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyUsage**
Required for enrollment. Specify the key usage bits (0x80, 0x20, 0xA0, etc.) for the certificate in decimal format. The value should at least have second (0x20) or forth (0x80) or both bits set. If the value doesn’t have those bits set, configuration will fail.
- Supported operations are Add, Get, Delete, and Replace. Value type is integer.
+Data type is int.
+
+Supported operations are Add, Get, Delete, and Replace.
**ClientCertificateInstall/SCEP/*UniqueID*/Install/RetryDelay**
Optional. When the SCEP server sends a pending status, this value specifies the device retry waiting time in minutes.
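Review bot: The context line `Required for enrollment. Specify the key usage bits ... second (0x20) or forth (0x80) ...` still carries the typo "forth" (should be "fourth") and is missing "the" before "second"; the paragraph deleted in the previous hunk had the corrected wording ("The value should at least have the second (0x20), fourth (0x80) or both bits set. If the value doesn't have those bits set, the configuration will fail."), so carry that wording over while this node is being edited.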
@@ -700,4 +699,4 @@ Add a PFX certificate. The PFX certificate password is encrypted with a custom c
## Related topics
-[Configuration service provider reference](configuration-service-provider-reference.md)
\ No newline at end of file
+[Configuration service provider reference](configuration-service-provider-reference.md)
From 74eb90a8d76b05500ccf9ce20583614a5575ea2a Mon Sep 17 00:00:00 2001
From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com>
Date: Fri, 30 Jul 2021 17:46:30 +0530
Subject: [PATCH 14/68] Added powershell commands
as per user feedback #9824, so I added correct commands after verification from the Windows 11 Dev Channel.
Also, I found that TWO screenshots are really old, so I want to add new screenshots.
---
...tion-based-protection-of-code-integrity.md | 26 +++++++++++++++----
1 file changed, 21 insertions(+), 5 deletions(-)
diff --git a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
index 0628013832..e0a2325d8c 100644
--- a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
@@ -103,7 +103,11 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualiza
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f
```
-> To enable **VBS with Secure Boot and DMA (value 3)**, in the preceding command, change **/d 1** to **/d 3**.
+**To enable VBS with Secure Boot and DMA (value 3)**
+
+``` command
+reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 3 /f
+```
**To enable VBS without UEFI lock (value 0)**
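Review bot: The new fence "``` command" uses `command` as the info string, which is not a recognized language identifier for syntax highlighting; use the same info string as the `reg add` block closed immediately above it, or `cmd`/`console`, and apply the same choice to the other three blocks added in this patch. Since each new command differs from the one above it only in the `/d` value, a short sentence pointing that out would help readers spot the difference between the two near-identical lines.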
@@ -111,7 +115,11 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformS
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 0 /f
```
-> To enable **VBS with UEFI lock (value 1)**, in the preceding command, change **/d 0** to **/d 1**.
+**To enable VBS with UEFI lock (value 1)**
+
+``` command
+reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 1 /f
+```
**To enable virtualization-based protection of Code Integrity policies**
@@ -125,7 +133,11 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorE
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f
```
-> To enable **virtualization-based protection of Code Integrity policies with UEFI lock (value 1)**, in the preceding command, change **/d 0** to **/d 1**.
+**To enable virtualization-based protection of Code Integrity policies with UEFI lock (value 1)**
+
+``` command
+reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 1 /f
+```
#### For Windows 10 version 1511 and earlier
@@ -155,7 +167,11 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualiza
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f
```
-> To enable **VBS with Secure Boot and DMA (value 3)**, in the preceding command, change **/d 1** to **/d 3**.
+**To enable VBS with Secure Boot and DMA (value 3)**
+
+``` command
+reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 3 /f
+```
**To enable virtualization-based protection of Code Integrity policies (with the default, UEFI lock)**
@@ -296,4 +312,4 @@ Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true
- The Hyper-V virtual machine must be Generation 2, and running at least Windows Server 2016 or Windows 10.
- HVCI and [nested virtualization](/virtualization/hyper-v-on-windows/user-guide/nested-virtualization) can be enabled at the same time
- Virtual Fibre Channel adapters are not compatible with HVCI. Before attaching a virtual Fibre Channel Adapter to a virtual machine, you must first opt out of virtualization-based security using `Set-VMSecurity`.
-- The AllowFullSCSICommandSet option for pass-through disks is not compatible with HVCI. Before configuring a pass-through disk with AllowFullSCSICommandSet, you must first opt out of virtualization-based security using `Set-VMSecurity`.
\ No newline at end of file
+- The AllowFullSCSICommandSet option for pass-through disks is not compatible with HVCI. Before configuring a pass-through disk with AllowFullSCSICommandSet, you must first opt out of virtualization-based security using `Set-VMSecurity`.
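Review bot: The hunk header context `Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true` shows `-VMName` with no argument, so the sample command is invalid as written; add a placeholder such as `-VMName <VMName>` while this section is being touched. The trailing-newline fix itself is fine.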
From 2cf0c6cf1b87c64594c832e8b63c3be4ded916d8 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Fri, 30 Jul 2021 09:04:29 -0700
Subject: [PATCH 15/68] Update
enable-virtualization-based-protection-of-code-integrity.md
---
.../enable-virtualization-based-protection-of-code-integrity.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
index e0a2325d8c..429cc12f93 100644
--- a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
@@ -10,7 +10,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 04/01/2019
+ms.date: 07/30/2021
ms.reviewer:
ms.technology: mde
---
From c3f2ec88662b21ff6daa1d3645b5ad0e56895b1f Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Fri, 30 Jul 2021 09:06:06 -0700
Subject: [PATCH 16/68] Update clientcertificateinstall-csp.md
---
windows/client-management/mdm/clientcertificateinstall-csp.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/client-management/mdm/clientcertificateinstall-csp.md b/windows/client-management/mdm/clientcertificateinstall-csp.md
index 4d4367df3c..ffb8f4fa5d 100644
--- a/windows/client-management/mdm/clientcertificateinstall-csp.md
+++ b/windows/client-management/mdm/clientcertificateinstall-csp.md
@@ -9,7 +9,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
-ms.date: 02/28/2020
+ms.date: 07/30/2021
---
# ClientCertificateInstall CSP
From dabb276d99a1ef9c5b264fa1f022849425feb276 Mon Sep 17 00:00:00 2001
From: greg-lindsay
Date: Fri, 30 Jul 2021 12:43:19 -0700
Subject: [PATCH 17/68] add diagnostic page info
---
windows/deployment/deploy-whats-new.md | 10 ++++++++--
windows/whats-new/windows-11-prepare.md | 2 +-
2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md
index 6c5df77f39..084c1d13cc 100644
--- a/windows/deployment/deploy-whats-new.md
+++ b/windows/deployment/deploy-whats-new.md
@@ -28,7 +28,11 @@ This topic provides an overview of new solutions and online content related to d
- For an all-up overview of new features in Windows 10, see [What's new in Windows 10](/windows/whats-new/index).
-## Latest news
+## [Preview] Windows Autopilot diagnostics page
+
+When you deploy Windows 11 with Autopilot, you can enable users to view additional information about the Autopilot provisioning process. A new **Windows Autopilot diagnostics Page** is available to provide IT admins and end users with a user-friendly view to troubleshoot Autopilot failures. For more information, see [Windows Autopilot: What's new](/mem/autopilot/windows-autopilot-whats-new#preview-windows-autopilot-diagnostics-page).
+
+## Windows 11
Check out the following new articles about Windows 11:
- [Overview of Windows 11](/windows/whats-new/windows-11)
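Review bot: In `+... A new **Windows Autopilot diagnostics Page** is available ...` the capitalization "diagnostics Page" does not match the heading `## [Preview] Windows Autopilot diagnostics page` two lines above or the linked anchor; use "diagnostics page" consistently.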
@@ -37,7 +41,9 @@ Check out the following new articles about Windows 11:
The [Windows ADK for Windows 11](/windows-hardware/get-started/adk-install) is available.
-[SetupDiag](#setupdiag) is included with Windows 10, version 2004 and later.
+## Deployment tools
+
+[SetupDiag](#setupdiag) is included with Windows 10, version 2004 and later, and Windows 11.
New capabilities are available for [Delivery Optimization](#delivery-optimization) and [Windows Update for Business](#windows-update-for-business).
VPN support is added to [Windows Autopilot](#windows-autopilot)
An in-place upgrade wizard is available in [Configuration Manager](#microsoft-endpoint-configuration-manager).
diff --git a/windows/whats-new/windows-11-prepare.md b/windows/whats-new/windows-11-prepare.md
index 5d395a418c..f2dedd5144 100644
--- a/windows/whats-new/windows-11-prepare.md
+++ b/windows/whats-new/windows-11-prepare.md
@@ -55,7 +55,7 @@ If you aren’t already taking advantage of cloud-based management capabilities,
The following are some common use cases and the corresponding Microsoft Endpoint Manager capabilities that support them:
-- **Provision and pre-configure new Windows 11 devices**: [Windows Autopilot](/mem/autopilot/windows-autopilot) enables you to deploy new Windows 11 devices in a “business-ready” state that includes your desired applications, settings, and policies. It can also be used to change the edition of Windows. For example, you can upgrade from Pro to Enterprise edition and gain the use of advanced features.
+- **Provision and pre-configure new Windows 11 devices**: [Windows Autopilot](/mem/autopilot/windows-autopilot) enables you to deploy new Windows 11 devices in a “business-ready” state that includes your desired applications, settings, and policies. It can also be used to change the edition of Windows. For example, you can upgrade from Pro to Enterprise edition and gain the use of advanced features. The [Windows Autopilot diagnostics page](/mem/autopilot/windows-autopilot-whats-new#preview-windows-autopilot-diagnostics-page) is new feature that is available when you use in Windows Autopilot to deploy Windows 11.
- **Configure rules and control settings for users, apps, and devices**: When you enroll devices in [Microsoft Intune](/mem/intune/fundamentals/what-is-intune), administrators have full control over apps, settings, features, and security for both Windows 11 and Windows 10. You can also use app protection policies to require multi-factor authentication (MFA) for specific apps.
- **Streamline device management for frontline, remote, and onsite workers**: Introduced with Windows 10, [cloud configuration](/mem/intune/fundamentals/cloud-configuration) is a standard, easy-to-manage, device configuration that is cloud-optimized for users with specific workflow needs. It can be deployed to devices running the Pro, Enterprise, and Education editions of Windows 11 by using Microsoft Endpoint Manager.
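Review bot: The sentence appended to the Autopilot bullet, `The [Windows Autopilot diagnostics page](...) is new feature that is available when you use in Windows Autopilot to deploy Windows 11.`, has a missing article and a stray "in". Suggest: "The Windows Autopilot diagnostics page is a new feature that is available when you use Windows Autopilot to deploy Windows 11."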
From 6b86e2088932a2a3d48050666cf988b9b5a95bac Mon Sep 17 00:00:00 2001
From: VLG17 <41186174+VLG17@users.noreply.github.com>
Date: Mon, 2 Aug 2021 15:43:29 +0300
Subject: [PATCH 18/68] Registry info update
https://github.com/MicrosoftDocs/windows-itpro-docs/issues/9537
---
...n-controller-refuse-machine-account-password-changes.md | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md b/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md
index 7a2193fd9c..60cec5d3f7 100644
--- a/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md
+++ b/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md
@@ -51,6 +51,13 @@ This policy setting enables or disables blocking a domain controller from accept
Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
+The policy referenced configures the following registry value:
+
+Registry Hive: HKEY_LOCAL_MACHINE
+Registry Path: \System\CurrentControlSet\Services\Netlogon\Parameters\
+
+Value Name: RefusePasswordChange
+
### Default values
The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page.
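Review bot: The added registry block gives the hive, path and value name but no value type and no mapping from the policy's Enabled/Disabled/Not defined states to registry data, so an administrator cannot verify or audit the setting from the registry alone; add the type and the data written for each state. Formatting: `+Registry Hive: HKEY_LOCAL_MACHINE` and `+Registry Path: \System\CurrentControlSet\Services\Netlogon\Parameters\` are consecutive lines with no blank line or list marker, so markdown will merge them into one paragraph; put them in a list or separate them with blank lines. "The policy referenced configures" also reads awkwardly; "This policy setting configures" is clearer.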
From 61534ecbc113da7cac2c5ca3a17dd2df586ece0c Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Mon, 2 Aug 2021 09:35:58 -0700
Subject: [PATCH 19/68] Update
domain-controller-refuse-machine-account-password-changes.md
---
...refuse-machine-account-password-changes.md | 27 +++++++------------
1 file changed, 10 insertions(+), 17 deletions(-)
diff --git a/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md b/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md
index 60cec5d3f7..31325347d6 100644
--- a/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md
+++ b/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md
@@ -14,7 +14,6 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 04/19/2017
ms.technology: mde
---
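Review bot: `-ms.date: 04/19/2017` drops the date key entirely, whereas the other commits in this series (for example `+ms.date: 07/30/2021` in the two preceding patches) update it to the current date; unless the removal is intentional under the docs metadata rules, update the value rather than deleting the key.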
@@ -31,17 +30,11 @@ This policy setting enables or disables blocking a domain controller from accept
### Possible values
-- Enabled
+- **Enabled** When enabled, this setting does not allow a domain controller to accept any changes to a machine account's password.
- When enabled, this setting does not allow a domain controller to accept any changes to a machine account's password.
+- **Disabled** When disabled, this setting allows a domain controller to accept any changes to a machine account's password.
-- Disabled
-
- When disabled, this setting allows a domain controller to accept any changes to a machine account's password.
-
-- Not defined
-
- Same as Disabled.
+- **Not defined** Same as Disabled.
### Best practices
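Review bot: In `+- **Enabled** When enabled, this setting does not allow ...` the bold label runs straight into the sentence with no separator, and "When enabled" repeats the label; the same applies to the **Disabled** and **Not defined** items. Suggest `- **Enabled**: Does not allow a domain controller to accept any changes to a machine account's password.` and the corresponding form for the other two.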
@@ -63,13 +56,13 @@ Value Name: RefusePasswordChange
The following table lists the actual and effective default values for this policy. Default values are also listed on the policy’s property page.
| Server type or GPO | Default value |
-| - | - |
-| Default Domain Policy | Not defined|
-| Default Domain Controller Policy | Not defined|
-| Stand-Alone Server Default Settings | Not defined|
-| DC Effective Default Settings | Disabled|
-| Member Server Effective Default Settings | Disabled|
-| Client Computer Effective Default Settings | Not applicable|
+|---|---|
+| Default Domain Policy | Not defined |
+| Default Domain Controller Policy | Not defined |
+| Stand-Alone Server Default Settings | Not defined |
+| DC Effective Default Settings | Disabled |
+| Member Server Effective Default Settings | Disabled |
+| Client Computer Effective Default Settings | Not applicable |
## Policy management
From 20f3b55c1616b754a0a1fd8620bfd30511831146 Mon Sep 17 00:00:00 2001
From: Kim Klein
Date: Mon, 2 Aug 2021 10:07:49 -0700
Subject: [PATCH 20/68] Updated the last of the suggestions.
---
.../event-id-explanations.md | 3 ---
1 file changed, 3 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
index e3ae7a65ba..ff7f78475a 100644
--- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
+++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
@@ -96,8 +96,6 @@ The WDAC policy rule-option values can be derived from the "Options" field in th
| 4 | Enabled:Intelligent Security Graph Authorization |
| 5 | Enabled:Invalidate EAs on Reboot |
| 7 | Required:WHQL |
-| 8 | Enabled:Developer Dynamic Code Security |
-| 9 | Enabled:No Revalidation Upon Refresh |
| 10 | Enabled:Allow Supplemental Policies |
| 11 | Disabled:Runtime FilePath Rule Protection |
| 13 | Enabled:Revoked Expired As Unsigned |
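Review bot: Removing `| 8 | Enabled:Developer Dynamic Code Security |` and `| 9 | Enabled:No Revalidation Upon Refresh |` leaves an unexplained gap between 7 and 10 in the rule-option table; a reader decoding the "Options" field of an event that has those bits set will have no way to interpret them. If these options are reserved or intentionally undocumented, keep a row that says so rather than dropping them silently.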
@@ -111,7 +109,6 @@ The WDAC policy rule-option values can be derived from the "Options" field in th
| 23 | Enabled:Advanced Boot Options Menu |
| 24 | Disabled:Script Enforcement |
| 25 | Required:Enforce Store Applications |
-| 26 | Enabled:Host Policy Enforcement |
| 27 | Enabled:Managed Installer |
| 28 | Enabled:Update Policy No Reboot |
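Review bot: Same concern as the previous hunk for `-| 26 | Enabled:Host Policy Enforcement |`: the table now jumps from 25 to 27 with no indication of what value 26 means.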
From a1bf5c0280eeb670b19aa412cdd719f2036801fe Mon Sep 17 00:00:00 2001
From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com>
Date: Tue, 3 Aug 2021 15:25:24 +0530
Subject: [PATCH 21/68] Update defender-csp.md
---
windows/client-management/mdm/defender-csp.md | 166 ++++++++++++++++++
1 file changed, 166 insertions(+)
diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md
index c66d28ae30..8546b958f3 100644
--- a/windows/client-management/mdm/defender-csp.md
+++ b/windows/client-management/mdm/defender-csp.md
@@ -35,6 +35,18 @@ Defender
------------InitialDetectionTime
------------LastThreatStatusChangeTime
------------NumberOfDetections
+----EnableNetworkProtection
+--------AllowNetworkProtectionDownLevel
+--------AllowNetworkProtectionOnWinServer
+--------DisableNetworkProtectionPerfTelemetry
+--------DisableDatagramProcessing
+--------DisableInboundConnectionFiltering
+--------EnableDnsSinkhole
+--------DisableDnsOverTcpParsing
+--------DisableHttpParsing
+--------DisableRdpParsing
+--------DisableSshParsing
+--------DisableTlsParsing
----Health
--------ProductStatus (Added in Windows 10 version 1809)
--------ComputerState
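Review bot: The added tree is missing a `DisableDnsParsing` node: this patch later documents `**EnableNetworkProtection/DisableDnsParsing**` (UDP DNS inspection), but the tree lists only `--------DisableDnsOverTcpParsing`. Add `--------DisableDnsParsing` so the tree matches the documented nodes.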
@@ -189,6 +201,27 @@ The following list shows the supported values:
Supported operation is Get.
+**Detections/*ThreatId*/CurrentStatus**
+Information about the current status of the threat.
+
+The data type is integer.
+
+The following list shows the supported values:
+
+- 0 = Active
+- 1 = Action failed
+- 2 = Manual steps required
+- 3 = Full scan required
+- 4 = Reboot required
+- 5 = Remediated with noncritical failures
+- 6 = Quarantined
+- 7 = Removed
+- 8 = Cleaned
+- 9 = Allowed
+- 10 = No Status ( Cleared)
+
+Supported operation is Get.
+
**Detections/*ThreatId*/ExecutionStatus**
Information about the execution status of the threat.
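Review bot: `+- 10 = No Status ( Cleared)` has a stray space after the opening parenthesis; it should read `No Status (Cleared)`.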
@@ -217,6 +250,139 @@ The data type is integer.
Supported operation is Get.
+**EnableNetworkProtection**
+
+The Network Protection Service is a network filter that helps to protect you against web-based malicious threats, including phishing and malware. The Network Protection service contacts the SmartScreen URL reputation service to validate the safety of connections to web resources.
+The acceptable values for this parameter are:
+- 0: Disabled. The Network Protection service will not block navigations to malicious websites, or contact the SmartScreen URL reputation service. It will still send connection metadata to the antimalware engine if behavior monitoring is enabled, to enhance AV Detections.
+- 1: Enabled. The Network Protection service will block connections to malicious websites based on URL Reputation from the SmartScreen URL reputation service.
+- 2: AuditMode. As above, but the Network Protection service will not block connections to malicious websites, but will instead log the access to the event log.
+
+Accepted values: Disabled, Enabled, and AuditMode
+Position: Named
+Default value: Disabled
+Accept pipeline input: False
+Accept wildcard characters: False
+
+**EnableNetworkProtection/AllowNetworkProtectionDownLevel**
+
+By default, network protection is not allowed to be enabled on Windows versions before 1709, regardless of the setting of the EnableNetworkProtection configuration. Set this configuration to "$true" to override that behavior and allow Network Protection to be set to Enabled or Audit Mode.
+- Type: Boolean
+- Position: Named
+- Default value: False
+- Accept pipeline input: False
+- Accept wildcard characters: False
+
+**EnableNetworkProtection/AllowNetworkProtectionOnWinServer**
+
+By default, network protection is not allowed to be enabled on Windows Server, regardless of the setting of the EnableNetworkProtection configuration. Set this configuration to "$true" to override that behavior and allow Network Protection to be set to Enabled or Audit Mode.
+
+- Type: Boolean
+- Position: Named
+- Default value: False
+- Accept pipeline input: False
+- Accept wildcard characters: False
+
+**EnableNetworkProtection/DisableNetworkProtectionPerfTelemetry**
+
+Network Protection sends up anonymized performance statistics about its connection monitoring to improve our product and help to find bugs. You can disable this behavior by setting this configuration to "$true".
+
+- Type: Boolean
+- Position: Named
+- Default value: False
+- Accept pipeline input: False
+- Accept wildcard characters: False
+
+**EnableNetworkProtection/DisableDatagramProcessing**
+
+Network Protection inspects UDP connections allowing us to find malicious DNS or other UDP Traffic. To disable this functionality, set this configuration to "$true".
+
+- Type: Boolean
+- Position: Named
+- Default value: False
+- Accept pipeline input: False
+- Accept wildcard characters: False
+
+**EnableNetworkProtection/DisableInboundConnectionFiltering**
+
+Network Protection inspects and can block both connections that originates from the host machine, as well as those that originates from outside the machine. To have network connection to inspect only outbound connections, set this configuration to "$true".
+
+- Type: Boolean
+- Position: Named
+- Default value: False
+- Accept pipeline input: False
+- Accept wildcard characters: False
+
+**EnableNetworkProtection/EnableDnsSinkhole**
+
+Network Protection can inspect the DNS traffic of a machine and, in conjunction with behavior monitoring, detect and sinkhole DNS exfiltration attempts and other DNS based malicious attacks. Set this configuration to "$true" to enable this feature.
+
+- Type: Boolean
+- Position: Named
+- Default value: False
+- Accept pipeline input: False
+- Accept wildcard characters: False
+
+**EnableNetworkProtection/DisableDnsOverTcpParsing**
+
+Network Protection inspects DNS traffic that occurs over a TCP channel, to provide metadata for Anti-malware Behavior Monitoring or to allow for DNS Sinkholing if the -EnableDnsSinkhole configuration is set. This can be disabled by setting this value to "$true".
+
+- Type: Boolean
+- Position: Named
+- Default value: False
+- Accept pipeline input: False
+- Accept wildcard characters: False
+
+**EnableNetworkProtection/DisableDnsParsing**
+
+Network Protection inspects DNS traffic that occurs over a UDP channel, to provide metadata for Anti-malware Behavior Monitoring or to allow for DNS Sinkholing if the -EnableDnsSinkhole configuration is set. This can be disabled by setting this value to "$true".
+
+- Type: Boolean
+- Position: Named
+- Default value: False
+- Accept pipeline input: False
+- Accept wildcard characters: False
+
+**EnableNetworkProtection/DisableHttpParsing**
+
+Network Protection inspects HTTP traffic to see if a connection is being made to a malicious website, and to provide metadata to Behavior Monitoring. HTTP connections to malicious websites can also be blocked if -EnableNetworkProtection is set to enabled. HTTP inspection can be disabled by setting this value to "$true".
+
+- Type: Boolean
+- Position: Named
+- Default value: False
+- Accept pipeline input: False
+- Accept wildcard characters: False
+
+**EnableNetworkProtection/DisableRdpParsing**
+
+Network Protection inspects RDP traffic so that it can block connections from known malicious hosts if -EnableNetworkProtection is set to enabled, and to provide metadata to behavior monitoring. RDP inspection can be disabled by setting this value to "$true".
+
+- Type: Boolean
+- Position: Named
+- Default value: False
+- Accept pipeline input: False
+- Accept wildcard characters: False
+
+**EnableNetworkProtection/DisableSshParsing**
+
+Network Protection inspects SSH traffic, so that it can block connections from known malicious hosts. if -EnableNetworkProtection is set to enabled, and to provide metadata to behavior monitoring. SSH inspection can be disabled by setting this value to "$true".
+
+- Type: Boolean
+- Position: Named
+- Default value: False
+- Accept pipeline input: False
+- Accept wildcard characters: False
+
+**EnableNetworkProtection/DisableTlsParsing**
+
+Network Protection inspects TLS traffic (also known as HTTPS traffic) to see if a connection is being made to a malicious website, and to provide metadata to Behavior Monitoring. TLS connections to malicious websites can also be blocked if -EnableNetworkProtection is set to enabled. HTTP inspection can be disabled by setting this value to "$true".
+
+- Type: Boolean
+- Position: Named
+- Default value: False
+- Accept pipeline input: False
+- Accept wildcard characters: False
+
**Health**
An interior node to group information about Windows Defender health status.
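Review bot: The node descriptions in this hunk are PowerShell cmdlet parameter help pasted into a CSP reference: `Position: Named`, `Accept pipeline input: False`, `Accept wildcard characters: False`, `$true`, and cross-references such as `-EnableDnsSinkhole` and `-EnableNetworkProtection` have no meaning for an MDM node. Each node should instead state the data type, the supported operations and the accepted values in the form the CSP takes (for example integer 0/1 for the Boolean nodes, and 0/1/2 for `EnableNetworkProtection`, whose `Accepted values: Disabled, Enabled, and AuditMode` line conflicts with the numeric list just above it), matching the format of the surrounding nodes such as `Detections/*ThreatId*/CurrentStatus`. Text errors to fix in the same pass: `DisableTlsParsing` ends with "HTTP inspection can be disabled" (should be TLS inspection); `DisableSshParsing` has a stray period in "hosts. if -EnableNetworkProtection"; `DisableInboundConnectionFiltering` has "connections that originates" and "To have network connection to inspect only outbound connections" (should be "To have Network Protection inspect only outbound connections").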
From aaf41ed62fe38999860050bb8d44e7a699552867 Mon Sep 17 00:00:00 2001
From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com>
Date: Tue, 3 Aug 2021 15:50:28 +0530
Subject: [PATCH 22/68] Updated
---
windows/client-management/mdm/defender-csp.md | 26 +++++++++----------
1 file changed, 13 insertions(+), 13 deletions(-)
diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md
index 8546b958f3..3acf1cca00 100644
--- a/windows/client-management/mdm/defender-csp.md
+++ b/windows/client-management/mdm/defender-csp.md
@@ -137,7 +137,7 @@ The following table describes the supported values:
| 7 | Remote access Trojan |
| 8 | Trojan |
| 9 | Email flooder |
-| 10 | Keylogger |
+| 10 | Key logger |
| 11 | Dialer |
| 12 | Monitoring software |
| 13 | Browser modifier |
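Review bot: "Keylogger" is the established single-word term (and matches the threat category name used by the product); splitting it into "Key logger" is a regression rather than a fix, so keep the original line.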
@@ -197,7 +197,7 @@ The following list shows the supported values:
- 7 = Removed
- 8 = Cleaned
- 9 = Allowed
-- 10 = No Status ( Cleared)
+- 10 = No Status (Cleared)
Supported operation is Get.
@@ -218,7 +218,7 @@ The following list shows the supported values:
- 7 = Removed
- 8 = Cleaned
- 9 = Allowed
-- 10 = No Status ( Cleared)
+- 10 = No Status (Cleared)
Supported operation is Get.
@@ -254,7 +254,7 @@ Supported operation is Get.
The Network Protection Service is a network filter that helps to protect you against web-based malicious threats, including phishing and malware. The Network Protection service contacts the SmartScreen URL reputation service to validate the safety of connections to web resources.
The acceptable values for this parameter are:
-- 0: Disabled. The Network Protection service will not block navigations to malicious websites, or contact the SmartScreen URL reputation service. It will still send connection metadata to the antimalware engine if behavior monitoring is enabled, to enhance AV Detections.
+- 0: Disabled. The Network Protection service will not block navigation to malicious websites, or contact the SmartScreen URL reputation service. It will still send connection metadata to the antimalware engine if behavior monitoring is enabled, to enhance AV Detections.
- 1: Enabled. The Network Protection service will block connections to malicious websites based on URL Reputation from the SmartScreen URL reputation service.
- 2: AuditMode. As above, but the Network Protection service will not block connections to malicious websites, but will instead log the access to the event log.
@@ -305,7 +305,7 @@ Network Protection inspects UDP connections allowing us to find malicious DNS or
**EnableNetworkProtection/DisableInboundConnectionFiltering**
-Network Protection inspects and can block both connections that originates from the host machine, as well as those that originates from outside the machine. To have network connection to inspect only outbound connections, set this configuration to "$true".
+Network Protection inspects and can block both connections that originate from the host machine, as well as those that originates from outside the machine. To have network connection to inspect only outbound connections, set this configuration to "$true".
- Type: Boolean
- Position: Named
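Review bot: the grammar fix is applied to only the first occurrence; "those that originates from outside the machine" in the same sentence still needs "originate". The second sentence, "To have network connection to inspect only outbound connections", is also unclear; suggest "To have Network Protection inspect only outbound connections, set this configuration to "$true"".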
@@ -315,7 +315,7 @@ Network Protection inspects and can block both connections that originates from
**EnableNetworkProtection/EnableDnsSinkhole**
-Network Protection can inspect the DNS traffic of a machine and, in conjunction with behavior monitoring, detect and sinkhole DNS exfiltration attempts and other DNS based malicious attacks. Set this configuration to "$true" to enable this feature.
+Network Protection can inspect the DNS traffic of a machine and, in conjunction with behavior monitoring, detect and sink hole DNS exfiltration attempts and other DNS based malicious attacks. Set this configuration to "$true" to enable this feature.
- Type: Boolean
- Position: Named
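Review bot: "sink hole" should stay as the single word "sinkhole": that is the standard DNS term and it matches the setting name EnableDnsSinkhole on the line above, so the change introduces an inconsistency between the node name and its description.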
@@ -325,7 +325,7 @@ Network Protection can inspect the DNS traffic of a machine and, in conjunction
**EnableNetworkProtection/DisableDnsOverTcpParsing**
-Network Protection inspects DNS traffic that occurs over a TCP channel, to provide metadata for Anti-malware Behavior Monitoring or to allow for DNS Sinkholing if the -EnableDnsSinkhole configuration is set. This can be disabled by setting this value to "$true".
+Network Protection inspects DNS traffic that occurs over a TCP channel, to provide metadata for Anti-malware Behavior Monitoring or to allow for DNS sink holing if the -EnableDnsSinkhole configuration is set. This can be disabled by setting this value to "$true".
- Type: Boolean
- Position: Named
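Review bot: same point as for EnableDnsSinkhole: keep "DNS sinkholing" as one word so the description matches the -EnableDnsSinkhole name it refers to in the same sentence.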
@@ -335,7 +335,7 @@ Network Protection inspects DNS traffic that occurs over a TCP channel, to provi
**EnableNetworkProtection/DisableDnsParsing**
-Network Protection inspects DNS traffic that occurs over a UDP channel, to provide metadata for Anti-malware Behavior Monitoring or to allow for DNS Sinkholing if the -EnableDnsSinkhole configuration is set. This can be disabled by setting this value to "$true".
+Network Protection inspects DNS traffic that occurs over a UDP channel, to provide metadata for Anti-malware Behavior Monitoring or to allow for DNS sink holing if the -EnableDnsSinkhole configuration is set. This can be disabled by setting this value to "$true".
- Type: Boolean
- Position: Named
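Review bot: same point again: "sink holing" should remain "sinkholing" for consistency with the -EnableDnsSinkhole setting named in the sentence.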
@@ -355,7 +355,7 @@ Network Protection inspects HTTP traffic to see if a connection is being made to
**EnableNetworkProtection/DisableRdpParsing**
-Network Protection inspects RDP traffic so that it can block connections from known malicious hosts if -EnableNetworkProtection is set to enabled, and to provide metadata to behavior monitoring. RDP inspection can be disabled by setting this value to "$true".
+Network Protection inspects RDP traffic so that it can block connections from known malicious hosts if -EnableNetworkProtection is set to be enabled, and to provide metadata to behavior monitoring. RDP inspection can be disabled by setting this value to "$true".
- Type: Boolean
- Position: Named
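Review bot: "set to be enabled" reads worse than the original "set to enabled"; the cleaner wording is "if EnableNetworkProtection is enabled". The same phrase appears in the SSH entry in the next hunk, so whichever form is chosen should be applied to both.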
@@ -365,7 +365,7 @@ Network Protection inspects RDP traffic so that it can block connections from kn
**EnableNetworkProtection/DisableSshParsing**
-Network Protection inspects SSH traffic, so that it can block connections from known malicious hosts. if -EnableNetworkProtection is set to enabled, and to provide metadata to behavior monitoring. SSH inspection can be disabled by setting this value to "$true".
+Network Protection inspects SSH traffic, so that it can block connections from known malicious hosts. If -EnableNetworkProtection is set to be enabled, and to provide metadata to behavior monitoring. SSH inspection can be disabled by setting this value to "$true".
- Type: Boolean
- Position: Named
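Review bot: capitalizing "If" turns the second half into a sentence fragment ("If -EnableNetworkProtection is set to be enabled, and to provide metadata to behavior monitoring."). The underlying defect is the stray full stop after "known malicious hosts"; replace it with a comma so the sentence reads like the RDP entry: "...block connections from known malicious hosts if EnableNetworkProtection is enabled, and to provide metadata to behavior monitoring."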
@@ -414,7 +414,7 @@ Supported product status values:
- Service is shutting down as part of system shutdown = 1 << 16
- Threat remediation failed critically = 1 << 17
- Threat remediation failed non-critically = 1 << 18
-- No status flags set (well initialized state) = 1 << 19
+- No status flags set (well-initialized state) = 1 << 19
- Platform is out of date = 1 << 20
- Platform update is in progress = 1 << 21
- Platform is about to be outdated = 1 << 22
@@ -698,7 +698,7 @@ Beta Channel: Devices set to this channel will be the first to receive new updat
Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments.
-Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%).
+Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested applying to a small, representative part of your production population (~10%).
Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).
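Review bot: "Suggested applying to" is not an improvement over "Suggested to apply to", and it now differs from the unchanged Broad entry two lines below, which still says "Suggested to apply to a broad set of devices". Keep the two entries parallel; "Suggested for a small, representative part of your production population (~10%)" would also match the Preview entry's "Suggested for" wording.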
@@ -727,7 +727,7 @@ Beta Channel: Devices set to this channel will be the first to receive new updat
Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments.
-Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%).
+Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested applying to a small, representative part of your production population (~10%).
Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).
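Review bot: same inconsistency as in the earlier channel hunk: the Staged entry now says "Suggested applying to" while the Broad entry still says "Suggested to apply to"; use one form for both.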
From 7256cfbd44caad772dd4c4d8ca87c240fce1b2e7 Mon Sep 17 00:00:00 2001
From: Daniel Simpson
Date: Tue, 3 Aug 2021 10:16:59 -0700
Subject: [PATCH 23/68] windows-client-security
---
.../credential-guard-not-protected-scenarios.md | 2 +-
windows/security/threat-protection/TOC.yml | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md b/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md
index 66f580bcad..ac64658154 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md
@@ -43,7 +43,7 @@ do not qualify as credentials because they cannot be presented to another comput
## Additional mitigations
-Windows Defender Credential Guard can provide mitigations against attacks on derived credentials and prevent the use of stolen credentials elsewhere. However, PCs can still be vulnerable to certain attacks, even if the derived credentials are protected by Windows Defender Credential Guard. These attacks can include abusing privileges and use of derived credentials directly from a compromised device, reusing previously stolen credentials prior to Windows Defender Device Guard, and abuse of management tools and weak application configurations. Because of this, additional mitigations also must be deployed to make the domain environment more robust.
+Windows Defender Credential Guard can provide mitigations against attacks on derived credentials and prevent the use of stolen credentials elsewhere. However, PCs can still be vulnerable to certain attacks, even if the derived credentials are protected by Windows Defender Credential Guard. These attacks can include abusing privileges and use of derived credentials directly from a compromised device, reusing previously stolen credentials, and abuse of management tools and weak application configurations. Because of this, additional mitigations also must be deployed to make the domain environment more robust.
### Restricting domain users to specific domain-joined devices
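Review bot: the removed qualifier "prior to Windows Defender Device Guard" looks like a slip for "Credential Guard" rather than text to drop; without it, "reusing previously stolen credentials" loses the point that credentials captured before Credential Guard was enabled remain usable. Suggest "reusing credentials that were stolen before Windows Defender Credential Guard was enabled".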
diff --git a/windows/security/threat-protection/TOC.yml b/windows/security/threat-protection/TOC.yml
index 036ef214e2..ae12fde723 100644
--- a/windows/security/threat-protection/TOC.yml
+++ b/windows/security/threat-protection/TOC.yml
@@ -265,8 +265,8 @@
href: windows-sandbox/windows-sandbox-architecture.md
- name: Windows Sandbox configuration
href: windows-sandbox/windows-sandbox-configure-using-wsb-file.md
- - name: "Windows Defender Device Guard: virtualization-based security and WDAC"
- href: device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
+ - name: "Windows Defender Application Control and virtualization-based protection of code integrity"
+ href: device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
- name: Windows Certifications
items:
- name: FIPS 140 Validations
From c7af8e096b46e39d7ba938dd948513e9aa6dd1a9 Mon Sep 17 00:00:00 2001
From: Steve DiAcetis
Date: Tue, 3 Aug 2021 12:21:31 -0700
Subject: [PATCH 24/68] Update media-dynamic-update.md
---
.../deployment/update/media-dynamic-update.md | 56 +++++++++++++++++--
1 file changed, 52 insertions(+), 4 deletions(-)
diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md
index 2664d3f9d8..1e449b3202 100644
--- a/windows/deployment/update/media-dynamic-update.md
+++ b/windows/deployment/update/media-dynamic-update.md
@@ -178,8 +178,6 @@ The script assumes that only a single edition is being updated, indicated by Ind
It finishes by cleaning and exporting the image to reduce the image size.
-> [!NOTE]
-> Skip adding the latest cumulative update to Winre.wim because it contains unnecessary components in the recovery environment. The components that are updated and applicable are contained in the safe operating system Dynamic Update package. This also helps to keep the image small.
```powershell
# Mount the main operating system, used throughout the script
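Review bot: deleting the NOTE removes the only explanation of why the latest cumulative update is not added to Winre.wim; if the script now does add the cumulative update to WinRE, the sentence above ("It finishes by cleaning and exporting the image to reduce the image size.") and the WinRE step list should say so, and if it still does not, the note should stay so readers do not "fix" the script by adding it.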
@@ -194,8 +192,33 @@ Write-Output "$(Get-TS): Mounting WinRE"
Mount-WindowsImage -ImagePath $WORKING_PATH"\winre.wim" -Index 1 -Path $WINRE_MOUNT -ErrorAction stop | Out-Null
# Add servicing stack update
+
+# Note: If you are using a combined cumulative update, there may be a prerequisite servicing stack update required
+# This is where you'd add the prerequisite SSU, before applying the latest combined cumulative update.
+
+# Note: If you are applying a combined cumulative update to a previously updated image (e.g. an image you updated last month)
+# There is a known issue where the servicing stack update is installed, but the cumulative update will fail.
+# This error should be caught and ignored, as the last step will be to apply the cumulative update (or in this case the combined cumulative update)
+# and thus the image will be left with the correct packages installed.
+
Write-Output "$(Get-TS): Adding package $SSU_PATH"
-Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SSU_PATH -ErrorAction stop | Out-Null
+
+try
+{
+ Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SSU_PATH -ErrorAction stop | Out-Null
+}
+Catch
+{
+ $theError = $_
+ Write-Output "$(Get-TS): $theError"
+
+ if ($theError.Exception -like "*0x8007007e*") {
+ Write-Output "$(Get-TS): This failure is a known issue with combined cumulative update, we can ignore."
+ }
+ else {
+ throw
+ }
+}
#
# Optional: Add the language to recovery environment
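Review bot: the comment says the servicing stack update installs but the cumulative update fails, yet the try/catch wraps only the SSU install ($SSU_PATH), so either the comment or the placement is wrong; the same catch would need to sit around the later cumulative update call. Matching the error with `$theError.Exception -like "*0x8007007e*"` relies on the string form of the exception message, which is fragile (and localized); checking `$theError.Exception.HResult -eq 0x8007007E` is more robust if the DISM cmdlet surfaces that code. Also, `-ErrorAction stop` inside the try is what makes a non-terminating error reach the catch block, so it should stay, and `Catch` is conventionally lowercase like `try`.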
@@ -278,8 +301,33 @@ Foreach ($IMAGE in $WINPE_IMAGES) {
Mount-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\boot.wim" -Index $IMAGE.ImageIndex -Path $WINPE_MOUNT -ErrorAction stop | Out-Null
# Add SSU
+
+ # Note: If you are using a combined cumulative update, there may be a prerequisite servicing stack update required
+ # This is where you'd add the prerequisite SSU, before applying the latest combined cumulative update.
+
+ # Note: If you are applying a combined cumulative update to a previously updated image (e.g. an image you updated last month)
+ # There is a known issue where the servicing stack update is installed, but the cumulative update will fail.
+ # This error should be caught and ignored, as the last step will be to apply the cumulative update (or in this case the combined cumulative update)
+ # and thus the image will be left with the correct packages installed.
+
Write-Output "$(Get-TS): Adding package $SSU_PATH"
- Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $SSU_PATH -ErrorAction stop | Out-Null
+
+ try
+ {
+ Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $SSU_PATH -ErrorAction stop | Out-Null
+ }
+ Catch
+ {
+ $theError = $_
+ Write-Output "$(Get-TS): $theError"
+
+ if ($theError.Exception -like "*0x8007007e*") {
+ Write-Output "$(Get-TS): This failure is a known issue with combined cumulative update, we can ignore."
+ }
+ else {
+ throw
+ }
+ }
# Install lp.cab cab
Write-Output "$(Get-TS): Adding package $WINPE_OC_LP_PATH"
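Review bot: same issues as in the WinRE hunk: the comment describes a cumulative-update failure but the handler wraps the SSU install on $WINPE_MOUNT, the `-like "*0x8007007e*"` match on the exception text is brittle compared with checking the HResult, and the message "we can ignore" should say what the next step (applying the combined cumulative update) does to leave the image correct. Since this block is duplicated verbatim for WinRE and each WinPE index, consider a small helper function so the two copies cannot drift.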
From ee685f35b42a0c0ea2c4b108e78ffb5ad01b6ad5 Mon Sep 17 00:00:00 2001
From: Steve DiAcetis
Date: Tue, 3 Aug 2021 12:30:31 -0700
Subject: [PATCH 25/68] Update media-dynamic-update.md
---
windows/deployment/update/media-dynamic-update.md | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md
index 1e449b3202..e81a36becc 100644
--- a/windows/deployment/update/media-dynamic-update.md
+++ b/windows/deployment/update/media-dynamic-update.md
@@ -198,8 +198,8 @@ Mount-WindowsImage -ImagePath $WORKING_PATH"\winre.wim" -Index 1 -Path $WINRE_MO
# Note: If you are applying a combined cumulative update to a previously updated image (e.g. an image you updated last month)
# There is a known issue where the servicing stack update is installed, but the cumulative update will fail.
-# This error should be caught and ignored, as the last step will be to apply the cumulative update (or in this case the combined cumulative update)
-# and thus the image will be left with the correct packages installed.
+# This error should be caught and ignored, as the last step will be to apply the cumulative update
+# (or in this case the combined cumulative update) and thus the image will be left with the correct packages installed.
Write-Output "$(Get-TS): Adding package $SSU_PATH"
@@ -307,8 +307,8 @@ Foreach ($IMAGE in $WINPE_IMAGES) {
# Note: If you are applying a combined cumulative update to a previously updated image (e.g. an image you updated last month)
# There is a known issue where the servicing stack update is installed, but the cumulative update will fail.
- # This error should be caught and ignored, as the last step will be to apply the cumulative update (or in this case the combined cumulative update)
- # and thus the image will be left with the correct packages installed.
+ # This error should be caught and ignored, as the last step will be to apply the cumulative update
+ # (or in this case the combined cumulative update) and thus the image will be left with the correct packages installed.
Write-Output "$(Get-TS): Adding package $SSU_PATH"
From 40846db2d6e54e515a819e68ac853d6cb3387589 Mon Sep 17 00:00:00 2001
From: Daniel Simpson
Date: Tue, 3 Aug 2021 13:29:45 -0700
Subject: [PATCH 26/68] h1 fix
---
.../credential-guard-not-protected-scenarios.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md b/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md
index ac64658154..e6bce8b91b 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md
@@ -16,7 +16,7 @@ ms.date: 08/17/2017
ms.reviewer:
---
-# Windows Defender Credential Guard protection limits
+# Windows Defender Credential Guard protection limits and mitigations
**Applies to**
- Windows 10
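Review bot: the H1 is changed to "...protection limits and mitigations", but the frontmatter title field above this hunk is not updated; the two should match so the browser title and navigation entry reflect the new scope.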
From 93664e8fc9f13eece2527424ad70aa17ff946229 Mon Sep 17 00:00:00 2001
From: Steve DiAcetis
Date: Tue, 3 Aug 2021 16:45:54 -0700
Subject: [PATCH 27/68] Update media-dynamic-update.md
---
.../deployment/update/media-dynamic-update.md | 24 +++++++++----------
1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md
index e81a36becc..49943752c3 100644
--- a/windows/deployment/update/media-dynamic-update.md
+++ b/windows/deployment/update/media-dynamic-update.md
@@ -1,5 +1,5 @@
---
-title: Update Windows 10 media with Dynamic Update
+title: Update Windows installation media with Dynamic Update
description: Learn how to deploy feature updates to your mission critical devices
ms.prod: w10
ms.mktglfcycl: manage
@@ -14,17 +14,17 @@ ms.collection: M365-modern-desktop
ms.topic: article
---
-# Update Windows 10 media with Dynamic Update
+# Update Windows installation media with Dynamic Update
-**Applies to**: Windows 10
+**Applies to**: Windows 10, Windows 11
-This topic explains how to acquire and apply Dynamic Update packages to existing Windows 10 images *prior to deployment* and includes Windows PowerShell scripts you can use to automate this process.
+This topic explains how to acquire and apply Dynamic Update packages to existing Windows images *prior to deployment* and includes Windows PowerShell scripts you can use to automate this process.
-Volume-licensed media is available for each release of Windows 10 in the Volume Licensing Service Center (VLSC) and other relevant channels such as Windows Update for Business, Windows Server Update Services (WSUS), and Visual Studio Subscriptions. You can use Dynamic Update to ensure that Windows 10 devices have the latest feature update packages as part of an in-place upgrade while preserving language pack and Features on Demand (FODs) that might have been previously installed. Dynamic Update also eliminates the need to install a separate quality update as part of the in-place upgrade process.
+Volume-licensed media is available for each release of Windows in the Volume Licensing Service Center (VLSC) and other relevant channels such as Windows Update for Business, Windows Server Update Services (WSUS), and Visual Studio Subscriptions. You can use Dynamic Update to ensure that Windows devices have the latest feature update packages as part of an in-place upgrade while preserving language pack and Features on Demand (FODs) that might have been previously installed. Dynamic Update also eliminates the need to install a separate quality update as part of the in-place upgrade process.
## Dynamic Update
-Whenever installation of a feature update starts (whether from media or an environment connected to Windows Update), *Dynamic Update* is one of the first steps. Windows 10 Setup contacts a Microsoft endpoint to fetch Dynamic Update packages, and then applies those updates to your operating system installation media. The update packages include the following kinds of updates:
+Whenever installation of a feature update starts (whether from media or an environment connected to Windows Update), *Dynamic Update* is one of the first steps. Windows Setup contacts a Microsoft endpoint to fetch Dynamic Update packages, and then applies those updates to your operating system installation media. The update packages include the following kinds of updates:
- Updates to Setup.exe binaries or other files that Setup uses for feature updates
- Updates for the "safe operating system" (SafeOS) that is used for the Windows recovery environment
@@ -53,14 +53,14 @@ The various Dynamic Update packages might not all be present in the results from
If you want to customize the image with additional languages or Features on Demand, download supplemental media ISO files from the [Volume Licensing Service Center](https://www.microsoft.com/licensing/servicecenter/default.aspx). For example, since Dynamic Update will be disabled for your devices, and if users require specific Features on Demand, you can preinstall these into the image.
-## Update Windows 10 installation media
+## Update Windows installation media
Properly updating the installation media involves a large number of actions operating on several different targets (image files). Some actions are repeated on different targets. The target images files include:
- Windows Preinstallation Environment (WinPE): a small operating system used to install, deploy, and repair Windows operating systems
- Windows Recovery Environment (WinRE): repairs common causes of unbootable operating systems. WinRE is based on WinPE and can be customized with additional drivers, languages, optional packages, and other troubleshooting or diagnostic tools.
-- Windows operating system: one or more editions of Windows 10 stored in \sources\install.wim
-- Windows installation media: the complete collection of files and folders in the Windows 10 installation media. For example, \sources folder, \boot folder, Setup.exe, and so on.
+- Windows operating system: one or more editions of Windows stored in \sources\install.wim
+- Windows installation media: the complete collection of files and folders in the Windows installation media. For example, \sources folder, \boot folder, Setup.exe, and so on.
This table shows the correct sequence for applying the various tasks to the files. For example, the full sequence starts with adding the servicing stack update to WinRE (1) and concludes with adding the Dynamic Update for Setup to the new media (26).
@@ -89,7 +89,7 @@ This table shows the correct sequence for applying the various tasks to the file
### Multiple Windows editions
-The main operating system file (install.wim) contains multiple editions of Windows 10. It’s possible that only an update for a given edition is required to deploy it, based on the index. Or, it might be that all editions need an update. Further, ensure that languages are installed before Features on Demand, and the latest cumulative update is always applied last.
+The main operating system file (install.wim) contains multiple editions of Windows. It’s possible that only an update for a given edition is required to deploy it, based on the index. Or, it might be that all editions need an update. Further, ensure that languages are installed before Features on Demand, and the latest cumulative update is always applied last.
### Additional languages and features
@@ -205,7 +205,7 @@ Write-Output "$(Get-TS): Adding package $SSU_PATH"
try
{
- Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SSU_PATH -ErrorAction stop | Out-Null
+ Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SSU_PATH | Out-Null
}
Catch
{
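Review bot: removing `-ErrorAction stop` from the Add-WindowsPackage call inside the try block defeats the catch added in the previous commit: a non-terminating error will be written to the error stream and execution will continue past the try, so the 0x8007007e check is never reached and the "known issue" is neither logged nor rethrown. Keep `-ErrorAction stop` here (every other call in the script uses it).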
@@ -314,7 +314,7 @@ Foreach ($IMAGE in $WINPE_IMAGES) {
try
{
- Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $SSU_PATH -ErrorAction stop | Out-Null
+ Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $SSU_PATH | Out-Null
}
Catch
{
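Review bot: same regression as in the WinRE hunk: without `-ErrorAction stop` on this Add-WindowsPackage call the catch block for $WINPE_MOUNT is never entered for non-terminating errors, so keep the parameter.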
From 24c6ab5666364a40a5993c3e5f07c66c25e19da0 Mon Sep 17 00:00:00 2001
From: greg-lindsay
Date: Wed, 4 Aug 2021 10:36:02 -0700
Subject: [PATCH 28/68] Script link issue
---
.../deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md
index 1aaab1936a..b844a86db3 100644
--- a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md
+++ b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md
@@ -95,7 +95,7 @@ Following these steps, you enable the backup of BitLocker and TPM recovery infor
### Set permissions in Active Directory for BitLocker
-In addition to the Group Policy created previously, you need to configure permissions in Active Directory to be able to store the TPM recovery information. In these steps, we assume you have downloaded the [Add-TPMSelfWriteACE.vbs script](https://gallery.technet.microsoft.com/ScriptCenter/b4dee016-053e-4aa3-a278-3cebf70d1191) from Microsoft to C:\\Setup\\Scripts on DC01.
+In addition to the Group Policy created previously, you need to configure permissions in Active Directory to be able to store the TPM recovery information. In these steps, we assume you have downloaded the [Add-TPMSelfWriteACE.vbs script](https://raw.githubusercontent.com/DeploymentArtist/DF4/master/BitLocker%20and%20TPM/Add-TPMSelfWriteACE.vbs) to C:\\Setup\\Scripts on DC01.
1. On DC01, start an elevated PowerShell prompt (run as Administrator).
2. Configure the permissions by running the following command:
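Review bot: the new link points to a raw script on a third-party GitHub repository (DeploymentArtist/DF4) that readers are told to run with elevated rights on a domain controller; a raw URL on a mutable branch can change after review. Prefer a Microsoft-hosted copy, or at least pin to a specific commit and add a sentence telling readers to review the script contents before running it on DC01.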
From 147e3bf47b72e15c41d7e3e1caa94e11302202c7 Mon Sep 17 00:00:00 2001
From: greg-lindsay
Date: Wed, 4 Aug 2021 10:49:42 -0700
Subject: [PATCH 29/68] a few fixes
---
.../deploy-windows-mdt/set-up-mdt-for-bitlocker.md | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md
index b844a86db3..62cb47a58a 100644
--- a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md
+++ b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md
@@ -32,16 +32,16 @@ To configure your environment for BitLocker, you will need to do the following:
4. Configure the rules (CustomSettings.ini) for BitLocker.
> [!NOTE]
-> Even though it is not a BitLocker requirement, we recommend configuring BitLocker to store the recovery password in Active Directory. For additional information about this feature, see [Backing Up BitLocker and TPM Recovery Information to AD DS](/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds).
+> Even though it is not a BitLocker requirement, we recommend configuring BitLocker to store the recovery password in Active Directory. For more information about this feature, see [Backing Up BitLocker and TPM Recovery Information to AD DS](/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds).
If you have access to Microsoft BitLocker Administration and Monitoring (MBAM), which is part of Microsoft Desktop Optimization Pack (MDOP), you have additional management features for BitLocker.
> [!NOTE]
> Backing up TPM to Active Directory was supported only on Windows 10 version 1507 and 1511.
>[!NOTE]
->Even though it is not a BitLocker requirement, we recommend configuring BitLocker to store the recovery key and TPM owner information in Active Directory. For additional information about these features, see [Backing Up BitLocker and TPM Recovery Information to AD DS](/previous-versions/windows/it-pro/windows-7/dd875529(v=ws.10)). If you have access to Microsoft BitLocker Administration and Monitoring (MBAM), which is part of Microsoft Desktop Optimization Pack (MDOP), you have additional management features for BitLocker.
+>Even though it is not a BitLocker requirement, we recommend configuring BitLocker to store the recovery key and TPM owner information in Active Directory. For more information about these features, see [Backing Up BitLocker and TPM Recovery Information to AD DS](/previous-versions/windows/it-pro/windows-7/dd875529(v=ws.10)). If you have access to Microsoft BitLocker Administration and Monitoring (MBAM), which is part of Microsoft Desktop Optimization Pack (MDOP), you have additional management features for BitLocker.
-For the purposes of this topic, we will use DC01, a domain controller that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](./prepare-for-windows-deployment-with-mdt.md).
+For the purposes of this topic, we will use DC01, a domain controller that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, see [Deploy Windows 10 with the Microsoft Deployment Toolkit](./prepare-for-windows-deployment-with-mdt.md).
## Configure Active Directory for BitLocker
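Review bot: the two [!NOTE] blocks in this hunk say almost the same thing ("we recommend configuring BitLocker to store the recovery password/key ... in Active Directory") and link to two different versions of the same article; consolidate them into one note with the current link, and keep the separate note that TPM backup to AD was supported only on Windows 10 1507 and 1511.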
@@ -69,7 +69,7 @@ The BitLocker Drive Encryption Administration Utilities are added as features vi
1. BitLocker Drive Encryption Administration Utilities
2. BitLocker Drive Encryption Tools
3. BitLocker Recovery Password Viewer
-7. On the **Confirm installation selections** page, click **Install** and then click **Close**.
+7. On the **Confirm installation selections** page, click **Install**, and then click **Close**.

@@ -114,7 +114,7 @@ If you want to automate enabling the TPM chip as part of the deployment process,
### Add tools from Dell
-[Dell Comnmand | Configure](https://www.dell.com/support/article/us/en/04/sln311302/dell-command-configure) provides a Command Line Interface and a Graphical User Interface.
+[Dell Command | Configure](https://www.dell.com/support/article/us/en/04/sln311302/dell-command-configure) provides a Command Line Interface and a Graphical User Interface.
### Add tools from HP
From f78007dfe9c82c90c5cdb508db71b05b8ccdf9b5 Mon Sep 17 00:00:00 2001
From: julihooper <65675989+julihooper@users.noreply.github.com>
Date: Wed, 4 Aug 2021 12:17:26 -0700
Subject: [PATCH 30/68] Update defender-csp.md
---
windows/client-management/mdm/defender-csp.md | 20 +++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md
index ae2739b076..22820a3680 100644
--- a/windows/client-management/mdm/defender-csp.md
+++ b/windows/client-management/mdm/defender-csp.md
@@ -453,6 +453,26 @@ Valid values are:
- 1 – Enable.
- 0 (default) – Disable.
+**Configuration/HideExclusionsFromLocalAdmins**
+This policy setting controls whether or not exclusions are visible to Local Admins. For end users (that are not Local Admins) exclusions are not visible, whether or not this setting is enabled.
+
+If you disable or do not configure this setting, Local Admins will be able to see exclusions in the Windows Security App and via PowerShell.
+
+If you enable this setting, Local Admins will no longer be able to see the exclusion list in Windows Security App or via PowerShell.
+
+> [!NOTE]
+> Applying this setting will not remove exclusions, it will only prevent them from being visible to Local Admins. This is reflected in **Get-MpPreference**.
+
+Supported OS versions: Windows 10
+
+The data type is integer.
+
+Supported operations are Add, Delete, Get, Replace.
+
+Valid values are:
+- 1 – Enable.
+- 0 (default) – Disable.
+
**Configuration/DisableCpuThrottleOnIdleScans**
Indicates whether the CPU will be throttled for scheduled scans while the device is idle. This feature is enabled by default and will not throttle the CPU for scheduled scans performed when the device is otherwise idle, regardless of what ScanAvgCPULoadFactor is set to. For all other scheduled scans this flag will have no impact and normal throttling will occur.
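Review bot: the new Configuration/HideExclusionsFromLocalAdmins entry says only "Supported OS versions: Windows 10", which leaves an administrator unable to tell which builds actually honor the setting and which silently ignore it; state the minimum Windows 10 version (and the Defender platform version, if that is the real gate) the way a CSP reference entry needs to. The NOTE's "This is reflected in **Get-MpPreference**" is also ambiguous: say what a local admin sees when the setting is enabled (an empty exclusion list, or an error), and say whether the setting only hides exclusions or also blocks a local admin from adding and removing them, since the body text speaks only of visibility and a reader will reasonably assume the latter.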
From 75c51df5c33dd87ec6df3a717bcfd0a75fd781bc Mon Sep 17 00:00:00 2001
From: Anna-Li <70676128+v-lianna@users.noreply.github.com>
Date: Thu, 5 Aug 2021 17:10:14 +0800
Subject: [PATCH 31/68] CI_153986_Update_credential-guard-known-issues
---
.../credential-guard-known-issues.md | 21 +++++++++++++++++--
1 file changed, 19 insertions(+), 2 deletions(-)
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md
index 703848eaf3..4aa8190429 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md
@@ -21,16 +21,33 @@ ms.reviewer:
**Applies to**
- Windows 10
- Windows Server 2016
+- Windows Server 2019
Windows Defender Credential Guard has certain application requirements. Windows Defender Credential Guard blocks specific authentication capabilities. Therefore applications that require such capabilities will not function when it is enabled. For further information, see [Application requirements](/windows/access-protection/credential-guard/credential-guard-requirements#application-requirements).
The following known issue has been fixed in the [Cumulative Security Update for November 2017](https://support.microsoft.com/help/4051033):
-- Scheduled tasks with stored credentials fail to run when Credential Guard is enabled. The task fails and reports Event ID 104 with the following message:
+- Scheduled tasks with domain user stored credentials fail to run when Credential Guard is enabled. The task fails and reports Event ID 104 with the following message:
"Task Scheduler failed to log on ‘\Test’ .
Failure occurred in ‘LogonUserExEx’ .
User Action: Ensure the credentials for the task are correctly specified.
Additional Data: Error Value: 2147943726. 2147943726 : ERROR\_LOGON\_FAILURE (The user name or password is incorrect)."
+- When enabling NTLM audit on the domain controller, an Event ID 8004 with an indecipherable username format is logged. For example:
+ > Log Name: Microsoft-Windows-NTLM/Operational
+ Source: Microsoft-Windows-Security-Netlogon
+ Event ID: 8004
+ Task Category: Auditing NTLM
+ Level: Information
+ Description:
+ Domain Controller Blocked Audit: Audit NTLM authentication to this domain controller.
+ Secure Channel name: \
+ User name:
+ @@CyBAAAAUBQYAMHArBwUAMGAoBQZAQGA1BAbAUGAyBgOAQFAhBwcAsGA6AweAgDA2AQQAMEAwAANAgDA1AQLAIEADBQRAADAtAANAYEA1AwQA0CA5AAOAMEAyAQLAYDAxAwQAEDAEBwMAMEAwAgMAMDACBgRA0HA
+ Domain name: NULL
+
+ - This event stems from a scheduled task running under local user context with the Cumulative Security Update for November 2017 or later and happens when Credential Guard is enabled.
+ - The username appears in an unusual format because local accounts aren’t protected by Credential Guard. The task also fails to execute.
+ - As a workaround, run the scheduled task under a domain user or the computer's SYSTEM account.
The following known issues have been fixed by servicing releases made available in the Cumulative Security Updates for April 2017:
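Review bot: the Event ID 8004 sample in the new bullet is a blockquote on its first line only (`> Log Name: Microsoft-Windows-NTLM/Operational`); the `Source:` through `Domain name:` lines that follow carry no `>` prefix and no hard line breaks, so Markdown will fold them into the quote as one run-on paragraph and the field labels will lose their line structure. Prefix each line with `> ` and end each field with two trailing spaces, or put the whole event in a fenced code block, which also keeps the long encoded `User name:` value from wrapping unpredictably. `Secure Channel name: \` also ends in a bare backslash, which Markdown treats as a hard line break rather than a literal character; if the logged value really is a backslash, escape it as `\\`, and if it is empty, drop it. Lastly, the three sub-bullets that explain the event should share the indentation of the quote so they render as children of the 8004 bullet rather than as a new top-level list.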
@@ -107,4 +124,4 @@ Windows Defender Credential Guard is not supported by either these products, pro
This is not a comprehensive list. Check whether your product vendor, product version, or computer system, supports Windows Defender Credential Guard on systems that run Windows 10 or specific versions of Windows 10. Specific computer system models may be incompatible with Windows Defender Credential Guard.
- Microsoft encourages third-party vendors to contribute to this page by providing relevant product support information and by adding links to their own product support statements.
\ No newline at end of file
+ Microsoft encourages third-party vendors to contribute to this page by providing relevant product support information and by adding links to their own product support statements.
From 461a48151d72a6ba0208018fcfba88fd21e809d3 Mon Sep 17 00:00:00 2001
From: greg-lindsay
Date: Thu, 5 Aug 2021 10:08:41 -0700
Subject: [PATCH 32/68] replace references to Windows 10 with Windows client
---
windows/client-management/index.yml | 2 +-
windows/configuration/index.yml | 20 ++++++++++----------
windows/hub/index.yml | 2 ++
3 files changed, 13 insertions(+), 11 deletions(-)
diff --git a/windows/client-management/index.yml b/windows/client-management/index.yml
index 3731f3f13d..1396acc86a 100644
--- a/windows/client-management/index.yml
+++ b/windows/client-management/index.yml
@@ -4,7 +4,7 @@ title: Client management # < 60 chars
summary: Find out how to apply custom configurations to Windows client devices. Windows provides a number of features and methods to help you configure or lock down specific parts of the Windows interface. # < 160 chars
metadata:
- title: Configure Windows 10 # Required; page title displayed in search results. Include the brand. < 60 chars.
+ title: Manage Windows client # Required; page title displayed in search results. Include the brand. < 60 chars.
description: Learn about the administrative tools, tasks and best practices for managing Windows clients across your enterprise. # Required; article description that is displayed in search results. < 160 chars.
services: windows-10
ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM.
diff --git a/windows/configuration/index.yml b/windows/configuration/index.yml
index 30c052cbfe..66e42dca78 100644
--- a/windows/configuration/index.yml
+++ b/windows/configuration/index.yml
@@ -1,11 +1,11 @@
### YamlMime:Landing
-title: Configure Windows 10 # < 60 chars
-summary: Find out how to apply custom configurations to Windows 10 devices. Windows 10 provides a number of features and methods to help you configure or lock down specific parts of Windows 10. # < 160 chars
+title: Configure Windows client # < 60 chars
+summary: Find out how to apply custom configurations to Windows 10 and Windows 11 devices. Windows 10 provides a number of features and methods to help you configure or lock down specific parts of Windows client. # < 160 chars
metadata:
- title: Configure Windows 10 # Required; page title displayed in search results. Include the brand. < 60 chars.
- description: Find out how to apply custom configurations to Windows 10 devices. # Required; article description that is displayed in search results. < 160 chars.
+ title: Configure Windows client # Required; page title displayed in search results. Include the brand. < 60 chars.
+ description: Find out how to apply custom configurations to Windows client devices. # Required; article description that is displayed in search results. < 160 chars.
services: windows-10
ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM.
ms.subservice: subservice
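Review bot: the new `summary:` in the configuration/index.yml hunk is internally inconsistent and over length: its first sentence now reads "Windows 10 and Windows 11 devices" while the second still opens with "Windows 10 provides", and at 203 characters it exceeds the `# < 160 chars` limit stated in the inline comment (the previous text exceeded it too, but this is the moment to fix it). A version that matches the client-management summary and fits the limit would be `summary: Find out how to apply custom configurations to Windows client devices. Windows provides features and methods to lock down parts of the Windows interface. # < 160 chars`.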
@@ -13,7 +13,7 @@ metadata:
ms.collection: windows-10
author: greg-lindsay #Required; your GitHub user alias, with correct capitalization.
ms.author: greglin #Required; microsoft alias of author; optional team alias.
- ms.date: 03/23/2021 #Required; mm/dd/yyyy format.
+ ms.date: 08/05/2021 #Required; mm/dd/yyyy format.
localization_priority: medium
# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
@@ -22,7 +22,7 @@ landingContent:
# Cards and links should be based on top customer tasks or top subjects
# Start card title with a verb
# Card (optional)
- - title: Manage Windows 10 settings
+ - title: Manage Windows client settings
linkLists:
- linkListType: overview
links:
@@ -35,7 +35,7 @@ landingContent:
# Card (optional)
- - title: Configure a Windows 10 kiosk
+ - title: Configure a Windows kiosk
linkLists:
- linkListType: overview
links:
@@ -48,7 +48,7 @@ landingContent:
# Card (optional)
- - title: Windows 10 provisioning packages
+ - title: Windows client provisioning packages
linkLists:
- linkListType: overview
links:
@@ -70,7 +70,7 @@ landingContent:
url: wcd/wcd-oobe.md
# Card (optional)
- - title: Configure Cortana in Windows 10
+ - title: Configure Cortana in Windows client
linkLists:
- linkListType: overview
links:
@@ -80,7 +80,7 @@ landingContent:
url: cortana-at-work/cortana-at-work-voice-commands.md
# Card (optional)
- - title: User Experience Virtualization (UE-V) for Windows 10
+ - title: User Experience Virtualization (UE-V) for Windows client
linkLists:
- linkListType: overview
links:
diff --git a/windows/hub/index.yml b/windows/hub/index.yml
index f61c3a9861..2d7fb5bca4 100644
--- a/windows/hub/index.yml
+++ b/windows/hub/index.yml
@@ -95,6 +95,8 @@ landingContent:
url: /windows/client-management/mandatory-user-profile
- text: New policies for Windows 10
url: /windows/client-management/new-policies-for-windows-10
+ - text: Configuration service provider reference
+ url: /windows/client-management/mdm/configuration-service-provider-reference.md
# Card (optional)
- title: Security and Privacy
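Review bot: the new `url: /windows/client-management/mdm/configuration-service-provider-reference.md` in the hub/index.yml hunk keeps a `.md` extension, while the sibling entries directly above it (`/windows/client-management/mandatory-user-profile`, `/windows/client-management/new-policies-for-windows-10`) use extension-less site paths; drop the `.md` so the link resolves the same way the others do.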
From fec96c6fc0d29c42e704c789fd85ad1b1d7fb085 Mon Sep 17 00:00:00 2001
From: greg-lindsay
Date: Thu, 5 Aug 2021 10:13:09 -0700
Subject: [PATCH 33/68] fix link
---
windows/hub/index.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/hub/index.yml b/windows/hub/index.yml
index 2d7fb5bca4..e3a2448009 100644
--- a/windows/hub/index.yml
+++ b/windows/hub/index.yml
@@ -96,7 +96,7 @@ landingContent:
- text: New policies for Windows 10
url: /windows/client-management/new-policies-for-windows-10
- text: Configuration service provider reference
- url: /windows/client-management/mdm/configuration-service-provider-reference.md
+ url: /windows/client-management/mdm/configuration-service-provider-reference
# Card (optional)
- title: Security and Privacy
From 819bfc97c08d8677a50db9f1892fa6ef4dd1ffd5 Mon Sep 17 00:00:00 2001
From: greg-lindsay
Date: Thu, 5 Aug 2021 10:16:22 -0700
Subject: [PATCH 34/68] replace more references to 10
---
windows/client-management/toc.yml | 2 +-
windows/configuration/TOC.yml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/client-management/toc.yml b/windows/client-management/toc.yml
index 633a032f7c..633939454a 100644
--- a/windows/client-management/toc.yml
+++ b/windows/client-management/toc.yml
@@ -36,7 +36,7 @@ items:
items:
- name: CSP reference
href: mdm/configuration-service-provider-reference.md
- - name: Troubleshoot Windows 10 clients
+ - name: Troubleshoot Windows clients
items:
- name: Windows 10 support solutions
href: windows-10-support-solutions.md
diff --git a/windows/configuration/TOC.yml b/windows/configuration/TOC.yml
index 867a205b26..c27d976f52 100644
--- a/windows/configuration/TOC.yml
+++ b/windows/configuration/TOC.yml
@@ -1,4 +1,4 @@
-- name: Configure Windows 10
+- name: Configure Windows client
href: index.yml
- name: Configure appearance settings
items:
From 9f8d0c7368d6ea19391fd6d65803e60fb979cd30 Mon Sep 17 00:00:00 2001
From: greg-lindsay
Date: Thu, 5 Aug 2021 10:29:15 -0700
Subject: [PATCH 35/68] a couple acrolynx suggestions
---
windows/client-management/index.yml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/windows/client-management/index.yml b/windows/client-management/index.yml
index 1396acc86a..e5ae09ccb3 100644
--- a/windows/client-management/index.yml
+++ b/windows/client-management/index.yml
@@ -1,11 +1,11 @@
### YamlMime:Landing
title: Client management # < 60 chars
-summary: Find out how to apply custom configurations to Windows client devices. Windows provides a number of features and methods to help you configure or lock down specific parts of the Windows interface. # < 160 chars
+summary: Find out how to apply custom configurations to Windows client devices. Windows provides many features and methods to help you configure or lock down specific parts of the Windows interface. # < 160 chars
metadata:
title: Manage Windows client # Required; page title displayed in search results. Include the brand. < 60 chars.
- description: Learn about the administrative tools, tasks and best practices for managing Windows clients across your enterprise. # Required; article description that is displayed in search results. < 160 chars.
+ description: Learn about the administrative tools, tasks, and best practices for managing Windows clients across your enterprise. # Required; article description that is displayed in search results. < 160 chars.
services: windows-10
ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM.
ms.subservice: subservice
@@ -13,7 +13,7 @@ metadata:
ms.collection: windows-10
author: greg-lindsay #Required; your GitHub user alias, with correct capitalization.
ms.author: greglin #Required; microsoft alias of author; optional team alias.
- ms.date: 04/30/2021 #Required; mm/dd/yyyy format.
+ ms.date: 08/05/2021 #Required; mm/dd/yyyy format.
localization_priority: medium
# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
From 5ca32aff1f40ae80781c269877e6c9842162cb43 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Thu, 5 Aug 2021 11:12:14 -0700
Subject: [PATCH 36/68] Update defender-csp.md
---
windows/client-management/mdm/defender-csp.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md
index 22820a3680..befd212478 100644
--- a/windows/client-management/mdm/defender-csp.md
+++ b/windows/client-management/mdm/defender-csp.md
@@ -10,7 +10,7 @@ ms.prod: w10
ms.technology: windows
author: dansimp
ms.localizationpriority: medium
-ms.date: 07/23/2021
+ms.date: 08/05/2021
---
# Defender CSP
From 5de716ef7cf6b761f0f1b709b59c7b063e87adce Mon Sep 17 00:00:00 2001
From: Sudeep Kumar <16726119+sudeepku@users.noreply.github.com>
Date: Thu, 5 Aug 2021 14:05:26 -0700
Subject: [PATCH 37/68] set recommendations flag in all docfx.json files
---
bcs/docfx.json | 1 +
browsers/edge/docfx.json | 1 +
browsers/internet-explorer/docfx.json | 1 +
devices/hololens/docfx.json | 1 +
devices/surface-hub/docfx.json | 1 +
devices/surface/docfx.json | 1 +
education/docfx.json | 1 +
gdpr/docfx.json | 1 +
mdop/docfx.json | 1 +
smb/docfx.json | 1 +
store-for-business/docfx.json | 1 +
windows/access-protection/docfx.json | 1 +
windows/application-management/docfx.json | 1 +
windows/client-management/docfx.json | 1 +
windows/configuration/docfx.json | 1 +
windows/configure/docfx.json | 1 +
windows/deploy/docfx.json | 1 +
windows/deployment/docfx.json | 1 +
windows/device-security/docfx.json | 1 +
windows/docfx.json | 1 +
windows/eulas/docfx.json | 1 +
windows/hub/docfx.json | 1 +
windows/keep-secure/docfx.json | 1 +
windows/known-issues/docfx.json | 1 +
windows/manage/docfx.json | 1 +
windows/plan/docfx.json | 1 +
windows/privacy/docfx.json | 1 +
windows/release-information/docfx.json | 1 +
windows/security/docfx.json | 1 +
windows/threat-protection/docfx.json | 1 +
windows/update/docfx.json | 1 +
windows/whats-new/docfx.json | 1 +
32 files changed, 32 insertions(+)
diff --git a/bcs/docfx.json b/bcs/docfx.json
index 8bb25b9c4c..f1384ac71a 100644
--- a/bcs/docfx.json
+++ b/bcs/docfx.json
@@ -35,6 +35,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
+ "recommendations": true,
"breadcrumb_path": "/microsoft-365/business/breadcrumb/toc.json",
"extendBreadcrumb": true,
"contributors_to_exclude": [
diff --git a/browsers/edge/docfx.json b/browsers/edge/docfx.json
index d77b68f7fb..bc99fd3bd8 100644
--- a/browsers/edge/docfx.json
+++ b/browsers/edge/docfx.json
@@ -27,6 +27,7 @@
}
],
"globalMetadata": {
+ "recommendations": true,
"breadcrumb_path": "/microsoft-edge/deploy/breadcrumb/toc.json",
"ROBOTS": "INDEX, FOLLOW",
"ms.technology": "microsoft-edge",
diff --git a/browsers/internet-explorer/docfx.json b/browsers/internet-explorer/docfx.json
index 927e4c51ac..9a7a5d7e4a 100644
--- a/browsers/internet-explorer/docfx.json
+++ b/browsers/internet-explorer/docfx.json
@@ -23,6 +23,7 @@
}
],
"globalMetadata": {
+ "recommendations": true,
"breadcrumb_path": "/internet-explorer/breadcrumb/toc.json",
"ROBOTS": "INDEX, FOLLOW",
"audience": "ITPro",
diff --git a/devices/hololens/docfx.json b/devices/hololens/docfx.json
index 9b7317309d..464a472b2f 100644
--- a/devices/hololens/docfx.json
+++ b/devices/hololens/docfx.json
@@ -30,6 +30,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
+ "recommendations": true,
"breadcrumb_path": "/hololens/breadcrumb/toc.json",
"ms.technology": "windows",
"ms.topic": "article",
diff --git a/devices/surface-hub/docfx.json b/devices/surface-hub/docfx.json
index 8eba3c49b1..2e2fb12b63 100644
--- a/devices/surface-hub/docfx.json
+++ b/devices/surface-hub/docfx.json
@@ -24,6 +24,7 @@
}
],
"globalMetadata": {
+ "recommendations": true,
"breadcrumb_path": "/surface-hub/breadcrumb/toc.json",
"ROBOTS": "INDEX, FOLLOW",
"ms.technology": "windows",
diff --git a/devices/surface/docfx.json b/devices/surface/docfx.json
index 42faacbcac..eba515451e 100644
--- a/devices/surface/docfx.json
+++ b/devices/surface/docfx.json
@@ -22,6 +22,7 @@
}
],
"globalMetadata": {
+ "recommendations": true,
"breadcrumb_path": "/surface/breadcrumb/toc.json",
"ROBOTS": "INDEX, FOLLOW",
"ms.technology": "windows",
diff --git a/education/docfx.json b/education/docfx.json
index 8ba1394c6d..7cac8a75b9 100644
--- a/education/docfx.json
+++ b/education/docfx.json
@@ -26,6 +26,7 @@
}
],
"globalMetadata": {
+ "recommendations": true,
"ROBOTS": "INDEX, FOLLOW",
"audience": "windows-education",
"ms.topic": "article",
diff --git a/gdpr/docfx.json b/gdpr/docfx.json
index 1d092a902e..eaa6eba4eb 100644
--- a/gdpr/docfx.json
+++ b/gdpr/docfx.json
@@ -31,6 +31,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
+ "recommendations": true,
"author": "eross-msft",
"ms.author": "lizross",
"feedback_system": "GitHub",
diff --git a/mdop/docfx.json b/mdop/docfx.json
index abcead924c..dfa58fa007 100644
--- a/mdop/docfx.json
+++ b/mdop/docfx.json
@@ -22,6 +22,7 @@
}
],
"globalMetadata": {
+ "recommendations": true,
"breadcrumb_path": "/microsoft-desktop-optimization-pack/breadcrumb/toc.json",
"ROBOTS": "INDEX, FOLLOW",
"ms.technology": "windows",
diff --git a/smb/docfx.json b/smb/docfx.json
index 379f9d6f3e..9b63f81cad 100644
--- a/smb/docfx.json
+++ b/smb/docfx.json
@@ -29,6 +29,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
+ "recommendations": true,
"breadcrumb_path": "/windows/smb/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-M365-IT",
"feedback_system": "None",
diff --git a/store-for-business/docfx.json b/store-for-business/docfx.json
index 2a30faf3ef..bf0a63a161 100644
--- a/store-for-business/docfx.json
+++ b/store-for-business/docfx.json
@@ -31,6 +31,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
+ "recommendations": true,
"breadcrumb_path": "/microsoft-store/breadcrumb/toc.json",
"ms.author": "trudyha",
"audience": "ITPro",
diff --git a/windows/access-protection/docfx.json b/windows/access-protection/docfx.json
index fff71782f2..35b82f4d89 100644
--- a/windows/access-protection/docfx.json
+++ b/windows/access-protection/docfx.json
@@ -32,6 +32,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
+ "recommendations": true,
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"ms.technology": "windows",
"audience": "ITPro",
diff --git a/windows/application-management/docfx.json b/windows/application-management/docfx.json
index 4d3e15e0a7..b5298397b7 100644
--- a/windows/application-management/docfx.json
+++ b/windows/application-management/docfx.json
@@ -32,6 +32,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
+ "recommendations": true,
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-M365-IT",
"ms.technology": "windows",
diff --git a/windows/client-management/docfx.json b/windows/client-management/docfx.json
index eb3917a794..450357dfba 100644
--- a/windows/client-management/docfx.json
+++ b/windows/client-management/docfx.json
@@ -32,6 +32,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
+ "recommendations": true,
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-M365-IT",
"ms.technology": "windows",
diff --git a/windows/configuration/docfx.json b/windows/configuration/docfx.json
index 44006a3af5..d93337be79 100644
--- a/windows/configuration/docfx.json
+++ b/windows/configuration/docfx.json
@@ -32,6 +32,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
+ "recommendations": true,
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-M365-IT",
"ms.technology": "windows",
diff --git a/windows/configure/docfx.json b/windows/configure/docfx.json
index 032a6cf7e4..3ecf9e6104 100644
--- a/windows/configure/docfx.json
+++ b/windows/configure/docfx.json
@@ -31,6 +31,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
+ "recommendations": true,
"feedback_system": "None",
"hideEdit": true,
"_op_documentIdPathDepotMapping": {
diff --git a/windows/deploy/docfx.json b/windows/deploy/docfx.json
index f8c535fddb..24a5e3b0ff 100644
--- a/windows/deploy/docfx.json
+++ b/windows/deploy/docfx.json
@@ -31,6 +31,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
+ "recommendations": true,
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "MSDN.windows-deploy",
diff --git a/windows/deployment/docfx.json b/windows/deployment/docfx.json
index cecc2b30b5..b33480ce11 100644
--- a/windows/deployment/docfx.json
+++ b/windows/deployment/docfx.json
@@ -34,6 +34,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
+ "recommendations": true,
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-M365-IT",
"ms.technology": "windows",
diff --git a/windows/device-security/docfx.json b/windows/device-security/docfx.json
index fb05d45e14..ce2b043c43 100644
--- a/windows/device-security/docfx.json
+++ b/windows/device-security/docfx.json
@@ -32,6 +32,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
+ "recommendations": true,
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"ms.technology": "windows",
"ms.topic": "article",
diff --git a/windows/docfx.json b/windows/docfx.json
index 68d6d5933c..30f4698e66 100644
--- a/windows/docfx.json
+++ b/windows/docfx.json
@@ -14,6 +14,7 @@
}
],
"globalMetadata": {
+ "recommendations": true,
"ROBOTS": "INDEX, FOLLOW",
"audience": "ITPro",
"breadcrumb_path": "/itpro/windows/breadcrumb/toc.json",
diff --git a/windows/eulas/docfx.json b/windows/eulas/docfx.json
index 1dd02b74b2..2834682ce7 100644
--- a/windows/eulas/docfx.json
+++ b/windows/eulas/docfx.json
@@ -35,6 +35,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
+ "recommendations": true,
"breadcrumb_path": "/windows/eulas/breadcrumb/toc.json",
"extendBreadcrumb": true,
"feedback_system": "None",
diff --git a/windows/hub/docfx.json b/windows/hub/docfx.json
index ba6cb520ce..f8e5b9331d 100644
--- a/windows/hub/docfx.json
+++ b/windows/hub/docfx.json
@@ -34,6 +34,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
+ "recommendations": true,
"audience": "ITPro",
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-M365-IT",
diff --git a/windows/keep-secure/docfx.json b/windows/keep-secure/docfx.json
index d153310b25..aa250a2f5c 100644
--- a/windows/keep-secure/docfx.json
+++ b/windows/keep-secure/docfx.json
@@ -31,6 +31,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
+ "recommendations": true,
"feedback_system": "None",
"_op_documentIdPathDepotMapping": {
"./": {
diff --git a/windows/known-issues/docfx.json b/windows/known-issues/docfx.json
index 6c9c489c80..d331ee80d1 100644
--- a/windows/known-issues/docfx.json
+++ b/windows/known-issues/docfx.json
@@ -35,6 +35,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
+ "recommendations": true,
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"feedback_system": "GitHub",
"feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
diff --git a/windows/manage/docfx.json b/windows/manage/docfx.json
index 904388daf4..c5275101bf 100644
--- a/windows/manage/docfx.json
+++ b/windows/manage/docfx.json
@@ -31,6 +31,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
+ "recommendations": true,
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "MSDN.windows-manage",
diff --git a/windows/plan/docfx.json b/windows/plan/docfx.json
index f226ea1fe0..9a47bdcced 100644
--- a/windows/plan/docfx.json
+++ b/windows/plan/docfx.json
@@ -31,6 +31,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
+ "recommendations": true,
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "MSDN.windows-plan",
diff --git a/windows/privacy/docfx.json b/windows/privacy/docfx.json
index 29f46358f8..13d72f2e30 100644
--- a/windows/privacy/docfx.json
+++ b/windows/privacy/docfx.json
@@ -32,6 +32,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
+ "recommendations": true,
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-M365-IT",
"ms.technology": "windows",
diff --git a/windows/release-information/docfx.json b/windows/release-information/docfx.json
index 111809e6f2..c5cbdfb50a 100644
--- a/windows/release-information/docfx.json
+++ b/windows/release-information/docfx.json
@@ -35,6 +35,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
+ "recommendations": true,
"breadcrumb_path": "/windows/release-information/breadcrumb/toc.json",
"ms.prod": "w10",
"ms.date": "4/30/2019",
diff --git a/windows/security/docfx.json b/windows/security/docfx.json
index e8accb5982..3a997cd1e9 100644
--- a/windows/security/docfx.json
+++ b/windows/security/docfx.json
@@ -33,6 +33,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
+ "recommendations": true,
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-M365-IT",
"ms.topic": "article",
diff --git a/windows/threat-protection/docfx.json b/windows/threat-protection/docfx.json
index 7576fcf3df..5f30884997 100644
--- a/windows/threat-protection/docfx.json
+++ b/windows/threat-protection/docfx.json
@@ -32,6 +32,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
+ "recommendations": true,
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"ms.technology": "windows",
"ms.topic": "article",
diff --git a/windows/update/docfx.json b/windows/update/docfx.json
index 723941b24a..d577905730 100644
--- a/windows/update/docfx.json
+++ b/windows/update/docfx.json
@@ -31,6 +31,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
+ "recommendations": true,
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "MSDN.windows-update",
diff --git a/windows/whats-new/docfx.json b/windows/whats-new/docfx.json
index fe5bc2fe98..e8a0332615 100644
--- a/windows/whats-new/docfx.json
+++ b/windows/whats-new/docfx.json
@@ -32,6 +32,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
+ "recommendations": true,
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-M365-IT",
"ms.topic": "article",
From a9fdf5d97154bb900a979c19e8d0f69fedd2fe7c Mon Sep 17 00:00:00 2001
From: MandiOhlinger
Date: Thu, 5 Aug 2021 18:13:38 -0400
Subject: [PATCH 38/68] Simplifying layout and text
---
windows/configuration/TOC.yml | 26 +-
...reens-by-using-mobile-device-management.md | 46 ++--
...ws-10-start-layout-options-and-policies.md | 235 +++++++++++++-----
3 files changed, 204 insertions(+), 103 deletions(-)
diff --git a/windows/configuration/TOC.yml b/windows/configuration/TOC.yml
index c27d976f52..41ef9c66de 100644
--- a/windows/configuration/TOC.yml
+++ b/windows/configuration/TOC.yml
@@ -1,24 +1,26 @@
- name: Configure Windows client
href: index.yml
-- name: Configure appearance settings
+- name: Customize the appearance
items:
- name: Windows 10 Start and taskbar
items:
- name: Manage Windows 10 Start and taskbar layout
href: windows-10-start-layout-options-and-policies.md
- - name: Configure Windows 10 taskbar
- href: configure-windows-10-taskbar.md
- - name: Customize and export Start layout
- href: customize-and-export-start-layout.md
- - name: Add image for secondary tiles
- href: start-secondary-tiles.md
- - name: Start layout XML for desktop editions of Windows 10 (reference)
- href: start-layout-xml-desktop.md
- - name: Customize Windows 10 Start and taskbar with Group Policy
+ - name: Use XML
+ items:
+ - name: Customize and export Start layout
+ href: customize-and-export-start-layout.md
+ - name: Customize the taskbar
+ href: configure-windows-10-taskbar.md
+ - name: Add image for secondary Microsoft Edge tiles
+ href: start-secondary-tiles.md
+ - name: Start layout XML for Windows 10 desktop editions (reference)
+ href: start-layout-xml-desktop.md
+ - name: Use group policy
href: customize-windows-10-start-screens-by-using-group-policy.md
- - name: Customize Windows 10 Start and taskbar with provisioning packages
+ - name: Use provisioning packages
href: customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md
- - name: Customize Windows 10 Start and taskbar with mobile device management (MDM)
+ - name: Use mobile device management (MDM)
href: customize-windows-10-start-screens-by-using-mobile-device-management.md
- name: Troubleshoot Start menu errors
href: start-layout-troubleshoot.md
diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md
index 814515de59..c67395055b 100644
--- a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md
+++ b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md
@@ -1,6 +1,6 @@
---
-title: Alter Windows 10 Start and taskbar via mobile device management
-description: In Windows 10, you can use a mobile device management (MDM) policy to deploy a customized Start and taskbar layout to users.
+title: Change the Windows 10 Start and taskbar using mobile device management | Microsoft Docs
+description: In Windows 10, you can use a mobile device management (MDM) policy to deploy a customized Start and taskbar layout to users. For example, use Microsoft Intune to configure the start menu layout and taskbar, and deploy the policy to your devices.
ms.assetid: F487850D-8950-41FB-9B06-64240127C1E4
ms.reviewer:
manager: dansimp
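Review bot: the new `title` ("Change the Windows 10 Start and taskbar using mobile device management") no longer matches the page's own H1, `# Customize Windows 10 Start and taskbar with mobile device management (MDM)`, which the next hunk leaves unchanged; align the two so the browser title and the article heading say the same thing. The new `description` also writes "start menu" in lowercase while the H1 and the body use "Start".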
@@ -12,7 +12,7 @@ author: greg-lindsay
ms.topic: article
ms.author: greglin
ms.localizationpriority: medium
-ms.date: 02/08/2018
+ms.date: 08/05/2021
---
# Customize Windows 10 Start and taskbar with mobile device management (MDM)
@@ -25,7 +25,7 @@ ms.date: 02/08/2018
>**Looking for consumer information?** [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630)
-In Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, you can use a mobile device management (MDM) policy to deploy a customized Start and taskbar layout to users. No reimaging is required, and the layout can be updated simply by overwriting the .xml file that contains the layout. This enables you to customize Start layouts for different departments or organizations, with minimal management overhead.
+In Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, you can use a mobile device management (MDM) policy to deploy a customized Start and taskbar layout to users. No reimaging is required. The layout can be updated simply by overwriting the `.xml` file that contains the layout. This feature enables you to customize Start layouts for different departments or organizations, with minimal management overhead.
>[!NOTE]
>Support for applying a customized taskbar using MDM is added in Windows 10, version 1703.
@@ -56,35 +56,39 @@ Two features enable Start layout control:
## Create a policy for your customized Start layout
+The following example uses Microsoft Intune to configure an MDM policy that applies a customized Start layout:
-This example uses Microsoft Intune to configure an MDM policy that applies a customized Start layout. See the documentation for your MDM solution for help in applying the policy.
+1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-1. In the Microsoft Azure portal, search for **Intune** or go to **More services** > **Intune**.
+2. Select **Devices** > **Configuration profiles** > **Create profile**.
-2. Select **Device configuration**.
+3. Enter the following properties:
-3. Select **Profiles**.
+ - **Platform**: Select **Windows 10 and later**.
+ - **Profile type**: Select **Templates** > **Device restrictions** > **Create**.
-4. Select **Create profile**.
+4. In **Basics**, enter the following properties:
-5. Enter a friendly name for the profile.
+ - **Name**: Enter a descriptive name for the profile. Name your profiles so you can easily identify it later. For example, a good profile name is **Customize Start menu and taskbar**.
+ - **Description**: Enter a description for the profile. This setting is optional, but recommended.
-6. Select **Windows 10 and later** for the platform.
+5. Select **Next**.
-7. Select **Device restrictions for the profile type.
+6. In **Configuration settings**, select **Start**:
-8. Select **Start**.
+ - If you're using an XML file, select **Start menu layout**. Browse to and select your Start layout XML file.
+ - If you don't have an XML file, configure the others settings. For more information on these settings, see [Start settings in Microsoft Intune](/mem/intune/configuration/device-restrictions-windows-10#start).
-9. In **Start menu layout**, browse to and select your Start layout XML File.
+7. Select **Next**.
+8. In **Scope tags**, select **Next**. For more information about scope tags, see [Use RBAC and scope tags for distributed IT](/mem/intune/fundamentals/scope-tags).
+9. In **Assignments**, select the user or groups that will receive your profile. Select **Next**. For more information on assigning profiles, see [Assign user and device profiles](device-profile-assign.md).
+10. In **Review + create**, review your settings. When you select **Create**, your changes are saved, and the profile is assigned. The policy is also shown in the profiles list.
-10. Select **OK** twice, and then select **Create**.
-
-11. Assign the profile to a device group.
-
-For other MDM solutions, you may need to use an OMA-URI setting for Start layout, based on the [Policy configuration service provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider). The OMA-URI setting is `./User/Vendor/MSFT/Policy/Config/Start/StartLayout`.
+> [!NOTE]
+> For third party partner MDM solutions, you may need to use an OMA-URI setting for Start layout, based on the [Policy configuration service provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider). The OMA-URI setting is `./User/Vendor/MSFT/Policy/Config/Start/StartLayout`.
-## Related topics
+## Next steps
- [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md)
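Review bot: step 9 (`+9. In **Assignments**, select the user or groups that will receive your profile. ... [Assign user and device profiles](device-profile-assign.md)`) links to `device-profile-assign.md` as a relative path, but that page is not in this folder; every other Intune reference in this hunk uses an absolute `/mem/intune/...` path, so use `/mem/intune/configuration/device-profile-assign` here. Smaller points in the same hunk: "Name your profiles so you can easily identify it later" should read "identify them later"; "configure the others settings" should be "configure the other settings"; "third party partner MDM solutions" should be hyphenated as "third-party".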
@@ -95,5 +99,3 @@ For other MDM solutions, you may need to use an OMA-URI setting for Start layout
- [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
- [Customize Windows 10 Start and taskbar with provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
- [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md)
-
-
diff --git a/windows/configuration/windows-10-start-layout-options-and-policies.md b/windows/configuration/windows-10-start-layout-options-and-policies.md
index ce489cfec1..4dc9b66ae9 100644
--- a/windows/configuration/windows-10-start-layout-options-and-policies.md
+++ b/windows/configuration/windows-10-start-layout-options-and-policies.md
@@ -1,6 +1,6 @@
---
-title: Manage Windows 10 Start and taskbar layout (Windows 10)
-description: Organizations might want to deploy a customized Start and taskbar layout to devices.
+title: Customize and manage the Windows 10 Start and taskbar layout (Windows 10) | Microsoft Docs
+description: On Windows devices, customize the start menu layout and taskbar using XML, group policy, provisioning package, or MDM policy. You can add pinned folders, add a start menu size, pin apps to the taskbar, and more.
ms.assetid: 2E94743B-6A49-463C-9448-B7DD19D9CD6A
ms.reviewer:
manager: dansimp
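Review bot: in the new `description`, "add a start menu size" does not describe any setting in this article; the policy listed under **Start size** forces the Start size, so "set the Start size" fits the body better. The description also lowercases "start menu" where the body uses "Start".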
@@ -12,119 +12,215 @@ author: greg-lindsay
ms.author: greglin
ms.topic: article
ms.localizationpriority: medium
-ms.date: 06/19/2018
+ms.date: 08/05/2021
---
-# Manage Windows 10 Start and taskbar layout
+# Customize the Start menu and taskbar layout on Windows 10 and later devices
+**Applies to**:
-**Applies to**
-
-- Windows 10, Windows Server 2016 with Desktop Experience, Windows Server 2019 with Desktop Experience
+- Windows 10 version 1607 and later
+- Windows Server 2016 with Desktop Experience
+- Windows Server 2019 with Desktop Experience
> **Looking for consumer information?** [See what's on the Start menu](https://support.microsoft.com/help/17195/windows-10-see-whats-on-the-menu)
+>
+> **Looking for OEM information?** See [Customize the Taskbar](/windows-hardware/customize/desktop/customize-the-windows-11-taskbar) and [Customize the Start layout](/windows-hardware/customize/desktop/customize-the-windows-11-start-menu).
-Organizations might want to deploy a customized Start and taskbar configuration to devices running Windows 10 Pro, Enterprise, or Education. A standard, customized Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. Configuring the taskbar allows the organization to pin useful apps for their employees and to remove apps that are pinned by default.
+Your organization can deploy a customized Start and taskbar to Windows 10 Professional, Enterprise, or Education devices. Use a standard, customized Start layout on devices that are common to multiple users, and devices that are locked down. Configuring the taskbar allows you to pin useful apps for your users, and remove apps that are pinned by default.
+
+>[!NOTE]
+>Support for applying a customized taskbar using MDM is added in Windows 10, version 1703.
+
+As administrator, you can use these features to customize Start and taskbar to meet your organization needs. This article describes the different ways you can customize Start and taskbar, and lists the Start policies. It also includes taskbar information on a clean operating system (OS) installation, and when an OS is upgraded.
>[!NOTE]
->Taskbar configuration is available starting in Windows 10, version 1607.
->
->Start and taskbar configuration can be applied to devices running Windows 10 Pro, version 1703.
->
>For information on using the layout modification XML to configure Start with roaming user profiles, see [Deploy Roaming User Profiles](/windows-server/storage/folder-redirection/deploy-roaming-user-profiles#step-7-optionally-specify-a-start-layout-for-windows-10-pcs).
>
>Using CopyProfile for Start menu customization in Windows 10 isn't supported. For more information [Customize the Default User Profile by Using CopyProfile](/windows-hardware/manufacture/desktop/customize-the-default-user-profile-by-using-copyprofile)
+## Use XML
+On an existing Windows device, you can set up the **Start** screen, and then export the layout to an XML file. When you have the XML file, add this file to a group policy, a Windows Configuration Designer provisioning package, or a mobile device management (MDM) policy. Using these methods, you can deploy the XML file to your devices. When the devices receive your policy, they'll use the layout configured in the XML file.
-## Start options
+For more information, see [Customize and export Start layout](customize-and-export-start-layout.md).
+
+For the **taskbar**, you can use the same XML file as the start screen. Or, you can create a new XML file. When you have the XML file, add this file to a group policy or a provisioning package. Using these methods, you can deploy the XML file to your devices. When the devices receive your policy, they'll use the taskbar settings you configured in the XML file.
+
+For more information, see [Configure Windows 10 taskbar](configure-windows-10-taskbar.md).
+
+## Use group policy
+
+Using group policy objects (GPO), you can manage different parts of the Start menu and taskbar. You don't need to reimage the devices. Using administrative templates, you configure settings in a policy, and then deploy this policy to your devices. [Start menu policy settings](#start-menu-policy-settings) (in this article) lists the policies you can configure.
+
+For more information, see [Use group policy to customize Windows 10 Start and taskbar](customize-windows-10-start-screens-by-using-group-policy.md).
+
+## Use provisioning packages
+
+Provisioning packages are containers that include a set of configuration settings. They're designed to configure a device quickly, without installing a new image. For more information on what provisioning packages are, and what they do, see [Provisioning packages](./provisioning-packages/provisioning-packages.md).
+
+Using a provisioning package, you can customize the Start and taskbar. For more information, see [Use provisioning packages to customize Windows 10 Start and taskbar](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md).
+
+## Use a mobile device management (MDM) solution
+
+Using an MDM solution, you add an XML file to a policy, and then deploy this policy to your devices.
+
+If you use Microsoft Intune for your MDM solution, then you can use settings to configure Start and the taskbar. For more information on the settings you can configure, see [Start settings in Microsoft Intune](/mem/intune/configuration/device-restrictions-windows-10#start).
+
+For more information, see [Use MDM to customize Windows 10 Start and taskbar](customize-windows-10-start-screens-by-using-mobile-device-management.md).
+
+## Start menu policy settings

-Some areas of Start can be managed using Group Policy. The layout of Start tiles can be managed using either Group Policy or Mobile Device Management (MDM) policy.
+The following list includes the different Start options, and any policy or local settings. The settings in the list can also be used in a provisioning package. If you use a provisioning package, see the [Windows Configuration Designer reference](./wcd/wcd-policies.md#start).
->[!NOTE]
->The MDM policy settings in the table can also be configured [in a provisioning package](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) using **Policies** > **Start**. [See the reference for **Start** settings in Windows Configuration Designer.](./wcd/wcd-policies.md#start)
+- **User tile**
+ - **Group policy**: `User Configuration\Administrative Templates\Start Menu and Taskbar\Remove Logoff on the Start menu`
+ - **Local setting**: None
+ - **MDM policy**:
+ - Start/HideUserTile
+ - Start/HideSwitchAccount
+ - Start/HideSignOut
+ - Start/HideLock
+ - Start/HideChangeAccountSettings
-The following table lists the different parts of Start and any applicable policy settings or Settings options. Group Policy settings are in the **User Configuration**\\**Administrative Templates**\\**Start Menu and Taskbar** path except where a different path is listed in the table.
+- **Most used**
+ - **Group policy**: `User Configuration\Administrative Templates\Start Menu and Taskbar\Remove frequent programs from the Start menu`
+ - **Local setting**: Settings > Personalization > Start > Show most used apps
+ - **MDM policy**: Start/HideFrequentlyUsedApps
-| Start | Policy | Local setting |
-| --- | --- | --- |
-| User tile | MDM: **Start/HideUserTile****Start/HideSwitchAccount****Start/HideSignOut****Start/HideLock****Start/HideChangeAccountSettings**Group Policy: **Remove Logoff on the Start menu** | none |
-| Most used | MDM: **Start/HideFrequentlyUsedApps**Group Policy: **Remove frequent programs from the Start menu** | **Settings** > **Personalization** > **Start** > **Show most used apps** |
-| Suggestions-and-Dynamically inserted app tile | MDM: **Allow Windows Consumer Features**Group Policy: **Computer Configuration\Administrative Templates\Windows Components\Cloud Content\Turn off Microsoft consumer experiences****Note:** This policy also enables or disables notifications for a user's Microsoft account and app tiles from Microsoft dynamically inserted in the default Start menu. | **Settings** > **Personalization** > **Start** > **Occasionally show suggestions in Start** |
-| Recently added | MDM: **Start/HideRecentlyAddedApps**
Group Policy: **Computer configuration**\\**Administrative Template**\\**Start Menu and Taskbar**\\**Remove "Recently Added" list from Start Menu** (for Windows 10, version 1803) | **Settings** > **Personalization** > **Start** > **Show recently added apps** |
-| Pinned folders | MDM: **AllowPinnedFolder** | **Settings** > **Personalization** > **Start** > **Choose which folders appear on Start** |
-| Power | MDM: **Start/HidePowerButton****Start/HideHibernate****Start/HideRestart****Start/HideShutDown****Start/HideSleep**Group Policy: **Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands** | none |
-| Start layout | MDM: **Start layout****ImportEdgeAssets**Group Policy: **Prevent users from customizing their Start screen****Note:** When a full Start screen layout is imported with Group Policy or MDM, the users cannot pin, unpin, or uninstall apps from the Start screen. Users can view and open all apps in the **All Apps** view, but they cannot pin any apps to the Start screen. When a partial Start screen layout is imported, users cannot change the tile groups applied by the partial layout, but can modify other tile groups and create their own.**Start layout** policy can be used to pin apps to the taskbar based on an XML File that you provide. Users will be able to change the order of pinned apps, unpin apps, and pin additional apps to the taskbar. | none |
-| Jump lists | MDM: **Start/HideRecentJumplists**Group Policy: **Do not keep history of recently opened documents** | **Settings** > **Personalization** > **Start** > **Show recently opened items in Jump Lists on Start or the taskbar** |
-| Start size | MDM: **Force Start size**Group Policy: **Force Start to be either full screen size or menu size** | **Settings** > **Personalization** > **Start** > **Use Start full screen** |
-| App list | MDM: **Start/HideAppList** | **Settings** > **Personalization** > **Start** > **Show app list in Start menu** |
-| All Settings | Group Policy: **Prevent changes to Taskbar and Start Menu Settings** | none |
-| Taskbar | MDM: **Start/NoPinningToTaskbar** | none |
+- **Suggestions, Dynamically inserted app tile**
+ - **Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Cloud Content\Turn off Microsoft consumer experiences`
->[!NOTE]
->In local **Settings** > **Personalization** > **Start**, there is an option to **Show more tiles**. The default tile layout for Start tiles is 3 columns of medium sized tiles. **Show more tiles** enables 4 columns. To configure the 4-column layout when you [customize and export a Start layout](customize-and-export-start-layout.md), turn on the **Show more tiles** setting and then arrange your tiles.
+ This policy also enables or disables notifications for:
-[Learn how to customize and export Start layout](customize-and-export-start-layout.md)
+ - A user's Microsoft account
+ - App tiles that Microsoft dynamically adds to the default Start menu
- ## Taskbar options
+ - **Local setting**: Settings > Personalization > Start > Occasionally show suggestions in Start
+ - **MDM policy**: Allow Windows Consumer Features
-Starting in Windows 10, version 1607, you can pin additional apps to the taskbar and remove default pinned apps from the taskbar. You can specify different taskbar configurations based on device locale or region.
+- **Recently added**
+ - **Group policy**: `Computer configuration\Administrative Template\Start Menu and Taskbar\Remove "Recently Added" list from Start Menu`
-There are three categories of apps that might be pinned to a taskbar:
-* Apps pinned by the user
-* Default Windows apps, pinned during operating system installation (Microsoft Edge, File Explorer, Store)
-* Apps pinned by the enterprise, such as in an unattended Windows setup
+ This policy applies to:
- >[!NOTE]
- >We recommend using [the layoutmodification.xml method](configure-windows-10-taskbar.md) to configure taskbar options, rather than the earlier method of using [TaskbarLinks](/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-taskbarlinks) in an unattended Windows setup file.
+ - Windows 10 version 1803 and later
-The following example shows how apps will be pinned - Windows default apps to the left (blue circle), apps pinned by the user in the center (orange triangle), and apps that you pin using XML to the right (green square).
+ - **Local setting**: Settings > Personalization > Start > Show recently added apps
+ - **MDM policy**: Start/HideRecentlyAddedApps
+
+- **Pinned folders**
+ - **Local setting**: Settings > Personalization > Start > Choose which folders appear on Start
+ - **MDM policy**: AllowPinnedFolder
+
+- **Power**
+ - **Group policy**: `User Configuration\Administrative Templates\Start Menu and Taskbar\Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands`
+ - **Local setting**: None
+ - **MDM policy**:
+ - Start/HidePowerButton
+ - Start/HideHibernate
+ - Start/HideRestart
+ - Start/HideShutDown
+ - Start/HideSleep
+
+- **Start layout**
+ - **Group policy**: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent users from customizing their Start screen`
+
+ When a full Start screen layout is imported with Group Policy or MDM, users can't pin, unpin, or uninstall apps from the Start screen. Users can see and open all apps in the **All Apps** view, but they can't pin any apps to the Start screen. When a partial Start screen layout is imported, users can't change the tile groups applied by the partial layout. They can change other tile groups, and create their own tile groups.
+
+ **Start layout** policy can be used to pin apps to the taskbar based on an XML File you provide. Users can change the order of pinned apps, unpin apps, and pin more apps to the taskbar.
+
+ - **Local setting**: None
+ - **MDM policy**:
+ - Start layout
+ - ImportEdgeAssets
+
+- **Jump lists**
+ - **Group policy**: `User Configuration\Administrative Templates\Start Menu and Taskbar\Do not keep history of recently opened documents`
+ - **Local setting**: Settings > Personalization > Start > Show recently opened items in Jump Lists on Start or the taskbar
+ - **MDM policy**: Start/HideRecentJumplists
+
+- **Start size**
+ - **Group policy**: `User Configuration\Administrative Templates\Start Menu and Taskbar\Force Start to be either full screen size or menu size`
+ - **Local setting**: Settings > Personalization > Start > Use Start full screen
+ - **MDM policy**: Force Start size
+
+- **App list**
+ - **Local setting**: Settings > Personalization > Start > Show app list in Start menu
+ - **MDM policy**: Start/HideAppList
+
+- **All settings**
+ - **Group policy**: `User Configuration\Administrative Templates\Prevent changes to Taskbar and Start Menu Settings`
+ - **Local setting**: None
+
+- **Taskbar**
+ - **Local setting**: None
+ - **MDM policy**: Start/NoPinningToTaskbar
+
+> [!NOTE]
+> In the **Settings** app > **Personalization** > **Start**, there is a **Show more tiles on Start** option. The default tile layout for Start tiles is 3 columns of medium sized tiles. **Show more tiles on Start** enables 4 columns. To configure the 4-column layout when you [customize and export a Start layout](customize-and-export-start-layout.md), turn on the **Show more tiles** setting, and then arrange your tiles.
+
+## Taskbar options
+
+Starting in Windows 10 version 1607, you can pin more apps to the taskbar, and remove default pinned apps from the taskbar. You can select different taskbar configurations based on device locale or region.
+
+There are three app categories that could be pinned to a taskbar:
+
+- Apps pinned by the user
+- Default Windows apps pinned during the OS installation, such as Microsoft Edge, File Explorer, and Store
+- Apps pinned by your organization, such as in an unattended Windows setup
+
+ In an unattended Windows setup file, it's recommended to use the [layoutmodification.xml method](configure-windows-10-taskbar.md) to configure the taskbar options. It's not recommended to use [TaskbarLinks](/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-taskbarlinks).
+
+The following example shows how apps are pinned. In OS configured to use a right-to-left language, the taskbar order is reversed:
+
+- Windows default apps to the left (blue circle)
+- Apps pinned by the user in the center (orange triangle)
+- Apps that you pin using XML to the right (green square)

->[!NOTE]
->In operating systems configured to use a right-to-left language, the taskbar order will be reversed.
+If you apply the taskbar configuration to a clean install or an update, users can still:
+- Pin more apps
+- Change the order of pinned apps
+- Unpin any app
-
-Whether you apply the taskbar configuration to a clean install or an update, users will still be able to:
-* Pin additional apps
-* Change the order of pinned apps
-* Unpin any app
-
->[!NOTE]
->In Windows 10, version 1703, you can apply an MDM policy, `Start/NoPinningToTaskbar`, to prevents users from pinning and unpinning apps on the taskbar.
+> [!TIP]
+> In Windows 10 version 1703, you can apply the `Start/NoPinningToTaskbar` MDM policy. This policy prevents users from pinning and unpinning apps on the taskbar.
### Taskbar configuration applied to clean install of Windows 10
-In a clean install, if you apply a taskbar layout, only the apps that you specify and default apps that you do not remove will be pinned to the taskbar. Users can pin additional apps to the taskbar after the layout is applied.
+In a clean install, if you apply a taskbar layout, only the following apps are pinned to the taskbar:
+
+- Apps you specifically add
+- Any default apps you don't remove
+
+After the layout is applied, users can pin more apps to the taskbar.
### Taskbar configuration applied to Windows 10 upgrades
-When a device is upgraded to Windows 10, apps will be pinned to the taskbar already. Some apps may have been pinned to the taskbar by a user, and others may have been pinned to the taskbar through a customized base image or by using Windows Unattend setup.
+When a device is upgraded to Windows 10, apps are already pinned to the taskbar. Some apps may have been pinned to the taskbar by a user, by a customized base image, or by using Windows unattended setup.
-The new taskbar layout for upgrades to Windows 10, version 1607 or later, will apply the following behavior:
-* If the user pinned the app to the taskbar, those pinned apps remain and new apps will be added to the right.
-* If the user didn't pin the app (it was pinned during installation or by policy) and the app is not in updated layout file, the app will be unpinned.
-* If the user didn't pin the app and the app is in the updated layout file, the app will be pinned to the right.
-* New apps specified in updated layout file are pinned to right of user's pinned apps.
+On Windows 10 version 1607 and later, the new taskbar layout for upgrades apply the following behavior:
+
+- If users pinned apps to the taskbar, then those pinned apps remain. New apps are added to the right.
+- If users didn't pin any apps (they're pinned during installation or by policy), and the apps aren't in an updated layout file, then the apps are unpinned.
+- If a user didn't pin the app, and the app is in the updated layout file, then the app is pinned to the right.
+- New apps specified in updated layout file are pinned to right of user's pinned apps.
[Learn how to configure Windows 10 taskbar](configure-windows-10-taskbar.md).
## Start layout configuration errors
-If your Start layout customization is not applied as expected, open **Event Viewer** and navigate to **Applications and Services Log** > **Microsoft** > **Windows** > **ShellCommon-StartLayoutPopulation** > **Operational**, and check for one of the following events:
+If your Start layout customization isn't applied as you expect, open the **Event Viewer**. Go to **Applications and Services Log** > **Microsoft** > **Windows** > **ShellCommon-StartLayoutPopulation** > **Operational**. Look for the following events:
-- **Event 22** is logged when the xml is malformed, meaning the specified file simply isn’t valid xml. This can occur if the file has extra spaces or unexpected characters, or if the file is not saved in the UTF8 format.
-- **Event 64** is logged when the xml is valid, but has unexpected values. This can happen when the desired configuration is not understood, elements are not in [the required order](start-layout-xml-desktop.md#required-order), or source is not found, such as a missing or misspelled .lnk.
-
-
-
-
-## Related topics
+- **Event 22**: The XML is malformed. The specified file isn’t valid XML. This event can happen if the file has extra spaces or unexpected characters. Or, if the file isn't saved in the UTF8 format.
+- **Event 64**: The XML is valid, and has unexpected values. This event can happen when the configuration isn't understood, elements aren't in [the required order](start-layout-xml-desktop.md#required-order), or source isn't found, such as a missing or misspelled `.lnk`.
+## Next steps
- [Configure Windows 10 taskbar](configure-windows-10-taskbar.md)
- [Customize and export Start layout](customize-and-export-start-layout.md)
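Review bot: the upgrade-behaviour bullet `+- If users didn't pin any apps (they're pinned during installation or by policy), and the apps aren't in an updated layout file, then the apps are unpinned.` changes the rule: the removed line was a per-app condition (an app the user did not pin, and which is absent from the updated layout, is unpinned), whereas the new wording reads as "if the user pinned no apps at all"; restore the per-app form, for example "If the user didn't pin an app (it was pinned during installation or by policy), and the app isn't in the updated layout file, then the app is unpinned." Further points in this hunk: the paragraph `+ In an unattended Windows setup file, it's recommended to use the [layoutmodification.xml method]...` inverts the removed note, which recommended layoutmodification.xml instead of TaskbarLinks in an unattended setup file, not inside one, and its leading space indents it as a continuation of the preceding list; `In OS configured to use a right-to-left language, the taskbar order is reversed:` now introduces the left/center/right list, so the list reads as the reversed order, so move that sentence after the list (as the removed note had it) or keep it as a note; the **All settings** group policy path `User Configuration\Administrative Templates\Prevent changes to Taskbar and Start Menu Settings` omits the `Start Menu and Taskbar\` segment that every other entry includes and that the removed table stated as the default path; `Computer configuration\Administrative Template\...` under **Recently added** should match the `Computer Configuration\Administrative Templates\...` casing used under **Suggestions**; the two OEM links point at the Windows 11 taskbar and Start menu pages on a Windows 10 article, so confirm that is intended; "the new taskbar layout for upgrades apply" should be "applies"; "UTF8" should be "UTF-8", and `The XML is valid, and has unexpected values` loses the contrast of the removed "valid, but has unexpected values".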
@@ -133,4 +229,5 @@ If your Start layout customization is not applied as expected, open **Event View
- [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
- [Customize Windows 10 Start and taskbar with provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
- [Customize Windows 10 Start and taskbar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
-- [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md)
\ No newline at end of file
+- [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md)
+-
\ No newline at end of file
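Review bot: the `+-` line adds a stray empty bullet as the last item of the Next steps list, and the file still ends without a trailing newline; drop the empty bullet and end the file with a newline.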
From f044a2085cd084a801051558c32ee01bde5f5053 Mon Sep 17 00:00:00 2001
From: MandiOhlinger
Date: Thu, 5 Aug 2021 18:31:25 -0400
Subject: [PATCH 39/68] Fixed warning link, review updates
---
windows/configuration/TOC.yml | 2 +-
...ndows-10-start-screens-by-using-mobile-device-management.md | 3 +--
.../windows-10-start-layout-options-and-policies.md | 1 -
3 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/windows/configuration/TOC.yml b/windows/configuration/TOC.yml
index 41ef9c66de..f44d4cea07 100644
--- a/windows/configuration/TOC.yml
+++ b/windows/configuration/TOC.yml
@@ -4,7 +4,7 @@
items:
- name: Windows 10 Start and taskbar
items:
- - name: Manage Windows 10 Start and taskbar layout
+ - name: Start layout and taskbar
href: windows-10-start-layout-options-and-policies.md
- name: Use XML
items:
diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md
index c67395055b..8dec3271ab 100644
--- a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md
+++ b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md
@@ -81,7 +81,7 @@ The following example uses Microsoft Intune to configure an MDM policy that appl
7. Select **Next**.
8. In **Scope tags**, select **Next**. For more information about scope tags, see [Use RBAC and scope tags for distributed IT](/mem/intune/fundamentals/scope-tags).
-9. In **Assignments**, select the user or groups that will receive your profile. Select **Next**. For more information on assigning profiles, see [Assign user and device profiles](device-profile-assign.md).
+9. In **Assignments**, select the user or groups that will receive your profile. Select **Next**. For more information on assigning profiles, see [Assign user and device profiles](/mem/intune/configuration/device-profile-assign).
10. In **Review + create**, review your settings. When you select **Create**, your changes are saved, and the profile is assigned. The policy is also shown in the profiles list.
> [!NOTE]
@@ -90,7 +90,6 @@ The following example uses Microsoft Intune to configure an MDM policy that appl
## Next steps
-
- [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md)
- [Configure Windows 10 taskbar](configure-windows-10-taskbar.md)
- [Customize and export Start layout](customize-and-export-start-layout.md)
diff --git a/windows/configuration/windows-10-start-layout-options-and-policies.md b/windows/configuration/windows-10-start-layout-options-and-policies.md
index 4dc9b66ae9..e0816bbb6f 100644
--- a/windows/configuration/windows-10-start-layout-options-and-policies.md
+++ b/windows/configuration/windows-10-start-layout-options-and-policies.md
@@ -230,4 +230,3 @@ If your Start layout customization isn't applied as you expect, open the **Event
- [Customize Windows 10 Start and taskbar with provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
- [Customize Windows 10 Start and taskbar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
- [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md)
--
\ No newline at end of file
From d87e2064a67955cfb4dfec85e80dcedb50642ed2 Mon Sep 17 00:00:00 2001
From: Anna-Li <70676128+v-lianna@users.noreply.github.com>
Date: Fri, 6 Aug 2021 09:55:53 +0800
Subject: [PATCH 40/68] Update credential-guard-known-issues.md
---
.../credential-guard/credential-guard-known-issues.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md
index 4aa8190429..310e1ceb6d 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md
@@ -28,8 +28,8 @@ Windows Defender Credential Guard has certain application requirements. Windows
The following known issue has been fixed in the [Cumulative Security Update for November 2017](https://support.microsoft.com/help/4051033):
- Scheduled tasks with domain user stored credentials fail to run when Credential Guard is enabled. The task fails and reports Event ID 104 with the following message:
- "Task Scheduler failed to log on ‘\Test’ .
- Failure occurred in ‘LogonUserExEx’ .
+ "Task Scheduler failed to log on ‘\Test’.
+ Failure occurred in ‘LogonUserExEx’.
User Action: Ensure the credentials for the task are correctly specified.
Additional Data: Error Value: 2147943726. 2147943726 : ERROR\_LOGON\_FAILURE (The user name or password is incorrect)."
- When enabling NTLM audit on the domain controller, an Event ID 8004 with an indecipherable username format is logged. For example:
From dfd6e8298d586031631a8c782ef515a3fcb906c8 Mon Sep 17 00:00:00 2001
From: Anna-Li <70676128+v-lianna@users.noreply.github.com>
Date: Fri, 6 Aug 2021 10:01:13 +0800
Subject: [PATCH 41/68] Update credential-guard-known-issues.md
---
.../credential-guard/credential-guard-known-issues.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md
index 310e1ceb6d..8333c51074 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md
@@ -31,7 +31,7 @@ The following known issue has been fixed in the [Cumulative Security Update for
"Task Scheduler failed to log on ‘\Test’.
Failure occurred in ‘LogonUserExEx’.
User Action: Ensure the credentials for the task are correctly specified.
- Additional Data: Error Value: 2147943726. 2147943726 : ERROR\_LOGON\_FAILURE (The user name or password is incorrect)."
+ Additional Data: Error Value: 2147943726. 2147943726: ERROR\_LOGON\_FAILURE (The user name or password is incorrect)."
- When enabling NTLM audit on the domain controller, an Event ID 8004 with an indecipherable username format is logged. For example:
> Log Name: Microsoft-Windows-NTLM/Operational
Source: Microsoft-Windows-Security-Netlogon
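Review bot: while touching the `Additional Data` line, consider also giving the error value in its HRESULT form, since that is what readers search for: 2147943726 is 0x8007052E, whose low word 0x052E is Win32 error 1326, ERROR_LOGON_FAILURE. Something like `Error Value: 2147943726 (0x8007052E). ERROR_LOGON_FAILURE (The user name or password is incorrect)` would make the mapping to the logon failure explicit.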
From 199619b596d875344723b496fd26bc7891db7e8f Mon Sep 17 00:00:00 2001
From: Anna-Li <70676128+v-lianna@users.noreply.github.com>
Date: Fri, 6 Aug 2021 10:04:26 +0800
Subject: [PATCH 42/68] Update credential-guard-known-issues.md
---
.../credential-guard/credential-guard-known-issues.md | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md
index 8333c51074..e53c4a5315 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md
@@ -45,9 +45,9 @@ The following known issue has been fixed in the [Cumulative Security Update for
@@CyBAAAAUBQYAMHArBwUAMGAoBQZAQGA1BAbAUGAyBgOAQFAhBwcAsGA6AweAgDA2AQQAMEAwAANAgDA1AQLAIEADBQRAADAtAANAYEA1AwQA0CA5AAOAMEAyAQLAYDAxAwQAEDAEBwMAMEAwAgMAMDACBgRA0HA
Domain name: NULL
- - This event stems from a scheduled task running under local user context with the Cumulative Security Update for November 2017 or later and happens when Credential Guard is enabled.
- - The username appears in an unusual format because local accounts aren’t protected by Credential Guard. The task also fails to execute.
- - As a workaround, run the scheduled task under a domain user or the computer's SYSTEM account.
+ - This event stems from a scheduled task running under local user context with the Cumulative Security Update for November 2017 or later and happens when Credential Guard is enabled.
+ - The username appears in an unusual format because local accounts aren’t protected by Credential Guard. The task also fails to execute.
+ - As a workaround, run the scheduled task under a domain user or the computer's SYSTEM account.
The following known issues have been fixed by servicing releases made available in the Cumulative Security Updates for April 2017:
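Review bot: this hunk is whitespace-only (the three bullets are re-indented, the text is unchanged), and the same three lines are touched again in PATCH 43/68 with no visible difference. Squash the two commits, or if the second one exists to undo a bad indent from the first, say so in the commit message so the reviewer does not have to diff the diffs.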
From dd0aef630113becb2bad7c9a6bd099af1c61aada Mon Sep 17 00:00:00 2001
From: Anna-Li <70676128+v-lianna@users.noreply.github.com>
Date: Fri, 6 Aug 2021 10:06:32 +0800
Subject: [PATCH 43/68] Update credential-guard-known-issues.md
---
.../credential-guard/credential-guard-known-issues.md | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md
index e53c4a5315..06cd090471 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md
@@ -45,9 +45,9 @@ The following known issue has been fixed in the [Cumulative Security Update for
@@CyBAAAAUBQYAMHArBwUAMGAoBQZAQGA1BAbAUGAyBgOAQFAhBwcAsGA6AweAgDA2AQQAMEAwAANAgDA1AQLAIEADBQRAADAtAANAYEA1AwQA0CA5AAOAMEAyAQLAYDAxAwQAEDAEBwMAMEAwAgMAMDACBgRA0HA
Domain name: NULL
- - This event stems from a scheduled task running under local user context with the Cumulative Security Update for November 2017 or later and happens when Credential Guard is enabled.
- - The username appears in an unusual format because local accounts aren’t protected by Credential Guard. The task also fails to execute.
- - As a workaround, run the scheduled task under a domain user or the computer's SYSTEM account.
+ - This event stems from a scheduled task running under local user context with the Cumulative Security Update for November 2017 or later and happens when Credential Guard is enabled.
+ - The username appears in an unusual format because local accounts aren’t protected by Credential Guard. The task also fails to execute.
+ - As a workaround, run the scheduled task under a domain user or the computer's SYSTEM account.
The following known issues have been fixed by servicing releases made available in the Cumulative Security Updates for April 2017:
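Review bot: this hunk reapplies the indentation change already made to the same three bullets in PATCH 42/68, with no textual difference visible in the diff. Fold it into that commit; a standalone whitespace-only commit that repeats an earlier one only adds noise to the history.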
From 126366ef5f210122052db4d957beb02dd5903083 Mon Sep 17 00:00:00 2001
From: Anna-Li <70676128+v-lianna@users.noreply.github.com>
Date: Fri, 6 Aug 2021 10:12:19 +0800
Subject: [PATCH 44/68] Update credential-guard-known-issues.md
---
.../credential-guard/credential-guard-known-issues.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md
index 06cd090471..5d76d6be7c 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md
@@ -40,12 +40,12 @@ The following known issue has been fixed in the [Cumulative Security Update for
Level: Information
Description:
Domain Controller Blocked Audit: Audit NTLM authentication to this domain controller.
- Secure Channel name: \
+ Secure Channel name: \
User name:
@@CyBAAAAUBQYAMHArBwUAMGAoBQZAQGA1BAbAUGAyBgOAQFAhBwcAsGA6AweAgDA2AQQAMEAwAANAgDA1AQLAIEADBQRAADAtAANAYEA1AwQA0CA5AAOAMEAyAQLAYDAxAwQAEDAEBwMAMEAwAgMAMDACBgRA0HA
Domain name: NULL
- - This event stems from a scheduled task running under local user context with the Cumulative Security Update for November 2017 or later and happens when Credential Guard is enabled.
+ - This event stems from a scheduled task running under local user context with the [Cumulative Security Update for November 2017](https://support.microsoft.com/topic/november-27-2017-kb4051033-os-build-14393-1914-447b6b88-e75d-0a24-9ab9-5dcda687aaf4) or later and happens when Credential Guard is enabled.
- The username appears in an unusual format because local accounts aren’t protected by Credential Guard. The task also fails to execute.
- As a workaround, run the scheduled task under a domain user or the computer's SYSTEM account.
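Review bot: the new link for the November 2017 update in the `This event stems from` bullet points at the long support.microsoft.com/topic/... URL, while the same update is already linked earlier in this file as `https://support.microsoft.com/help/4051033` (see the `The following known issue has been fixed` sentence a few lines above). Use one URL for both references so the two links cannot drift apart; the shorter `/help/4051033` form is the one already in the file.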
From 933f9505c5ec297338632ad41dca9de4fd46fce1 Mon Sep 17 00:00:00 2001
From: v-lianna
Date: Fri, 6 Aug 2021 17:39:55 +0800
Subject: [PATCH 45/68] CI_153058_update TOC
---
windows/client-management/toc.yml | 6 ++++++
windows/client-management/troubleshoot-tcpip.md | 3 +++
2 files changed, 9 insertions(+)
diff --git a/windows/client-management/toc.yml b/windows/client-management/toc.yml
index 633a032f7c..29e2a5af47 100644
--- a/windows/client-management/toc.yml
+++ b/windows/client-management/toc.yml
@@ -55,6 +55,12 @@ items:
items:
- name: Collect data using Network Monitor
href: troubleshoot-tcpip-netmon.md
+ - name: "Part 1: TCP/IP performance overview"
+ href: /troubleshoot/windows-server/networking/overview-of-tcpip-performance
+ - name: "Part 2: TCP/IP performance underlying network issues"
+ href: /troubleshoot/windows-server/networking/troubleshooting-tcpip-performance-underlying-network
+ - name: "Part 3: TCP/IP performance known issues"
+ href: /troubleshoot/windows-server/networking/tcpip-performance-known-issues
- name: Troubleshoot TCP/IP connectivity
href: troubleshoot-tcpip-connectivity.md
- name: Troubleshoot port exhaustion
diff --git a/windows/client-management/troubleshoot-tcpip.md b/windows/client-management/troubleshoot-tcpip.md
index 48a95cd4e0..1ffd3f1dc2 100644
--- a/windows/client-management/troubleshoot-tcpip.md
+++ b/windows/client-management/troubleshoot-tcpip.md
@@ -17,6 +17,9 @@ manager: dansimp
In these topics, you will learn how to troubleshoot common problems in a TCP/IP network environment.
- [Collect data using Network Monitor](troubleshoot-tcpip-netmon.md)
+- [Part 1: TCP/IP performance overview](/troubleshoot/windows-server/networking/overview-of-tcpip-performance)
+- [Part 2: TCP/IP performance underlying network issues](/troubleshoot/windows-server/networking/troubleshooting-tcpip-performance-underlying-network)
+- [Part 3: TCP/IP performance known issues](/troubleshoot/windows-server/networking/tcpip-performance-known-issues)
- [Troubleshoot TCP/IP connectivity](troubleshoot-tcpip-connectivity.md)
- [Troubleshoot port exhaustion issues](troubleshoot-tcpip-port-exhaust.md)
- [Troubleshoot Remote Procedure Call (RPC) errors](troubleshoot-tcpip-rpc-errors.md)
From 98e137d6dace7002e6e71046c23e5ae0cd45d346 Mon Sep 17 00:00:00 2001
From: Dan Pandre <54847950+DanPandre@users.noreply.github.com>
Date: Fri, 6 Aug 2021 19:38:48 -0400
Subject: [PATCH 46/68] Fix missing system CSP references
---
.../mdm/policies-in-policy-csp-supported-by-surface-hub.md | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
index 763534dad3..d3e0c23e6c 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
@@ -66,6 +66,9 @@ ms.date: 07/22/2020
- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxdownloadbandwidth)
- [Desktop/PreventUserRedirectionOfProfileFolders](policy-csp-desktop.md#desktop-preventuserredirectionofprofilefolders)
- [RestrictedGroups/ConfigureGroupMembership](policy-csp-restrictedgroups.md)
+- [System/AllowLocation](policy-csp-system#system-allowlocation)
+- [System/AllowStorageCard](policy-csp-system#system-allowstoragecard)
+- [System/AllowTelemetry](policy-csp-system#system-allowtelemetry)
- [TextInput/AllowIMELogging](policy-csp-textinput.md#textinput-allowimelogging)
- [TextInput/AllowIMENetworkAccess](policy-csp-textinput.md#textinput-allowimenetworkaccess)
- [TextInput/AllowInputPanel](policy-csp-textinput.md#textinput-allowinputpanel)
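Review bot: the three new `System/...` links are missing the `.md` extension, so they do not match the sibling entries in the list (for example `policy-csp-textinput.md#textinput-allowimelogging`) and will not resolve as file links. They should read `policy-csp-system.md#system-allowlocation`, `policy-csp-system.md#system-allowstoragecard` and `policy-csp-system.md#system-allowtelemetry`. PATCH 47/68 fixes exactly this; squash it into this commit so the broken links never land.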
@@ -95,4 +98,4 @@ ms.date: 07/22/2020
## Related topics
-[Policy CSP](policy-configuration-service-provider.md)
\ No newline at end of file
+[Policy CSP](policy-configuration-service-provider.md)
From d4cda5c0b256edcf57bf124a527202b9a2ef3ce4 Mon Sep 17 00:00:00 2001
From: Dan Pandre <54847950+DanPandre@users.noreply.github.com>
Date: Fri, 6 Aug 2021 19:41:50 -0400
Subject: [PATCH 47/68] Fix links
---
.../mdm/policies-in-policy-csp-supported-by-surface-hub.md | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
index d3e0c23e6c..13c000e4f5 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
@@ -66,9 +66,9 @@ ms.date: 07/22/2020
- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxdownloadbandwidth)
- [Desktop/PreventUserRedirectionOfProfileFolders](policy-csp-desktop.md#desktop-preventuserredirectionofprofilefolders)
- [RestrictedGroups/ConfigureGroupMembership](policy-csp-restrictedgroups.md)
-- [System/AllowLocation](policy-csp-system#system-allowlocation)
-- [System/AllowStorageCard](policy-csp-system#system-allowstoragecard)
-- [System/AllowTelemetry](policy-csp-system#system-allowtelemetry)
+- [System/AllowLocation](policy-csp-system.md#system-allowlocation)
+- [System/AllowStorageCard](policy-csp-system.md#system-allowstoragecard)
+- [System/AllowTelemetry](policy-csp-system.md#system-allowtelemetry)
- [TextInput/AllowIMELogging](policy-csp-textinput.md#textinput-allowimelogging)
- [TextInput/AllowIMENetworkAccess](policy-csp-textinput.md#textinput-allowimenetworkaccess)
- [TextInput/AllowInputPanel](policy-csp-textinput.md#textinput-allowinputpanel)
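Review bot: this hunk only repairs the `.md` extension on the three links introduced in PATCH 46/68. Squash it into that commit rather than landing a broken-link commit followed by its fix.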
From 9aa2be7ebddbdf0c9908a4db134eec8a4becacc5 Mon Sep 17 00:00:00 2001
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com>
Date: Mon, 9 Aug 2021 11:44:55 +0500
Subject: [PATCH 48/68] Update
windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
.../hello-for-business/hello-hybrid-aadj-sso-cert.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
index 090085514e..aa4eeb348a 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
@@ -681,7 +681,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
11. Next to **Subject name format**, type **CN={{OnPrem_Distinguished_Name}}** to make the on-premises distinguished name the subject of the issued certificate.
> [!NOTE]
- > If the distinguished name contains special characters like plus sign ("+"), comma (","), semicolon (";"), or equal sign ("="), the bracketed name must be enclosed in quotation marks: CN=”{{OnPrem_Distinguished_Name}}”.
+ > If the distinguished name contains special characters like a plus sign ("+"), comma (","), semicolon (";"), or equal sign ("="), the bracketed name must be enclosed in quotation marks: CN=”{{OnPrem_Distinguished_Name}}”.
> If the length of the distinguished name is more than 64 characters, the name length enforcement on the Certification Authority [must be disabled](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2003/cc784789(v=ws.10)?#disable-dn-length-enforcement).
12. Specify **User Principal Name (UPN)** as a **Subject Alternative Name** parameter. Set its value as {{UserPrincipalName}}.
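Review bot: the quotation marks in the example `CN=”{{OnPrem_Distinguished_Name}}”` are typographic right double quotes (U+201D) on both the removed and the added line, not the ASCII `"` that Intune's subject name format field expects. Anyone copying the example gets a subject that is not quoted at all, which is exactly the failure the note is warning about: a distinguished name containing `,` or `=` would then be parsed as extra RDNs instead of one quoted value. Replace both with straight quotes, ideally in backticks so the renderer cannot convert them again: `CN="{{OnPrem_Distinguished_Name}}"`.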
From 036de85d1818004a91cde78ae0152d5fdda0ddd0 Mon Sep 17 00:00:00 2001
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com>
Date: Mon, 9 Aug 2021 11:45:03 +0500
Subject: [PATCH 49/68] Update
windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
.../hello-for-business/hello-hybrid-aadj-sso-cert.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
index aa4eeb348a..b8ce7af3da 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
@@ -682,7 +682,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
> [!NOTE]
> If the distinguished name contains special characters like a plus sign ("+"), comma (","), semicolon (";"), or equal sign ("="), the bracketed name must be enclosed in quotation marks: CN=”{{OnPrem_Distinguished_Name}}”.
- > If the length of the distinguished name is more than 64 characters, the name length enforcement on the Certification Authority [must be disabled](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2003/cc784789(v=ws.10)?#disable-dn-length-enforcement).
+ > If the length of the distinguished name is more than 64 characters, the name length enforcement on the Certification Authority [must be disabled](/previous-versions/windows/it-pro/windows-server-2003/cc784789(v=ws.10)?#disable-dn-length-enforcement).
12. Specify **User Principal Name (UPN)** as a **Subject Alternative Name** parameter. Set its value as {{UserPrincipalName}}.
13. Refer to the "Configure Certificate Templates on NDES" task for how you configured the **AADJ WHFB Authentication** certificate template in the registry. Select the appropriate combination of key usages from the **Key Usages** list that map to the configured NDES template in the registry. In this example, the **AADJ WHFB Authentication** certificate template was added to the **SignatureTemplate** registry value name. The **Key usage** that maps to that registry value name is **Digital Signature**.
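Review bot: the `must be disabled` link now points at an archived Windows Server 2003 page via a site-root path; the wording should also make clear that name length enforcement is a setting on the Certification Authority, not on this template, so disabling it relaxes the 64-character limit for every certificate the CA issues. Worth one sentence telling the reader to confirm that is acceptable for their other templates before changing it, rather than presenting it as a free fix for long on-premises DNs.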
From f15dc57cec8e7faf3b315edd31f31cbd39f81ec6 Mon Sep 17 00:00:00 2001
From: Diana Hanson
Date: Mon, 9 Aug 2021 11:56:00 -0600
Subject: [PATCH 50/68] Raise acro score
sync PR: https://github.com/MicrosoftDocs/windows-docs-pr/pull/5480
---
.../event-id-explanations.md | 40 +++++++++----------
1 file changed, 20 insertions(+), 20 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
index ff7f78475a..185e7af3d1 100644
--- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
+++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
@@ -91,26 +91,26 @@ The WDAC policy rule-option values can be derived from the "Options" field in th
| Bit Address | Policy Rule Option |
|-------|------|
-| 2 | Enabled:UMCI |
-| 3 | Enabled:Boot Menu Protection |
-| 4 | Enabled:Intelligent Security Graph Authorization |
-| 5 | Enabled:Invalidate EAs on Reboot |
-| 7 | Required:WHQL |
-| 10 | Enabled:Allow Supplemental Policies |
-| 11 | Disabled:Runtime FilePath Rule Protection |
-| 13 | Enabled:Revoked Expired As Unsigned |
-| 16 | Enabled:Audit Mode (Default) |
-| 17 | Disabled:Flight Signing |
-| 18 | Enabled:Inherit Default Policy |
-| 19 | Enabled:Unsigned System Integrity Policy (Default) |
-| 20 | Enabled:Dynamic Code Security |
-| 21 | Required:EV Signers |
-| 22 | Enabled:Boot Audit on Failure |
-| 23 | Enabled:Advanced Boot Options Menu |
-| 24 | Disabled:Script Enforcement |
-| 25 | Required:Enforce Store Applications |
-| 27 | Enabled:Managed Installer |
-| 28 | Enabled:Update Policy No Reboot |
+| 2 | `Enabled:UMCI` |
+| 3 | `Enabled:Boot Menu Protection` |
+| 4 | `Enabled:Intelligent Security Graph Authorization` |
+| 5 | `Enabled:Invalidate EAs on Reboot` |
+| 7 | `Required:WHQL` |
+| 10 | `Enabled:Allow Supplemental Policies` |
+| 11 | `Disabled:Runtime FilePath Rule Protection` |
+| 13 | `Enabled:Revoked Expired As Unsigned` |
+| 16 | `Enabled:Audit Mode (Default)` |
+| 17 | `Disabled:Flight Signing` |
+| 18 | `Enabled:Inherit Default Policy` |
+| 19 | `Enabled:Unsigned System Integrity Policy (Default)` |
+| 20 | `Enabled:Dynamic Code Security` |
+| 21 | `Required:EV Signers` |
+| 22 | `Enabled:Boot Audit on Failure` |
+| 23 | `Enabled:Advanced Boot Options Menu` |
+| 24 | `Disabled:Script Enforcement` |
+| 25 | `Required:Enforce Store Applications` |
+| 27 | `Enabled:Managed Installer` |
+| 28 | `Enabled:Update Policy No Reboot` |
## Appendix
A list of other relevant event IDs and their corresponding description.
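Review bot: wrapping the option names in backticks is fine, but the `Bit Address` column still does not say how bits are numbered. The preceding text tells the reader to convert the hex `Options` value to binary and then use the bit addresses, so state explicitly that bit 0 is the least significant bit (that is, bit 2 corresponds to value 0x4); otherwise readers counting from the left of the binary string will map every rule option to the wrong bit.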
From b299fca18a551f536ccb9cbddf7a655ea4decfe6 Mon Sep 17 00:00:00 2001
From: Diana Hanson
Date: Mon, 9 Aug 2021 11:57:38 -0600
Subject: [PATCH 51/68] Fix Warning
Sync PR https://github.com/MicrosoftDocs/windows-docs-pr/pull/5480
---
.../event-id-explanations.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
index 185e7af3d1..d9a41c8eff 100644
--- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
+++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
@@ -87,7 +87,7 @@ reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x
```
## System Integrity Policy Options
-The WDAC policy rule-option values can be derived from the "Options" field in the Details section of the Code integrity 3099 event. To parse the values, first convert the hex value to binary. Next, use the bit addresses and their values from the table below to determine the state of each [policy rule-option](select-types-of-rules-to-create#table-1-windows-defender-application-control-policy---rule-options).
+The WDAC policy rule-option values can be derived from the "Options" field in the Details section of the Code integrity 3099 event. To parse the values, first convert the hex value to binary. Next, use the bit addresses and their values from the table below to determine the state of each [policy rule-option](/select-types-of-rules-to-create#table-1-windows-defender-application-control-policy---rule-options).
| Bit Address | Policy Rule Option |
|-------|------|
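Review bot: the replacement link `/select-types-of-rules-to-create#table-1-...` will not resolve. Other in-repo links in these docs use the relative `file.md#anchor` form (for example `policy-csp-system.md#system-allowlocation` elsewhere in this series), and a leading `/` makes the path site-root-relative, which is not where this page lives. The original link only needed the `.md` extension: `select-types-of-rules-to-create.md#table-1-windows-defender-application-control-policy---rule-options`.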
From 948b041f1eb568b1961e715c01e127fb369d5b6a Mon Sep 17 00:00:00 2001
From: gkomatsu
Date: Mon, 9 Aug 2021 11:04:48 -0700
Subject: [PATCH 52/68] Update
bulk-enrollment-using-windows-provisioning-tool.md
Changed terms ICD -> WCD.
Changed link from ADK to Microsoft Store
Added Windows 11.
Added bullet "Bulk Token creation is not supported with federated accounts." to notes
---
...ollment-using-windows-provisioning-tool.md | 26 +++++++++----------
1 file changed, 13 insertions(+), 13 deletions(-)
diff --git a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md
index b9f88dc916..b3466dc27f 100644
--- a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md
+++ b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md
@@ -1,6 +1,6 @@
---
title: Bulk enrollment
-description: Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to re-image the devices. In Windows 10.
+description: Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to re-image the devices. In Windows 10 and 11.
MS-HAID:
- 'p\_phdevicemgmt.bulk\_enrollment'
- 'p\_phDeviceMgmt.bulk\_enrollment\_using\_Windows\_provisioning\_tool'
@@ -18,7 +18,7 @@ ms.date: 06/26/2017
# Bulk enrollment
-Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to re-image the devices. In Windows 10 desktop and mobile devices, you can use the [Provisioning CSP](provisioning-csp.md) for bulk enrollment, except for the Azure Active Directory Join (Cloud Domain Join) enrollment scenario.
+Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to re-image the devices. In Windows 10 and 11 desktop devices, you can use the [Provisioning CSP](provisioning-csp.md) for bulk enrollment, except for the Azure Active Directory Join (Cloud Domain Join) enrollment scenario.
## Typical use cases
@@ -37,12 +37,13 @@ On the desktop and mobile devices, you can use an enrollment certificate or enro
> - Bulk enrollment does not work in Intune standalone environment.
> - Bulk enrollment works in Microsoft Endpoint Manager where the ppkg is generated from the Configuration Manager console.
> - To change bulk enrollment settings, login to **AAD**, then **Devices**, and then click **Device Settings**. Change the number under **Maximum number of devices per user**.
+> - Bulk Token creation is not supported with federated accounts.
## What you need
- Windows 10 devices
-- Windows Imaging and Configuration Designer (ICD) tool
- To get the ICD tool, download the [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). For more information about the ICD tool, see [Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd) and [Getting started with Windows ICD](/windows/configuration/provisioning-packages/provisioning-install-icd).
+- Windows Configuration Designer (WCD) tool
+ To get the WCD tool, download from the [Microsoft Store](https://www.microsoft.com/store/productId/9NBLGGH4TX22). For more information about the WCD tool, see [Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd) and [Getting started with Windows WCD](/windows/configuration/provisioning-packages/provisioning-install-icd).
- Enrollment credentials (domain account for enrollment, generic enrollment credentials for MDM, enrollment certificate for MDM.)
- Wi-Fi credentials, computer name scheme, and anything else required by your organization.
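Review bot: two points in the `What you need` hunk. First, `- Windows 10 devices` is left as-is even though the description and the intro in this same patch were changed to `Windows 10 and Windows 11`; update the prerequisite too. Second, the two links in the WCD line both point at the same page, `/windows/configuration/provisioning-packages/provisioning-install-icd`, and the second label, `Getting started with Windows WCD`, expands to "Windows Windows Configuration Designer". Drop the duplicate link or point it at the getting-started page, and label it `Getting started with Windows Configuration Designer`.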
@@ -50,14 +51,14 @@ On the desktop and mobile devices, you can use an enrollment certificate or enro
## Create and apply a provisioning package for on-premises authentication
-Using the ICD, create a provisioning package using the enrollment information required by your organization. Ensure that you have all the configuration settings.
+Using the WCD, create a provisioning package using the enrollment information required by your organization. Ensure that you have all the configuration settings.
-1. Open the Windows ICD tool (by default, %windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe).
+1. Open the WCD tool.
2. Click **Advanced Provisioning**.

3. Enter a project name and click **Next**.
-4. Select **All Windows editions**, since Provisioning CSP is common to all Windows 10 editions, then click **Next**.
+4. Select **All Windows editions**, since Provisioning CSP is common to all Windows editions, then click **Next**.
5. Skip **Import a provisioning package (optional)** and click **Finish**.
6. Expand **Runtime settings** > **Workplace**.
7. Click **Enrollments**, enter a value in **UPN**, and then click **Add**.
@@ -70,7 +71,7 @@ Using the ICD, create a provisioning package using the enrollment information re
- **PolicyServiceFullUrl** - Optional and in most cases, it should be left blank.
- **Secret** - Password
For detailed descriptions of these settings, see [Provisioning CSP](provisioning-csp.md).
- Here is the screenshot of the ICD at this point.
+ Here is the screenshot of the WCD at this point.

9. Configure the other settings, such as the Wi-Fi connections so that the device can join a network before joining MDM (e.g., **Runtime settings** > **ConnectivityProfiles** > **WLANSetting**).
10. When you are done adding all the settings, on the **File** menu, click **Save**.
@@ -90,12 +91,12 @@ Using the ICD, create a provisioning package using the enrollment information re
## Create and apply a provisioning package for certificate authentication
-Using the ICD, create a provisioning package using the enrollment information required by your organization. Ensure that you have all the configuration settings.
+Using the WCD, create a provisioning package using the enrollment information required by your organization. Ensure that you have all the configuration settings.
-1. Open the Windows ICD tool (by default, %windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe).
+1. Open the WCD tool.
2. Click **Advanced Provisioning**.
3. Enter a project name and click **Next**.
-4. Select **Common to all Windows editions**, since Provisioning CSP is common to all Windows 10 editions.
+4. Select **Common to all Windows editions**, since Provisioning CSP is common to all Windows editions.
5. Skip **Import a provisioning package (optional)** and click **Finish**.
6. Specify the certificate.
1. Go to **Runtime settings** > **Certificates** > **ClientCertificates**.
@@ -129,8 +130,7 @@ Using the ICD, create a provisioning package using the enrollment information re
Here's the list of topics about applying a provisioning package:
- [Apply a package on the first-run setup screen (out-of-the-box experience)](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment#apply-package) - topic in Technet.
-- [Apply a package to a Windows 10 desktop edition image](/windows/configuration/provisioning-packages/provisioning-create-package#to_apply_a_provisioning_package_to_a_desktop_image) - topic in MSDN
-- [Apply a package to a Windows 10 Mobile image](/windows/configuration/provisioning-packages/provisioning-create-package#to_apply_a_provisioning_package_to_a_mobile_image) - topic in MSDN.
+- [Apply a package to a Windows desktop edition image](/windows/configuration/provisioning-packages/provisioning-create-package#to_apply_a_provisioning_package_to_a_desktop_image) - topic in MSDN
- [Apply a package from the Settings menu](#apply-a-package-from-the-settings-menu) - topic below
## Apply a package from the Settings menu
From b901354412a69437adb848bf5df7ba6a1c3c7b50 Mon Sep 17 00:00:00 2001
From: Daniel Simpson
Date: Mon, 9 Aug 2021 11:26:56 -0700
Subject: [PATCH 53/68] Update
bulk-enrollment-using-windows-provisioning-tool.md
---
.../mdm/bulk-enrollment-using-windows-provisioning-tool.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md
index b3466dc27f..4df0e51619 100644
--- a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md
+++ b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md
@@ -1,6 +1,6 @@
---
title: Bulk enrollment
-description: Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to re-image the devices. In Windows 10 and 11.
+description: Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to re-image the devices. In Windows 10 and Windows 11.
MS-HAID:
- 'p\_phdevicemgmt.bulk\_enrollment'
- 'p\_phDeviceMgmt.bulk\_enrollment\_using\_Windows\_provisioning\_tool'
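Review bot: the description still ends with the fragment "In Windows 10 and Windows 11." as a sentence of its own; fold it into the preceding sentence ("...without the need to re-image the devices in Windows 10 and Windows 11.") or drop it, since this front-matter field is what appears in search result snippets.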
From 5e7ce5d47057923098b21c8474b9b3f8745d1415 Mon Sep 17 00:00:00 2001
From: Diana Hanson
Date: Mon, 9 Aug 2021 12:34:41 -0600
Subject: [PATCH 54/68] fix staging
Sync PR: https://github.com/MicrosoftDocs/windows-docs-pr/pull/5487
---
.../mdm/bulk-enrollment-using-windows-provisioning-tool.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md
index 4df0e51619..1b84316554 100644
--- a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md
+++ b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md
@@ -43,6 +43,7 @@ On the desktop and mobile devices, you can use an enrollment certificate or enro
- Windows 10 devices
- Windows Configuration Designer (WCD) tool
+
To get the WCD tool, download from the [Microsoft Store](https://www.microsoft.com/store/productId/9NBLGGH4TX22). For more information about the WCD tool, see [Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd) and [Getting started with Windows WCD](/windows/configuration/provisioning-packages/provisioning-install-icd).
- Enrollment credentials (domain account for enrollment, generic enrollment credentials for MDM, enrollment certificate for MDM.)
- Wi-Fi credentials, computer name scheme, and anything else required by your organization.
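Review bot: the blank line inserted after the WCD bullet ends the list, so "To get the WCD tool..." renders as a stand-alone paragraph and "Enrollment credentials" starts a second list; indent that paragraph under the WCD bullet instead of separating it. In the same paragraph both links, "Windows Configuration Designer" and "Getting started with Windows WCD", point to the identical target `/windows/configuration/provisioning-packages/provisioning-install-icd`; keep one or point the second at the actual getting-started topic. Also, the description changed in the previous commit to cover Windows 10 and Windows 11, but this list still requires "Windows 10 devices".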
From ed55b1a5eb132967fd09b50d5c86647a1df73b5e Mon Sep 17 00:00:00 2001
From: Diana Hanson
Date: Mon, 9 Aug 2021 12:46:55 -0600
Subject: [PATCH 55/68] Fix formatting
Sync PR https://github.com/MicrosoftDocs/windows-docs-pr/pull/5487
---
.../bulk-enrollment-using-windows-provisioning-tool.md | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md
index 1b84316554..4fabdbc971 100644
--- a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md
+++ b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md
@@ -41,11 +41,11 @@ On the desktop and mobile devices, you can use an enrollment certificate or enro
## What you need
-- Windows 10 devices
-- Windows Configuration Designer (WCD) tool
+- Windows 10 devices.
+- Windows Configuration Designer (WCD) tool.
To get the WCD tool, download from the [Microsoft Store](https://www.microsoft.com/store/productId/9NBLGGH4TX22). For more information about the WCD tool, see [Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd) and [Getting started with Windows WCD](/windows/configuration/provisioning-packages/provisioning-install-icd).
-- Enrollment credentials (domain account for enrollment, generic enrollment credentials for MDM, enrollment certificate for MDM.)
+- Enrollment credentials (domain account for enrollment, generic enrollment credentials for MDM, enrollment certificate for MDM.).
- Wi-Fi credentials, computer name scheme, and anything else required by your organization.
Some organizations require custom APNs to be provisioned before talking to the enrollment endpoint or custom VPN to join a domain.
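Review bot: the period added to the "Enrollment credentials" bullet produces `MDM.).`; move the existing period outside the parenthesis (`...enrollment certificate for MDM).`) rather than adding a second one.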
@@ -73,7 +73,8 @@ Using the WCD, create a provisioning package using the enrollment information re
- **Secret** - Password
For detailed descriptions of these settings, see [Provisioning CSP](provisioning-csp.md).
Here is the screenshot of the WCD at this point.
- 
+
+ 
9. Configure the other settings, such as the Wi-Fi connections so that the device can join a network before joining MDM (e.g., **Runtime settings** > **ConnectivityProfiles** > **WLANSetting**).
10. When you are done adding all the settings, on the **File** menu, click **Save**.
11. On the main menu click **Export** > **Provisioning package**.
From 067bc3fb90e579adc6822bff81fc04a0b92fe845 Mon Sep 17 00:00:00 2001
From: Linda Diefendorf
Date: Mon, 9 Aug 2021 11:59:09 -0700
Subject: [PATCH 56/68] Update device-guard-signing-portal.md
Updating to include v2 cmdlet descriptions
---
.../device-guard-signing-portal.md | 125 +++++++++++++++++-
1 file changed, 124 insertions(+), 1 deletion(-)
diff --git a/store-for-business/device-guard-signing-portal.md b/store-for-business/device-guard-signing-portal.md
index c6c8eeb5e5..64da5a18ce 100644
--- a/store-for-business/device-guard-signing-portal.md
+++ b/store-for-business/device-guard-signing-portal.md
@@ -43,7 +43,7 @@ ms.date: 07/21/2021
- Windows 10
- Windows 10 Mobile
-Device Guard signing is a Device Guard feature that is available in Microsoft Store for Business and Education. It gives admins a single place to sign catalog files and code integrity policies. After admins have created catalog files for unsigned apps and signed the catalog files, they can add the signers to a code integrity policy. You can merge the code integrity policy with your existing policy to include your custom signing certificate. This allows you to trust the catalog files.
+Device Guard signing is a Device Guard feature that gives admins a single place to sign catalog files and code integrity policies. After admins have created catalog files for unsigned apps and signed the catalog files, they can add the signers to a code integrity policy. You can merge the code integrity policy with your existing policy to include your custom signing certificate. This allows you to trust the catalog files.
Device Guard is a feature set that consists of both hardware and software system integrity hardening features. These features use new virtualization-based security options and the trust-nothing mobile device operating system model. A key feature in this model is called configurable code integrity, which allows your organization to choose exactly which software or trusted software publishers are allowed to run code on your client machines. Also, Device Guard offers organizations a way to sign existing line-of-business (LOB) applications so that they can trust their own code, without the requirement that the application be repackaged. Also, this same method of signing allows organizations to trust individual third-party applications. For more information, see [Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide).
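Review bot: the rewritten opening sentence removes the only statement of where Device Guard signing is offered ("available in Microsoft Store for Business and Education") without saying what replaces it; since the rest of this patch documents the Device Guard Signing Service (v2) PowerShell cmdlets, state here that signing is done through that module so the reader knows which surface the commands below belong to.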
@@ -54,6 +54,129 @@ Device Guard is a feature set that consists of both hardware and software system
| [Add unsigned app to code integrity policy](add-unsigned-app-to-code-integrity-policy.md) | When you want to add an unsigned app to a code integrity policy, you need to start with a code integrity policy created from a reference device. Then, create the catalog files for your unsigned app, sign the catalog files, and then merge the default policy that includes your signing certificate with existing code integrity policies. |
| [Sign code integrity policy with Device Guard signing](sign-code-integrity-policy-with-device-guard-signing.md) | Signing code integrity policies prevents policies from being tampered with after they're deployed. You can sign code integrity policies with the Device Guard signing portal. |
+## Device Guard Signing Service (v2) PowerShell Commands
+
+_Note: [.. common ..] are parameters common across all commands that are documented below the command definitions._
+
+**Get-DefaultPolicy** Gets the default .xml policy file associated with the current tenant.
+
+- Usage:
+
+```
+Get-DefaultPolicy -OutFile filename [-PassThru] [.. common ..]
+```
+
+- Parameters:
+
+ **OutFile** - string, mandatory - The filename where the default policy file should be persisted to disk. The file name should be an .xml file. If the file already exists, it will be overwritten (note: create the folder first).
+
+ **PassThru** - switch, optional - If present, returns an XmlDocument object returning the default policy file.
+
+- Command running time:
+
+ The average running time is under 20 seconds but may be up to 3 minutes.
+
+**Get-RootCertificate** Gets the root certificate for the current tenant. All Authenticode and policy signing certificates will eventually chain up to this root certificate.
+
+- Usage:
+
+ ```
+ Get-RootCertificate -OutFile filename [-PassThru] [.. common ..]
+ ```
+
+- Parameters:
+
+ **OutFile** - string, mandatory - The filename where the root certificate file should be persisted to disk. The file name should be a .cer file. If the file already exists, it will be overwritten (note: create the folder first).
+
+ **PassThru** - switch, optional - If present, returns an X509Certificate2 object returning the default
+ policy file.
+
+- Command running time:
+
+ The average running time is under 20 seconds but may be up to 3 minutes.
+
+**Get-SigningHistory** Gets information for the latest 100 files signed by the current tenant. Results are returned as a collection with elements in reverse chronological order (most recent to least recent).
+
+- Usage:
+
+ ```
+ Get-SigningHistory -OutFile filename [-PassThru] [.. common ..]
+ ```
+
+- Parameters:
+
+ **OutFile** - string, mandatory - The filename where the signing history file should be persisted to disk. The file name should be a .xml file. If the file already exists, it will be overwritten (note: create the folder first).
+
+ **PassThru** - switch, optional - If present, returns XML objects returning the XML file.
+
+- Command running time:
+
+ The average running time is under 10 seconds.
+
+**Submit-SigningJob** Submits a file to the service for signing and timestamping. The module supports valid file type for Authenticode signing is Catalog file (.cat). Valid file type for policy signing is binary policy files with the extension (.bin) that have been created via the ConvertFrom-CiPolicy cmdlet. Otherwise, binary policy file may not be deployed properly.
+
+- Usage:
+
+ ```
+ Submit-SigningJob -InFile filename -OutFile filename [-NoTimestamp][- TimeStamperUrl "timestamper url"] [-JobDescription "description"] [.. common ..]
+ ```
+
+- Parameters:
+
+ **InFile** - string, mandatory - The file to be signed. This should be a file of the types described in description above (.cat or .bin).
+
+ **OutFile** - string, mandatory - The output file that should be generated by the signing process. If this file already exists, it will be overwritten. (note: create the folder first)
+
+ **NoTimestamp** - switch, optional - If present, the signing operation will skip timestamping the output file, and it will be signed only. If not present (default) and TimeStamperUrl presents, the output file will be both signed and timestamped. If both NoTimestamp and TimeStamperUrl not present, the signing operation will skip timestamping the output file, and it will be signed only.
+
+ **TimeStamperUrl** - string, optional - If this value is invalid Url (and NoTimestamp not present), the module will throw exception. To understand more about timestamping, refer to [Timestamping](https://docs.microsoft.com/en-us/windows/msix/package/signing-package-overview#timestamping).
+
+ **JobDescription** - string, optional - A short (< 100 chars), human-readable description of this submission. If the script is being called as part of an automated build rocess the agent may wish to pass a version number or changeset number for this field. This information will be provided as part of the results of the Get-SigningHistory command.
+
+**Submit-SigningV1MigrationPolicy** Submits a file to the service for signing and timestamping. The only valid file type for policy
+signing is binary policy files with the extension (.bin) that have been created via the [ConvertFromCiPolicy](https://docs.microsoft.com/en-us/powershell/module/configci/convertfrom-cipolicy?view=windowsserver2019-ps&viewFallbackFrom=win10-ps) cmdlet. Otherwise, binary policy file may not be deployed properly. Note: Only use for V1 migration.
+
+- Usage:
+
+ ```
+ Submit-SigningV1MigrationPolicy -InFile filename -OutFile filename [-NoTimestamp][-TimeStamperUrl "timestamper url"] [-JobDescription "description"] [.. common ..]
+ ```
+
+- Parameters:
+
+ **InFile** - string, mandatory - The file to be signed. This should be a file of the types described in description above (.bin).
+
+ **OutFile** - string, mandatory - The output file that should be generated by the signing process. If this file already exists, it will be overwritten (note: create the folder first).
+
+ **NoTimestamp** - switch, optional - If present, the signing operation will skip timestamping the output file, and it will be signed only. If not present (default) and TimeStamperUrl presents, the output file will be both signed and timestamped. If both NoTimestamp and TimeStamperUrl not present, the signing operation will skip timestamping the output file, and it will be signed only.
+
+ **TimeStamperUrl** - string, optional - If this value is invalid Url (and NoTimestamp not present), the module will throw exception. To understand more about timestamping, refer to [Timestamping](https://docs.microsoft.com/en-us/windows/msix/package/signing-package-overview#timestamping).
+
+ **JobDescription** - string, optional - A short (< 100 chars), human-readable description of this submission. If the script is being called as part of an automated build process the agent may wish to pass a version number or changeset number for this field. This information will be provided as part of the results of the Get-SigningHistory command.
+
+- Command running time:
+
+ The average running time is under 20 seconds but may be up to 3 minutes.
+
+**Common parameters [.. common ..]**
+
+In addition to cmdlet-specific parameters, each cmdlet understands the following common parameters.
+
+- Usage:
+
+ ```
+ ... [-NoPrompt] [-Credential $creds] [-AppId AppId] [-Verbose]
+ ```
+
+- Parameters:
+
+ **NoPrompt** - switch, optional - If present, indicates that the script is running in a headless
+ environment and that all UI should be suppressed. If UI must be displayed (e.g., for
+ authentication) when the switch is set, the operation will instead fail.
+
+ **Credential + AppId** - PSCredential - A login credential (username and password) and AppId.
+
+
## File and size limits
When you're uploading files for Device Guard signing, there are a few limits for files and file size:
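Review bot: the Get-RootCertificate PassThru entry says it "returns an X509Certificate2 object returning the default policy file", which is the Get-DefaultPolicy wording carried over; it should say the object is the tenant root certificate. Further points in this hunk: the Submit-SigningJob usage line has a stray space in `[- TimeStamperUrl "timestamper url"]` that breaks the parameter name if pasted; the NoTimestamp paragraph states the same outcome twice (with -NoTimestamp, and with neither switch, the file is signed but not timestamped), so collapse it to one sentence saying timestamping happens only when -TimeStamperUrl is supplied, and because the linked Timestamping topic explains that an untimestamped signature is not treated as valid once the signing certificate expires, tell the reader to pass a timestamp URL for production catalog signing instead of leaving no-timestamp as the silent default; "The module supports valid file type for Authenticode signing is Catalog file (.cat)" needs rewording; "build rocess" is a typo for "build process"; Submit-SigningJob is the only cmdlet without a "Command running time" entry; and under common parameters `-Verbose` appears in the usage line but is never described, while "Credential + AppId" should say whether this is a user sign-in or an app registration (AppId with a secret as the PSCredential) and that -NoPrompt makes the call fail when those are absent and interactive authentication would be needed. The fences also lack a language tag.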
From 1db546b1437fc6ff5c33315c34433ada3ada0505 Mon Sep 17 00:00:00 2001
From: Cern McAtee
Date: Mon, 9 Aug 2021 13:16:02 -0700
Subject: [PATCH 57/68] Fixed !NOTES and added codeblock IDs
---
.../device-guard-signing-portal.md | 33 ++++++++++---------
1 file changed, 18 insertions(+), 15 deletions(-)
diff --git a/store-for-business/device-guard-signing-portal.md b/store-for-business/device-guard-signing-portal.md
index 64da5a18ce..f13413106a 100644
--- a/store-for-business/device-guard-signing-portal.md
+++ b/store-for-business/device-guard-signing-portal.md
@@ -17,6 +17,11 @@ ms.date: 07/21/2021
# Device Guard signing
+**Applies to**
+
+- Windows 10
+- Windows 10 Mobile
+
> [!IMPORTANT]
> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
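Review bot: moving the "Applies to" block above the retirement notice is fine, but it still lists `- Windows 10 Mobile`, which reached end of support in January 2020; since this block is being touched anyway, either remove that entry or state the platform the v2 PowerShell module is supported on.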
@@ -37,12 +42,6 @@ ms.date: 07/21/2021
>
> For any questions, please contact us at DGSSMigration@microsoft.com.
-
-**Applies to**
-
-- Windows 10
-- Windows 10 Mobile
-
Device Guard signing is a Device Guard feature that gives admins a single place to sign catalog files and code integrity policies. After admins have created catalog files for unsigned apps and signed the catalog files, they can add the signers to a code integrity policy. You can merge the code integrity policy with your existing policy to include your custom signing certificate. This allows you to trust the catalog files.
Device Guard is a feature set that consists of both hardware and software system integrity hardening features. These features use new virtualization-based security options and the trust-nothing mobile device operating system model. A key feature in this model is called configurable code integrity, which allows your organization to choose exactly which software or trusted software publishers are allowed to run code on your client machines. Also, Device Guard offers organizations a way to sign existing line-of-business (LOB) applications so that they can trust their own code, without the requirement that the application be repackaged. Also, this same method of signing allows organizations to trust individual third-party applications. For more information, see [Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide).
@@ -56,16 +55,17 @@ Device Guard is a feature set that consists of both hardware and software system
## Device Guard Signing Service (v2) PowerShell Commands
-_Note: [.. common ..] are parameters common across all commands that are documented below the command definitions._
+> [!NOTE]
+> [.. common ..] are parameters common across all commands that are documented below the command definitions.
**Get-DefaultPolicy** Gets the default .xml policy file associated with the current tenant.
- Usage:
-```
+```powershell
Get-DefaultPolicy -OutFile filename [-PassThru] [.. common ..]
```
-
+
- Parameters:
**OutFile** - string, mandatory - The filename where the default policy file should be persisted to disk. The file name should be an .xml file. If the file already exists, it will be overwritten (note: create the folder first).
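Review bot: the retagged fence (```` ```powershell ```` / `Get-DefaultPolicy -OutFile filename [-PassThru] [.. common ..]`) sits at column 0 directly under the `- Usage:` bullet, unlike the other cmdlets where the fence is indented; at column 0 it terminates the list, so the following `- Parameters:` renders as a new list. Indent the fence and its contents to match the Get-RootCertificate block below.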
@@ -80,7 +80,7 @@ Get-DefaultPolicy -OutFile filename [-PassThru] [.. common ..]
- Usage:
- ```
+ ```powershell
Get-RootCertificate -OutFile filename [-PassThru] [.. common ..]
```
@@ -99,7 +99,7 @@ Get-DefaultPolicy -OutFile filename [-PassThru] [.. common ..]
- Usage:
- ```
+ ```powershell
Get-SigningHistory -OutFile filename [-PassThru] [.. common ..]
```
@@ -117,7 +117,7 @@ Get-DefaultPolicy -OutFile filename [-PassThru] [.. common ..]
- Usage:
- ```
+ ```powershell
Submit-SigningJob -InFile filename -OutFile filename [-NoTimestamp][- TimeStamperUrl "timestamper url"] [-JobDescription "description"] [.. common ..]
```
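Review bot: while changing the fence tag, fix the usage line it encloses: `[-NoTimestamp][- TimeStamperUrl "timestamper url"]` has a stray space after the hyphen and no space between the two bracket groups, so the parameter would not be recognised if copied; it should read `[-NoTimestamp] [-TimeStamperUrl "timestamper url"]`, as the Submit-SigningV1MigrationPolicy usage below already does.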
@@ -138,7 +138,7 @@ signing is binary policy files with the extension (.bin) that have been created
- Usage:
- ```
+ ```powershell
Submit-SigningV1MigrationPolicy -InFile filename -OutFile filename [-NoTimestamp][-TimeStamperUrl "timestamper url"] [-JobDescription "description"] [.. common ..]
```
@@ -146,7 +146,10 @@ signing is binary policy files with the extension (.bin) that have been created
**InFile** - string, mandatory - The file to be signed. This should be a file of the types described in description above (.bin).
- **OutFile** - string, mandatory - The output file that should be generated by the signing process. If this file already exists, it will be overwritten (note: create the folder first).
+ **OutFile** - string, mandatory - The output file that should be generated by the signing process. If this file already exists, it will be overwritten.
+
+ > [!NOTE]
+ > Create the folder first.
**NoTimestamp** - switch, optional - If present, the signing operation will skip timestamping the output file, and it will be signed only. If not present (default) and TimeStamperUrl presents, the output file will be both signed and timestamped. If both NoTimestamp and TimeStamperUrl not present, the signing operation will skip timestamping the output file, and it will be signed only.
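Review bot: the inline "(note: create the folder first)" is split out into a `> [!NOTE]` only for the Submit-SigningV1MigrationPolicy OutFile; the same parenthetical remains inline on the OutFile entries for Get-DefaultPolicy, Get-RootCertificate, Get-SigningHistory and Submit-SigningJob. Apply one treatment to all five, and make the note say what it means: the cmdlet overwrites an existing file but does not create a missing parent directory, so the call fails if the folder is absent.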
@@ -164,7 +167,7 @@ In addition to cmdlet-specific parameters, each cmdlet understands the following
- Usage:
- ```
+ ```powershell
... [-NoPrompt] [-Credential $creds] [-AppId AppId] [-Verbose]
```
From a78fbd5a5681f4b083526008ded57c768857c904 Mon Sep 17 00:00:00 2001
From: Gary Moore
Date: Mon, 9 Aug 2021 18:11:28 -0700
Subject: [PATCH 58/68] Fixed hard-coded locales and absolute links
This corrects links that were absolute, rather than site-relative, and/or that had hard-coded locales, added in the public repo in commit https://github.com/MicrosoftDocs/windows-itpro-docs/pull/9888/commits/067bc3fb90e579adc6822bff81fc04a0b92fe845
---
store-for-business/device-guard-signing-portal.md | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/store-for-business/device-guard-signing-portal.md b/store-for-business/device-guard-signing-portal.md
index f13413106a..433f0bb68a 100644
--- a/store-for-business/device-guard-signing-portal.md
+++ b/store-for-business/device-guard-signing-portal.md
@@ -129,12 +129,12 @@ Get-DefaultPolicy -OutFile filename [-PassThru] [.. common ..]
**NoTimestamp** - switch, optional - If present, the signing operation will skip timestamping the output file, and it will be signed only. If not present (default) and TimeStamperUrl presents, the output file will be both signed and timestamped. If both NoTimestamp and TimeStamperUrl not present, the signing operation will skip timestamping the output file, and it will be signed only.
- **TimeStamperUrl** - string, optional - If this value is invalid Url (and NoTimestamp not present), the module will throw exception. To understand more about timestamping, refer to [Timestamping](https://docs.microsoft.com/en-us/windows/msix/package/signing-package-overview#timestamping).
+ **TimeStamperUrl** - string, optional - If this value is invalid Url (and NoTimestamp not present), the module will throw exception. To understand more about timestamping, refer to [Timestamping](/windows/msix/package/signing-package-overview#timestamping).
**JobDescription** - string, optional - A short (< 100 chars), human-readable description of this submission. If the script is being called as part of an automated build rocess the agent may wish to pass a version number or changeset number for this field. This information will be provided as part of the results of the Get-SigningHistory command.
**Submit-SigningV1MigrationPolicy** Submits a file to the service for signing and timestamping. The only valid file type for policy
-signing is binary policy files with the extension (.bin) that have been created via the [ConvertFromCiPolicy](https://docs.microsoft.com/en-us/powershell/module/configci/convertfrom-cipolicy?view=windowsserver2019-ps&viewFallbackFrom=win10-ps) cmdlet. Otherwise, binary policy file may not be deployed properly. Note: Only use for V1 migration.
+signing is binary policy files with the extension (.bin) that have been created via the [ConvertFromCiPolicy](/powershell/module/configci/convertfrom-cipolicy?view=windowsserver2019-ps&viewFallbackFrom=win10-ps) cmdlet. Otherwise, binary policy file may not be deployed properly. Note: Only use for V1 migration.
- Usage:
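Review bot: the link text `ConvertFromCiPolicy` drops the hyphen from the cmdlet name; it is `ConvertFrom-CiPolicy`, as written in the Submit-SigningJob description above. The now site-relative URL also keeps `?view=windowsserver2019-ps&viewFallbackFrom=win10-ps`, a pinned module version that will go stale; drop the query string and let the site resolve the current view. The unchanged context line in this hunk still carries the typo "build rocess".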
@@ -153,7 +153,7 @@ signing is binary policy files with the extension (.bin) that have been created
**NoTimestamp** - switch, optional - If present, the signing operation will skip timestamping the output file, and it will be signed only. If not present (default) and TimeStamperUrl presents, the output file will be both signed and timestamped. If both NoTimestamp and TimeStamperUrl not present, the signing operation will skip timestamping the output file, and it will be signed only.
- **TimeStamperUrl** - string, optional - If this value is invalid Url (and NoTimestamp not present), the module will throw exception. To understand more about timestamping, refer to [Timestamping](https://docs.microsoft.com/en-us/windows/msix/package/signing-package-overview#timestamping).
+ **TimeStamperUrl** - string, optional - If this value is invalid Url (and NoTimestamp not present), the module will throw exception. To understand more about timestamping, refer to [Timestamping](/windows/msix/package/signing-package-overview#timestamping).
**JobDescription** - string, optional - A short (< 100 chars), human-readable description of this submission. If the script is being called as part of an automated build process the agent may wish to pass a version number or changeset number for this field. This information will be provided as part of the results of the Get-SigningHistory command.
@@ -189,7 +189,7 @@ When you're uploading files for Device Guard signing, there are a few limits for
| Maximum size for multiple files (uploaded in a group) | 4 MB |
| Maximum number of files per upload | 15 files |
- ## File types
+## File types
Catalog and policy files have required files types.
| File | Required file type |
@@ -197,7 +197,7 @@ Catalog and policy files have required files types.
| catalog files | .cat |
| policy files | .bin |
- ## Store for Business roles and permissions
+## Store for Business roles and permissions
Signing code integrity policies and access to Device Guard portal requires the Device Guard signer role.
## Device Guard signing certificates
From 9eb9a04e036b1f7995acf044246f19ea6f318564 Mon Sep 17 00:00:00 2001
From: Gary Moore
Date: Mon, 9 Aug 2021 18:36:12 -0700
Subject: [PATCH 59/68] Corrected indentation in preview; tidied indentation in
source
---
.../device-guard-signing-portal.md | 37 +++++++++----------
1 file changed, 18 insertions(+), 19 deletions(-)
diff --git a/store-for-business/device-guard-signing-portal.md b/store-for-business/device-guard-signing-portal.md
index 433f0bb68a..3c5210990f 100644
--- a/store-for-business/device-guard-signing-portal.md
+++ b/store-for-business/device-guard-signing-portal.md
@@ -62,46 +62,45 @@ Device Guard is a feature set that consists of both hardware and software system
- Usage:
-```powershell
-Get-DefaultPolicy -OutFile filename [-PassThru] [.. common ..]
-```
+ ```powershell
+ Get-DefaultPolicy -OutFile filename [-PassThru] [.. common ..]
+ ```
- Parameters:
- **OutFile** - string, mandatory - The filename where the default policy file should be persisted to disk. The file name should be an .xml file. If the file already exists, it will be overwritten (note: create the folder first).
+ **OutFile** - string, mandatory - The filename where the default policy file should be persisted to disk. The file name should be an .xml file. If the file already exists, it will be overwritten (note: create the folder first).
- **PassThru** - switch, optional - If present, returns an XmlDocument object returning the default policy file.
+ **PassThru** - switch, optional - If present, returns an XmlDocument object returning the default policy file.
- Command running time:
- The average running time is under 20 seconds but may be up to 3 minutes.
+ The average running time is under 20 seconds but may be up to 3 minutes.
**Get-RootCertificate** Gets the root certificate for the current tenant. All Authenticode and policy signing certificates will eventually chain up to this root certificate.
- Usage:
- ```powershell
- Get-RootCertificate -OutFile filename [-PassThru] [.. common ..]
- ```
+ ```powershell
+ Get-RootCertificate -OutFile filename [-PassThru] [.. common ..]
+ ```
- Parameters:
- **OutFile** - string, mandatory - The filename where the root certificate file should be persisted to disk. The file name should be a .cer file. If the file already exists, it will be overwritten (note: create the folder first).
+ **OutFile** - string, mandatory - The filename where the root certificate file should be persisted to disk. The file name should be a .cer file. If the file already exists, it will be overwritten (note: create the folder first).
- **PassThru** - switch, optional - If present, returns an X509Certificate2 object returning the default
- policy file.
+ **PassThru** - switch, optional - If present, returns an X509Certificate2 object returning the default policy file.
- Command running time:
- The average running time is under 20 seconds but may be up to 3 minutes.
+ The average running time is under 20 seconds but may be up to 3 minutes.
**Get-SigningHistory** Gets information for the latest 100 files signed by the current tenant. Results are returned as a collection with elements in reverse chronological order (most recent to least recent).
- Usage:
- ```powershell
- Get-SigningHistory -OutFile filename [-PassThru] [.. common ..]
- ```
+ ```powershell
+ Get-SigningHistory -OutFile filename [-PassThru] [.. common ..]
+ ```
- Parameters:
@@ -117,9 +116,9 @@ Get-DefaultPolicy -OutFile filename [-PassThru] [.. common ..]
- Usage:
- ```powershell
- Submit-SigningJob -InFile filename -OutFile filename [-NoTimestamp][- TimeStamperUrl "timestamper url"] [-JobDescription "description"] [.. common ..]
- ```
+ ```powershell
+ Submit-SigningJob -InFile filename -OutFile filename [-NoTimestamp][- TimeStamperUrl "timestamper url"] [-JobDescription "description"] [.. common ..]
+ ```
- Parameters:
From 4225c226bb300ed6b8d5cd93331f24168a96d971 Mon Sep 17 00:00:00 2001
From: gkomatsu
Date: Tue, 10 Aug 2021 08:14:28 -0700
Subject: [PATCH 60/68] Update index.md
Removed Note on Intune MDM Security baseline coming soon.
Removed "Preview" from Intune Security Baseline details and updated link
---
windows/client-management/mdm/index.md | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/windows/client-management/mdm/index.md b/windows/client-management/mdm/index.md
index 4339466ef0..e39785e9f2 100644
--- a/windows/client-management/mdm/index.md
+++ b/windows/client-management/mdm/index.md
@@ -28,8 +28,6 @@ Third-party MDM servers can manage Windows 10 by using the MDM protocol. The bu
With Windows 10, version 1809, Microsoft is also releasing a Microsoft MDM security baseline that functions like the Microsoft GP-based security baseline. You can easily integrate this baseline into any MDM to support IT pros’ operational needs, addressing security concerns for modern cloud-managed devices.
-> [!NOTE]
->Intune support for the MDM security baseline is coming soon.
The MDM security baseline includes policies that cover the following areas:
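Review bot: with the "coming soon" note gone, the remaining sentence "With Windows 10, version 1809, Microsoft is also releasing a Microsoft MDM security baseline" is still in present tense for a 2018 release and now reads as an announcement with nothing following it up; change "is also releasing" to "released" so the paragraph describes the baseline rather than pre-announcing it.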
@@ -48,7 +46,7 @@ For more details about the MDM policies defined in the MDM security baseline and
- [MDM Security baseline for Windows 10, version 1809](https://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/1809-MDM-SecurityBaseLine-Document-[Preview].zip)
-For information about the MDM policies defined in the Intune security baseline public preview, see [Windows security baseline settings for Intune](/intune/security-baseline-settings-windows).
+For information about the MDM policies defined in the Intune security baseline, see [Windows security baseline settings for Intune](https://docs.microsoft.com/en-us/mem/intune/protect/security-baseline-settings-mdm-all).
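Review bot: the replacement link is absolute with a hard-coded `en-us` locale (`https://docs.microsoft.com/en-us/mem/intune/protect/security-baseline-settings-mdm-all`) while the line it replaces was site-relative; use `/mem/intune/protect/security-baseline-settings-mdm-all` so the page follows the reader's locale. The unchanged download link above also contains a literal `[Preview]` in the URL path; consider percent-encoding it as `%5BPreview%5D` so Markdown processors and HTTP clients that reject raw brackets in paths do not break the link.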
From 17bc597c3a8f028593b771a96d8a0b1a79f7522c Mon Sep 17 00:00:00 2001
From: Daniel Simpson
Date: Tue, 10 Aug 2021 10:57:47 -0700
Subject: [PATCH 61/68] Update index.md
---
windows/client-management/mdm/index.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/client-management/mdm/index.md b/windows/client-management/mdm/index.md
index e39785e9f2..1ba26c7c91 100644
--- a/windows/client-management/mdm/index.md
+++ b/windows/client-management/mdm/index.md
@@ -46,7 +46,7 @@ For more details about the MDM policies defined in the MDM security baseline and
- [MDM Security baseline for Windows 10, version 1809](https://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/1809-MDM-SecurityBaseLine-Document-[Preview].zip)
-For information about the MDM policies defined in the Intune security baseline, see [Windows security baseline settings for Intune](https://docs.microsoft.com/en-us/mem/intune/protect/security-baseline-settings-mdm-all).
+For information about the MDM policies defined in the Intune security baseline, see [Windows security baseline settings for Intune](https://docs.microsoft.com/mem/intune/protect/security-baseline-settings-mdm-all).
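Review bot: this only strips the `en-us` segment; the link on the `+` line is still an absolute `https://docs.microsoft.com/...` URL, so the same site-relative form (`/mem/intune/protect/security-baseline-settings-mdm-all`) should be used rather than a second follow-up fix.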
From cdf5b67974cb31aa23a673df58acb346ffe22c0e Mon Sep 17 00:00:00 2001
From: Rebecca Agiewich
Date: Tue, 10 Aug 2021 13:15:03 -0500
Subject: [PATCH 62/68] removing absolute link, changing to site-relative
---
windows/client-management/mdm/index.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/client-management/mdm/index.md b/windows/client-management/mdm/index.md
index 1ba26c7c91..a7236eea80 100644
--- a/windows/client-management/mdm/index.md
+++ b/windows/client-management/mdm/index.md
@@ -46,7 +46,7 @@ For more details about the MDM policies defined in the MDM security baseline and
- [MDM Security baseline for Windows 10, version 1809](https://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/1809-MDM-SecurityBaseLine-Document-[Preview].zip)
-For information about the MDM policies defined in the Intune security baseline, see [Windows security baseline settings for Intune](https://docs.microsoft.com/mem/intune/protect/security-baseline-settings-mdm-all).
+For information about the MDM policies defined in the Intune security baseline, see [Windows security baseline settings for Intune](/mem/intune/protect/security-baseline-settings-mdm-all).
From 01063e623a6271d263612f3adb292ccf0525aa9a Mon Sep 17 00:00:00 2001
From: MandiOhlinger
Date: Tue, 10 Aug 2021 16:30:56 -0400
Subject: [PATCH 63/68] Added sections to match article content
---
windows/deployment/TOC.yml | 224 ++++++++++++++++++++-----------------
1 file changed, 122 insertions(+), 102 deletions(-)
diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml
index 048a630323..2d99e3080b 100644
--- a/windows/deployment/TOC.yml
+++ b/windows/deployment/TOC.yml
@@ -321,57 +321,69 @@
- name: Active Directory-Based Activation Overview
href: volume-activation/active-directory-based-activation-overview.md
- name: Install and Configure VAMT
- href: volume-activation/install-configure-vamt.md
- - name: VAMT Requirements
- href: volume-activation/vamt-requirements.md
- - name: Install VAMT
- href: volume-activation/install-vamt.md
- - name: Configure Client Computers
- href: volume-activation/configure-client-computers-vamt.md
+ items:
+ - name: Overview
+ href: volume-activation/install-configure-vamt.md
+ - name: VAMT Requirements
+ href: volume-activation/vamt-requirements.md
+ - name: Install VAMT
+ href: volume-activation/install-vamt.md
+ - name: Configure Client Computers
+ href: volume-activation/configure-client-computers-vamt.md
- name: Add and Manage Products
- href: volume-activation/add-manage-products-vamt.md
- - name: Add and Remove Computers
- href: volume-activation/add-remove-computers-vamt.md
- - name: Update Product Status
- href: volume-activation/update-product-status-vamt.md
- - name: Remove Products
- href: volume-activation/remove-products-vamt.md
+ items:
+ - name: Overview
+ href: volume-activation/add-manage-products-vamt.md
+ - name: Add and Remove Computers
+ href: volume-activation/add-remove-computers-vamt.md
+ - name: Update Product Status
+ href: volume-activation/update-product-status-vamt.md
+ - name: Remove Products
+ href: volume-activation/remove-products-vamt.md
- name: Manage Product Keys
- href: volume-activation/manage-product-keys-vamt.md
- - name: Add and Remove a Product Key
- href: volume-activation/add-remove-product-key-vamt.md
- - name: Install a Product Key
- href: volume-activation/install-product-key-vamt.md
- - name: Install a KMS Client Key
- href: volume-activation/install-kms-client-key-vamt.md
+ items:
+ - name: Overview
+ href: volume-activation/manage-product-keys-vamt.md
+ - name: Add and Remove a Product Key
+ href: volume-activation/add-remove-product-key-vamt.md
+ - name: Install a Product Key
+ href: volume-activation/install-product-key-vamt.md
+ - name: Install a KMS Client Key
+ href: volume-activation/install-kms-client-key-vamt.md
- name: Manage Activations
- href: volume-activation/manage-activations-vamt.md
- - name: Perform Online Activation
- href: volume-activation/online-activation-vamt.md
- - name: Perform Proxy Activation
- href: volume-activation/proxy-activation-vamt.md
- - name: Perform KMS Activation
- href: volume-activation/kms-activation-vamt.md
- - name: Perform Local Reactivation
- href: volume-activation/local-reactivation-vamt.md
- - name: Activate an Active Directory Forest Online
- href: volume-activation/activate-forest-vamt.md
- - name: Activate by Proxy an Active Directory Forest
- href: volume-activation/activate-forest-by-proxy-vamt.md
+ items:
+ - name: Overview
+ href: volume-activation/manage-activations-vamt.md
+ - name: Perform Online Activation
+ href: volume-activation/online-activation-vamt.md
+ - name: Perform Proxy Activation
+ href: volume-activation/proxy-activation-vamt.md
+ - name: Perform KMS Activation
+ href: volume-activation/kms-activation-vamt.md
+ - name: Perform Local Reactivation
+ href: volume-activation/local-reactivation-vamt.md
+ - name: Activate an Active Directory Forest Online
+ href: volume-activation/activate-forest-vamt.md
+ - name: Activate by Proxy an Active Directory Forest
+ href: volume-activation/activate-forest-by-proxy-vamt.md
- name: Manage VAMT Data
- href: volume-activation/manage-vamt-data.md
- - name: Import and Export VAMT Data
- href: volume-activation/import-export-vamt-data.md
- - name: Use VAMT in Windows PowerShell
- href: volume-activation/use-vamt-in-windows-powershell.md
+ items:
+ - name: Overview
+ href: volume-activation/manage-vamt-data.md
+ - name: Import and Export VAMT Data
+ href: volume-activation/import-export-vamt-data.md
+ - name: Use VAMT in Windows PowerShell
+ href: volume-activation/use-vamt-in-windows-powershell.md
- name: VAMT Step-by-Step Scenarios
- href: volume-activation/vamt-step-by-step.md
- - name: "Scenario 1: Online Activation"
- href: volume-activation/scenario-online-activation-vamt.md
- - name: "Scenario 2: Proxy Activation"
- href: volume-activation/scenario-proxy-activation-vamt.md
- - name: "Scenario 3: KMS Client Activation"
- href: volume-activation/scenario-kms-activation-vamt.md
+ items:
+ - name: Overview
+ href: volume-activation/vamt-step-by-step.md
+ - name: "Scenario 1: Online Activation"
+ href: volume-activation/scenario-online-activation-vamt.md
+ - name: "Scenario 2: Proxy Activation"
+ href: volume-activation/scenario-proxy-activation-vamt.md
+ - name: "Scenario 3: KMS Client Activation"
+ href: volume-activation/scenario-kms-activation-vamt.md
- name: VAMT Known Issues
href: volume-activation/vamt-known-issues.md
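Review bot: the nesting of each added `items:` key cannot be verified from this diff because leading whitespace is not preserved, and the TOC is YAML, so please confirm that `+ items:` sits two spaces deeper than its parent `- name:` and that `+ - name: Overview` is indented under `items:`; a parent whose `href` is moved into an "Overview" child is a valid pattern, but a mis-indented `items:` silently flattens the whole section.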
@@ -486,67 +498,75 @@
- name: Application Compatibility Toolkit (ACT) Technical Reference
items:
- name: SUA User's Guide
- href: planning/sua-users-guide.md
- - name: Using the SUA Wizard
- href: planning/using-the-sua-wizard.md
- - name: Using the SUA Tool
- href: planning/using-the-sua-tool.md
- - name: Tabs on the SUA Tool Interface
- href: planning/tabs-on-the-sua-tool-interface.md
- - name: Showing Messages Generated by the SUA Tool
- href: planning/showing-messages-generated-by-the-sua-tool.md
- - name: Applying Filters to Data in the SUA Tool
- href: planning/applying-filters-to-data-in-the-sua-tool.md
- - name: Fixing Applications by Using the SUA Tool
- href: planning/fixing-applications-by-using-the-sua-tool.md
+ items:
+ - name: Overview
+ href: planning/sua-users-guide.md
+ - name: Using the SUA Wizard
+ href: planning/using-the-sua-wizard.md
+ - name: Using the SUA Tool
+ href: planning/using-the-sua-tool.md
+ - name: Tabs on the SUA Tool Interface
+ href: planning/tabs-on-the-sua-tool-interface.md
+ - name: Showing Messages Generated by the SUA Tool
+ href: planning/showing-messages-generated-by-the-sua-tool.md
+ - name: Applying Filters to Data in the SUA Tool
+ href: planning/applying-filters-to-data-in-the-sua-tool.md
+ - name: Fixing Applications by Using the SUA Tool
+ href: planning/fixing-applications-by-using-the-sua-tool.md
- name: Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista
href: planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md
- name: Compatibility Administrator User's Guide
- href: planning/compatibility-administrator-users-guide.md
- - name: Using the Compatibility Administrator Tool
- href: planning/using-the-compatibility-administrator-tool.md
- - name: Available Data Types and Operators in Compatibility Administrator
- href: planning/available-data-types-and-operators-in-compatibility-administrator.md
- - name: Searching for Fixed Applications in Compatibility Administrator
- href: planning/searching-for-fixed-applications-in-compatibility-administrator.md
- - name: Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator
- href: planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md
- - name: Creating a Custom Compatibility Fix in Compatibility Administrator
- href: planning/creating-a-custom-compatibility-fix-in-compatibility-administrator.md
- - name: Creating a Custom Compatibility Mode in Compatibility Administrator
- href: planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md
- - name: Creating an AppHelp Message in Compatibility Administrator
- href: planning/creating-an-apphelp-message-in-compatibility-administrator.md
- - name: Viewing the Events Screen in Compatibility Administrator
- href: planning/viewing-the-events-screen-in-compatibility-administrator.md
- - name: Enabling and Disabling Compatibility Fixes in Compatibility Administrator
- href: planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md
- - name: Installing and Uninstalling Custom Compatibility Databases in Compatibility Administrator
- href: planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md
+ items:
+ - name: Overview
+ href: planning/compatibility-administrator-users-guide.md
+ - name: Using the Compatibility Administrator Tool
+ href: planning/using-the-compatibility-administrator-tool.md
+ - name: Available Data Types and Operators in Compatibility Administrator
+ href: planning/available-data-types-and-operators-in-compatibility-administrator.md
+ - name: Searching for Fixed Applications in Compatibility Administrator
+ href: planning/searching-for-fixed-applications-in-compatibility-administrator.md
+ - name: Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator
+ href: planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md
+ - name: Creating a Custom Compatibility Fix in Compatibility Administrator
+ href: planning/creating-a-custom-compatibility-fix-in-compatibility-administrator.md
+ - name: Creating a Custom Compatibility Mode in Compatibility Administrator
+ href: planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md
+ - name: Creating an AppHelp Message in Compatibility Administrator
+ href: planning/creating-an-apphelp-message-in-compatibility-administrator.md
+ - name: Viewing the Events Screen in Compatibility Administrator
+ href: planning/viewing-the-events-screen-in-compatibility-administrator.md
+ - name: Enabling and Disabling Compatibility Fixes in Compatibility Administrator
+ href: planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md
+ - name: Installing and Uninstalling Custom Compatibility Databases in Compatibility Administrator
+ href: planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md
- name: Managing Application-Compatibility Fixes and Custom Fix Databases
- href: planning/managing-application-compatibility-fixes-and-custom-fix-databases.md
- - name: Understanding and Using Compatibility Fixes
- href: planning/understanding-and-using-compatibility-fixes.md
- - name: Compatibility Fix Database Management Strategies and Deployment
- href: planning/compatibility-fix-database-management-strategies-and-deployment.md
- - name: Testing Your Application Mitigation Packages
- href: planning/testing-your-application-mitigation-packages.md
- - name: Using the Sdbinst.exe Command-Line Tool
- href: planning/using-the-sdbinstexe-command-line-tool.md
+ items:
+ - name: Overview
+ href: planning/managing-application-compatibility-fixes-and-custom-fix-databases.md
+ - name: Understanding and Using Compatibility Fixes
+ href: planning/understanding-and-using-compatibility-fixes.md
+ - name: Compatibility Fix Database Management Strategies and Deployment
+ href: planning/compatibility-fix-database-management-strategies-and-deployment.md
+ - name: Testing Your Application Mitigation Packages
+ href: planning/testing-your-application-mitigation-packages.md
+ - name: Using the Sdbinst.exe Command-Line Tool
+ href: planning/using-the-sdbinstexe-command-line-tool.md
- name: Volume Activation
- href: volume-activation/volume-activation-windows-10.md
- - name: Plan for volume activation
- href: volume-activation/plan-for-volume-activation-client.md
- - name: Activate using Key Management Service
- href: volume-activation/activate-using-key-management-service-vamt.md
- - name: Activate using Active Directory-based activation
- href: volume-activation/activate-using-active-directory-based-activation-client.md
- - name: Activate clients running Windows 10
- href: volume-activation/activate-windows-10-clients-vamt.md
- - name: Monitor activation
- href: volume-activation/monitor-activation-client.md
- - name: Use the Volume Activation Management Tool
- href: volume-activation/use-the-volume-activation-management-tool-client.md
+ items:
+ - name: Overview
+ href: volume-activation/volume-activation-windows-10.md
+ - name: Plan for volume activation
+ href: volume-activation/plan-for-volume-activation-client.md
+ - name: Activate using Key Management Service
+ href: volume-activation/activate-using-key-management-service-vamt.md
+ - name: Activate using Active Directory-based activation
+ href: volume-activation/activate-using-active-directory-based-activation-client.md
+ - name: Activate clients running Windows 10
+ href: volume-activation/activate-windows-10-clients-vamt.md
+ - name: Monitor activation
+ href: volume-activation/monitor-activation-client.md
+ - name: Use the Volume Activation Management Tool
+ href: volume-activation/use-the-volume-activation-management-tool-client.md
- name: "Appendix: Information sent to Microsoft during activation "
href: volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md
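Review bot: the context line `- name: "Appendix: Information sent to Microsoft during activation "` carries a trailing space inside the quoted name, which ends up in the rendered TOC entry; since this hunk already touches the surrounding block, trimming it here would be cheap.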
From 2eceffbb693ee8d757a4d18379ebd269da8acf06 Mon Sep 17 00:00:00 2001
From: MandiOhlinger
Date: Tue, 10 Aug 2021 16:49:01 -0400
Subject: [PATCH 64/68] review updates
---
windows/deployment/TOC.yml | 46 +++++++++++++++++++-------------------
1 file changed, 23 insertions(+), 23 deletions(-)
diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml
index 2d99e3080b..d61509c788 100644
--- a/windows/deployment/TOC.yml
+++ b/windows/deployment/TOC.yml
@@ -273,7 +273,7 @@
href: upgrade/windows-10-upgrade-paths.md
- name: Deploy Windows 10 with Microsoft 365
href: deploy-m365.md
- - name: Understanding the Unified Update Platform
+ - name: Understand the Unified Update Platform
href: update/windows-update-overview.md
- name: Servicing stack updates
href: update/servicing-stack-updates.md
@@ -354,13 +354,13 @@
items:
- name: Overview
href: volume-activation/manage-activations-vamt.md
- - name: Perform Online Activation
+ - name: Run Online Activation
href: volume-activation/online-activation-vamt.md
- - name: Perform Proxy Activation
+ - name: Run Proxy Activation
href: volume-activation/proxy-activation-vamt.md
- - name: Perform KMS Activation
+ - name: Run KMS Activation
href: volume-activation/kms-activation-vamt.md
- - name: Perform Local Reactivation
+ - name: Run Local Reactivation
href: volume-activation/local-reactivation-vamt.md
- name: Activate an Active Directory Forest Online
href: volume-activation/activate-forest-vamt.md
@@ -501,17 +501,17 @@
items:
- name: Overview
href: planning/sua-users-guide.md
- - name: Using the SUA Wizard
+ - name: Use the SUA Wizard
href: planning/using-the-sua-wizard.md
- - name: Using the SUA Tool
+ - name: Use the SUA Tool
href: planning/using-the-sua-tool.md
- name: Tabs on the SUA Tool Interface
href: planning/tabs-on-the-sua-tool-interface.md
- - name: Showing Messages Generated by the SUA Tool
+ - name: Show Messages Generated by the SUA Tool
href: planning/showing-messages-generated-by-the-sua-tool.md
- - name: Applying Filters to Data in the SUA Tool
+ - name: Apply Filters to Data in the SUA Tool
href: planning/applying-filters-to-data-in-the-sua-tool.md
- - name: Fixing Applications by Using the SUA Tool
+ - name: Fix apps using the SUA Tool
href: planning/fixing-applications-by-using-the-sua-tool.md
- name: Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista
href: planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md
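Review bot: `+ - name: Fix apps using the SUA Tool` breaks the casing and wording convention of its siblings in this same hunk (`Apply Filters to Data in the SUA Tool`, `Show Messages Generated by the SUA Tool`); for consistency it should read `Fix Applications by Using the SUA Tool` or the sibling entries should be lowercased too.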
@@ -519,37 +519,37 @@
items:
- name: Overview
href: planning/compatibility-administrator-users-guide.md
- - name: Using the Compatibility Administrator Tool
+ - name: Use the Compatibility Administrator Tool
href: planning/using-the-compatibility-administrator-tool.md
- name: Available Data Types and Operators in Compatibility Administrator
href: planning/available-data-types-and-operators-in-compatibility-administrator.md
- - name: Searching for Fixed Applications in Compatibility Administrator
+ - name: Search for Fixed Applications in Compatibility Administrator
href: planning/searching-for-fixed-applications-in-compatibility-administrator.md
- - name: Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator
+ - name: Search for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator
href: planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md
- - name: Creating a Custom Compatibility Fix in Compatibility Administrator
+ - name: Create a Custom Compatibility Fix in Compatibility Administrator
href: planning/creating-a-custom-compatibility-fix-in-compatibility-administrator.md
- - name: Creating a Custom Compatibility Mode in Compatibility Administrator
+ - name: Create a Custom Compatibility Mode in Compatibility Administrator
href: planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md
- - name: Creating an AppHelp Message in Compatibility Administrator
+ - name: Create an AppHelp Message in Compatibility Administrator
href: planning/creating-an-apphelp-message-in-compatibility-administrator.md
- - name: Viewing the Events Screen in Compatibility Administrator
+ - name: View the Events Screen in Compatibility Administrator
href: planning/viewing-the-events-screen-in-compatibility-administrator.md
- - name: Enabling and Disabling Compatibility Fixes in Compatibility Administrator
+ - name: Enable and Disable Compatibility Fixes in Compatibility Administrator
href: planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md
- - name: Installing and Uninstalling Custom Compatibility Databases in Compatibility Administrator
+ - name: Install and Uninstall Custom Compatibility Databases in Compatibility Administrator
href: planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md
- - name: Managing Application-Compatibility Fixes and Custom Fix Databases
+ - name: Manage Application-Compatibility Fixes and Custom Fix Databases
items:
- name: Overview
href: planning/managing-application-compatibility-fixes-and-custom-fix-databases.md
- - name: Understanding and Using Compatibility Fixes
+ - name: Understand and Use Compatibility Fixes
href: planning/understanding-and-using-compatibility-fixes.md
- name: Compatibility Fix Database Management Strategies and Deployment
href: planning/compatibility-fix-database-management-strategies-and-deployment.md
- - name: Testing Your Application Mitigation Packages
+ - name: Test Your Application Mitigation Packages
href: planning/testing-your-application-mitigation-packages.md
- - name: Using the Sdbinst.exe Command-Line Tool
+ - name: Use the Sdbinst.exe Command-Line Tool
href: planning/using-the-sdbinstexe-command-line-tool.md
- name: Volume Activation
items:
From 89a32e3a8fbd106cdc17d8e7cd3293cf43a56aad Mon Sep 17 00:00:00 2001
From: Daniel Simpson
Date: Tue, 10 Aug 2021 17:28:07 -0700
Subject: [PATCH 65/68] updating applies To
---
...able-virtualization-based-protection-of-code-integrity.md | 3 ++-
...-for-virtualization-based-protection-of-code-integrity.md | 3 ++-
.../configure-md-app-guard.md | 2 +-
.../faq-md-app-guard.yml | 3 ++-
.../install-md-app-guard.md | 2 +-
.../md-app-guard-overview.md | 3 ++-
.../reqs-md-app-guard.md | 5 +++--
.../test-scenarios-md-app-guard.md | 2 +-
8 files changed, 14 insertions(+), 9 deletions(-)
diff --git a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
index 429cc12f93..1ede3ef4ed 100644
--- a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
@@ -17,7 +17,8 @@ ms.technology: mde
# Enable virtualization-based protection of code integrity
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+**Applies to**
+- Windows 10
This topic covers different ways to enable Hypervisor-protected code integrity (HVCI) on Windows 10.
Some applications, including device drivers, may be incompatible with HVCI.
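Review bot: the new heading `+**Applies to**` drops the colon that the other files touched in this patch keep (`**Applies to:**` in configure-md-app-guard.md, install-md-app-guard.md and test-scenarios-md-app-guard.md); use `**Applies to:**` here and in the other three `.md` hunks of this patch that introduce the same colon-less form so the label renders identically across the docs set.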
diff --git a/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
index 21b9780bc2..4065b2122a 100644
--- a/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
@@ -18,7 +18,8 @@ ms.technology: mde
# Baseline protections and additional qualifications for virtualization-based protection of code integrity
-**Applies to** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+**Applies to**
+- Windows 10
Computers must meet certain hardware, firmware, and software requirements in order to take advantage of all of the virtualization-based security (VBS) features in [Windows Defender Device Guard](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md). Computers lacking these requirements can still be protected by Windows Defender Application Control (WDAC) policies—the difference is that those computers will not be as hardened against certain threats.
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md
index 593984f0dc..d2ee8b1f7a 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md
@@ -19,7 +19,7 @@ ms.technology: mde
**Applies to:**
-- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
+- Windows 10
Microsoft Defender Application Guard (Application Guard) works with Group Policy to help you manage your organization's computer settings. By using Group Policy, you can configure a setting once, and then copy it onto many computers. For example, you can set up multiple security settings in a Group Policy Object, which is linked to a domain, and then apply all those settings to every endpoint in the domain.
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml
index 7a2cd61939..f9e4018321 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml
@@ -17,7 +17,8 @@ metadata:
title: Frequently asked questions - Microsoft Defender Application Guard
summary: |
- **Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+ **Applies to**
+- Windows 10
This article lists frequently asked questions with answers for Microsoft Defender Application Guard (Application Guard). Questions span features, integration with the Windows operating system, and general configuration.
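Review bot: in this YAML file the two added lines are inside the `summary: |` literal block, but `+- Windows 10` is at column 0 while `+ **Applies to**` keeps the block indentation; a less-indented line terminates the block scalar and leaves a stray top-level `- Windows 10` sequence item, which makes the file invalid YAML. Indent both lines to the same depth as the surrounding summary text.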
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md
index f3cbd518da..994ade09de 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md
@@ -18,7 +18,7 @@ ms.technology: mde
# Prepare to install Microsoft Defender Application Guard
**Applies to:**
-- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
+- - Windows 10
## Review system requirements
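Review bot: `+- - Windows 10` has a doubled list marker and will render as a bullet containing "- Windows 10"; it should be `- Windows 10` like the corresponding line in configure-md-app-guard.md in this same patch.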
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
index 83850f5a21..de798293db 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
@@ -17,7 +17,8 @@ ms.technology: mde
# Microsoft Defender Application Guard overview
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+**Applies to**
+- Windows 10
Microsoft Defender Application Guard (Application Guard) is designed to help prevent old and newly emerging attacks to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy the playbook that attackers use by making current attack methods obsolete.
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md
index a54f8667cd..fb162b5632 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md
@@ -1,5 +1,5 @@
---
-title: System requirements for Microsoft Defender Application Guard (Windows 10)
+title: System requirements for Microsoft Defender Application Guard
description: Learn about the system requirements for installing and running Microsoft Defender Application Guard.
ms.prod: m365-security
ms.mktglfcycl: manage
@@ -17,7 +17,8 @@ ms.technology: mde
# System requirements for Microsoft Defender Application Guard
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+**Applies to**
+- Windows 10
The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks. Microsoft Defender Application Guard is designed to help prevent old, and newly emerging attacks, to help keep employees productive.
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md
index 9baa7baa78..74525211f8 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md
@@ -19,7 +19,7 @@ ms.technology: mde
**Applies to:**
-- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
+- Windows 10
We've come up with a list of scenarios that you can use to test hardware-based isolation in your organization.
From d24bdc73626de3a3dfb506915c006e87927a3fd1 Mon Sep 17 00:00:00 2001
From: Daniel Simpson
Date: Tue, 10 Aug 2021 17:33:51 -0700
Subject: [PATCH 66/68] fixing yml
---
.../microsoft-defender-application-guard/faq-md-app-guard.yml | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml
index f9e4018321..9ad53a26f5 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml
@@ -17,8 +17,7 @@ metadata:
title: Frequently asked questions - Microsoft Defender Application Guard
summary: |
- **Applies to**
-- Windows 10
+
This article lists frequently asked questions with answers for Microsoft Defender Application Guard (Application Guard). Questions span features, integration with the Windows operating system, and general configuration.
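Review bot: this removes the "Applies to" block from the FAQ entirely and replaces it with an empty `+` line, so the FAQ is now the one Application Guard page without the Windows 10 applies-to statement; if the intent was only to repair the YAML broken by the previous patch, re-adding both lines indented under `summary: |` (so `- Windows 10` stays inside the literal block) would keep the page consistent with the others.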
From c05ee20c3ab1efa5fa3f7f3ba0592b35274287ce Mon Sep 17 00:00:00 2001
From: Gary Moore
Date: Tue, 10 Aug 2021 17:46:10 -0700
Subject: [PATCH 67/68] Corrected horizontal presentation of bulleted list
---
windows/client-management/mdm/defender-csp.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md
index 614c91e54a..73237ce6c0 100644
--- a/windows/client-management/mdm/defender-csp.md
+++ b/windows/client-management/mdm/defender-csp.md
@@ -803,8 +803,8 @@ The data type is integer.
Supported operations are Add, Delete, Get, Replace.
Valid values are:
-• 1 – Enabled.
-• 0 (default) – Not Configured.
+- 1 – Enabled.
+- 0 (default) – Not Configured.
More details:
From 492a885e63e626e87947100b26f994e18585d52b Mon Sep 17 00:00:00 2001
From: Sinead O'Sullivan
Date: Wed, 11 Aug 2021 18:06:47 +0100
Subject: [PATCH 68/68] Update changes-to-windows-diagnostic-data-collection.md
---
.../privacy/changes-to-windows-diagnostic-data-collection.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/privacy/changes-to-windows-diagnostic-data-collection.md b/windows/privacy/changes-to-windows-diagnostic-data-collection.md
index 86e8ebcf13..826c5527fe 100644
--- a/windows/privacy/changes-to-windows-diagnostic-data-collection.md
+++ b/windows/privacy/changes-to-windows-diagnostic-data-collection.md
@@ -52,7 +52,7 @@ Starting in Windows 10, version 1903 and newer, both the **Out-of-Box-Experience
In an upcoming release of Windows 10, we’re simplifying your diagnostic data controls by moving from four diagnostic data controls to three: **Diagnostic data off**, **Required**, and **Optional**. If your devices are set to **Enhanced** when they are upgraded, the device settings will be evaluated to be at the more privacy-preserving setting of **Required diagnostic data**, which means that analytic services that leverage enhanced data collection may not work properly. For a list of services, see [Services that rely on Enhanced diagnostic data](#services-that-rely-on-enhanced-diagnostic-data). Administrators should read through the details and determine whether to apply these new policies to restore the same collection settings as they had before this change. For a list of steps, see [Configure a Windows 11 device to limit crash dumps and logs](#configure-a-windows-11-device-to-limit-crash-dumps-and-logs). For more information on services that rely on Enhanced diagnostic data, see [Services that rely on Enhanced diagnostic data](#services-that-rely-on-enhanced-diagnostic-data).
-Additionally, you will see the following policy changes in an upcoming release of Windows 10:
+Additionally, you will see the following policy changes in an upcoming release of Windows Holographic, version 21H1 (HoloLens 2), Windows Server 2022 and Windows 11:
| Policy type | Current policy | Renamed policy |
| --- | --- | --- |
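Review bot: the updated sentence now names Windows Holographic, version 21H1 (HoloLens 2), Windows Server 2022 and Windows 11 as where the policy changes appear, but the context paragraph immediately above still opens with "In an upcoming release of Windows 10, we're simplifying your diagnostic data controls", so the two statements now disagree about which release the change belongs to; the preceding paragraph should be updated in the same change. Minor: the new list reads more clearly with a serial comma before "and Windows 11".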