From 0ef901195f4364ce818e624699196049fe5775d7 Mon Sep 17 00:00:00 2001
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com>
Date: Sun, 25 Apr 2021 23:14:23 +0500
Subject: [PATCH 01/46] Update hello-hybrid-aadj-sso-cert.md
---
.../hello-for-business/hello-hybrid-aadj-sso-cert.md | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
index da0e139923..3bcde4eec9 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
@@ -679,6 +679,11 @@ Sign-in a workstation with access equivalent to a _domain user_.
10. Select **Enroll to Windows Hello for Business, otherwise fail (Windows 10 and later)** from the **Key storage provider (KSP)** list.
11. Next to **Subject name format**, type **CN={{OnPrem_Distinguished_Name}}** to make the on-premises distinguished name the subject of the issued certificate.
+
+ > [!Note]
+ > If the distinguished names contain scpecial characters ("+", ",", ";" or "="), put quotation marks: CN=”{{OnPrem_Distinguished_Name}}”.
+ > If the distinguished names length is more than 64 characters, name length enforcement on the Certification Authority [must be disabled](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2003/cc784789(v=ws.10)?#disable-dn-length-enforcement)
+
12. Specify **User Principal Name (UPN)** as a **Subject Alternative Name** parameter. Set its value as {{UserPrincipalName}}.
13. Refer to the "Configure Certificate Templates on NDES" task for how you configured the **AADJ WHFB Authentication** certificate template in the registry. Select the appropriate combination of key usages from the **Key Usages** list that map to the configured NDES template in the registry. In this example, the **AADJ WHFB Authentication** certificate template was added to the **SignatureTemplate** registry value name. The **Key usage** that maps to that registry value name is **Digital Signature**.
14. Select a previously configured **Trusted certificate** profile that matches the root certificate of the issuing certificate authority as a root certificate for the profile.
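Review bot: The note added under step 11 misspells "special" as "scpecial" and wraps the variable in typographic quotation marks (CN=”{{OnPrem_Distinguished_Name}}”), so anyone copying the value into **Subject name format** pastes a different character from the straight quotation mark the sentence describes. Use straight quotes in the example, put the value in code formatting, write the alert marker as [!NOTE], and end the second sentence with a period.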
@@ -712,4 +717,4 @@ You have successfully completed the configuration. Add users that need to enrol
> * Install and Configure the NDES Role
> * Configure Network Device Enrollment Services to work with Microsoft Intune
> * Download, Install, and Configure the Intune Certificate Connector
-> * Create and Assign a Simple Certificate Enrollment Protocol (SCEP Certificate Profile)
\ No newline at end of file
+> * Create and Assign a Simple Certificate Enrollment Protocol (SCEP Certificate Profile)
From 33f51de4962c7468947f1f9e030ebba2a2eae5e6 Mon Sep 17 00:00:00 2001
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com>
Date: Tue, 27 Apr 2021 14:09:24 +0500
Subject: [PATCH 02/46] Update
windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com>
---
.../hello-for-business/hello-hybrid-aadj-sso-cert.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
index 3bcde4eec9..37b51d0f58 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
@@ -680,7 +680,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
10. Select **Enroll to Windows Hello for Business, otherwise fail (Windows 10 and later)** from the **Key storage provider (KSP)** list.
11. Next to **Subject name format**, type **CN={{OnPrem_Distinguished_Name}}** to make the on-premises distinguished name the subject of the issued certificate.
- > [!Note]
+ > [!NOTE]
> If the distinguished names contain scpecial characters ("+", ",", ";" or "="), put quotation marks: CN=”{{OnPrem_Distinguished_Name}}”.
> If the distinguished names length is more than 64 characters, name length enforcement on the Certification Authority [must be disabled](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2003/cc784789(v=ws.10)?#disable-dn-length-enforcement)
From 84a64b71fa3ab330f7bdb7927e92720ea32277a4 Mon Sep 17 00:00:00 2001
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com>
Date: Tue, 27 Apr 2021 14:09:33 +0500
Subject: [PATCH 03/46] Update
windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com>
---
.../hello-for-business/hello-hybrid-aadj-sso-cert.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
index 37b51d0f58..ef4f0465c4 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
@@ -681,7 +681,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
11. Next to **Subject name format**, type **CN={{OnPrem_Distinguished_Name}}** to make the on-premises distinguished name the subject of the issued certificate.
> [!NOTE]
- > If the distinguished names contain scpecial characters ("+", ",", ";" or "="), put quotation marks: CN=”{{OnPrem_Distinguished_Name}}”.
+ > If the distinguished name contains special characters like plus sign ("+"), comma (","), semicolon (";"), or equal sign ("="), the bracketed name must be enclosed in quotation marks: CN=”{{OnPrem_Distinguished_Name}}”.
> If the distinguished names length is more than 64 characters, name length enforcement on the Certification Authority [must be disabled](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2003/cc784789(v=ws.10)?#disable-dn-length-enforcement)
12. Specify **User Principal Name (UPN)** as a **Subject Alternative Name** parameter. Set its value as {{UserPrincipalName}}.
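Review bot: The reworded sentence still shows the example with typographic quotation marks (CN=”{{OnPrem_Distinguished_Name}}”), and "the bracketed name" is ambiguous because the variable is written in double braces, not brackets. Use straight quotes in the example and refer to "the variable" or "the name in braces" so the reader knows exactly what to enclose.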
From 8cf38b6fcac09a95c54e88fc9976c2b91111410f Mon Sep 17 00:00:00 2001
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com>
Date: Tue, 27 Apr 2021 14:09:38 +0500
Subject: [PATCH 04/46] Update
windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com>
---
.../hello-for-business/hello-hybrid-aadj-sso-cert.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
index ef4f0465c4..090085514e 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
@@ -682,7 +682,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
> [!NOTE]
> If the distinguished name contains special characters like plus sign ("+"), comma (","), semicolon (";"), or equal sign ("="), the bracketed name must be enclosed in quotation marks: CN=”{{OnPrem_Distinguished_Name}}”.
- > If the distinguished names length is more than 64 characters, name length enforcement on the Certification Authority [must be disabled](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2003/cc784789(v=ws.10)?#disable-dn-length-enforcement)
+ > If the length of the distinguished name is more than 64 characters, the name length enforcement on the Certification Authority [must be disabled](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2003/cc784789(v=ws.10)?#disable-dn-length-enforcement).
12. Specify **User Principal Name (UPN)** as a **Subject Alternative Name** parameter. Set its value as {{UserPrincipalName}}.
13. Refer to the "Configure Certificate Templates on NDES" task for how you configured the **AADJ WHFB Authentication** certificate template in the registry. Select the appropriate combination of key usages from the **Key Usages** list that map to the configured NDES template in the registry. In this example, the **AADJ WHFB Authentication** certificate template was added to the **SignatureTemplate** registry value name. The **Key usage** that maps to that registry value name is **Digital Signature**.
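Review bot: The link target in the rewritten sentence keeps a stray "?" before the fragment ("cc784789(v=ws.10)?#disable-dn-length-enforcement") and points at Windows Server 2003 documentation. Drop the "?". Because the instruction changes a setting on the Certification Authority itself rather than on this certificate profile, the note should also say so, so that the person following step 11 knows the change has to be agreed with whoever owns the CA.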
From f0bd7db771eb2d52427039cfa8d6184d9e61689c Mon Sep 17 00:00:00 2001
From: Reza Tavakoli <9096461+tavrez@users.noreply.github.com>
Date: Sun, 18 Jul 2021 21:16:27 +0430
Subject: [PATCH 05/46] Small typo fixes
---
.../deploy-windows-mdt/create-a-windows-10-reference-image.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
index 2150a2ab0c..92bdcde554 100644
--- a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
+++ b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
@@ -72,7 +72,7 @@ To monitor the task sequence as it happens, right-click the **MDT Build Lab** de
### Configure permissions for the deployment share
-In order to read files in the deployment share and write the reference image back to it, you need to assign NTSF and SMB permissions to the MDT Build Account (MDT\_BA) for the **D:\\MDTBuildLab** folder
+In order to read files in the deployment share and write the reference image back to it, you need to assign NTFS and SMB permissions to the MDT Build Account (MDT\_BA) for the **D:\\MDTBuildLab** folder
On **MDT01**:
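Review bot: The corrected sentence still ends without a period after "**D:\\MDTBuildLab** folder". Add it while the line is being touched.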
@@ -679,4 +679,4 @@ After some time, you will have a Windows 10 Enterprise x64 image that is fully
[Build a distributed environment for Windows 10 deployment](build-a-distributed-environment-for-windows-10-deployment.md)
[Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md)
[Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md)
-[Configure MDT settings](configure-mdt-settings.md)
\ No newline at end of file
+[Configure MDT settings](configure-mdt-settings.md)
From 6a9a6be184810050decf71da11624e084ab94694 Mon Sep 17 00:00:00 2001
From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com>
Date: Fri, 23 Jul 2021 23:14:52 +0530
Subject: [PATCH 06/46] added manage Insider Preview builds org link
This is my own PR. I added the "Manage Insider Preview builds across your organization" link and its explanation (not my own explanation). I copied and pasted it from the article below:
**https://docs.microsoft.com/windows-insider/business/manage-builds**
I need help from @JohanFreelancer9 to verify, so please assist me with your suggestions.
Thanking you
---
windows/whats-new/windows-11.md | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/windows/whats-new/windows-11.md b/windows/whats-new/windows-11.md
index 699a271b9f..bd540d2145 100644
--- a/windows/whats-new/windows-11.md
+++ b/windows/whats-new/windows-11.md
@@ -47,6 +47,8 @@ For more information about device eligibility, see [Windows 11 requirements](win
If you are interested in testing Windows 11 before general availability, you can join the [Windows Insider Program](https://insider.windows.com) or [Windows Insider Program for Business](https://insider.windows.com/for-business). You can also preview Windows 11 by enabling pre-release Windows 10 feature updates in [Microsoft Endpoint Configuration Manager](/mem/configmgr/core/servers/manage/pre-release-features) or [Windows Server Update Services](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/publishing-pre-release-windows-10-feature-updates-to-wsus/ba-p/845054) (WSUS).
+If you're an administrator, you can manage installations of Windows 11 Insider Preview Builds across multiple devices in your organization using Group Policy, MDM solutions such as Intune, Configuration Manager, or [Windows Server Update Services](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/publishing-pre-release-windows-10-feature-updates-to-wsus/ba-p/845054) (WSUS).For more informinformation see [Manage Insider Preview builds across your organization](https://docs.microsoft.com/windows-insider/business/manage-builds).
+
## Before you begin
The following sections provide a quick summary of licensing, compatibility, management, and servicing considerations to help you get started with Windows 11.
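Review bot: The added paragraph has a missing space and a typo at "(WSUS).For more informinformation see", and its last link uses an absolute https://docs.microsoft.com/... URL where the neighbouring links to the same site are site-relative (for example /mem/configmgr/...). Fix the text to "(WSUS). For more information, see" and change the link to /windows-insider/business/manage-builds.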
@@ -86,4 +88,4 @@ When Windows 11 reaches general availability, important servicing-related announ
## Also see
-[What's new in Windows 11](/windows-hardware/get-started/what-s-new-in-windows)
\ No newline at end of file
+[What's new in Windows 11](/windows-hardware/get-started/what-s-new-in-windows)
From 41208fe04262afccc5c775e70616f9e72f04b6ad Mon Sep 17 00:00:00 2001
From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com>
Date: Sat, 24 Jul 2021 09:25:42 +0530
Subject: [PATCH 07/46] Update windows/whats-new/windows-11.md
accepted
Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
windows/whats-new/windows-11.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/whats-new/windows-11.md b/windows/whats-new/windows-11.md
index bd540d2145..d7f3653761 100644
--- a/windows/whats-new/windows-11.md
+++ b/windows/whats-new/windows-11.md
@@ -47,7 +47,7 @@ For more information about device eligibility, see [Windows 11 requirements](win
If you are interested in testing Windows 11 before general availability, you can join the [Windows Insider Program](https://insider.windows.com) or [Windows Insider Program for Business](https://insider.windows.com/for-business). You can also preview Windows 11 by enabling pre-release Windows 10 feature updates in [Microsoft Endpoint Configuration Manager](/mem/configmgr/core/servers/manage/pre-release-features) or [Windows Server Update Services](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/publishing-pre-release-windows-10-feature-updates-to-wsus/ba-p/845054) (WSUS).
-If you're an administrator, you can manage installations of Windows 11 Insider Preview Builds across multiple devices in your organization using Group Policy, MDM solutions such as Intune, Configuration Manager, or [Windows Server Update Services](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/publishing-pre-release-windows-10-feature-updates-to-wsus/ba-p/845054) (WSUS).For more informinformation see [Manage Insider Preview builds across your organization](https://docs.microsoft.com/windows-insider/business/manage-builds).
+If you are an administrator, you can manage installations of Windows 11 Insider Preview Builds across multiple devices in your organization using Group Policy, MDM solutions such as Intune, Configuration Manager, or [Windows Server Update Services](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/publishing-pre-release-windows-10-feature-updates-to-wsus/ba-p/845054) (WSUS). For more information, see [Manage Insider Preview builds across your organization](/windows-insider/business/manage-builds).
## Before you begin
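Review bot: The new paragraph repeats the WSUS link from the paragraph directly above it. Its target ("publishing-pre-release-windows-10-feature-updates-to-wsus") is about Windows 10 feature updates, while the sentence is about managing Windows 11 Insider Preview Builds. Drop the duplicate link here and let the "Manage Insider Preview builds across your organization" link carry the reference.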
From 61270ecfed2161180818a7098aadb9deeb96d670 Mon Sep 17 00:00:00 2001
From: Kim Klein
Date: Mon, 26 Jul 2021 17:40:56 -0700
Subject: [PATCH 08/46] Edited select-type and event-id documents.
- select-type-of-rules-to-create: added option 20 to table 1.
- event-id-explanations: Added a new System Integrity Policy Options table for event ID 3099.
---
.../event-id-explanations.md | 29 +++++++++++++++++++
.../select-types-of-rules-to-create.md | 1 +
2 files changed, 30 insertions(+)
diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
index 6ac3422250..2d450b1c94 100644
--- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
+++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
@@ -86,6 +86,35 @@ To enable 3090 allow events, and 3091 and 3092 events, you must instead create a
reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x300
```
+## System Integrity Policy Options
+Below are the policy options in event 3099.
+
+| Bit Address | Policy Rule Option |
+|-------|------|
+| 2 | Enabled:UMCI |
+| 3 | Enabled:Boot Menu Protection |
+| 4 | Enabled:Intelligent Security Graph Authorization |
+| 5 | Enabled:Invalidate EAs on Reboot |
+| 7 |Required:WHQL |
+| 8 | Enabled:Developer Dynamic Code Security |
+| 9 | Enabled: No Revalidation Upon Refresh |
+| 10 | Enabled:Allow Supplemental Policies |
+| 11 | Disabled:Runtime FilePath Rule Protection |
+| 13 | Enabled: Revoked Expired As Unsigned |
+| 16 |Enabled:Audit Mode (Default) |
+| 17 | Disabled:Flight Signing |
+| 18 | Enabled:Inherit Default Policy |
+| 19 | Enabled:Unsigned System Integrity Policy (Default) |
+| 20 | Enabled:Dynamic Code Security |
+| 21 | Required:EV Signers |
+| 22 | Enabled:Boot Audit on Failure |
+| 23 | Enabled:Advanced Boot Options Menu |
+| 24 | Disabled:Script Enforcement |
+| 25 | Required:Enforce Store Applications |
+| 26 | Enabled: Host Policy Enforcement |
+| 27 |Enabled:Managed Installer |
+| 28 |Enabled:Update Policy No Reboot |
+
## Appendix
A list of other relevant event IDs and their corresponding description.
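Review bot: The new "System Integrity Policy Options" section gives bit addresses but never says how to read them. "Below are the policy options in event 3099." does not name the event field that holds the value, does not say whether bit 0 is the least significant bit, and does not say what a set bit means for options named "Disabled:...". The listed addresses also skip 0, 1, 6, 12, 14 and 15 without comment, and cell spacing is inconsistent ("|Required:WHQL", "Enabled: No Revalidation Upon Refresh"). Add a sentence on how to decode the value, state that unlisted bits are not documented here, and normalise the spacing.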
diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
index 794cefca57..0d7b426112 100644
--- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
+++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
@@ -70,6 +70,7 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru
| **17 Enabled:Allow Supplemental Policies** | Use this option on a base policy to allow supplemental policies to expand it. NOTE: This option is only supported on Windows 10, version 1903, and above. | No |
| **18 Disabled:Runtime FilePath Rule Protection** | This option disables the default runtime check that only allows FilePath rules for paths that are only writable by an administrator. NOTE: This option is only supported on Windows 10, version 1903, and above. | Yes |
| **19 Enabled:Dynamic Code Security** | Enables policy enforcement for .NET applications and dynamically loaded libraries. NOTE: This option is only supported on Windows 10, version 1803, and above. | No |
+| **20 Enabled:Revoked Expired As Unsigned** | Use this option to treat binaries signed with an expired and/or revoked certificates as "Unsigned binaries" for user mode process/components under enterprise signing scenarios. | No |
## Windows Defender Application Control file rule levels
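Review bot: The new Table 1 row numbers "Revoked Expired As Unsigned" as option 20, but the event 3099 table added in this same patch lists it at bit address 13 and puts Dynamic Code Security (option 19 here) at bit address 20. Readers will take the two numberings to be the same, so one of the two pages should state that they differ. The row also reads "an expired and/or revoked certificates" and, unlike rows 17 to 19, gives no supported Windows version.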
From 5a52a3bd439485aaaea3ae0095582ec5d2db1186 Mon Sep 17 00:00:00 2001
From: Kim Klein
Date: Tue, 27 Jul 2021 16:20:28 -0700
Subject: [PATCH 09/46] Added the suggested feedback
to select-types-of-rules and event-id-explanations documents.
---
.../event-id-explanations.md | 16 ++++++++--------
.../select-types-of-rules-to-create.md | 2 +-
2 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
index 2d450b1c94..e3ae7a65ba 100644
--- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
+++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
@@ -87,7 +87,7 @@ reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x
```
## System Integrity Policy Options
-Below are the policy options in event 3099.
+The WDAC policy rule-option values can be derived from the "Options" field in the Details section of the Code integrity 3099 event. To parse the values, first convert the hex value to binary. Next, use the bit addresses and their values from the table below to determine the state of each [policy rule-option](select-types-of-rules-to-create#table-1-windows-defender-application-control-policy---rule-options).
| Bit Address | Policy Rule Option |
|-------|------|
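Review bot: The new introduction says to "convert the hex value to binary" and then use the bit addresses, but still does not say which end of the binary value bit 0 is. Someone decoding the Options field while triaging a policy can therefore read the table backwards and reach the wrong conclusion about, for example, whether audit mode is on. State the bit order explicitly and add one worked example value with its decoded options. The relative link "select-types-of-rules-to-create#table-1-..." also lacks the .md extension used by other relative links in this repository's diffs.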
@@ -95,13 +95,13 @@ Below are the policy options in event 3099.
| 3 | Enabled:Boot Menu Protection |
| 4 | Enabled:Intelligent Security Graph Authorization |
| 5 | Enabled:Invalidate EAs on Reboot |
-| 7 |Required:WHQL |
+| 7 | Required:WHQL |
| 8 | Enabled:Developer Dynamic Code Security |
-| 9 | Enabled: No Revalidation Upon Refresh |
+| 9 | Enabled:No Revalidation Upon Refresh |
| 10 | Enabled:Allow Supplemental Policies |
| 11 | Disabled:Runtime FilePath Rule Protection |
-| 13 | Enabled: Revoked Expired As Unsigned |
-| 16 |Enabled:Audit Mode (Default) |
+| 13 | Enabled:Revoked Expired As Unsigned |
+| 16 | Enabled:Audit Mode (Default) |
| 17 | Disabled:Flight Signing |
| 18 | Enabled:Inherit Default Policy |
| 19 | Enabled:Unsigned System Integrity Policy (Default) |
@@ -111,9 +111,9 @@ Below are the policy options in event 3099.
| 23 | Enabled:Advanced Boot Options Menu |
| 24 | Disabled:Script Enforcement |
| 25 | Required:Enforce Store Applications |
-| 26 | Enabled: Host Policy Enforcement |
-| 27 |Enabled:Managed Installer |
-| 28 |Enabled:Update Policy No Reboot |
+| 26 | Enabled:Host Policy Enforcement |
+| 27 | Enabled:Managed Installer |
+| 28 | Enabled:Update Policy No Reboot |
## Appendix
A list of other relevant event IDs and their corresponding description.
diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
index 0d7b426112..8f9b6ac45d 100644
--- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
+++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
@@ -70,7 +70,7 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru
| **17 Enabled:Allow Supplemental Policies** | Use this option on a base policy to allow supplemental policies to expand it. NOTE: This option is only supported on Windows 10, version 1903, and above. | No |
| **18 Disabled:Runtime FilePath Rule Protection** | This option disables the default runtime check that only allows FilePath rules for paths that are only writable by an administrator. NOTE: This option is only supported on Windows 10, version 1903, and above. | Yes |
| **19 Enabled:Dynamic Code Security** | Enables policy enforcement for .NET applications and dynamically loaded libraries. NOTE: This option is only supported on Windows 10, version 1803, and above. | No |
-| **20 Enabled:Revoked Expired As Unsigned** | Use this option to treat binaries signed with an expired and/or revoked certificates as "Unsigned binaries" for user mode process/components under enterprise signing scenarios. | No |
+| **20 Enabled:Revoked Expired As Unsigned** | Use this option to treat binaries signed with expired and/or revoked certificates as "Unsigned binaries" for user-mode process/components under enterprise signing scenarios. | No |
## Windows Defender Application Control file rule levels
From 20f3b55c1616b754a0a1fd8620bfd30511831146 Mon Sep 17 00:00:00 2001
From: Kim Klein
Date: Mon, 2 Aug 2021 10:07:49 -0700
Subject: [PATCH 10/46] Updated the last of the suggestions.
---
.../event-id-explanations.md | 3 ---
1 file changed, 3 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
index e3ae7a65ba..ff7f78475a 100644
--- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
+++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
@@ -96,8 +96,6 @@ The WDAC policy rule-option values can be derived from the "Options" field in th
| 4 | Enabled:Intelligent Security Graph Authorization |
| 5 | Enabled:Invalidate EAs on Reboot |
| 7 | Required:WHQL |
-| 8 | Enabled:Developer Dynamic Code Security |
-| 9 | Enabled:No Revalidation Upon Refresh |
| 10 | Enabled:Allow Supplemental Policies |
| 11 | Disabled:Runtime FilePath Rule Protection |
| 13 | Enabled:Revoked Expired As Unsigned |
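Review bot: Bit addresses 8 and 9 are removed here (and 26 in the next hunk), and the commit message gives no reason. A reader who decodes an Options value with one of those bits set will now find no matching row. If the bits are reserved or intentionally undocumented, add a line under the table saying that bits not listed should be ignored, so their absence is not read as an error in the decoded value.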
@@ -111,7 +109,6 @@ The WDAC policy rule-option values can be derived from the "Options" field in th
| 23 | Enabled:Advanced Boot Options Menu |
| 24 | Disabled:Script Enforcement |
| 25 | Required:Enforce Store Applications |
-| 26 | Enabled:Host Policy Enforcement |
| 27 | Enabled:Managed Installer |
| 28 | Enabled:Update Policy No Reboot |
From a1bf5c0280eeb670b19aa412cdd719f2036801fe Mon Sep 17 00:00:00 2001
From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com>
Date: Tue, 3 Aug 2021 15:25:24 +0530
Subject: [PATCH 11/46] Update defender-csp.md
---
windows/client-management/mdm/defender-csp.md | 166 ++++++++++++++++++
1 file changed, 166 insertions(+)
diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md
index c66d28ae30..8546b958f3 100644
--- a/windows/client-management/mdm/defender-csp.md
+++ b/windows/client-management/mdm/defender-csp.md
@@ -35,6 +35,18 @@ Defender
------------InitialDetectionTime
------------LastThreatStatusChangeTime
------------NumberOfDetections
+----EnableNetworkProtection
+--------AllowNetworkProtectionDownLevel
+--------AllowNetworkProtectionOnWinServer
+--------DisableNetworkProtectionPerfTelemetry
+--------DisableDatagramProcessing
+--------DisableInboundConnectionFiltering
+--------EnableDnsSinkhole
+--------DisableDnsOverTcpParsing
+--------DisableHttpParsing
+--------DisableRdpParsing
+--------DisableSshParsing
+--------DisableTlsParsing
----Health
--------ProductStatus (Added in Windows 10 version 1809)
--------ComputerState
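Review bot: The node tree added here lists DisableDnsOverTcpParsing but not DisableDnsParsing, although the same patch documents **EnableNetworkProtection/DisableDnsParsing** further down. Add the missing node to the tree or remove its description so the two agree. It is also worth confirming that the eleven settings really are children of EnableNetworkProtection, since that node is described below as taking the values 0, 1 and 2 itself.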
@@ -189,6 +201,27 @@ The following list shows the supported values:
Supported operation is Get.
+**Detections/*ThreatId*/CurrentStatus**
+Information about the current status of the threat.
+
+The data type is integer.
+
+The following list shows the supported values:
+
+- 0 = Active
+- 1 = Action failed
+- 2 = Manual steps required
+- 3 = Full scan required
+- 4 = Reboot required
+- 5 = Remediated with noncritical failures
+- 6 = Quarantined
+- 7 = Removed
+- 8 = Cleaned
+- 9 = Allowed
+- 10 = No Status ( Cleared)
+
+Supported operation is Get.
+
**Detections/*ThreatId*/ExecutionStatus**
Information about the execution status of the threat.
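Review bot: The last value in the new CurrentStatus list is written "10 = No Status ( Cleared)", with a stray space after the opening parenthesis. Change it to "10 = No Status (Cleared)" to match the other entries.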
@@ -217,6 +250,139 @@ The data type is integer.
Supported operation is Get.
+**EnableNetworkProtection**
+
+The Network Protection Service is a network filter that helps to protect you against web-based malicious threats, including phishing and malware. The Network Protection service contacts the SmartScreen URL reputation service to validate the safety of connections to web resources.
+The acceptable values for this parameter are:
+- 0: Disabled. The Network Protection service will not block navigations to malicious websites, or contact the SmartScreen URL reputation service. It will still send connection metadata to the antimalware engine if behavior monitoring is enabled, to enhance AV Detections.
+- 1: Enabled. The Network Protection service will block connections to malicious websites based on URL Reputation from the SmartScreen URL reputation service.
+- 2: AuditMode. As above, but the Network Protection service will not block connections to malicious websites, but will instead log the access to the event log.
+
+Accepted values: Disabled, Enabled, and AuditMode
+Position: Named
+Default value: Disabled
+Accept pipeline input: False
+Accept wildcard characters: False
+
+**EnableNetworkProtection/AllowNetworkProtectionDownLevel**
+
+By default, network protection is not allowed to be enabled on Windows versions before 1709, regardless of the setting of the EnableNetworkProtection configuration. Set this configuration to "$true" to override that behavior and allow Network Protection to be set to Enabled or Audit Mode.
+- Type: Boolean
+- Position: Named
+- Default value: False
+- Accept pipeline input: False
+- Accept wildcard characters: False
+
+**EnableNetworkProtection/AllowNetworkProtectionOnWinServer**
+
+By default, network protection is not allowed to be enabled on Windows Server, regardless of the setting of the EnableNetworkProtection configuration. Set this configuration to "$true" to override that behavior and allow Network Protection to be set to Enabled or Audit Mode.
+
+- Type: Boolean
+- Position: Named
+- Default value: False
+- Accept pipeline input: False
+- Accept wildcard characters: False
+
+**EnableNetworkProtection/DisableNetworkProtectionPerfTelemetry**
+
+Network Protection sends up anonymized performance statistics about its connection monitoring to improve our product and help to find bugs. You can disable this behavior by setting this configuration to "$true".
+
+- Type: Boolean
+- Position: Named
+- Default value: False
+- Accept pipeline input: False
+- Accept wildcard characters: False
+
+**EnableNetworkProtection/DisableDatagramProcessing**
+
+Network Protection inspects UDP connections allowing us to find malicious DNS or other UDP Traffic. To disable this functionality, set this configuration to "$true".
+
+- Type: Boolean
+- Position: Named
+- Default value: False
+- Accept pipeline input: False
+- Accept wildcard characters: False
+
+**EnableNetworkProtection/DisableInboundConnectionFiltering**
+
+Network Protection inspects and can block both connections that originates from the host machine, as well as those that originates from outside the machine. To have network connection to inspect only outbound connections, set this configuration to "$true".
+
+- Type: Boolean
+- Position: Named
+- Default value: False
+- Accept pipeline input: False
+- Accept wildcard characters: False
+
+**EnableNetworkProtection/EnableDnsSinkhole**
+
+Network Protection can inspect the DNS traffic of a machine and, in conjunction with behavior monitoring, detect and sinkhole DNS exfiltration attempts and other DNS based malicious attacks. Set this configuration to "$true" to enable this feature.
+
+- Type: Boolean
+- Position: Named
+- Default value: False
+- Accept pipeline input: False
+- Accept wildcard characters: False
+
+**EnableNetworkProtection/DisableDnsOverTcpParsing**
+
+Network Protection inspects DNS traffic that occurs over a TCP channel, to provide metadata for Anti-malware Behavior Monitoring or to allow for DNS Sinkholing if the -EnableDnsSinkhole configuration is set. This can be disabled by setting this value to "$true".
+
+- Type: Boolean
+- Position: Named
+- Default value: False
+- Accept pipeline input: False
+- Accept wildcard characters: False
+
+**EnableNetworkProtection/DisableDnsParsing**
+
+Network Protection inspects DNS traffic that occurs over a UDP channel, to provide metadata for Anti-malware Behavior Monitoring or to allow for DNS Sinkholing if the -EnableDnsSinkhole configuration is set. This can be disabled by setting this value to "$true".
+
+- Type: Boolean
+- Position: Named
+- Default value: False
+- Accept pipeline input: False
+- Accept wildcard characters: False
+
+**EnableNetworkProtection/DisableHttpParsing**
+
+Network Protection inspects HTTP traffic to see if a connection is being made to a malicious website, and to provide metadata to Behavior Monitoring. HTTP connections to malicious websites can also be blocked if -EnableNetworkProtection is set to enabled. HTTP inspection can be disabled by setting this value to "$true".
+
+- Type: Boolean
+- Position: Named
+- Default value: False
+- Accept pipeline input: False
+- Accept wildcard characters: False
+
+**EnableNetworkProtection/DisableRdpParsing**
+
+Network Protection inspects RDP traffic so that it can block connections from known malicious hosts if -EnableNetworkProtection is set to enabled, and to provide metadata to behavior monitoring. RDP inspection can be disabled by setting this value to "$true".
+
+- Type: Boolean
+- Position: Named
+- Default value: False
+- Accept pipeline input: False
+- Accept wildcard characters: False
+
+**EnableNetworkProtection/DisableSshParsing**
+
+Network Protection inspects SSH traffic, so that it can block connections from known malicious hosts. if -EnableNetworkProtection is set to enabled, and to provide metadata to behavior monitoring. SSH inspection can be disabled by setting this value to "$true".
+
+- Type: Boolean
+- Position: Named
+- Default value: False
+- Accept pipeline input: False
+- Accept wildcard characters: False
+
+**EnableNetworkProtection/DisableTlsParsing**
+
+Network Protection inspects TLS traffic (also known as HTTPS traffic) to see if a connection is being made to a malicious website, and to provide metadata to Behavior Monitoring. TLS connections to malicious websites can also be blocked if -EnableNetworkProtection is set to enabled. HTTP inspection can be disabled by setting this value to "$true".
+
+- Type: Boolean
+- Position: Named
+- Default value: False
+- Accept pipeline input: False
+- Accept wildcard characters: False
+
**Health**
An interior node to group information about Windows Defender health status.
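Review bot: The DisableTlsParsing description ends with "HTTP inspection can be disabled by setting this value", carried over from the DisableHttpParsing entry; it should say TLS inspection. Two more wording problems are in the added text: DisableSshParsing has a stray period in "malicious hosts. if -EnableNetworkProtection is set to enabled", which splits the sentence, and DisableInboundConnectionFiltering says "To have network connection to inspect only outbound connections", where Network Protection is presumably meant. The per-setting lists (Position: Named, Accept pipeline input, the "$true" values) are cmdlet-parameter metadata. Other nodes in this file state the data type and the supported operations, so these entries should follow that form.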
From aaf41ed62fe38999860050bb8d44e7a699552867 Mon Sep 17 00:00:00 2001
From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com>
Date: Tue, 3 Aug 2021 15:50:28 +0530
Subject: [PATCH 12/46] Updated
---
windows/client-management/mdm/defender-csp.md | 26 +++++++++----------
1 file changed, 13 insertions(+), 13 deletions(-)
diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md
index 8546b958f3..3acf1cca00 100644
--- a/windows/client-management/mdm/defender-csp.md
+++ b/windows/client-management/mdm/defender-csp.md
@@ -137,7 +137,7 @@ The following table describes the supported values:
| 7 | Remote access Trojan |
| 8 | Trojan |
| 9 | Email flooder |
-| 10 | Keylogger |
+| 10 | Key logger |
| 11 | Dialer |
| 12 | Monitoring software |
| 13 | Browser modifier |
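Review bot: Value 10 changes "Keylogger" to "Key logger", but the one-word form is the established term for this threat category, and splitting it makes the table harder to search. Suggest keeping "Keylogger".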
@@ -197,7 +197,7 @@ The following list shows the supported values:
- 7 = Removed
- 8 = Cleaned
- 9 = Allowed
-- 10 = No Status ( Cleared)
+- 10 = No Status (Cleared)
Supported operation is Get.
@@ -218,7 +218,7 @@ The following list shows the supported values:
- 7 = Removed
- 8 = Cleaned
- 9 = Allowed
-- 10 = No Status ( Cleared)
+- 10 = No Status (Cleared)
Supported operation is Get.
@@ -254,7 +254,7 @@ Supported operation is Get.
The Network Protection Service is a network filter that helps to protect you against web-based malicious threats, including phishing and malware. The Network Protection service contacts the SmartScreen URL reputation service to validate the safety of connections to web resources.
The acceptable values for this parameter are:
-- 0: Disabled. The Network Protection service will not block navigations to malicious websites, or contact the SmartScreen URL reputation service. It will still send connection metadata to the antimalware engine if behavior monitoring is enabled, to enhance AV Detections.
+- 0: Disabled. The Network Protection service will not block navigation to malicious websites, or contact the SmartScreen URL reputation service. It will still send connection metadata to the antimalware engine if behavior monitoring is enabled, to enhance AV Detections.
- 1: Enabled. The Network Protection service will block connections to malicious websites based on URL Reputation from the SmartScreen URL reputation service.
- 2: AuditMode. As above, but the Network Protection service will not block connections to malicious websites, but will instead log the access to the event log.
@@ -305,7 +305,7 @@ Network Protection inspects UDP connections allowing us to find malicious DNS or
**EnableNetworkProtection/DisableInboundConnectionFiltering**
-Network Protection inspects and can block both connections that originates from the host machine, as well as those that originates from outside the machine. To have network connection to inspect only outbound connections, set this configuration to "$true".
+Network Protection inspects and can block both connections that originate from the host machine, as well as those that originates from outside the machine. To have network connection to inspect only outbound connections, set this configuration to "$true".
- Type: Boolean
- Position: Named
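Review bot: The agreement fix in the DisableInboundConnectionFiltering paragraph is only half applied: "connections that originate from the host machine" is corrected, but "those that originates from outside the machine" in the same sentence is not. The next sentence, "To have network connection to inspect only outbound connections", is also left as is; it should name Network Protection as the thing doing the inspecting.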
@@ -315,7 +315,7 @@ Network Protection inspects and can block both connections that originates from
**EnableNetworkProtection/EnableDnsSinkhole**
-Network Protection can inspect the DNS traffic of a machine and, in conjunction with behavior monitoring, detect and sinkhole DNS exfiltration attempts and other DNS based malicious attacks. Set this configuration to "$true" to enable this feature.
+Network Protection can inspect the DNS traffic of a machine and, in conjunction with behavior monitoring, detect and sink hole DNS exfiltration attempts and other DNS based malicious attacks. Set this configuration to "$true" to enable this feature.
- Type: Boolean
- Position: Named
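Review bot: In the EnableDnsSinkhole paragraph, "sinkhole" becomes "sink hole", which no longer matches the setting name EnableDnsSinkhole that the paragraph documents. "Sinkhole" is the standard term for this DNS technique. The same applies to "sink holing" in the DisableDnsOverTcpParsing and DisableDnsParsing hunks that follow. Suggest reverting all three to "sinkhole" and "sinkholing".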
@@ -325,7 +325,7 @@ Network Protection can inspect the DNS traffic of a machine and, in conjunction
**EnableNetworkProtection/DisableDnsOverTcpParsing**
-Network Protection inspects DNS traffic that occurs over a TCP channel, to provide metadata for Anti-malware Behavior Monitoring or to allow for DNS Sinkholing if the -EnableDnsSinkhole configuration is set. This can be disabled by setting this value to "$true".
+Network Protection inspects DNS traffic that occurs over a TCP channel, to provide metadata for Anti-malware Behavior Monitoring or to allow for DNS sink holing if the -EnableDnsSinkhole configuration is set. This can be disabled by setting this value to "$true".
- Type: Boolean
- Position: Named
@@ -335,7 +335,7 @@ Network Protection inspects DNS traffic that occurs over a TCP channel, to provi
**EnableNetworkProtection/DisableDnsParsing**
-Network Protection inspects DNS traffic that occurs over a UDP channel, to provide metadata for Anti-malware Behavior Monitoring or to allow for DNS Sinkholing if the -EnableDnsSinkhole configuration is set. This can be disabled by setting this value to "$true".
+Network Protection inspects DNS traffic that occurs over a UDP channel, to provide metadata for Anti-malware Behavior Monitoring or to allow for DNS sink holing if the -EnableDnsSinkhole configuration is set. This can be disabled by setting this value to "$true".
- Type: Boolean
- Position: Named
@@ -355,7 +355,7 @@ Network Protection inspects HTTP traffic to see if a connection is being made to
**EnableNetworkProtection/DisableRdpParsing**
-Network Protection inspects RDP traffic so that it can block connections from known malicious hosts if -EnableNetworkProtection is set to enabled, and to provide metadata to behavior monitoring. RDP inspection can be disabled by setting this value to "$true".
+Network Protection inspects RDP traffic so that it can block connections from known malicious hosts if -EnableNetworkProtection is set to be enabled, and to provide metadata to behavior monitoring. RDP inspection can be disabled by setting this value to "$true".
- Type: Boolean
- Position: Named
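Review bot: "if -EnableNetworkProtection is set to be enabled" in the DisableRdpParsing paragraph is less precise than what it replaces, and it now differs from the DisableHttpParsing and DisableTlsParsing entries, which still say "set to enabled". The EnableNetworkProtection section lists 0 (Disabled), 1 (Enabled) and 2 (AuditMode), so wording such as "is set to 1 (Enabled)" would say exactly which state turns blocking on, and it should be used in all four entries.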
@@ -365,7 +365,7 @@ Network Protection inspects RDP traffic so that it can block connections from kn
**EnableNetworkProtection/DisableSshParsing**
-Network Protection inspects SSH traffic, so that it can block connections from known malicious hosts. if -EnableNetworkProtection is set to enabled, and to provide metadata to behavior monitoring. SSH inspection can be disabled by setting this value to "$true".
+Network Protection inspects SSH traffic, so that it can block connections from known malicious hosts. If -EnableNetworkProtection is set to be enabled, and to provide metadata to behavior monitoring. SSH inspection can be disabled by setting this value to "$true".
- Type: Boolean
- Position: Named
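Review bot: Capitalizing "If" in the DisableSshParsing paragraph keeps the stray period and turns "If -EnableNetworkProtection is set to be enabled, and to provide metadata to behavior monitoring." into a sentence fragment. The period after "malicious hosts" is the actual defect. Remove it so the text reads as one sentence, as in the DisableRdpParsing entry.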
@@ -414,7 +414,7 @@ Supported product status values:
- Service is shutting down as part of system shutdown = 1 << 16
- Threat remediation failed critically = 1 << 17
- Threat remediation failed non-critically = 1 << 18
-- No status flags set (well initialized state) = 1 << 19
+- No status flags set (well-initialized state) = 1 << 19
- Platform is out of date = 1 << 20
- Platform update is in progress = 1 << 21
- Platform is about to be outdated = 1 << 22
@@ -698,7 +698,7 @@ Beta Channel: Devices set to this channel will be the first to receive new updat
Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments.
-Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%).
+Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested applying to a small, representative part of your production population (~10%).
Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).
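Review bot: "Suggested applying to a small, representative part" in the Current Channel (Staged) line is not grammatical, and it now disagrees with the Current Channel (Broad) line directly below, which keeps "Suggested to apply to a broad set of devices". Use one construction for both channels, for example "Suggested for a small, representative part of your production population (~10%)", which matches the "Suggested for pre-production/validation environments" wording of the Preview line. The same change is repeated in the hunk at line 727.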
@@ -727,7 +727,7 @@ Beta Channel: Devices set to this channel will be the first to receive new updat
Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments.
-Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%).
+Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested applying to a small, representative part of your production population (~10%).
Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).
From c7af8e096b46e39d7ba938dd948513e9aa6dd1a9 Mon Sep 17 00:00:00 2001
From: Steve DiAcetis
Date: Tue, 3 Aug 2021 12:21:31 -0700
Subject: [PATCH 13/46] Update media-dynamic-update.md
---
.../deployment/update/media-dynamic-update.md | 56 +++++++++++++++++--
1 file changed, 52 insertions(+), 4 deletions(-)
diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md
index 2664d3f9d8..1e449b3202 100644
--- a/windows/deployment/update/media-dynamic-update.md
+++ b/windows/deployment/update/media-dynamic-update.md
@@ -178,8 +178,6 @@ The script assumes that only a single edition is being updated, indicated by Ind
It finishes by cleaning and exporting the image to reduce the image size.
-> [!NOTE]
-> Skip adding the latest cumulative update to Winre.wim because it contains unnecessary components in the recovery environment. The components that are updated and applicable are contained in the safe operating system Dynamic Update package. This also helps to keep the image small.
```powershell
# Mount the main operating system, used throughout the script
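Review bot: The removed [!NOTE] was the only place that told readers not to add the latest cumulative update to Winre.wim, and nothing replaces it; the commit message does not say why. If the guidance has changed because combined cumulative updates are now applied to WinRE, the article should state the new guidance explicitly. Otherwise readers of the script cannot tell whether WinRE is expected to receive the cumulative update.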
@@ -194,8 +192,33 @@ Write-Output "$(Get-TS): Mounting WinRE"
Mount-WindowsImage -ImagePath $WORKING_PATH"\winre.wim" -Index 1 -Path $WINRE_MOUNT -ErrorAction stop | Out-Null
# Add servicing stack update
+
+# Note: If you are using a combined cumulative update, there may be a prerequisite servicing stack update required
+# This is where you'd add the prerequisite SSU, before applying the latest combined cumulative update.
+
+# Note: If you are applying a combined cumulative update to a previously updated image (e.g. an image you updated last month)
+# There is a known issue where the servicing stack update is installed, but the cumulative update will fail.
+# This error should be caught and ignored, as the last step will be to apply the cumulative update (or in this case the combined cumulative update)
+# and thus the image will be left with the correct packages installed.
+
Write-Output "$(Get-TS): Adding package $SSU_PATH"
-Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SSU_PATH -ErrorAction stop | Out-Null
+
+try
+{
+ Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SSU_PATH -ErrorAction stop | Out-Null
+}
+Catch
+{
+ $theError = $_
+ Write-Output "$(Get-TS): $theError"
+
+ if ($theError.Exception -like "*0x8007007e*") {
+ Write-Output "$(Get-TS): This failure is a known issue with combined cumulative update, we can ignore."
+ }
+ else {
+ throw
+ }
+}
#
# Optional: Add the language to recovery environment
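Review bot: The Catch block decides whether to ignore a failure with $theError.Exception -like "*0x8007007e*", a wildcard match on the stringified exception. This is fragile, since the text depends on how the error is rendered, and broad, since 0x8007007e is the generic "module not found" HRESULT and will be ignored whatever its cause. Compare the numeric HResult on the exception instead. After the final cumulative update step, confirm with Get-WindowsPackage that the expected packages are present, so an image with a failed servicing stack update is not shipped silently. The comment also says "the servicing stack update is installed, but the cumulative update will fail", while the guarded call adds $SSU_PATH; say which package is being added here when a combined update is used. Keyword casing is mixed (try / Catch).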
@@ -278,8 +301,33 @@ Foreach ($IMAGE in $WINPE_IMAGES) {
Mount-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\boot.wim" -Index $IMAGE.ImageIndex -Path $WINPE_MOUNT -ErrorAction stop | Out-Null
# Add SSU
+
+ # Note: If you are using a combined cumulative update, there may be a prerequisite servicing stack update required
+ # This is where you'd add the prerequisite SSU, before applying the latest combined cumulative update.
+
+ # Note: If you are applying a combined cumulative update to a previously updated image (e.g. an image you updated last month)
+ # There is a known issue where the servicing stack update is installed, but the cumulative update will fail.
+ # This error should be caught and ignored, as the last step will be to apply the cumulative update (or in this case the combined cumulative update)
+ # and thus the image will be left with the correct packages installed.
+
Write-Output "$(Get-TS): Adding package $SSU_PATH"
- Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $SSU_PATH -ErrorAction stop | Out-Null
+
+ try
+ {
+ Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $SSU_PATH -ErrorAction stop | Out-Null
+ }
+ Catch
+ {
+ $theError = $_
+ Write-Output "$(Get-TS): $theError"
+
+ if ($theError.Exception -like "*0x8007007e*") {
+ Write-Output "$(Get-TS): This failure is a known issue with combined cumulative update, we can ignore."
+ }
+ else {
+ throw
+ }
+ }
# Install lp.cab cab
Write-Output "$(Get-TS): Adding package $WINPE_OC_LP_PATH"
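Review bot: The try/Catch block and its two explanatory comments in the WinPE loop are a verbatim copy of the WinRE block earlier in this patch, differing only in the mount path. Move the logic into one helper function that takes the mount path and package path and is called from both places. The follow-up patches already have to make every edit twice, and a fix applied to only one copy would leave WinRE and WinPE handling servicing failures differently.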
From ee685f35b42a0c0ea2c4b108e78ffb5ad01b6ad5 Mon Sep 17 00:00:00 2001
From: Steve DiAcetis
Date: Tue, 3 Aug 2021 12:30:31 -0700
Subject: [PATCH 14/46] Update media-dynamic-update.md
---
windows/deployment/update/media-dynamic-update.md | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md
index 1e449b3202..e81a36becc 100644
--- a/windows/deployment/update/media-dynamic-update.md
+++ b/windows/deployment/update/media-dynamic-update.md
@@ -198,8 +198,8 @@ Mount-WindowsImage -ImagePath $WORKING_PATH"\winre.wim" -Index 1 -Path $WINRE_MO
# Note: If you are applying a combined cumulative update to a previously updated image (e.g. an image you updated last month)
# There is a known issue where the servicing stack update is installed, but the cumulative update will fail.
-# This error should be caught and ignored, as the last step will be to apply the cumulative update (or in this case the combined cumulative update)
-# and thus the image will be left with the correct packages installed.
+# This error should be caught and ignored, as the last step will be to apply the cumulative update
+# (or in this case the combined cumulative update) and thus the image will be left with the correct packages installed.
Write-Output "$(Get-TS): Adding package $SSU_PATH"
@@ -307,8 +307,8 @@ Foreach ($IMAGE in $WINPE_IMAGES) {
# Note: If you are applying a combined cumulative update to a previously updated image (e.g. an image you updated last month)
# There is a known issue where the servicing stack update is installed, but the cumulative update will fail.
- # This error should be caught and ignored, as the last step will be to apply the cumulative update (or in this case the combined cumulative update)
- # and thus the image will be left with the correct packages installed.
+ # This error should be caught and ignored, as the last step will be to apply the cumulative update
+ # (or in this case the combined cumulative update) and thus the image will be left with the correct packages installed.
Write-Output "$(Get-TS): Adding package $SSU_PATH"
From 93664e8fc9f13eece2527424ad70aa17ff946229 Mon Sep 17 00:00:00 2001
From: Steve DiAcetis
Date: Tue, 3 Aug 2021 16:45:54 -0700
Subject: [PATCH 15/46] Update media-dynamic-update.md
---
.../deployment/update/media-dynamic-update.md | 24 +++++++++----------
1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md
index e81a36becc..49943752c3 100644
--- a/windows/deployment/update/media-dynamic-update.md
+++ b/windows/deployment/update/media-dynamic-update.md
@@ -1,5 +1,5 @@
---
-title: Update Windows 10 media with Dynamic Update
+title: Update Windows installation media with Dynamic Update
description: Learn how to deploy feature updates to your mission critical devices
ms.prod: w10
ms.mktglfcycl: manage
@@ -14,17 +14,17 @@ ms.collection: M365-modern-desktop
ms.topic: article
---
-# Update Windows 10 media with Dynamic Update
+# Update Windows installation media with Dynamic Update
-**Applies to**: Windows 10
+**Applies to**: Windows 10, Windows 11
-This topic explains how to acquire and apply Dynamic Update packages to existing Windows 10 images *prior to deployment* and includes Windows PowerShell scripts you can use to automate this process.
+This topic explains how to acquire and apply Dynamic Update packages to existing Windows images *prior to deployment* and includes Windows PowerShell scripts you can use to automate this process.
-Volume-licensed media is available for each release of Windows 10 in the Volume Licensing Service Center (VLSC) and other relevant channels such as Windows Update for Business, Windows Server Update Services (WSUS), and Visual Studio Subscriptions. You can use Dynamic Update to ensure that Windows 10 devices have the latest feature update packages as part of an in-place upgrade while preserving language pack and Features on Demand (FODs) that might have been previously installed. Dynamic Update also eliminates the need to install a separate quality update as part of the in-place upgrade process.
+Volume-licensed media is available for each release of Windows in the Volume Licensing Service Center (VLSC) and other relevant channels such as Windows Update for Business, Windows Server Update Services (WSUS), and Visual Studio Subscriptions. You can use Dynamic Update to ensure that Windows devices have the latest feature update packages as part of an in-place upgrade while preserving language pack and Features on Demand (FODs) that might have been previously installed. Dynamic Update also eliminates the need to install a separate quality update as part of the in-place upgrade process.
## Dynamic Update
-Whenever installation of a feature update starts (whether from media or an environment connected to Windows Update), *Dynamic Update* is one of the first steps. Windows 10 Setup contacts a Microsoft endpoint to fetch Dynamic Update packages, and then applies those updates to your operating system installation media. The update packages include the following kinds of updates:
+Whenever installation of a feature update starts (whether from media or an environment connected to Windows Update), *Dynamic Update* is one of the first steps. Windows Setup contacts a Microsoft endpoint to fetch Dynamic Update packages, and then applies those updates to your operating system installation media. The update packages include the following kinds of updates:
- Updates to Setup.exe binaries or other files that Setup uses for feature updates
- Updates for the "safe operating system" (SafeOS) that is used for the Windows recovery environment
@@ -53,14 +53,14 @@ The various Dynamic Update packages might not all be present in the results from
If you want to customize the image with additional languages or Features on Demand, download supplemental media ISO files from the [Volume Licensing Service Center](https://www.microsoft.com/licensing/servicecenter/default.aspx). For example, since Dynamic Update will be disabled for your devices, and if users require specific Features on Demand, you can preinstall these into the image.
-## Update Windows 10 installation media
+## Update Windows installation media
Properly updating the installation media involves a large number of actions operating on several different targets (image files). Some actions are repeated on different targets. The target images files include:
- Windows Preinstallation Environment (WinPE): a small operating system used to install, deploy, and repair Windows operating systems
- Windows Recovery Environment (WinRE): repairs common causes of unbootable operating systems. WinRE is based on WinPE and can be customized with additional drivers, languages, optional packages, and other troubleshooting or diagnostic tools.
-- Windows operating system: one or more editions of Windows 10 stored in \sources\install.wim
-- Windows installation media: the complete collection of files and folders in the Windows 10 installation media. For example, \sources folder, \boot folder, Setup.exe, and so on.
+- Windows operating system: one or more editions of Windows stored in \sources\install.wim
+- Windows installation media: the complete collection of files and folders in the Windows installation media. For example, \sources folder, \boot folder, Setup.exe, and so on.
This table shows the correct sequence for applying the various tasks to the files. For example, the full sequence starts with adding the servicing stack update to WinRE (1) and concludes with adding the Dynamic Update for Setup to the new media (26).
@@ -89,7 +89,7 @@ This table shows the correct sequence for applying the various tasks to the file
### Multiple Windows editions
-The main operating system file (install.wim) contains multiple editions of Windows 10. It’s possible that only an update for a given edition is required to deploy it, based on the index. Or, it might be that all editions need an update. Further, ensure that languages are installed before Features on Demand, and the latest cumulative update is always applied last.
+The main operating system file (install.wim) contains multiple editions of Windows. It’s possible that only an update for a given edition is required to deploy it, based on the index. Or, it might be that all editions need an update. Further, ensure that languages are installed before Features on Demand, and the latest cumulative update is always applied last.
### Additional languages and features
@@ -205,7 +205,7 @@ Write-Output "$(Get-TS): Adding package $SSU_PATH"
try
{
- Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SSU_PATH -ErrorAction stop | Out-Null
+ Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SSU_PATH | Out-Null
}
Catch
{
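Review bot: Removing -ErrorAction stop from Add-WindowsPackage inside the try block changes what the Catch can see. Unless $ErrorActionPreference is set to Stop elsewhere in the script (not visible in this hunk), a non-terminating error from the cmdlet will not enter the Catch at all. In that case neither the 0x8007007e check nor the "throw" for every other failure runs, and the script continues with an image whose servicing stack update did not apply. The other Add-WindowsPackage and Mount-WindowsImage calls in the script keep -ErrorAction stop. Keep it here too, or explain in the commit message why it is dropped. The same removal is made in the WinPE hunk below.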
@@ -314,7 +314,7 @@ Foreach ($IMAGE in $WINPE_IMAGES) {
try
{
- Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $SSU_PATH -ErrorAction stop | Out-Null
+ Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $SSU_PATH | Out-Null
}
Catch
{
From f78007dfe9c82c90c5cdb508db71b05b8ccdf9b5 Mon Sep 17 00:00:00 2001
From: julihooper <65675989+julihooper@users.noreply.github.com>
Date: Wed, 4 Aug 2021 12:17:26 -0700
Subject: [PATCH 16/46] Update defender-csp.md
---
windows/client-management/mdm/defender-csp.md | 20 +++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md
index ae2739b076..22820a3680 100644
--- a/windows/client-management/mdm/defender-csp.md
+++ b/windows/client-management/mdm/defender-csp.md
@@ -453,6 +453,26 @@ Valid values are:
- 1 – Enable.
- 0 (default) – Disable.
+**Configuration/HideExclusionsFromLocalAdmins**
+This policy setting controls whether or not exclusions are visible to Local Admins. For end users (that are not Local Admins) exclusions are not visible, whether or not this setting is enabled.
+
+If you disable or do not configure this setting, Local Admins will be able to see exclusions in the Windows Security App and via PowerShell.
+
+If you enable this setting, Local Admins will no longer be able to see the exclusion list in Windows Security App or via PowerShell.
+
+> [!NOTE]
+> Applying this setting will not remove exclusions, it will only prevent them from being visible to Local Admins. This is reflected in **Get-MpPreference**.
+
+Supported OS versions: Windows 10
+
+The data type is integer.
+
+Supported operations are Add, Delete, Get, Replace.
+
+Valid values are:
+- 1 – Enable.
+- 0 (default) – Disable.
+
**Configuration/DisableCpuThrottleOnIdleScans**
Indicates whether the CPU will be throttled for scheduled scans while the device is idle. This feature is enabled by default and will not throttle the CPU for scheduled scans performed when the device is otherwise idle, regardless of what ScanAvgCPULoadFactor is set to. For all other scheduled scans this flag will have no impact and normal throttling will occur.
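Review bot: In the [!NOTE] for HideExclusionsFromLocalAdmins, "This is reflected in **Get-MpPreference**" has no clear antecedent. It could mean that the cmdlet shows the setting's value, or that its exclusion properties come back hidden. State what a Local Admin actually sees in the Get-MpPreference output when the setting is enabled, because that is what an administrator will check to confirm the policy applied. "Supported OS versions: Windows 10" should also give the minimum version or platform release if there is one. The two paragraphs starting "If you disable" and "If you enable" could say "the exclusion list" consistently.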
From 461a48151d72a6ba0208018fcfba88fd21e809d3 Mon Sep 17 00:00:00 2001
From: greg-lindsay
Date: Thu, 5 Aug 2021 10:08:41 -0700
Subject: [PATCH 17/46] replace references to Windows 10 with Windows client
---
windows/client-management/index.yml | 2 +-
windows/configuration/index.yml | 20 ++++++++++----------
windows/hub/index.yml | 2 ++
3 files changed, 13 insertions(+), 11 deletions(-)
diff --git a/windows/client-management/index.yml b/windows/client-management/index.yml
index 3731f3f13d..1396acc86a 100644
--- a/windows/client-management/index.yml
+++ b/windows/client-management/index.yml
@@ -4,7 +4,7 @@ title: Client management # < 60 chars
summary: Find out how to apply custom configurations to Windows client devices. Windows provides a number of features and methods to help you configure or lock down specific parts of the Windows interface. # < 160 chars
metadata:
- title: Configure Windows 10 # Required; page title displayed in search results. Include the brand. < 60 chars.
+ title: Manage Windows client # Required; page title displayed in search results. Include the brand. < 60 chars.
description: Learn about the administrative tools, tasks and best practices for managing Windows clients across your enterprise. # Required; article description that is displayed in search results. < 160 chars.
services: windows-10
ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM.
diff --git a/windows/configuration/index.yml b/windows/configuration/index.yml
index 30c052cbfe..66e42dca78 100644
--- a/windows/configuration/index.yml
+++ b/windows/configuration/index.yml
@@ -1,11 +1,11 @@
### YamlMime:Landing
-title: Configure Windows 10 # < 60 chars
-summary: Find out how to apply custom configurations to Windows 10 devices. Windows 10 provides a number of features and methods to help you configure or lock down specific parts of Windows 10. # < 160 chars
+title: Configure Windows client # < 60 chars
+summary: Find out how to apply custom configurations to Windows 10 and Windows 11 devices. Windows 10 provides a number of features and methods to help you configure or lock down specific parts of Windows client. # < 160 chars
metadata:
- title: Configure Windows 10 # Required; page title displayed in search results. Include the brand. < 60 chars.
- description: Find out how to apply custom configurations to Windows 10 devices. # Required; article description that is displayed in search results. < 160 chars.
+ title: Configure Windows client # Required; page title displayed in search results. Include the brand. < 60 chars.
+ description: Find out how to apply custom configurations to Windows client devices. # Required; article description that is displayed in search results. < 160 chars.
services: windows-10
ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM.
ms.subservice: subservice
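Review bot: The new summary line mixes three names for the product: "Windows 10 and Windows 11 devices", then "Windows 10 provides a number of features", then "specific parts of Windows client". The second sentence still attributes the features to Windows 10 only, which contradicts the first. The line is also well over the "# < 160 chars" limit noted in its own trailing comment. Suggest using "Windows client" throughout, as the title and metadata description in this hunk do, and shortening the text to fit the limit.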
@@ -13,7 +13,7 @@ metadata:
ms.collection: windows-10
author: greg-lindsay #Required; your GitHub user alias, with correct capitalization.
ms.author: greglin #Required; microsoft alias of author; optional team alias.
- ms.date: 03/23/2021 #Required; mm/dd/yyyy format.
+ ms.date: 08/05/2021 #Required; mm/dd/yyyy format.
localization_priority: medium
# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
@@ -22,7 +22,7 @@ landingContent:
# Cards and links should be based on top customer tasks or top subjects
# Start card title with a verb
# Card (optional)
- - title: Manage Windows 10 settings
+ - title: Manage Windows client settings
linkLists:
- linkListType: overview
links:
@@ -35,7 +35,7 @@ landingContent:
# Card (optional)
- - title: Configure a Windows 10 kiosk
+ - title: Configure a Windows kiosk
linkLists:
- linkListType: overview
links:
@@ -48,7 +48,7 @@ landingContent:
# Card (optional)
- - title: Windows 10 provisioning packages
+ - title: Windows client provisioning packages
linkLists:
- linkListType: overview
links:
@@ -70,7 +70,7 @@ landingContent:
url: wcd/wcd-oobe.md
# Card (optional)
- - title: Configure Cortana in Windows 10
+ - title: Configure Cortana in Windows client
linkLists:
- linkListType: overview
links:
@@ -80,7 +80,7 @@ landingContent:
url: cortana-at-work/cortana-at-work-voice-commands.md
# Card (optional)
- - title: User Experience Virtualization (UE-V) for Windows 10
+ - title: User Experience Virtualization (UE-V) for Windows client
linkLists:
- linkListType: overview
links:
diff --git a/windows/hub/index.yml b/windows/hub/index.yml
index f61c3a9861..2d7fb5bca4 100644
--- a/windows/hub/index.yml
+++ b/windows/hub/index.yml
@@ -95,6 +95,8 @@ landingContent:
url: /windows/client-management/mandatory-user-profile
- text: New policies for Windows 10
url: /windows/client-management/new-policies-for-windows-10
+ - text: Configuration service provider reference
+ url: /windows/client-management/mdm/configuration-service-provider-reference.md
# Card (optional)
- title: Security and Privacy
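Review bot: The added url "/windows/client-management/mdm/configuration-service-provider-reference.md" ends in .md, while the sibling entries in this list ("/windows/client-management/mandatory-user-profile", "/windows/client-management/new-policies-for-windows-10") are site-relative paths with no extension. Drop the extension so the link resolves the same way as its neighbours.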
From fec96c6fc0d29c42e704c789fd85ad1b1d7fb085 Mon Sep 17 00:00:00 2001
From: greg-lindsay
Date: Thu, 5 Aug 2021 10:13:09 -0700
Subject: [PATCH 18/46] fix link
---
windows/hub/index.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/hub/index.yml b/windows/hub/index.yml
index 2d7fb5bca4..e3a2448009 100644
--- a/windows/hub/index.yml
+++ b/windows/hub/index.yml
@@ -96,7 +96,7 @@ landingContent:
- text: New policies for Windows 10
url: /windows/client-management/new-policies-for-windows-10
- text: Configuration service provider reference
- url: /windows/client-management/mdm/configuration-service-provider-reference.md
+ url: /windows/client-management/mdm/configuration-service-provider-reference
# Card (optional)
- title: Security and Privacy
From 819bfc97c08d8677a50db9f1892fa6ef4dd1ffd5 Mon Sep 17 00:00:00 2001
From: greg-lindsay
Date: Thu, 5 Aug 2021 10:16:22 -0700
Subject: [PATCH 19/46] replace more references to 10
---
windows/client-management/toc.yml | 2 +-
windows/configuration/TOC.yml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/client-management/toc.yml b/windows/client-management/toc.yml
index 633a032f7c..633939454a 100644
--- a/windows/client-management/toc.yml
+++ b/windows/client-management/toc.yml
@@ -36,7 +36,7 @@ items:
items:
- name: CSP reference
href: mdm/configuration-service-provider-reference.md
- - name: Troubleshoot Windows 10 clients
+ - name: Troubleshoot Windows clients
items:
- name: Windows 10 support solutions
href: windows-10-support-solutions.md
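
Review bot: The renamed node reads `Troubleshoot Windows clients` (plural), but the other rename in this same patch uses the singular term (`Configure Windows client` in windows/configuration/TOC.yml), and the first child under the renamed node is still `Windows 10 support solutions`. Settle on one form of the term across both TOC files, and state in the commit message whether the child entry is meant to keep its Windows 10 name.
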
diff --git a/windows/configuration/TOC.yml b/windows/configuration/TOC.yml
index 867a205b26..c27d976f52 100644
--- a/windows/configuration/TOC.yml
+++ b/windows/configuration/TOC.yml
@@ -1,4 +1,4 @@
-- name: Configure Windows 10
+- name: Configure Windows client
href: index.yml
- name: Configure appearance settings
items:
From 9f8d0c7368d6ea19391fd6d65803e60fb979cd30 Mon Sep 17 00:00:00 2001
From: greg-lindsay
Date: Thu, 5 Aug 2021 10:29:15 -0700
Subject: [PATCH 20/46] a couple acrolynx suggestions
---
windows/client-management/index.yml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/windows/client-management/index.yml b/windows/client-management/index.yml
index 1396acc86a..e5ae09ccb3 100644
--- a/windows/client-management/index.yml
+++ b/windows/client-management/index.yml
@@ -1,11 +1,11 @@
### YamlMime:Landing
title: Client management # < 60 chars
-summary: Find out how to apply custom configurations to Windows client devices. Windows provides a number of features and methods to help you configure or lock down specific parts of the Windows interface. # < 160 chars
+summary: Find out how to apply custom configurations to Windows client devices. Windows provides many features and methods to help you configure or lock down specific parts of the Windows interface. # < 160 chars
metadata:
title: Manage Windows client # Required; page title displayed in search results. Include the brand. < 60 chars.
- description: Learn about the administrative tools, tasks and best practices for managing Windows clients across your enterprise. # Required; article description that is displayed in search results. < 160 chars.
+ description: Learn about the administrative tools, tasks, and best practices for managing Windows clients across your enterprise. # Required; article description that is displayed in search results. < 160 chars.
services: windows-10
ms.service: windows-10 #Required; service per approved list. service slug assigned to your service by ACOM.
ms.subservice: subservice
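
Review bot: The new `summary` value is still well over the `# < 160 chars` limit stated in the comment on the same line (roughly 190 characters), so swapping "a number of" for "many" does not bring it into range. Shorten it, for example by keeping only the first sentence or by folding the second into a single clause. The unchanged `ms.subservice: subservice` line just below also looks like an unfilled template value and could be cleaned up in the same pass.
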
@@ -13,7 +13,7 @@ metadata:
ms.collection: windows-10
author: greg-lindsay #Required; your GitHub user alias, with correct capitalization.
ms.author: greglin #Required; microsoft alias of author; optional team alias.
- ms.date: 04/30/2021 #Required; mm/dd/yyyy format.
+ ms.date: 08/05/2021 #Required; mm/dd/yyyy format.
localization_priority: medium
# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
From 5ca32aff1f40ae80781c269877e6c9842162cb43 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Thu, 5 Aug 2021 11:12:14 -0700
Subject: [PATCH 21/46] Update defender-csp.md
---
windows/client-management/mdm/defender-csp.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md
index 22820a3680..befd212478 100644
--- a/windows/client-management/mdm/defender-csp.md
+++ b/windows/client-management/mdm/defender-csp.md
@@ -10,7 +10,7 @@ ms.prod: w10
ms.technology: windows
author: dansimp
ms.localizationpriority: medium
-ms.date: 07/23/2021
+ms.date: 08/05/2021
---
# Defender CSP
From 5de716ef7cf6b761f0f1b709b59c7b063e87adce Mon Sep 17 00:00:00 2001
From: Sudeep Kumar <16726119+sudeepku@users.noreply.github.com>
Date: Thu, 5 Aug 2021 14:05:26 -0700
Subject: [PATCH 22/46] set recommendations flag in all docfx.json files
---
bcs/docfx.json | 1 +
browsers/edge/docfx.json | 1 +
browsers/internet-explorer/docfx.json | 1 +
devices/hololens/docfx.json | 1 +
devices/surface-hub/docfx.json | 1 +
devices/surface/docfx.json | 1 +
education/docfx.json | 1 +
gdpr/docfx.json | 1 +
mdop/docfx.json | 1 +
smb/docfx.json | 1 +
store-for-business/docfx.json | 1 +
windows/access-protection/docfx.json | 1 +
windows/application-management/docfx.json | 1 +
windows/client-management/docfx.json | 1 +
windows/configuration/docfx.json | 1 +
windows/configure/docfx.json | 1 +
windows/deploy/docfx.json | 1 +
windows/deployment/docfx.json | 1 +
windows/device-security/docfx.json | 1 +
windows/docfx.json | 1 +
windows/eulas/docfx.json | 1 +
windows/hub/docfx.json | 1 +
windows/keep-secure/docfx.json | 1 +
windows/known-issues/docfx.json | 1 +
windows/manage/docfx.json | 1 +
windows/plan/docfx.json | 1 +
windows/privacy/docfx.json | 1 +
windows/release-information/docfx.json | 1 +
windows/security/docfx.json | 1 +
windows/threat-protection/docfx.json | 1 +
windows/update/docfx.json | 1 +
windows/whats-new/docfx.json | 1 +
32 files changed, 32 insertions(+)
diff --git a/bcs/docfx.json b/bcs/docfx.json
index 8bb25b9c4c..f1384ac71a 100644
--- a/bcs/docfx.json
+++ b/bcs/docfx.json
@@ -35,6 +35,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
+ "recommendations": true,
"breadcrumb_path": "/microsoft-365/business/breadcrumb/toc.json",
"extendBreadcrumb": true,
"contributors_to_exclude": [
diff --git a/browsers/edge/docfx.json b/browsers/edge/docfx.json
index d77b68f7fb..bc99fd3bd8 100644
--- a/browsers/edge/docfx.json
+++ b/browsers/edge/docfx.json
@@ -27,6 +27,7 @@
}
],
"globalMetadata": {
+ "recommendations": true,
"breadcrumb_path": "/microsoft-edge/deploy/breadcrumb/toc.json",
"ROBOTS": "INDEX, FOLLOW",
"ms.technology": "microsoft-edge",
diff --git a/browsers/internet-explorer/docfx.json b/browsers/internet-explorer/docfx.json
index 927e4c51ac..9a7a5d7e4a 100644
--- a/browsers/internet-explorer/docfx.json
+++ b/browsers/internet-explorer/docfx.json
@@ -23,6 +23,7 @@
}
],
"globalMetadata": {
+ "recommendations": true,
"breadcrumb_path": "/internet-explorer/breadcrumb/toc.json",
"ROBOTS": "INDEX, FOLLOW",
"audience": "ITPro",
diff --git a/devices/hololens/docfx.json b/devices/hololens/docfx.json
index 9b7317309d..464a472b2f 100644
--- a/devices/hololens/docfx.json
+++ b/devices/hololens/docfx.json
@@ -30,6 +30,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
+ "recommendations": true,
"breadcrumb_path": "/hololens/breadcrumb/toc.json",
"ms.technology": "windows",
"ms.topic": "article",
diff --git a/devices/surface-hub/docfx.json b/devices/surface-hub/docfx.json
index 8eba3c49b1..2e2fb12b63 100644
--- a/devices/surface-hub/docfx.json
+++ b/devices/surface-hub/docfx.json
@@ -24,6 +24,7 @@
}
],
"globalMetadata": {
+ "recommendations": true,
"breadcrumb_path": "/surface-hub/breadcrumb/toc.json",
"ROBOTS": "INDEX, FOLLOW",
"ms.technology": "windows",
diff --git a/devices/surface/docfx.json b/devices/surface/docfx.json
index 42faacbcac..eba515451e 100644
--- a/devices/surface/docfx.json
+++ b/devices/surface/docfx.json
@@ -22,6 +22,7 @@
}
],
"globalMetadata": {
+ "recommendations": true,
"breadcrumb_path": "/surface/breadcrumb/toc.json",
"ROBOTS": "INDEX, FOLLOW",
"ms.technology": "windows",
diff --git a/education/docfx.json b/education/docfx.json
index 8ba1394c6d..7cac8a75b9 100644
--- a/education/docfx.json
+++ b/education/docfx.json
@@ -26,6 +26,7 @@
}
],
"globalMetadata": {
+ "recommendations": true,
"ROBOTS": "INDEX, FOLLOW",
"audience": "windows-education",
"ms.topic": "article",
diff --git a/gdpr/docfx.json b/gdpr/docfx.json
index 1d092a902e..eaa6eba4eb 100644
--- a/gdpr/docfx.json
+++ b/gdpr/docfx.json
@@ -31,6 +31,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
+ "recommendations": true,
"author": "eross-msft",
"ms.author": "lizross",
"feedback_system": "GitHub",
diff --git a/mdop/docfx.json b/mdop/docfx.json
index abcead924c..dfa58fa007 100644
--- a/mdop/docfx.json
+++ b/mdop/docfx.json
@@ -22,6 +22,7 @@
}
],
"globalMetadata": {
+ "recommendations": true,
"breadcrumb_path": "/microsoft-desktop-optimization-pack/breadcrumb/toc.json",
"ROBOTS": "INDEX, FOLLOW",
"ms.technology": "windows",
diff --git a/smb/docfx.json b/smb/docfx.json
index 379f9d6f3e..9b63f81cad 100644
--- a/smb/docfx.json
+++ b/smb/docfx.json
@@ -29,6 +29,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
+ "recommendations": true,
"breadcrumb_path": "/windows/smb/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-M365-IT",
"feedback_system": "None",
diff --git a/store-for-business/docfx.json b/store-for-business/docfx.json
index 2a30faf3ef..bf0a63a161 100644
--- a/store-for-business/docfx.json
+++ b/store-for-business/docfx.json
@@ -31,6 +31,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
+ "recommendations": true,
"breadcrumb_path": "/microsoft-store/breadcrumb/toc.json",
"ms.author": "trudyha",
"audience": "ITPro",
diff --git a/windows/access-protection/docfx.json b/windows/access-protection/docfx.json
index fff71782f2..35b82f4d89 100644
--- a/windows/access-protection/docfx.json
+++ b/windows/access-protection/docfx.json
@@ -32,6 +32,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
+ "recommendations": true,
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"ms.technology": "windows",
"audience": "ITPro",
diff --git a/windows/application-management/docfx.json b/windows/application-management/docfx.json
index 4d3e15e0a7..b5298397b7 100644
--- a/windows/application-management/docfx.json
+++ b/windows/application-management/docfx.json
@@ -32,6 +32,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
+ "recommendations": true,
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-M365-IT",
"ms.technology": "windows",
diff --git a/windows/client-management/docfx.json b/windows/client-management/docfx.json
index eb3917a794..450357dfba 100644
--- a/windows/client-management/docfx.json
+++ b/windows/client-management/docfx.json
@@ -32,6 +32,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
+ "recommendations": true,
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-M365-IT",
"ms.technology": "windows",
diff --git a/windows/configuration/docfx.json b/windows/configuration/docfx.json
index 44006a3af5..d93337be79 100644
--- a/windows/configuration/docfx.json
+++ b/windows/configuration/docfx.json
@@ -32,6 +32,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
+ "recommendations": true,
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-M365-IT",
"ms.technology": "windows",
diff --git a/windows/configure/docfx.json b/windows/configure/docfx.json
index 032a6cf7e4..3ecf9e6104 100644
--- a/windows/configure/docfx.json
+++ b/windows/configure/docfx.json
@@ -31,6 +31,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
+ "recommendations": true,
"feedback_system": "None",
"hideEdit": true,
"_op_documentIdPathDepotMapping": {
diff --git a/windows/deploy/docfx.json b/windows/deploy/docfx.json
index f8c535fddb..24a5e3b0ff 100644
--- a/windows/deploy/docfx.json
+++ b/windows/deploy/docfx.json
@@ -31,6 +31,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
+ "recommendations": true,
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "MSDN.windows-deploy",
diff --git a/windows/deployment/docfx.json b/windows/deployment/docfx.json
index cecc2b30b5..b33480ce11 100644
--- a/windows/deployment/docfx.json
+++ b/windows/deployment/docfx.json
@@ -34,6 +34,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
+ "recommendations": true,
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-M365-IT",
"ms.technology": "windows",
diff --git a/windows/device-security/docfx.json b/windows/device-security/docfx.json
index fb05d45e14..ce2b043c43 100644
--- a/windows/device-security/docfx.json
+++ b/windows/device-security/docfx.json
@@ -32,6 +32,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
+ "recommendations": true,
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"ms.technology": "windows",
"ms.topic": "article",
diff --git a/windows/docfx.json b/windows/docfx.json
index 68d6d5933c..30f4698e66 100644
--- a/windows/docfx.json
+++ b/windows/docfx.json
@@ -14,6 +14,7 @@
}
],
"globalMetadata": {
+ "recommendations": true,
"ROBOTS": "INDEX, FOLLOW",
"audience": "ITPro",
"breadcrumb_path": "/itpro/windows/breadcrumb/toc.json",
diff --git a/windows/eulas/docfx.json b/windows/eulas/docfx.json
index 1dd02b74b2..2834682ce7 100644
--- a/windows/eulas/docfx.json
+++ b/windows/eulas/docfx.json
@@ -35,6 +35,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
+ "recommendations": true,
"breadcrumb_path": "/windows/eulas/breadcrumb/toc.json",
"extendBreadcrumb": true,
"feedback_system": "None",
diff --git a/windows/hub/docfx.json b/windows/hub/docfx.json
index ba6cb520ce..f8e5b9331d 100644
--- a/windows/hub/docfx.json
+++ b/windows/hub/docfx.json
@@ -34,6 +34,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
+ "recommendations": true,
"audience": "ITPro",
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-M365-IT",
diff --git a/windows/keep-secure/docfx.json b/windows/keep-secure/docfx.json
index d153310b25..aa250a2f5c 100644
--- a/windows/keep-secure/docfx.json
+++ b/windows/keep-secure/docfx.json
@@ -31,6 +31,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
+ "recommendations": true,
"feedback_system": "None",
"_op_documentIdPathDepotMapping": {
"./": {
diff --git a/windows/known-issues/docfx.json b/windows/known-issues/docfx.json
index 6c9c489c80..d331ee80d1 100644
--- a/windows/known-issues/docfx.json
+++ b/windows/known-issues/docfx.json
@@ -35,6 +35,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
+ "recommendations": true,
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"feedback_system": "GitHub",
"feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
diff --git a/windows/manage/docfx.json b/windows/manage/docfx.json
index 904388daf4..c5275101bf 100644
--- a/windows/manage/docfx.json
+++ b/windows/manage/docfx.json
@@ -31,6 +31,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
+ "recommendations": true,
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "MSDN.windows-manage",
diff --git a/windows/plan/docfx.json b/windows/plan/docfx.json
index f226ea1fe0..9a47bdcced 100644
--- a/windows/plan/docfx.json
+++ b/windows/plan/docfx.json
@@ -31,6 +31,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
+ "recommendations": true,
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "MSDN.windows-plan",
diff --git a/windows/privacy/docfx.json b/windows/privacy/docfx.json
index 29f46358f8..13d72f2e30 100644
--- a/windows/privacy/docfx.json
+++ b/windows/privacy/docfx.json
@@ -32,6 +32,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
+ "recommendations": true,
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-M365-IT",
"ms.technology": "windows",
diff --git a/windows/release-information/docfx.json b/windows/release-information/docfx.json
index 111809e6f2..c5cbdfb50a 100644
--- a/windows/release-information/docfx.json
+++ b/windows/release-information/docfx.json
@@ -35,6 +35,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
+ "recommendations": true,
"breadcrumb_path": "/windows/release-information/breadcrumb/toc.json",
"ms.prod": "w10",
"ms.date": "4/30/2019",
diff --git a/windows/security/docfx.json b/windows/security/docfx.json
index e8accb5982..3a997cd1e9 100644
--- a/windows/security/docfx.json
+++ b/windows/security/docfx.json
@@ -33,6 +33,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
+ "recommendations": true,
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-M365-IT",
"ms.topic": "article",
diff --git a/windows/threat-protection/docfx.json b/windows/threat-protection/docfx.json
index 7576fcf3df..5f30884997 100644
--- a/windows/threat-protection/docfx.json
+++ b/windows/threat-protection/docfx.json
@@ -32,6 +32,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
+ "recommendations": true,
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"ms.technology": "windows",
"ms.topic": "article",
diff --git a/windows/update/docfx.json b/windows/update/docfx.json
index 723941b24a..d577905730 100644
--- a/windows/update/docfx.json
+++ b/windows/update/docfx.json
@@ -31,6 +31,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
+ "recommendations": true,
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "MSDN.windows-update",
diff --git a/windows/whats-new/docfx.json b/windows/whats-new/docfx.json
index fe5bc2fe98..e8a0332615 100644
--- a/windows/whats-new/docfx.json
+++ b/windows/whats-new/docfx.json
@@ -32,6 +32,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
+ "recommendations": true,
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-M365-IT",
"ms.topic": "article",
From a9fdf5d97154bb900a979c19e8d0f69fedd2fe7c Mon Sep 17 00:00:00 2001
From: MandiOhlinger
Date: Thu, 5 Aug 2021 18:13:38 -0400
Subject: [PATCH 23/46] Simplifying layout and text
---
windows/configuration/TOC.yml | 26 +-
...reens-by-using-mobile-device-management.md | 46 ++--
...ws-10-start-layout-options-and-policies.md | 235 +++++++++++++-----
3 files changed, 204 insertions(+), 103 deletions(-)
diff --git a/windows/configuration/TOC.yml b/windows/configuration/TOC.yml
index c27d976f52..41ef9c66de 100644
--- a/windows/configuration/TOC.yml
+++ b/windows/configuration/TOC.yml
@@ -1,24 +1,26 @@
- name: Configure Windows client
href: index.yml
-- name: Configure appearance settings
+- name: Customize the appearance
items:
- name: Windows 10 Start and taskbar
items:
- name: Manage Windows 10 Start and taskbar layout
href: windows-10-start-layout-options-and-policies.md
- - name: Configure Windows 10 taskbar
- href: configure-windows-10-taskbar.md
- - name: Customize and export Start layout
- href: customize-and-export-start-layout.md
- - name: Add image for secondary tiles
- href: start-secondary-tiles.md
- - name: Start layout XML for desktop editions of Windows 10 (reference)
- href: start-layout-xml-desktop.md
- - name: Customize Windows 10 Start and taskbar with Group Policy
+ - name: Use XML
+ items:
+ - name: Customize and export Start layout
+ href: customize-and-export-start-layout.md
+ - name: Customize the taskbar
+ href: configure-windows-10-taskbar.md
+ - name: Add image for secondary Microsoft Edge tiles
+ href: start-secondary-tiles.md
+ - name: Start layout XML for Windows 10 desktop editions (reference)
+ href: start-layout-xml-desktop.md
+ - name: Use group policy
href: customize-windows-10-start-screens-by-using-group-policy.md
- - name: Customize Windows 10 Start and taskbar with provisioning packages
+ - name: Use provisioning packages
href: customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md
- - name: Customize Windows 10 Start and taskbar with mobile device management (MDM)
+ - name: Use mobile device management (MDM)
href: customize-windows-10-start-screens-by-using-mobile-device-management.md
- name: Troubleshoot Start menu errors
href: start-layout-troubleshoot.md
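
Review bot: The `Manage Windows 10 Start and taskbar layout` entry is left unchanged although this patch retitles its target, windows-10-start-layout-options-and-policies.md, to `Customize the Start menu and taskbar layout on Windows 10 and later devices`; update the TOC name so the navigation matches the article heading. The new `Use group policy` entry also lowercases a name that the entry it replaces wrote as `Group Policy`, so pick one capitalization and apply it to the TOC and the articles together.
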
diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md
index 814515de59..c67395055b 100644
--- a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md
+++ b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md
@@ -1,6 +1,6 @@
---
-title: Alter Windows 10 Start and taskbar via mobile device management
-description: In Windows 10, you can use a mobile device management (MDM) policy to deploy a customized Start and taskbar layout to users.
+title: Change the Windows 10 Start and taskbar using mobile device management | Microsoft Docs
+description: In Windows 10, you can use a mobile device management (MDM) policy to deploy a customized Start and taskbar layout to users. For example, use Microsoft Intune to configure the start menu layout and taskbar, and deploy the policy to your devices.
ms.assetid: F487850D-8950-41FB-9B06-64240127C1E4
ms.reviewer:
manager: dansimp
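
Review bot: The new `title` starts with `Change the Windows 10 Start and taskbar ...` while the article's H1 a few lines further down remains `Customize Windows 10 Start and taskbar with mobile device management (MDM)`; use the same verb in both so search results and the page heading agree. The added `description` also writes `start menu` in lowercase where the rest of the article uses `Start`, and the literal ` | Microsoft Docs` suffix in `title` should be checked against how the other articles in this folder set their titles.
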
@@ -12,7 +12,7 @@ author: greg-lindsay
ms.topic: article
ms.author: greglin
ms.localizationpriority: medium
-ms.date: 02/08/2018
+ms.date: 08/05/2021
---
# Customize Windows 10 Start and taskbar with mobile device management (MDM)
@@ -25,7 +25,7 @@ ms.date: 02/08/2018
>**Looking for consumer information?** [Customize the Start menu](https://go.microsoft.com/fwlink/p/?LinkId=623630)
-In Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, you can use a mobile device management (MDM) policy to deploy a customized Start and taskbar layout to users. No reimaging is required, and the layout can be updated simply by overwriting the .xml file that contains the layout. This enables you to customize Start layouts for different departments or organizations, with minimal management overhead.
+In Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, you can use a mobile device management (MDM) policy to deploy a customized Start and taskbar layout to users. No reimaging is required. The layout can be updated simply by overwriting the `.xml` file that contains the layout. This feature enables you to customize Start layouts for different departments or organizations, with minimal management overhead.
>[!NOTE]
>Support for applying a customized taskbar using MDM is added in Windows 10, version 1703.
@@ -56,35 +56,39 @@ Two features enable Start layout control:
## Create a policy for your customized Start layout
+The following example uses Microsoft Intune to configure an MDM policy that applies a customized Start layout:
-This example uses Microsoft Intune to configure an MDM policy that applies a customized Start layout. See the documentation for your MDM solution for help in applying the policy.
+1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-1. In the Microsoft Azure portal, search for **Intune** or go to **More services** > **Intune**.
+2. Select **Devices** > **Configuration profiles** > **Create profile**.
-2. Select **Device configuration**.
+3. Enter the following properties:
-3. Select **Profiles**.
+ - **Platform**: Select **Windows 10 and later**.
+ - **Profile type**: Select **Templates** > **Device restrictions** > **Create**.
-4. Select **Create profile**.
+4. In **Basics**, enter the following properties:
-5. Enter a friendly name for the profile.
+ - **Name**: Enter a descriptive name for the profile. Name your profiles so you can easily identify it later. For example, a good profile name is **Customize Start menu and taskbar**.
+ - **Description**: Enter a description for the profile. This setting is optional, but recommended.
-6. Select **Windows 10 and later** for the platform.
+5. Select **Next**.
-7. Select **Device restrictions for the profile type.
+6. In **Configuration settings**, select **Start**:
-8. Select **Start**.
+ - If you're using an XML file, select **Start menu layout**. Browse to and select your Start layout XML file.
+ - If you don't have an XML file, configure the others settings. For more information on these settings, see [Start settings in Microsoft Intune](/mem/intune/configuration/device-restrictions-windows-10#start).
-9. In **Start menu layout**, browse to and select your Start layout XML File.
+7. Select **Next**.
+8. In **Scope tags**, select **Next**. For more information about scope tags, see [Use RBAC and scope tags for distributed IT](/mem/intune/fundamentals/scope-tags).
+9. In **Assignments**, select the user or groups that will receive your profile. Select **Next**. For more information on assigning profiles, see [Assign user and device profiles](device-profile-assign.md).
+10. In **Review + create**, review your settings. When you select **Create**, your changes are saved, and the profile is assigned. The policy is also shown in the profiles list.
-10. Select **OK** twice, and then select **Create**.
-
-11. Assign the profile to a device group.
-
-For other MDM solutions, you may need to use an OMA-URI setting for Start layout, based on the [Policy configuration service provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider). The OMA-URI setting is `./User/Vendor/MSFT/Policy/Config/Start/StartLayout`.
+> [!NOTE]
+> For third party partner MDM solutions, you may need to use an OMA-URI setting for Start layout, based on the [Policy configuration service provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider). The OMA-URI setting is `./User/Vendor/MSFT/Policy/Config/Start/StartLayout`.
-## Related topics
+## Next steps
- [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md)
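
Review bot: In step 9 the link `[Assign user and device profiles](device-profile-assign.md)` is a bare relative path, so it resolves inside windows/configuration, whereas the other Intune references added in this hunk use site-relative paths such as `/mem/intune/fundamentals/scope-tags`; give it the full `/mem/intune/...` path of the target article. Smaller wording fixes in the added lines: "configure the others settings" should be "the other settings", "Name your profiles so you can easily identify it later" mixes plural and singular, and "third party partner" should be hyphenated ("third-party"). The heading change to `Next steps` sits above what is still a list of related articles, so either keep `Related topics` or reduce the list to actual follow-on tasks.
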
@@ -95,5 +99,3 @@ For other MDM solutions, you may need to use an OMA-URI setting for Start layout
- [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
- [Customize Windows 10 Start and taskbar with provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
- [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md)
-
-
diff --git a/windows/configuration/windows-10-start-layout-options-and-policies.md b/windows/configuration/windows-10-start-layout-options-and-policies.md
index ce489cfec1..4dc9b66ae9 100644
--- a/windows/configuration/windows-10-start-layout-options-and-policies.md
+++ b/windows/configuration/windows-10-start-layout-options-and-policies.md
@@ -1,6 +1,6 @@
---
-title: Manage Windows 10 Start and taskbar layout (Windows 10)
-description: Organizations might want to deploy a customized Start and taskbar layout to devices.
+title: Customize and manage the Windows 10 Start and taskbar layout (Windows 10) | Microsoft Docs
+description: On Windows devices, customize the start menu layout and taskbar using XML, group policy, provisioning package, or MDM policy. You can add pinned folders, add a start menu size, pin apps to the taskbar, and more.
ms.assetid: 2E94743B-6A49-463C-9448-B7DD19D9CD6A
ms.reviewer:
manager: dansimp
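
Review bot: The new `title` names the product twice: `Customize and manage the Windows 10 Start and taskbar layout (Windows 10) | Microsoft Docs`. Drop the parenthesised `(Windows 10)`, and align the wording with the H1 introduced later in this patch (`Customize the Start menu and taskbar layout on Windows 10 and later devices`), which says "Windows 10 and later" rather than "Windows 10".
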
@@ -12,119 +12,215 @@ author: greg-lindsay
ms.author: greglin
ms.topic: article
ms.localizationpriority: medium
-ms.date: 06/19/2018
+ms.date: 08/05/2021
---
-# Manage Windows 10 Start and taskbar layout
+# Customize the Start menu and taskbar layout on Windows 10 and later devices
+**Applies to**:
-**Applies to**
-
-- Windows 10, Windows Server 2016 with Desktop Experience, Windows Server 2019 with Desktop Experience
+- Windows 10 version 1607 and later
+- Windows Server 2016 with Desktop Experience
+- Windows Server 2019 with Desktop Experience
> **Looking for consumer information?** [See what's on the Start menu](https://support.microsoft.com/help/17195/windows-10-see-whats-on-the-menu)
+>
+> **Looking for OEM information?** See [Customize the Taskbar](/windows-hardware/customize/desktop/customize-the-windows-11-taskbar) and [Customize the Start layout](/windows-hardware/customize/desktop/customize-the-windows-11-start-menu).
-Organizations might want to deploy a customized Start and taskbar configuration to devices running Windows 10 Pro, Enterprise, or Education. A standard, customized Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. Configuring the taskbar allows the organization to pin useful apps for their employees and to remove apps that are pinned by default.
+Your organization can deploy a customized Start and taskbar to Windows 10 Professional, Enterprise, or Education devices. Use a standard, customized Start layout on devices that are common to multiple users, and devices that are locked down. Configuring the taskbar allows you to pin useful apps for your users, and remove apps that are pinned by default.
+
+>[!NOTE]
+>Support for applying a customized taskbar using MDM is added in Windows 10, version 1703.
+
+As administrator, you can use these features to customize Start and taskbar to meet your organization needs. This article describes the different ways you can customize Start and taskbar, and lists the Start policies. It also includes taskbar information on a clean operating system (OS) installation, and when an OS is upgraded.
>[!NOTE]
->Taskbar configuration is available starting in Windows 10, version 1607.
->
->Start and taskbar configuration can be applied to devices running Windows 10 Pro, version 1703.
->
>For information on using the layout modification XML to configure Start with roaming user profiles, see [Deploy Roaming User Profiles](/windows-server/storage/folder-redirection/deploy-roaming-user-profiles#step-7-optionally-specify-a-start-layout-for-windows-10-pcs).
>
>Using CopyProfile for Start menu customization in Windows 10 isn't supported. For more information [Customize the Default User Profile by Using CopyProfile](/windows-hardware/manufacture/desktop/customize-the-default-user-profile-by-using-copyprofile)
+## Use XML
+On an existing Windows device, you can set up the **Start** screen, and then export the layout to an XML file. When you have the XML file, add this file to a group policy, a Windows Configuration Designer provisioning package, or a mobile device management (MDM) policy. Using these methods, you can deploy the XML file to your devices. When the devices receive your policy, they'll use the layout configured in the XML file.
-## Start options
+For more information, see [Customize and export Start layout](customize-and-export-start-layout.md).
+
+For the **taskbar**, you can use the same XML file as the start screen. Or, you can create a new XML file. When you have the XML file, add this file to a group policy or a provisioning package. Using these methods, you can deploy the XML file to your devices. When the devices receive your policy, they'll use the taskbar settings you configured in the XML file.
+
+For more information, see [Configure Windows 10 taskbar](configure-windows-10-taskbar.md).
+
+## Use group policy
+
+Using group policy objects (GPO), you can manage different parts of the Start menu and taskbar. You don't need to reimage the devices. Using administrative templates, you configure settings in a policy, and then deploy this policy to your devices. [Start menu policy settings](#start-menu-policy-settings) (in this article) lists the policies you can configure.
+
+For more information, see [Use group policy to customize Windows 10 Start and taskbar](customize-windows-10-start-screens-by-using-group-policy.md).
+
+## Use provisioning packages
+
+Provisioning packages are containers that include a set of configuration settings. They're designed to configure a device quickly, without installing a new image. For more information on what provisioning packages are, and what they do, see [Provisioning packages](./provisioning-packages/provisioning-packages.md).
+
+Using a provisioning package, you can customize the Start and taskbar. For more information, see [Use provisioning packages to customize Windows 10 Start and taskbar](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md).
+
+## Use a mobile device management (MDM) solution
+
+Using an MDM solution, you add an XML file to a policy, and then deploy this policy to your devices.
+
+If you use Microsoft Intune for your MDM solution, then you can use settings to configure Start and the taskbar. For more information on the settings you can configure, see [Start settings in Microsoft Intune](/mem/intune/configuration/device-restrictions-windows-10#start).
+
+For more information, see [Use MDM to customize Windows 10 Start and taskbar](customize-windows-10-start-screens-by-using-mobile-device-management.md).
+
+## Start menu policy settings

-Some areas of Start can be managed using Group Policy. The layout of Start tiles can be managed using either Group Policy or Mobile Device Management (MDM) policy.
+The following list includes the different Start options, and any policy or local settings. The settings in the list can also be used in a provisioning package. If you use a provisioning package, see the [Windows Configuration Designer reference](./wcd/wcd-policies.md#start).
->[!NOTE]
->The MDM policy settings in the table can also be configured [in a provisioning package](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) using **Policies** > **Start**. [See the reference for **Start** settings in Windows Configuration Designer.](./wcd/wcd-policies.md#start)
+- **User tile**
+ - **Group policy**: `User Configuration\Administrative Templates\Start Menu and Taskbar\Remove Logoff on the Start menu`
+ - **Local setting**: None
+ - **MDM policy**:
+ - Start/HideUserTile
+ - Start/HideSwitchAccount
+ - Start/HideSignOut
+ - Start/HideLock
+ - Start/HideChangeAccountSettings
-The following table lists the different parts of Start and any applicable policy settings or Settings options. Group Policy settings are in the **User Configuration**\\**Administrative Templates**\\**Start Menu and Taskbar** path except where a different path is listed in the table.
+- **Most used**
+ - **Group policy**: `User Configuration\Administrative Templates\Start Menu and Taskbar\Remove frequent programs from the Start menu`
+ - **Local setting**: Settings > Personalization > Start > Show most used apps
+ - **MDM policy**: Start/HideFrequentlyUsedApps
-| Start | Policy | Local setting |
-| --- | --- | --- |
-| User tile | MDM: **Start/HideUserTile****Start/HideSwitchAccount****Start/HideSignOut****Start/HideLock****Start/HideChangeAccountSettings**Group Policy: **Remove Logoff on the Start menu** | none |
-| Most used | MDM: **Start/HideFrequentlyUsedApps**Group Policy: **Remove frequent programs from the Start menu** | **Settings** > **Personalization** > **Start** > **Show most used apps** |
-| Suggestions-and-Dynamically inserted app tile | MDM: **Allow Windows Consumer Features**Group Policy: **Computer Configuration\Administrative Templates\Windows Components\Cloud Content\Turn off Microsoft consumer experiences****Note:** This policy also enables or disables notifications for a user's Microsoft account and app tiles from Microsoft dynamically inserted in the default Start menu. | **Settings** > **Personalization** > **Start** > **Occasionally show suggestions in Start** |
-| Recently added | MDM: **Start/HideRecentlyAddedApps**
Group Policy: **Computer configuration**\\**Administrative Template**\\**Start Menu and Taskbar**\\**Remove "Recently Added" list from Start Menu** (for Windows 10, version 1803) | **Settings** > **Personalization** > **Start** > **Show recently added apps** |
-| Pinned folders | MDM: **AllowPinnedFolder** | **Settings** > **Personalization** > **Start** > **Choose which folders appear on Start** |
-| Power | MDM: **Start/HidePowerButton****Start/HideHibernate****Start/HideRestart****Start/HideShutDown****Start/HideSleep**Group Policy: **Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands** | none |
-| Start layout | MDM: **Start layout****ImportEdgeAssets**Group Policy: **Prevent users from customizing their Start screen****Note:** When a full Start screen layout is imported with Group Policy or MDM, the users cannot pin, unpin, or uninstall apps from the Start screen. Users can view and open all apps in the **All Apps** view, but they cannot pin any apps to the Start screen. When a partial Start screen layout is imported, users cannot change the tile groups applied by the partial layout, but can modify other tile groups and create their own.**Start layout** policy can be used to pin apps to the taskbar based on an XML File that you provide. Users will be able to change the order of pinned apps, unpin apps, and pin additional apps to the taskbar. | none |
-| Jump lists | MDM: **Start/HideRecentJumplists**Group Policy: **Do not keep history of recently opened documents** | **Settings** > **Personalization** > **Start** > **Show recently opened items in Jump Lists on Start or the taskbar** |
-| Start size | MDM: **Force Start size**Group Policy: **Force Start to be either full screen size or menu size** | **Settings** > **Personalization** > **Start** > **Use Start full screen** |
-| App list | MDM: **Start/HideAppList** | **Settings** > **Personalization** > **Start** > **Show app list in Start menu** |
-| All Settings | Group Policy: **Prevent changes to Taskbar and Start Menu Settings** | none |
-| Taskbar | MDM: **Start/NoPinningToTaskbar** | none |
+- **Suggestions, Dynamically inserted app tile**
+ - **Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Cloud Content\Turn off Microsoft consumer experiences`
->[!NOTE]
->In local **Settings** > **Personalization** > **Start**, there is an option to **Show more tiles**. The default tile layout for Start tiles is 3 columns of medium sized tiles. **Show more tiles** enables 4 columns. To configure the 4-column layout when you [customize and export a Start layout](customize-and-export-start-layout.md), turn on the **Show more tiles** setting and then arrange your tiles.
+ This policy also enables or disables notifications for:
-[Learn how to customize and export Start layout](customize-and-export-start-layout.md)
+ - A user's Microsoft account
+ - App tiles that Microsoft dynamically adds to the default Start menu
- ## Taskbar options
+ - **Local setting**: Settings > Personalization > Start > Occasionally show suggestions in Start
+ - **MDM policy**: Allow Windows Consumer Features
-Starting in Windows 10, version 1607, you can pin additional apps to the taskbar and remove default pinned apps from the taskbar. You can specify different taskbar configurations based on device locale or region.
+- **Recently added**
+ - **Group policy**: `Computer configuration\Administrative Template\Start Menu and Taskbar\Remove "Recently Added" list from Start Menu`
-There are three categories of apps that might be pinned to a taskbar:
-* Apps pinned by the user
-* Default Windows apps, pinned during operating system installation (Microsoft Edge, File Explorer, Store)
-* Apps pinned by the enterprise, such as in an unattended Windows setup
+ This policy applies to:
- >[!NOTE]
- >We recommend using [the layoutmodification.xml method](configure-windows-10-taskbar.md) to configure taskbar options, rather than the earlier method of using [TaskbarLinks](/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-taskbarlinks) in an unattended Windows setup file.
+ - Windows 10 version 1803 and later
-The following example shows how apps will be pinned - Windows default apps to the left (blue circle), apps pinned by the user in the center (orange triangle), and apps that you pin using XML to the right (green square).
+ - **Local setting**: Settings > Personalization > Start > Show recently added apps
+ - **MDM policy**: Start/HideRecentlyAddedApps
+
+- **Pinned folders**
+ - **Local setting**: Settings > Personalization > Start > Choose which folders appear on Start
+ - **MDM policy**: AllowPinnedFolder
+
+- **Power**
+ - **Group policy**: `User Configuration\Administrative Templates\Start Menu and Taskbar\Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands`
+ - **Local setting**: None
+ - **MDM policy**:
+ - Start/HidePowerButton
+ - Start/HideHibernate
+ - Start/HideRestart
+ - Start/HideShutDown
+ - Start/HideSleep
+
+- **Start layout**
+ - **Group policy**: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent users from customizing their Start screen`
+
+ When a full Start screen layout is imported with Group Policy or MDM, users can't pin, unpin, or uninstall apps from the Start screen. Users can see and open all apps in the **All Apps** view, but they can't pin any apps to the Start screen. When a partial Start screen layout is imported, users can't change the tile groups applied by the partial layout. They can change other tile groups, and create their own tile groups.
+
+ **Start layout** policy can be used to pin apps to the taskbar based on an XML File you provide. Users can change the order of pinned apps, unpin apps, and pin more apps to the taskbar.
+
+ - **Local setting**: None
+ - **MDM policy**:
+ - Start layout
+ - ImportEdgeAssets
+
+- **Jump lists**
+ - **Group policy**: `User Configuration\Administrative Templates\Start Menu and Taskbar\Do not keep history of recently opened documents`
+ - **Local setting**: Settings > Personalization > Start > Show recently opened items in Jump Lists on Start or the taskbar
+ - **MDM policy**: Start/HideRecentJumplists
+
+- **Start size**
+ - **Group policy**: `User Configuration\Administrative Templates\Start Menu and Taskbar\Force Start to be either full screen size or menu size`
+ - **Local setting**: Settings > Personalization > Start > Use Start full screen
+ - **MDM policy**: Force Start size
+
+- **App list**
+ - **Local setting**: Settings > Personalization > Start > Show app list in Start menu
+ - **MDM policy**: Start/HideAppList
+
+- **All settings**
+ - **Group policy**: `User Configuration\Administrative Templates\Prevent changes to Taskbar and Start Menu Settings`
+ - **Local setting**: None
+
+- **Taskbar**
+ - **Local setting**: None
+ - **MDM policy**: Start/NoPinningToTaskbar
+
+> [!NOTE]
+> In the **Settings** app > **Personalization** > **Start**, there is a **Show more tiles on Start** option. The default tile layout for Start tiles is 3 columns of medium sized tiles. **Show more tiles on Start** enables 4 columns. To configure the 4-column layout when you [customize and export a Start layout](customize-and-export-start-layout.md), turn on the **Show more tiles** setting, and then arrange your tiles.
+
+## Taskbar options
+
+Starting in Windows 10 version 1607, you can pin more apps to the taskbar, and remove default pinned apps from the taskbar. You can select different taskbar configurations based on device locale or region.
+
+There are three app categories that could be pinned to a taskbar:
+
+- Apps pinned by the user
+- Default Windows apps pinned during the OS installation, such as Microsoft Edge, File Explorer, and Store
+- Apps pinned by your organization, such as in an unattended Windows setup
+
+ In an unattended Windows setup file, it's recommended to use the [layoutmodification.xml method](configure-windows-10-taskbar.md) to configure the taskbar options. It's not recommended to use [TaskbarLinks](/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-taskbarlinks).
+
+The following example shows how apps are pinned. In OS configured to use a right-to-left language, the taskbar order is reversed:
+
+- Windows default apps to the left (blue circle)
+- Apps pinned by the user in the center (orange triangle)
+- Apps that you pin using XML to the right (green square)

->[!NOTE]
->In operating systems configured to use a right-to-left language, the taskbar order will be reversed.
+If you apply the taskbar configuration to a clean install or an update, users can still:
+- Pin more apps
+- Change the order of pinned apps
+- Unpin any app
-
-Whether you apply the taskbar configuration to a clean install or an update, users will still be able to:
-* Pin additional apps
-* Change the order of pinned apps
-* Unpin any app
-
->[!NOTE]
->In Windows 10, version 1703, you can apply an MDM policy, `Start/NoPinningToTaskbar`, to prevents users from pinning and unpinning apps on the taskbar.
+> [!TIP]
+> In Windows 10 version 1703, you can apply the `Start/NoPinningToTaskbar` MDM policy. This policy prevents users from pinning and unpinning apps on the taskbar.
### Taskbar configuration applied to clean install of Windows 10
-In a clean install, if you apply a taskbar layout, only the apps that you specify and default apps that you do not remove will be pinned to the taskbar. Users can pin additional apps to the taskbar after the layout is applied.
+In a clean install, if you apply a taskbar layout, only the following apps are pinned to the taskbar:
+
+- Apps you specifically add
+- Any default apps you don't remove
+
+After the layout is applied, users can pin more apps to the taskbar.
### Taskbar configuration applied to Windows 10 upgrades
-When a device is upgraded to Windows 10, apps will be pinned to the taskbar already. Some apps may have been pinned to the taskbar by a user, and others may have been pinned to the taskbar through a customized base image or by using Windows Unattend setup.
+When a device is upgraded to Windows 10, apps are already pinned to the taskbar. Some apps may have been pinned to the taskbar by a user, by a customized base image, or by using Windows unattended setup.
-The new taskbar layout for upgrades to Windows 10, version 1607 or later, will apply the following behavior:
-* If the user pinned the app to the taskbar, those pinned apps remain and new apps will be added to the right.
-* If the user didn't pin the app (it was pinned during installation or by policy) and the app is not in updated layout file, the app will be unpinned.
-* If the user didn't pin the app and the app is in the updated layout file, the app will be pinned to the right.
-* New apps specified in updated layout file are pinned to right of user's pinned apps.
+On Windows 10 version 1607 and later, the new taskbar layout for upgrades apply the following behavior:
+
+- If users pinned apps to the taskbar, then those pinned apps remain. New apps are added to the right.
+- If users didn't pin any apps (they're pinned during installation or by policy), and the apps aren't in an updated layout file, then the apps are unpinned.
+- If a user didn't pin the app, and the app is in the updated layout file, then the app is pinned to the right.
+- New apps specified in updated layout file are pinned to right of user's pinned apps.
[Learn how to configure Windows 10 taskbar](configure-windows-10-taskbar.md).
## Start layout configuration errors
-If your Start layout customization is not applied as expected, open **Event Viewer** and navigate to **Applications and Services Log** > **Microsoft** > **Windows** > **ShellCommon-StartLayoutPopulation** > **Operational**, and check for one of the following events:
+If your Start layout customization isn't applied as you expect, open the **Event Viewer**. Go to **Applications and Services Log** > **Microsoft** > **Windows** > **ShellCommon-StartLayoutPopulation** > **Operational**. Look for the following events:
-- **Event 22** is logged when the xml is malformed, meaning the specified file simply isn’t valid xml. This can occur if the file has extra spaces or unexpected characters, or if the file is not saved in the UTF8 format.
-- **Event 64** is logged when the xml is valid, but has unexpected values. This can happen when the desired configuration is not understood, elements are not in [the required order](start-layout-xml-desktop.md#required-order), or source is not found, such as a missing or misspelled .lnk.
-
-
-
-
-## Related topics
+- **Event 22**: The XML is malformed. The specified file isn’t valid XML. This event can happen if the file has extra spaces or unexpected characters. Or, if the file isn't saved in the UTF8 format.
+- **Event 64**: The XML is valid, and has unexpected values. This event can happen when the configuration isn't understood, elements aren't in [the required order](start-layout-xml-desktop.md#required-order), or source isn't found, such as a missing or misspelled `.lnk`.
+## Next steps
- [Configure Windows 10 taskbar](configure-windows-10-taskbar.md)
- [Customize and export Start layout](customize-and-export-start-layout.md)
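Review bot: In the **All settings** entry the group policy path reads `User Configuration\Administrative Templates\Prevent changes to Taskbar and Start Menu Settings`, without the `Start Menu and Taskbar` folder that the other user-scoped entries carry and that the removed table intro gave as the default path; add the folder so admins locking down Start can find the setting. Smaller points in the same hunk: the **Recently added** path uses `Computer configuration\Administrative Template` where the **Suggestions** entry uses `Computer Configuration\Administrative Templates`; "the new taskbar layout for upgrades apply" should be "applies"; the Event 64 line changed "valid, but has unexpected values" to "valid, and has", which loses the contrast; and the note mixes **Show more tiles on Start** with **Show more tiles** for the same option.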
@@ -133,4 +229,5 @@ If your Start layout customization is not applied as expected, open **Event View
- [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
- [Customize Windows 10 Start and taskbar with provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
- [Customize Windows 10 Start and taskbar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
-- [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md)
\ No newline at end of file
+- [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md)
+-
\ No newline at end of file
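Review bot: The added `+-` line at the end of the list is an empty bullet with no link, and the file still ends without a trailing newline. Drop the empty item and end the file after the "Changes to Start policies in Windows 10" link with a newline.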
From f044a2085cd084a801051558c32ee01bde5f5053 Mon Sep 17 00:00:00 2001
From: MandiOhlinger
Date: Thu, 5 Aug 2021 18:31:25 -0400
Subject: [PATCH 24/46] Fixed warning link, review updates
---
windows/configuration/TOC.yml | 2 +-
...ndows-10-start-screens-by-using-mobile-device-management.md | 3 +--
.../windows-10-start-layout-options-and-policies.md | 1 -
3 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/windows/configuration/TOC.yml b/windows/configuration/TOC.yml
index 41ef9c66de..f44d4cea07 100644
--- a/windows/configuration/TOC.yml
+++ b/windows/configuration/TOC.yml
@@ -4,7 +4,7 @@
items:
- name: Windows 10 Start and taskbar
items:
- - name: Manage Windows 10 Start and taskbar layout
+ - name: Start layout and taskbar
href: windows-10-start-layout-options-and-policies.md
- name: Use XML
items:
diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md
index c67395055b..8dec3271ab 100644
--- a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md
+++ b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md
@@ -81,7 +81,7 @@ The following example uses Microsoft Intune to configure an MDM policy that appl
7. Select **Next**.
8. In **Scope tags**, select **Next**. For more information about scope tags, see [Use RBAC and scope tags for distributed IT](/mem/intune/fundamentals/scope-tags).
-9. In **Assignments**, select the user or groups that will receive your profile. Select **Next**. For more information on assigning profiles, see [Assign user and device profiles](device-profile-assign.md).
+9. In **Assignments**, select the user or groups that will receive your profile. Select **Next**. For more information on assigning profiles, see [Assign user and device profiles](/mem/intune/configuration/device-profile-assign).
10. In **Review + create**, review your settings. When you select **Create**, your changes are saved, and the profile is assigned. The policy is also shown in the profiles list.
> [!NOTE]
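Review bot: On the changed step 9 line, "select the user or groups" should read "select the users or groups". The link itself now uses the same site-relative form as the scope tags link in step 8, which is consistent.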
@@ -90,7 +90,6 @@ The following example uses Microsoft Intune to configure an MDM policy that appl
## Next steps
-
- [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md)
- [Configure Windows 10 taskbar](configure-windows-10-taskbar.md)
- [Customize and export Start layout](customize-and-export-start-layout.md)
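Review bot: The first link under **Next steps** still uses the text "Manage Windows 10 Start and taskbar layout", while this same patch renames the TOC entry for `windows-10-start-layout-options-and-policies.md` to "Start layout and taskbar". If the article title changed as well, update the link text here so the two match.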
diff --git a/windows/configuration/windows-10-start-layout-options-and-policies.md b/windows/configuration/windows-10-start-layout-options-and-policies.md
index 4dc9b66ae9..e0816bbb6f 100644
--- a/windows/configuration/windows-10-start-layout-options-and-policies.md
+++ b/windows/configuration/windows-10-start-layout-options-and-policies.md
@@ -230,4 +230,3 @@ If your Start layout customization isn't applied as you expect, open the **Event
- [Customize Windows 10 Start and taskbar with provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
- [Customize Windows 10 Start and taskbar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
- [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md)
--
\ No newline at end of file
From 98e137d6dace7002e6e71046c23e5ae0cd45d346 Mon Sep 17 00:00:00 2001
From: Dan Pandre <54847950+DanPandre@users.noreply.github.com>
Date: Fri, 6 Aug 2021 19:38:48 -0400
Subject: [PATCH 25/46] Fix missing system CSP references
---
.../mdm/policies-in-policy-csp-supported-by-surface-hub.md | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
index 763534dad3..d3e0c23e6c 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
@@ -66,6 +66,9 @@ ms.date: 07/22/2020
- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxdownloadbandwidth)
- [Desktop/PreventUserRedirectionOfProfileFolders](policy-csp-desktop.md#desktop-preventuserredirectionofprofilefolders)
- [RestrictedGroups/ConfigureGroupMembership](policy-csp-restrictedgroups.md)
+- [System/AllowLocation](policy-csp-system#system-allowlocation)
+- [System/AllowStorageCard](policy-csp-system#system-allowstoragecard)
+- [System/AllowTelemetry](policy-csp-system#system-allowtelemetry)
- [TextInput/AllowIMELogging](policy-csp-textinput.md#textinput-allowimelogging)
- [TextInput/AllowIMENetworkAccess](policy-csp-textinput.md#textinput-allowimenetworkaccess)
- [TextInput/AllowInputPanel](policy-csp-textinput.md#textinput-allowinputpanel)
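Review bot: The three added System links omit the `.md` extension (`policy-csp-system#system-allowlocation`), unlike every neighbouring entry such as `policy-csp-textinput.md#textinput-allowimelogging`. Use `policy-csp-system.md#system-allowlocation` and the same form for the other two so the links resolve like the rest of the list.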
@@ -95,4 +98,4 @@ ms.date: 07/22/2020
## Related topics
-[Policy CSP](policy-configuration-service-provider.md)
\ No newline at end of file
+[Policy CSP](policy-configuration-service-provider.md)
From d4cda5c0b256edcf57bf124a527202b9a2ef3ce4 Mon Sep 17 00:00:00 2001
From: Dan Pandre <54847950+DanPandre@users.noreply.github.com>
Date: Fri, 6 Aug 2021 19:41:50 -0400
Subject: [PATCH 26/46] Fix links
---
.../mdm/policies-in-policy-csp-supported-by-surface-hub.md | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
index d3e0c23e6c..13c000e4f5 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
@@ -66,9 +66,9 @@ ms.date: 07/22/2020
- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxdownloadbandwidth)
- [Desktop/PreventUserRedirectionOfProfileFolders](policy-csp-desktop.md#desktop-preventuserredirectionofprofilefolders)
- [RestrictedGroups/ConfigureGroupMembership](policy-csp-restrictedgroups.md)
-- [System/AllowLocation](policy-csp-system#system-allowlocation)
-- [System/AllowStorageCard](policy-csp-system#system-allowstoragecard)
-- [System/AllowTelemetry](policy-csp-system#system-allowtelemetry)
+- [System/AllowLocation](policy-csp-system.md#system-allowlocation)
+- [System/AllowStorageCard](policy-csp-system.md#system-allowstoragecard)
+- [System/AllowTelemetry](policy-csp-system.md#system-allowtelemetry)
- [TextInput/AllowIMELogging](policy-csp-textinput.md#textinput-allowimelogging)
- [TextInput/AllowIMENetworkAccess](policy-csp-textinput.md#textinput-allowimenetworkaccess)
- [TextInput/AllowInputPanel](policy-csp-textinput.md#textinput-allowinputpanel)
From 9aa2be7ebddbdf0c9908a4db134eec8a4becacc5 Mon Sep 17 00:00:00 2001
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com>
Date: Mon, 9 Aug 2021 11:44:55 +0500
Subject: [PATCH 27/46] Update
windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
.../hello-for-business/hello-hybrid-aadj-sso-cert.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
index 090085514e..aa4eeb348a 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
@@ -681,7 +681,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
11. Next to **Subject name format**, type **CN={{OnPrem_Distinguished_Name}}** to make the on-premises distinguished name the subject of the issued certificate.
> [!NOTE]
- > If the distinguished name contains special characters like plus sign ("+"), comma (","), semicolon (";"), or equal sign ("="), the bracketed name must be enclosed in quotation marks: CN=”{{OnPrem_Distinguished_Name}}”.
+ > If the distinguished name contains special characters like a plus sign ("+"), comma (","), semicolon (";"), or equal sign ("="), the bracketed name must be enclosed in quotation marks: CN=”{{OnPrem_Distinguished_Name}}”.
> If the length of the distinguished name is more than 64 characters, the name length enforcement on the Certification Authority [must be disabled](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2003/cc784789(v=ws.10)?#disable-dn-length-enforcement).
12. Specify **User Principal Name (UPN)** as a **Subject Alternative Name** parameter. Set its value as {{UserPrincipalName}}.
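Review bot: The example at the end of the changed NOTE line, CN=”{{OnPrem_Distinguished_Name}}”, is written with typographic quotation marks (”) on both sides, while the special characters earlier in the same sentence use straight quotes. Anyone copying the example into **Subject name format** gets the curly characters, which are not the ASCII quotation mark used to quote a DN value. Write it with straight quotes inside a code span so it can be pasted as is.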
From 036de85d1818004a91cde78ae0152d5fdda0ddd0 Mon Sep 17 00:00:00 2001
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com>
Date: Mon, 9 Aug 2021 11:45:03 +0500
Subject: [PATCH 28/46] Update
windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>
---
.../hello-for-business/hello-hybrid-aadj-sso-cert.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
index aa4eeb348a..b8ce7af3da 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
@@ -682,7 +682,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
> [!NOTE]
> If the distinguished name contains special characters like a plus sign ("+"), comma (","), semicolon (";"), or equal sign ("="), the bracketed name must be enclosed in quotation marks: CN=”{{OnPrem_Distinguished_Name}}”.
- > If the length of the distinguished name is more than 64 characters, the name length enforcement on the Certification Authority [must be disabled](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2003/cc784789(v=ws.10)?#disable-dn-length-enforcement).
+ > If the length of the distinguished name is more than 64 characters, the name length enforcement on the Certification Authority [must be disabled](/previous-versions/windows/it-pro/windows-server-2003/cc784789(v=ws.10)?#disable-dn-length-enforcement).
12. Specify **User Principal Name (UPN)** as a **Subject Alternative Name** parameter. Set its value as {{UserPrincipalName}}.
13. Refer to the "Configure Certificate Templates on NDES" task for how you configured the **AADJ WHFB Authentication** certificate template in the registry. Select the appropriate combination of key usages from the **Key Usages** list that map to the configured NDES template in the registry. In this example, the **AADJ WHFB Authentication** certificate template was added to the **SignatureTemplate** registry value name. The **Key usage** that maps to that registry value name is **Digital Signature**.
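Review bot: The new link target on the changed line keeps an empty query string before the fragment, `cc784789(v=ws.10)?#disable-dn-length-enforcement`; drop the `?` so the anchor follows the path directly. The two sentences of the note also sit on consecutive `>` lines with nothing between them, so they render as one paragraph; separate them with an empty `>` line or make them a list. Because the second sentence asks for a change on the Certification Authority itself, it would help to say that in so many words, so readers know it is not a per-template setting.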
From f15dc57cec8e7faf3b315edd31f31cbd39f81ec6 Mon Sep 17 00:00:00 2001
From: Diana Hanson
Date: Mon, 9 Aug 2021 11:56:00 -0600
Subject: [PATCH 29/46] Raise acro score
sync PR: https://github.com/MicrosoftDocs/windows-docs-pr/pull/5480
---
.../event-id-explanations.md | 40 +++++++++----------
1 file changed, 20 insertions(+), 20 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
index ff7f78475a..185e7af3d1 100644
--- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
+++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
@@ -91,26 +91,26 @@ The WDAC policy rule-option values can be derived from the "Options" field in th
| Bit Address | Policy Rule Option |
|-------|------|
-| 2 | Enabled:UMCI |
-| 3 | Enabled:Boot Menu Protection |
-| 4 | Enabled:Intelligent Security Graph Authorization |
-| 5 | Enabled:Invalidate EAs on Reboot |
-| 7 | Required:WHQL |
-| 10 | Enabled:Allow Supplemental Policies |
-| 11 | Disabled:Runtime FilePath Rule Protection |
-| 13 | Enabled:Revoked Expired As Unsigned |
-| 16 | Enabled:Audit Mode (Default) |
-| 17 | Disabled:Flight Signing |
-| 18 | Enabled:Inherit Default Policy |
-| 19 | Enabled:Unsigned System Integrity Policy (Default) |
-| 20 | Enabled:Dynamic Code Security |
-| 21 | Required:EV Signers |
-| 22 | Enabled:Boot Audit on Failure |
-| 23 | Enabled:Advanced Boot Options Menu |
-| 24 | Disabled:Script Enforcement |
-| 25 | Required:Enforce Store Applications |
-| 27 | Enabled:Managed Installer |
-| 28 | Enabled:Update Policy No Reboot |
+| 2 | `Enabled:UMCI` |
+| 3 | `Enabled:Boot Menu Protection` |
+| 4 | `Enabled:Intelligent Security Graph Authorization` |
+| 5 | `Enabled:Invalidate EAs on Reboot` |
+| 7 | `Required:WHQL` |
+| 10 | `Enabled:Allow Supplemental Policies` |
+| 11 | `Disabled:Runtime FilePath Rule Protection` |
+| 13 | `Enabled:Revoked Expired As Unsigned` |
+| 16 | `Enabled:Audit Mode (Default)` |
+| 17 | `Disabled:Flight Signing` |
+| 18 | `Enabled:Inherit Default Policy` |
+| 19 | `Enabled:Unsigned System Integrity Policy (Default)` |
+| 20 | `Enabled:Dynamic Code Security` |
+| 21 | `Required:EV Signers` |
+| 22 | `Enabled:Boot Audit on Failure` |
+| 23 | `Enabled:Advanced Boot Options Menu` |
+| 24 | `Disabled:Script Enforcement` |
+| 25 | `Required:Enforce Store Applications` |
+| 27 | `Enabled:Managed Installer` |
+| 28 | `Enabled:Update Policy No Reboot` |
## Appendix
A list of other relevant event IDs and their corresponding description.
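Review bot: On the rows for bits 16 and 19 the code span now includes the annotation, as in `Enabled:Audit Mode (Default)`, so "(Default)" reads as part of the literal rule-option name; keep it outside the backticks. Since readers use this table to decode the "Options" value from the 3099 event, it would also help to state which end bit 0 is counted from and that the addresses not listed (for example 0, 1, 6) are not covered by the table.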
From b299fca18a551f536ccb9cbddf7a655ea4decfe6 Mon Sep 17 00:00:00 2001
From: Diana Hanson
Date: Mon, 9 Aug 2021 11:57:38 -0600
Subject: [PATCH 30/46] Fix Warning
Sync PR https://github.com/MicrosoftDocs/windows-docs-pr/pull/5480
---
.../event-id-explanations.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
index 185e7af3d1..d9a41c8eff 100644
--- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
+++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
@@ -87,7 +87,7 @@ reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x
```
## System Integrity Policy Options
-The WDAC policy rule-option values can be derived from the "Options" field in the Details section of the Code integrity 3099 event. To parse the values, first convert the hex value to binary. Next, use the bit addresses and their values from the table below to determine the state of each [policy rule-option](select-types-of-rules-to-create#table-1-windows-defender-application-control-policy---rule-options).
+The WDAC policy rule-option values can be derived from the "Options" field in the Details section of the Code integrity 3099 event. To parse the values, first convert the hex value to binary. Next, use the bit addresses and their values from the table below to determine the state of each [policy rule-option](/select-types-of-rules-to-create#table-1-windows-defender-application-control-policy---rule-options).
| Bit Address | Policy Rule Option |
|-------|------|
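Review bot: The new link target `/select-types-of-rules-to-create#table-1-...` is root-relative, so it resolves from the site root rather than from the folder that holds event-id-explanations.md, and it still has no `.md` extension. If the warning being fixed is an unresolved link, the sibling-file form `select-types-of-rules-to-create.md#table-1-...` looks like the intended target. The commit message should also name the warning that was fixed.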
From 948b041f1eb568b1961e715c01e127fb369d5b6a Mon Sep 17 00:00:00 2001
From: gkomatsu
Date: Mon, 9 Aug 2021 11:04:48 -0700
Subject: [PATCH 31/46] Update
bulk-enrollment-using-windows-provisioning-tool.md
Changed terms ICD -> WCD.
Changed link from ADK to Microsoft Store
Added Windows 11.
Added bullet "Bulk Token creation is not supported with federated accounts." to notes
---
...ollment-using-windows-provisioning-tool.md | 26 +++++++++----------
1 file changed, 13 insertions(+), 13 deletions(-)
diff --git a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md
index b9f88dc916..b3466dc27f 100644
--- a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md
+++ b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md
@@ -1,6 +1,6 @@
---
title: Bulk enrollment
-description: Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to re-image the devices. In Windows 10.
+description: Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to re-image the devices. In Windows 10 and 11.
MS-HAID:
- 'p\_phdevicemgmt.bulk\_enrollment'
- 'p\_phDeviceMgmt.bulk\_enrollment\_using\_Windows\_provisioning\_tool'
@@ -18,7 +18,7 @@ ms.date: 06/26/2017
# Bulk enrollment
-Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to re-image the devices. In Windows 10 desktop and mobile devices, you can use the [Provisioning CSP](provisioning-csp.md) for bulk enrollment, except for the Azure Active Directory Join (Cloud Domain Join) enrollment scenario.
+Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to re-image the devices. In Windows 10 and 11 desktop devices, you can use the [Provisioning CSP](provisioning-csp.md) for bulk enrollment, except for the Azure Active Directory Join (Cloud Domain Join) enrollment scenario.
## Typical use cases
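Review bot: Dropping "and mobile" from the intro sentence leaves the page inconsistent, because the paragraph quoted in the next hunk header still opens with "On the desktop and mobile devices, you can use an enrollment certificate". Update that sentence in the same patch so the page does not describe mobile enrollment in one place and omit it in another.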
@@ -37,12 +37,13 @@ On the desktop and mobile devices, you can use an enrollment certificate or enro
> - Bulk enrollment does not work in Intune standalone environment.
> - Bulk enrollment works in Microsoft Endpoint Manager where the ppkg is generated from the Configuration Manager console.
> - To change bulk enrollment settings, login to **AAD**, then **Devices**, and then click **Device Settings**. Change the number under **Maximum number of devices per user**.
+> - Bulk Token creation is not supported with federated accounts.
## What you need
- Windows 10 devices
-- Windows Imaging and Configuration Designer (ICD) tool
- To get the ICD tool, download the [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). For more information about the ICD tool, see [Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd) and [Getting started with Windows ICD](/windows/configuration/provisioning-packages/provisioning-install-icd).
+- Windows Configuration Designer (WCD) tool
+ To get the WCD tool, download from the [Microsoft Store](https://www.microsoft.com/store/productId/9NBLGGH4TX22). For more information about the WCD tool, see [Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd) and [Getting started with Windows WCD](/windows/configuration/provisioning-packages/provisioning-install-icd).
- Enrollment credentials (domain account for enrollment, generic enrollment credentials for MDM, enrollment certificate for MDM.)
- Wi-Fi credentials, computer name scheme, and anything else required by your organization.
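Review bot: Both links in the added WCD line point at the same target, `/windows/configuration/provisioning-packages/provisioning-install-icd`, under two different titles, and the second title "Getting started with Windows WCD" expands to "Windows Windows Configuration Designer". Keep one link with the real page title, or point the second at a distinct getting-started page. The first bullet also still reads "Windows 10 devices" although the description changed in this patch now covers Windows 11.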
@@ -50,14 +51,14 @@ On the desktop and mobile devices, you can use an enrollment certificate or enro
## Create and apply a provisioning package for on-premises authentication
-Using the ICD, create a provisioning package using the enrollment information required by your organization. Ensure that you have all the configuration settings.
+Using the WCD, create a provisioning package using the enrollment information required by your organization. Ensure that you have all the configuration settings.
-1. Open the Windows ICD tool (by default, %windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe).
+1. Open the WCD tool.
2. Click **Advanced Provisioning**.

3. Enter a project name and click **Next**.
-4. Select **All Windows editions**, since Provisioning CSP is common to all Windows 10 editions, then click **Next**.
+4. Select **All Windows editions**, since Provisioning CSP is common to all Windows editions, then click **Next**.
5. Skip **Import a provisioning package (optional)** and click **Finish**.
6. Expand **Runtime settings** > **Workplace**.
7. Click **Enrollments**, enter a value in **UPN**, and then click **Add**.
@@ -70,7 +71,7 @@ Using the ICD, create a provisioning package using the enrollment information re
- **PolicyServiceFullUrl** - Optional and in most cases, it should be left blank.
- **Secret** - Password
For detailed descriptions of these settings, see [Provisioning CSP](provisioning-csp.md).
- Here is the screenshot of the ICD at this point.
+ Here is the screenshot of the WCD at this point.

9. Configure the other settings, such as the Wi-Fi connections so that the device can join a network before joining MDM (e.g., **Runtime settings** > **ConnectivityProfiles** > **WLANSetting**).
10. When you are done adding all the settings, on the **File** menu, click **Save**.
@@ -90,12 +91,12 @@ Using the ICD, create a provisioning package using the enrollment information re
## Create and apply a provisioning package for certificate authentication
-Using the ICD, create a provisioning package using the enrollment information required by your organization. Ensure that you have all the configuration settings.
+Using the WCD, create a provisioning package using the enrollment information required by your organization. Ensure that you have all the configuration settings.
-1. Open the Windows ICD tool (by default, %windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe).
+1. Open the WCD tool.
2. Click **Advanced Provisioning**.
3. Enter a project name and click **Next**.
-4. Select **Common to all Windows editions**, since Provisioning CSP is common to all Windows 10 editions.
+4. Select **Common to all Windows editions**, since Provisioning CSP is common to all Windows editions.
5. Skip **Import a provisioning package (optional)** and click **Finish**.
6. Specify the certificate.
1. Go to **Runtime settings** > **Certificates** > **ClientCertificates**.
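Review bot: Step 4 here tells the reader to select **Common to all Windows editions**, while step 4 of the on-premises procedure edited earlier in this patch says **All Windows editions**. Both lines are touched by this change, so pick the label the WCD UI actually shows and use it in both procedures.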
@@ -129,8 +130,7 @@ Using the ICD, create a provisioning package using the enrollment information re
Here's the list of topics about applying a provisioning package:
- [Apply a package on the first-run setup screen (out-of-the-box experience)](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment#apply-package) - topic in Technet.
-- [Apply a package to a Windows 10 desktop edition image](/windows/configuration/provisioning-packages/provisioning-create-package#to_apply_a_provisioning_package_to_a_desktop_image) - topic in MSDN
-- [Apply a package to a Windows 10 Mobile image](/windows/configuration/provisioning-packages/provisioning-create-package#to_apply_a_provisioning_package_to_a_mobile_image) - topic in MSDN.
+- [Apply a package to a Windows desktop edition image](/windows/configuration/provisioning-packages/provisioning-create-package#to_apply_a_provisioning_package_to_a_desktop_image) - topic in MSDN
- [Apply a package from the Settings menu](#apply-a-package-from-the-settings-menu) - topic below
## Apply a package from the Settings menu
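Review bot: The list still labels its entries "topic in Technet" and "topic in MSDN" even though every link is a site-relative docs path, and the retitled desktop entry ends without the period that the first entry has. Since the line is being rewritten anyway, drop the source labels or at least make the punctuation consistent across the list.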
From b901354412a69437adb848bf5df7ba6a1c3c7b50 Mon Sep 17 00:00:00 2001
From: Daniel Simpson
Date: Mon, 9 Aug 2021 11:26:56 -0700
Subject: [PATCH 32/46] Update
bulk-enrollment-using-windows-provisioning-tool.md
---
.../mdm/bulk-enrollment-using-windows-provisioning-tool.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md
index b3466dc27f..4df0e51619 100644
--- a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md
+++ b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md
@@ -1,6 +1,6 @@
---
title: Bulk enrollment
-description: Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to re-image the devices. In Windows 10 and 11.
+description: Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to re-image the devices. In Windows 10 and Windows 11.
MS-HAID:
- 'p\_phdevicemgmt.bulk\_enrollment'
- 'p\_phDeviceMgmt.bulk\_enrollment\_using\_Windows\_provisioning\_tool'
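Review bot: The description still ends with the fragment "In Windows 10 and Windows 11.", which is not a sentence and will appear as-is wherever the description metadata is displayed. Fold the applicability into the first sentence, or replace the fragment with a full sentence such as "Applies to Windows 10 and Windows 11."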
From 5e7ce5d47057923098b21c8474b9b3f8745d1415 Mon Sep 17 00:00:00 2001
From: Diana Hanson
Date: Mon, 9 Aug 2021 12:34:41 -0600
Subject: [PATCH 33/46] fix staging
Sync PR: https://github.com/MicrosoftDocs/windows-docs-pr/pull/5487
---
.../mdm/bulk-enrollment-using-windows-provisioning-tool.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md
index 4df0e51619..1b84316554 100644
--- a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md
+++ b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md
@@ -43,6 +43,7 @@ On the desktop and mobile devices, you can use an enrollment certificate or enro
- Windows 10 devices
- Windows Configuration Designer (WCD) tool
+
To get the WCD tool, download from the [Microsoft Store](https://www.microsoft.com/store/productId/9NBLGGH4TX22). For more information about the WCD tool, see [Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd) and [Getting started with Windows WCD](/windows/configuration/provisioning-packages/provisioning-install-icd).
- Enrollment credentials (domain account for enrollment, generic enrollment credentials for MDM, enrollment certificate for MDM.)
- Wi-Fi credentials, computer name scheme, and anything else required by your organization.
From ed55b1a5eb132967fd09b50d5c86647a1df73b5e Mon Sep 17 00:00:00 2001
From: Diana Hanson
Date: Mon, 9 Aug 2021 12:46:55 -0600
Subject: [PATCH 34/46] Fix formatting
Sync PR https://github.com/MicrosoftDocs/windows-docs-pr/pull/5487
---
.../bulk-enrollment-using-windows-provisioning-tool.md | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md
index 1b84316554..4fabdbc971 100644
--- a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md
+++ b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md
@@ -41,11 +41,11 @@ On the desktop and mobile devices, you can use an enrollment certificate or enro
## What you need
-- Windows 10 devices
-- Windows Configuration Designer (WCD) tool
+- Windows 10 devices.
+- Windows Configuration Designer (WCD) tool.
To get the WCD tool, download from the [Microsoft Store](https://www.microsoft.com/store/productId/9NBLGGH4TX22). For more information about the WCD tool, see [Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd) and [Getting started with Windows WCD](/windows/configuration/provisioning-packages/provisioning-install-icd).
-- Enrollment credentials (domain account for enrollment, generic enrollment credentials for MDM, enrollment certificate for MDM.)
+- Enrollment credentials (domain account for enrollment, generic enrollment credentials for MDM, enrollment certificate for MDM.).
- Wi-Fi credentials, computer name scheme, and anything else required by your organization.
Some organizations require custom APNs to be provisioned before talking to the enrollment endpoint or custom VPN to join a domain.
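Review bot: Adding a period after the closing parenthesis on the enrollment credentials bullet leaves doubled punctuation, "enrollment certificate for MDM.).". Remove the period inside the parenthesis so the bullet ends "for MDM)." like the other items.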
@@ -73,7 +73,8 @@ Using the WCD, create a provisioning package using the enrollment information re
- **Secret** - Password
For detailed descriptions of these settings, see [Provisioning CSP](provisioning-csp.md).
Here is the screenshot of the WCD at this point.
- 
+
+ 
9. Configure the other settings, such as the Wi-Fi connections so that the device can join a network before joining MDM (e.g., **Runtime settings** > **ConnectivityProfiles** > **WLANSetting**).
10. When you are done adding all the settings, on the **File** menu, click **Save**.
11. On the main menu click **Export** > **Provisioning package**.
From 067bc3fb90e579adc6822bff81fc04a0b92fe845 Mon Sep 17 00:00:00 2001
From: Linda Diefendorf
Date: Mon, 9 Aug 2021 11:59:09 -0700
Subject: [PATCH 35/46] Update device-guard-signing-portal.md
Updating to include v2 cmdlet descriptions
---
.../device-guard-signing-portal.md | 125 +++++++++++++++++-
1 file changed, 124 insertions(+), 1 deletion(-)
diff --git a/store-for-business/device-guard-signing-portal.md b/store-for-business/device-guard-signing-portal.md
index c6c8eeb5e5..64da5a18ce 100644
--- a/store-for-business/device-guard-signing-portal.md
+++ b/store-for-business/device-guard-signing-portal.md
@@ -43,7 +43,7 @@ ms.date: 07/21/2021
- Windows 10
- Windows 10 Mobile
-Device Guard signing is a Device Guard feature that is available in Microsoft Store for Business and Education. It gives admins a single place to sign catalog files and code integrity policies. After admins have created catalog files for unsigned apps and signed the catalog files, they can add the signers to a code integrity policy. You can merge the code integrity policy with your existing policy to include your custom signing certificate. This allows you to trust the catalog files.
+Device Guard signing is a Device Guard feature that gives admins a single place to sign catalog files and code integrity policies. After admins have created catalog files for unsigned apps and signed the catalog files, they can add the signers to a code integrity policy. You can merge the code integrity policy with your existing policy to include your custom signing certificate. This allows you to trust the catalog files.
Device Guard is a feature set that consists of both hardware and software system integrity hardening features. These features use new virtualization-based security options and the trust-nothing mobile device operating system model. A key feature in this model is called configurable code integrity, which allows your organization to choose exactly which software or trusted software publishers are allowed to run code on your client machines. Also, Device Guard offers organizations a way to sign existing line-of-business (LOB) applications so that they can trust their own code, without the requirement that the application be repackaged. Also, this same method of signing allows organizations to trust individual third-party applications. For more information, see [Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide).
@@ -54,6 +54,129 @@ Device Guard is a feature set that consists of both hardware and software system
| [Add unsigned app to code integrity policy](add-unsigned-app-to-code-integrity-policy.md) | When you want to add an unsigned app to a code integrity policy, you need to start with a code integrity policy created from a reference device. Then, create the catalog files for your unsigned app, sign the catalog files, and then merge the default policy that includes your signing certificate with existing code integrity policies. |
| [Sign code integrity policy with Device Guard signing](sign-code-integrity-policy-with-device-guard-signing.md) | Signing code integrity policies prevents policies from being tampered with after they're deployed. You can sign code integrity policies with the Device Guard signing portal. |
+## Device Guard Signing Service (v2) PowerShell Commands
+
+_Note: [.. common ..] are parameters common across all commands that are documented below the command definitions._
+
+**Get-DefaultPolicy** Gets the default .xml policy file associated with the current tenant.
+
+- Usage:
+
+```
+Get-DefaultPolicy -OutFile filename [-PassThru] [.. common ..]
+```
+
+- Parameters:
+
+ **OutFile** - string, mandatory - The filename where the default policy file should be persisted to disk. The file name should be an .xml file. If the file already exists, it will be overwritten (note: create the folder first).
+
+ **PassThru** - switch, optional - If present, returns an XmlDocument object returning the default policy file.
+
+- Command running time:
+
+ The average running time is under 20 seconds but may be up to 3 minutes.
+
+**Get-RootCertificate** Gets the root certificate for the current tenant. All Authenticode and policy signing certificates will eventually chain up to this root certificate.
+
+- Usage:
+
+ ```
+ Get-RootCertificate -OutFile filename [-PassThru] [.. common ..]
+ ```
+
+- Parameters:
+
+ **OutFile** - string, mandatory - The filename where the root certificate file should be persisted to disk. The file name should be a .cer file. If the file already exists, it will be overwritten (note: create the folder first).
+
+ **PassThru** - switch, optional - If present, returns an X509Certificate2 object returning the default
+ policy file.
+
+- Command running time:
+
+ The average running time is under 20 seconds but may be up to 3 minutes.
+
+**Get-SigningHistory** Gets information for the latest 100 files signed by the current tenant. Results are returned as a collection with elements in reverse chronological order (most recent to least recent).
+
+- Usage:
+
+ ```
+ Get-SigningHistory -OutFile filename [-PassThru] [.. common ..]
+ ```
+
+- Parameters:
+
+ **OutFile** - string, mandatory - The filename where the signing history file should be persisted to disk. The file name should be a .xml file. If the file already exists, it will be overwritten (note: create the folder first).
+
+ **PassThru** - switch, optional - If present, returns XML objects returning the XML file.
+
+- Command running time:
+
+ The average running time is under 10 seconds.
+
+**Submit-SigningJob** Submits a file to the service for signing and timestamping. The module supports valid file type for Authenticode signing is Catalog file (.cat). Valid file type for policy signing is binary policy files with the extension (.bin) that have been created via the ConvertFrom-CiPolicy cmdlet. Otherwise, binary policy file may not be deployed properly.
+
+- Usage:
+
+ ```
+ Submit-SigningJob -InFile filename -OutFile filename [-NoTimestamp][- TimeStamperUrl "timestamper url"] [-JobDescription "description"] [.. common ..]
+ ```
+
+- Parameters:
+
+ **InFile** - string, mandatory - The file to be signed. This should be a file of the types described in description above (.cat or .bin).
+
+ **OutFile** - string, mandatory - The output file that should be generated by the signing process. If this file already exists, it will be overwritten. (note: create the folder first)
+
+ **NoTimestamp** - switch, optional - If present, the signing operation will skip timestamping the output file, and it will be signed only. If not present (default) and TimeStamperUrl presents, the output file will be both signed and timestamped. If both NoTimestamp and TimeStamperUrl not present, the signing operation will skip timestamping the output file, and it will be signed only.
+
+ **TimeStamperUrl** - string, optional - If this value is invalid Url (and NoTimestamp not present), the module will throw exception. To understand more about timestamping, refer to [Timestamping](https://docs.microsoft.com/en-us/windows/msix/package/signing-package-overview#timestamping).
+
+ **JobDescription** - string, optional - A short (< 100 chars), human-readable description of this submission. If the script is being called as part of an automated build rocess the agent may wish to pass a version number or changeset number for this field. This information will be provided as part of the results of the Get-SigningHistory command.
+
+**Submit-SigningV1MigrationPolicy** Submits a file to the service for signing and timestamping. The only valid file type for policy
+signing is binary policy files with the extension (.bin) that have been created via the [ConvertFromCiPolicy](https://docs.microsoft.com/en-us/powershell/module/configci/convertfrom-cipolicy?view=windowsserver2019-ps&viewFallbackFrom=win10-ps) cmdlet. Otherwise, binary policy file may not be deployed properly. Note: Only use for V1 migration.
+
+- Usage:
+
+ ```
+ Submit-SigningV1MigrationPolicy -InFile filename -OutFile filename [-NoTimestamp][-TimeStamperUrl "timestamper url"] [-JobDescription "description"] [.. common ..]
+ ```
+
+- Parameters:
+
+ **InFile** - string, mandatory - The file to be signed. This should be a file of the types described in description above (.bin).
+
+ **OutFile** - string, mandatory - The output file that should be generated by the signing process. If this file already exists, it will be overwritten (note: create the folder first).
+
+ **NoTimestamp** - switch, optional - If present, the signing operation will skip timestamping the output file, and it will be signed only. If not present (default) and TimeStamperUrl presents, the output file will be both signed and timestamped. If both NoTimestamp and TimeStamperUrl not present, the signing operation will skip timestamping the output file, and it will be signed only.
+
+ **TimeStamperUrl** - string, optional - If this value is invalid Url (and NoTimestamp not present), the module will throw exception. To understand more about timestamping, refer to [Timestamping](https://docs.microsoft.com/en-us/windows/msix/package/signing-package-overview#timestamping).
+
+ **JobDescription** - string, optional - A short (< 100 chars), human-readable description of this submission. If the script is being called as part of an automated build process the agent may wish to pass a version number or changeset number for this field. This information will be provided as part of the results of the Get-SigningHistory command.
+
+- Command running time:
+
+ The average running time is under 20 seconds but may be up to 3 minutes.
+
+**Common parameters [.. common ..]**
+
+In addition to cmdlet-specific parameters, each cmdlet understands the following common parameters.
+
+- Usage:
+
+ ```
+ ... [-NoPrompt] [-Credential $creds] [-AppId AppId] [-Verbose]
+ ```
+
+- Parameters:
+
+ **NoPrompt** - switch, optional - If present, indicates that the script is running in a headless
+ environment and that all UI should be suppressed. If UI must be displayed (e.g., for
+ authentication) when the switch is set, the operation will instead fail.
+
+ **Credential + AppId** - PSCredential - A login credential (username and password) and AppId.
+
+
## File and size limits
When you're uploading files for Device Guard signing, there are a few limits for files and file size:
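Review bot: The **NoTimestamp** text for Submit-SigningJob and Submit-SigningV1MigrationPolicy buries the fact that a call with neither -NoTimestamp nor -TimeStamperUrl produces a signed but untimestamped file; the "(default)" wording reads as if timestamping were the default. State up front that timestamping happens only when -TimeStamperUrl is supplied. Smaller fixes in the same block: the Submit-SigningJob usage line has a stray space in `[- TimeStamperUrl`, its JobDescription says "build rocess", the Get-RootCertificate **PassThru** text says the X509Certificate2 object returns "the default policy file" (carried over from Get-DefaultPolicy), Submit-SigningJob has no "Command running time" entry, and **Credential + AppId** does not say whether it is optional or mandatory, unlike every other parameter.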
From 1db546b1437fc6ff5c33315c34433ada3ada0505 Mon Sep 17 00:00:00 2001
From: Cern McAtee
Date: Mon, 9 Aug 2021 13:16:02 -0700
Subject: [PATCH 36/46] Fixed !NOTES and added codeblock IDs
---
.../device-guard-signing-portal.md | 33 ++++++++++---------
1 file changed, 18 insertions(+), 15 deletions(-)
diff --git a/store-for-business/device-guard-signing-portal.md b/store-for-business/device-guard-signing-portal.md
index 64da5a18ce..f13413106a 100644
--- a/store-for-business/device-guard-signing-portal.md
+++ b/store-for-business/device-guard-signing-portal.md
@@ -17,6 +17,11 @@ ms.date: 07/21/2021
# Device Guard signing
+**Applies to**
+
+- Windows 10
+- Windows 10 Mobile
+
> [!IMPORTANT]
> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
@@ -37,12 +42,6 @@ ms.date: 07/21/2021
>
> For any questions, please contact us at DGSSMigration@microsoft.com.
-
-**Applies to**
-
-- Windows 10
-- Windows 10 Mobile
-
Device Guard signing is a Device Guard feature that gives admins a single place to sign catalog files and code integrity policies. After admins have created catalog files for unsigned apps and signed the catalog files, they can add the signers to a code integrity policy. You can merge the code integrity policy with your existing policy to include your custom signing certificate. This allows you to trust the catalog files.
Device Guard is a feature set that consists of both hardware and software system integrity hardening features. These features use new virtualization-based security options and the trust-nothing mobile device operating system model. A key feature in this model is called configurable code integrity, which allows your organization to choose exactly which software or trusted software publishers are allowed to run code on your client machines. Also, Device Guard offers organizations a way to sign existing line-of-business (LOB) applications so that they can trust their own code, without the requirement that the application be repackaged. Also, this same method of signing allows organizations to trust individual third-party applications. For more information, see [Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide).
@@ -56,16 +55,17 @@ Device Guard is a feature set that consists of both hardware and software system
## Device Guard Signing Service (v2) PowerShell Commands
-_Note: [.. common ..] are parameters common across all commands that are documented below the command definitions._
+> [!NOTE]
+> [.. common ..] are parameters common across all commands that are documented below the command definitions.
**Get-DefaultPolicy** Gets the default .xml policy file associated with the current tenant.
- Usage:
-```
+```powershell
Get-DefaultPolicy -OutFile filename [-PassThru] [.. common ..]
```
-
+
- Parameters:
**OutFile** - string, mandatory - The filename where the default policy file should be persisted to disk. The file name should be an .xml file. If the file already exists, it will be overwritten (note: create the folder first).
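Review bot: The Get-DefaultPolicy fence gains the `powershell` tag but stays at column 0, while the fences for the other cmdlets in this patch are indented under their "- Usage:" bullet. Indent this one to match so the code block renders inside the list item instead of ending the list.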
@@ -80,7 +80,7 @@ Get-DefaultPolicy -OutFile filename [-PassThru] [.. common ..]
- Usage:
- ```
+ ```powershell
Get-RootCertificate -OutFile filename [-PassThru] [.. common ..]
```
@@ -99,7 +99,7 @@ Get-DefaultPolicy -OutFile filename [-PassThru] [.. common ..]
- Usage:
- ```
+ ```powershell
Get-SigningHistory -OutFile filename [-PassThru] [.. common ..]
```
@@ -117,7 +117,7 @@ Get-DefaultPolicy -OutFile filename [-PassThru] [.. common ..]
- Usage:
- ```
+ ```powershell
Submit-SigningJob -InFile filename -OutFile filename [-NoTimestamp][- TimeStamperUrl "timestamper url"] [-JobDescription "description"] [.. common ..]
```
@@ -138,7 +138,7 @@ signing is binary policy files with the extension (.bin) that have been created
- Usage:
- ```
+ ```powershell
Submit-SigningV1MigrationPolicy -InFile filename -OutFile filename [-NoTimestamp][-TimeStamperUrl "timestamper url"] [-JobDescription "description"] [.. common ..]
```
@@ -146,7 +146,10 @@ signing is binary policy files with the extension (.bin) that have been created
**InFile** - string, mandatory - The file to be signed. This should be a file of the types described in description above (.bin).
- **OutFile** - string, mandatory - The output file that should be generated by the signing process. If this file already exists, it will be overwritten (note: create the folder first).
+ **OutFile** - string, mandatory - The output file that should be generated by the signing process. If this file already exists, it will be overwritten.
+
+ > [!NOTE]
+ > Create the folder first.
**NoTimestamp** - switch, optional - If present, the signing operation will skip timestamping the output file, and it will be signed only. If not present (default) and TimeStamperUrl presents, the output file will be both signed and timestamped. If both NoTimestamp and TimeStamperUrl not present, the signing operation will skip timestamping the output file, and it will be signed only.
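Review bot: Only the Submit-SigningV1MigrationPolicy **OutFile** entry gets the "Create the folder first" note callout; the Get-DefaultPolicy **OutFile** text visible in an earlier hunk of this patch still carries "(note: create the folder first)" inline. Convert the other OutFile entries the same way, or leave them all inline, so the cmdlet descriptions read consistently.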
@@ -164,7 +167,7 @@ In addition to cmdlet-specific parameters, each cmdlet understands the following
- Usage:
- ```
+ ```powershell
... [-NoPrompt] [-Credential $creds] [-AppId AppId] [-Verbose]
```
From a78fbd5a5681f4b083526008ded57c768857c904 Mon Sep 17 00:00:00 2001
From: Gary Moore
Date: Mon, 9 Aug 2021 18:11:28 -0700
Subject: [PATCH 37/46] Fixed hard-coded locales and absolute links
This corrects links that were absolute, rather than site-relative, and/or that had hard-coded locales, adding in the public repo in commit https://github.com/MicrosoftDocs/windows-itpro-docs/pull/9888/commits/067bc3fb90e579adc6822bff81fc04a0b92fe845
---
store-for-business/device-guard-signing-portal.md | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/store-for-business/device-guard-signing-portal.md b/store-for-business/device-guard-signing-portal.md
index f13413106a..433f0bb68a 100644
--- a/store-for-business/device-guard-signing-portal.md
+++ b/store-for-business/device-guard-signing-portal.md
@@ -129,12 +129,12 @@ Get-DefaultPolicy -OutFile filename [-PassThru] [.. common ..]
**NoTimestamp** - switch, optional - If present, the signing operation will skip timestamping the output file, and it will be signed only. If not present (default) and TimeStamperUrl presents, the output file will be both signed and timestamped. If both NoTimestamp and TimeStamperUrl not present, the signing operation will skip timestamping the output file, and it will be signed only.
- **TimeStamperUrl** - string, optional - If this value is invalid Url (and NoTimestamp not present), the module will throw exception. To understand more about timestamping, refer to [Timestamping](https://docs.microsoft.com/en-us/windows/msix/package/signing-package-overview#timestamping).
+ **TimeStamperUrl** - string, optional - If this value is invalid Url (and NoTimestamp not present), the module will throw exception. To understand more about timestamping, refer to [Timestamping](/windows/msix/package/signing-package-overview#timestamping).
**JobDescription** - string, optional - A short (< 100 chars), human-readable description of this submission. If the script is being called as part of an automated build rocess the agent may wish to pass a version number or changeset number for this field. This information will be provided as part of the results of the Get-SigningHistory command.
**Submit-SigningV1MigrationPolicy** Submits a file to the service for signing and timestamping. The only valid file type for policy
-signing is binary policy files with the extension (.bin) that have been created via the [ConvertFromCiPolicy](https://docs.microsoft.com/en-us/powershell/module/configci/convertfrom-cipolicy?view=windowsserver2019-ps&viewFallbackFrom=win10-ps) cmdlet. Otherwise, binary policy file may not be deployed properly. Note: Only use for V1 migration.
+signing is binary policy files with the extension (.bin) that have been created via the [ConvertFromCiPolicy](/powershell/module/configci/convertfrom-cipolicy?view=windowsserver2019-ps&viewFallbackFrom=win10-ps) cmdlet. Otherwise, binary policy file may not be deployed properly. Note: Only use for V1 migration.
- Usage:
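Review bot: The link text on the rewritten Submit-SigningV1MigrationPolicy line still reads ConvertFromCiPolicy while the target path is convertfrom-cipolicy, so the cmdlet name is missing its hyphen; since the line is already being touched, change the text to ConvertFrom-CIPolicy. The link also keeps the pinned query string ?view=windowsserver2019-ps&viewFallbackFrom=win10-ps, which is the same kind of hard-coding this patch sets out to remove, so consider dropping it. The unchanged JobDescription line in this hunk has the typo "build rocess", which the copy in the next hunk spells correctly.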
@@ -153,7 +153,7 @@ signing is binary policy files with the extension (.bin) that have been created
**NoTimestamp** - switch, optional - If present, the signing operation will skip timestamping the output file, and it will be signed only. If not present (default) and TimeStamperUrl presents, the output file will be both signed and timestamped. If both NoTimestamp and TimeStamperUrl not present, the signing operation will skip timestamping the output file, and it will be signed only.
- **TimeStamperUrl** - string, optional - If this value is invalid Url (and NoTimestamp not present), the module will throw exception. To understand more about timestamping, refer to [Timestamping](https://docs.microsoft.com/en-us/windows/msix/package/signing-package-overview#timestamping).
+ **TimeStamperUrl** - string, optional - If this value is invalid Url (and NoTimestamp not present), the module will throw exception. To understand more about timestamping, refer to [Timestamping](/windows/msix/package/signing-package-overview#timestamping).
**JobDescription** - string, optional - A short (< 100 chars), human-readable description of this submission. If the script is being called as part of an automated build process the agent may wish to pass a version number or changeset number for this field. This information will be provided as part of the results of the Get-SigningHistory command.
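Review bot: The rewritten TimeStamperUrl line keeps the wording "If this value is invalid Url ... the module will throw exception", and the NoTimestamp line above it says "TimeStamperUrl presents"; both are worth correcting in the same pass. The NoTimestamp text also labels one case "(default)" and then states that with neither NoTimestamp nor TimeStamperUrl present the file is signed only, so it would help to say outright that a call with no TimeStamperUrl produces an untimestamped signature.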
@@ -189,7 +189,7 @@ When you're uploading files for Device Guard signing, there are a few limits for
| Maximum size for multiple files (uploaded in a group) | 4 MB |
| Maximum number of files per upload | 15 files |
- ## File types
+## File types
Catalog and policy files have required files types.
| File | Required file type |
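Review bot: The context line directly under the corrected heading reads "Catalog and policy files have required files types."; "files types" should be "file types", matching the "Required file type" column header on the next line, and can be fixed along with the heading.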
@@ -197,7 +197,7 @@ Catalog and policy files have required files types.
| catalog files | .cat |
| policy files | .bin |
- ## Store for Business roles and permissions
+## Store for Business roles and permissions
Signing code integrity policies and access to Device Guard portal requires the Device Guard signer role.
## Device Guard signing certificates
From 9eb9a04e036b1f7995acf044246f19ea6f318564 Mon Sep 17 00:00:00 2001
From: Gary Moore
Date: Mon, 9 Aug 2021 18:36:12 -0700
Subject: [PATCH 38/46] Corrected indentation in preview; tidied indentation in
source
---
.../device-guard-signing-portal.md | 37 +++++++++----------
1 file changed, 18 insertions(+), 19 deletions(-)
diff --git a/store-for-business/device-guard-signing-portal.md b/store-for-business/device-guard-signing-portal.md
index 433f0bb68a..3c5210990f 100644
--- a/store-for-business/device-guard-signing-portal.md
+++ b/store-for-business/device-guard-signing-portal.md
@@ -62,46 +62,45 @@ Device Guard is a feature set that consists of both hardware and software system
- Usage:
-```powershell
-Get-DefaultPolicy -OutFile filename [-PassThru] [.. common ..]
-```
+ ```powershell
+ Get-DefaultPolicy -OutFile filename [-PassThru] [.. common ..]
+ ```
- Parameters:
- **OutFile** - string, mandatory - The filename where the default policy file should be persisted to disk. The file name should be an .xml file. If the file already exists, it will be overwritten (note: create the folder first).
+ **OutFile** - string, mandatory - The filename where the default policy file should be persisted to disk. The file name should be an .xml file. If the file already exists, it will be overwritten (note: create the folder first).
- **PassThru** - switch, optional - If present, returns an XmlDocument object returning the default policy file.
+ **PassThru** - switch, optional - If present, returns an XmlDocument object returning the default policy file.
- Command running time:
- The average running time is under 20 seconds but may be up to 3 minutes.
+ The average running time is under 20 seconds but may be up to 3 minutes.
**Get-RootCertificate** Gets the root certificate for the current tenant. All Authenticode and policy signing certificates will eventually chain up to this root certificate.
- Usage:
- ```powershell
- Get-RootCertificate -OutFile filename [-PassThru] [.. common ..]
- ```
+ ```powershell
+ Get-RootCertificate -OutFile filename [-PassThru] [.. common ..]
+ ```
- Parameters:
- **OutFile** - string, mandatory - The filename where the root certificate file should be persisted to disk. The file name should be a .cer file. If the file already exists, it will be overwritten (note: create the folder first).
+ **OutFile** - string, mandatory - The filename where the root certificate file should be persisted to disk. The file name should be a .cer file. If the file already exists, it will be overwritten (note: create the folder first).
- **PassThru** - switch, optional - If present, returns an X509Certificate2 object returning the default
- policy file.
+ **PassThru** - switch, optional - If present, returns an X509Certificate2 object returning the default policy file.
- Command running time:
- The average running time is under 20 seconds but may be up to 3 minutes.
+ The average running time is under 20 seconds but may be up to 3 minutes.
**Get-SigningHistory** Gets information for the latest 100 files signed by the current tenant. Results are returned as a collection with elements in reverse chronological order (most recent to least recent).
- Usage:
- ```powershell
- Get-SigningHistory -OutFile filename [-PassThru] [.. common ..]
- ```
+ ```powershell
+ Get-SigningHistory -OutFile filename [-PassThru] [.. common ..]
+ ```
- Parameters:
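Review bot: The re-wrapped PassThru line for Get-RootCertificate says it "returns an X509Certificate2 object returning the default policy file", which looks copied from Get-DefaultPolicy; the cmdlet is described as getting the root certificate and writing a .cer file, so the text should say the object represents the root certificate. The Get-DefaultPolicy line has the same doubled "returns ... returning" wording, and since both lines are rewritten in this hunk this is a good place to correct them.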
@@ -117,9 +116,9 @@ Get-DefaultPolicy -OutFile filename [-PassThru] [.. common ..]
- Usage:
- ```powershell
- Submit-SigningJob -InFile filename -OutFile filename [-NoTimestamp][- TimeStamperUrl "timestamper url"] [-JobDescription "description"] [.. common ..]
- ```
+ ```powershell
+ Submit-SigningJob -InFile filename -OutFile filename [-NoTimestamp][- TimeStamperUrl "timestamper url"] [-JobDescription "description"] [.. common ..]
+ ```
- Parameters:
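Review bot: The Submit-SigningJob usage line is re-indented but still contains "[-NoTimestamp][- TimeStamperUrl "timestamper url"]", with a space between the hyphen and the parameter name and no space between the two bracketed options. Copied as written, "- TimeStamperUrl" is not a valid parameter; suggest "[-NoTimestamp] [-TimeStamperUrl "timestamper url"]".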
From 4225c226bb300ed6b8d5cd93331f24168a96d971 Mon Sep 17 00:00:00 2001
From: gkomatsu
Date: Tue, 10 Aug 2021 08:14:28 -0700
Subject: [PATCH 39/46] Update index.md
Removed Note on Intune MDM Security baseline coming soon.
Removed "Preview" from Intune Security Baseline details and updated link.
---
windows/client-management/mdm/index.md | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/windows/client-management/mdm/index.md b/windows/client-management/mdm/index.md
index 4339466ef0..e39785e9f2 100644
--- a/windows/client-management/mdm/index.md
+++ b/windows/client-management/mdm/index.md
@@ -28,8 +28,6 @@ Third-party MDM servers can manage Windows 10 by using the MDM protocol. The bu
With Windows 10, version 1809, Microsoft is also releasing a Microsoft MDM security baseline that functions like the Microsoft GP-based security baseline. You can easily integrate this baseline into any MDM to support IT pros’ operational needs, addressing security concerns for modern cloud-managed devices.
-> [!NOTE]
->Intune support for the MDM security baseline is coming soon.
The MDM security baseline includes policies that cover the following areas:
@@ -48,7 +46,7 @@ For more details about the MDM policies defined in the MDM security baseline and
- [MDM Security baseline for Windows 10, version 1809](https://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/1809-MDM-SecurityBaseLine-Document-[Preview].zip)
-For information about the MDM policies defined in the Intune security baseline public preview, see [Windows security baseline settings for Intune](/intune/security-baseline-settings-windows).
+For information about the MDM policies defined in the Intune security baseline, see [Windows security baseline settings for Intune](https://docs.microsoft.com/en-us/mem/intune/protect/security-baseline-settings-mdm-all).
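Review bot: The added link replaces a site-relative path with an absolute URL that hard-codes the en-us locale (https://docs.microsoft.com/en-us/mem/intune/protect/security-baseline-settings-mdm-all). Use the site-relative form /mem/intune/protect/security-baseline-settings-mdm-all so the link follows the reader's locale. The download link in the context line above still points to a file named 1809-MDM-SecurityBaseLine-Document-[Preview].zip, so confirm whether that "Preview" reference should stay now that the preview wording is being removed.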
From 17bc597c3a8f028593b771a96d8a0b1a79f7522c Mon Sep 17 00:00:00 2001
From: Daniel Simpson
Date: Tue, 10 Aug 2021 10:57:47 -0700
Subject: [PATCH 40/46] Update index.md
---
windows/client-management/mdm/index.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/client-management/mdm/index.md b/windows/client-management/mdm/index.md
index e39785e9f2..1ba26c7c91 100644
--- a/windows/client-management/mdm/index.md
+++ b/windows/client-management/mdm/index.md
@@ -46,7 +46,7 @@ For more details about the MDM policies defined in the MDM security baseline and
- [MDM Security baseline for Windows 10, version 1809](https://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/1809-MDM-SecurityBaseLine-Document-[Preview].zip)
-For information about the MDM policies defined in the Intune security baseline, see [Windows security baseline settings for Intune](https://docs.microsoft.com/en-us/mem/intune/protect/security-baseline-settings-mdm-all).
+For information about the MDM policies defined in the Intune security baseline, see [Windows security baseline settings for Intune](https://docs.microsoft.com/mem/intune/protect/security-baseline-settings-mdm-all).
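Review bot: The added line drops the en-us locale but the link is still absolute (https://docs.microsoft.com/mem/intune/...). Make it site-relative, /mem/intune/protect/security-baseline-settings-mdm-all, so the fix is complete in this commit.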
From cdf5b67974cb31aa23a673df58acb346ffe22c0e Mon Sep 17 00:00:00 2001
From: Rebecca Agiewich
Date: Tue, 10 Aug 2021 13:15:03 -0500
Subject: [PATCH 41/46] removing absolute link, changing to site-relative
---
windows/client-management/mdm/index.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/client-management/mdm/index.md b/windows/client-management/mdm/index.md
index 1ba26c7c91..a7236eea80 100644
--- a/windows/client-management/mdm/index.md
+++ b/windows/client-management/mdm/index.md
@@ -46,7 +46,7 @@ For more details about the MDM policies defined in the MDM security baseline and
- [MDM Security baseline for Windows 10, version 1809](https://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/1809-MDM-SecurityBaseLine-Document-[Preview].zip)
-For information about the MDM policies defined in the Intune security baseline, see [Windows security baseline settings for Intune](https://docs.microsoft.com/mem/intune/protect/security-baseline-settings-mdm-all).
+For information about the MDM policies defined in the Intune security baseline, see [Windows security baseline settings for Intune](/mem/intune/protect/security-baseline-settings-mdm-all).
From 01063e623a6271d263612f3adb292ccf0525aa9a Mon Sep 17 00:00:00 2001
From: MandiOhlinger
Date: Tue, 10 Aug 2021 16:30:56 -0400
Subject: [PATCH 42/46] Added sections to match article content
---
windows/deployment/TOC.yml | 224 ++++++++++++++++++++-----------------
1 file changed, 122 insertions(+), 102 deletions(-)
diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml
index 048a630323..2d99e3080b 100644
--- a/windows/deployment/TOC.yml
+++ b/windows/deployment/TOC.yml
@@ -321,57 +321,69 @@
- name: Active Directory-Based Activation Overview
href: volume-activation/active-directory-based-activation-overview.md
- name: Install and Configure VAMT
- href: volume-activation/install-configure-vamt.md
- - name: VAMT Requirements
- href: volume-activation/vamt-requirements.md
- - name: Install VAMT
- href: volume-activation/install-vamt.md
- - name: Configure Client Computers
- href: volume-activation/configure-client-computers-vamt.md
+ items:
+ - name: Overview
+ href: volume-activation/install-configure-vamt.md
+ - name: VAMT Requirements
+ href: volume-activation/vamt-requirements.md
+ - name: Install VAMT
+ href: volume-activation/install-vamt.md
+ - name: Configure Client Computers
+ href: volume-activation/configure-client-computers-vamt.md
- name: Add and Manage Products
- href: volume-activation/add-manage-products-vamt.md
- - name: Add and Remove Computers
- href: volume-activation/add-remove-computers-vamt.md
- - name: Update Product Status
- href: volume-activation/update-product-status-vamt.md
- - name: Remove Products
- href: volume-activation/remove-products-vamt.md
+ items:
+ - name: Overview
+ href: volume-activation/add-manage-products-vamt.md
+ - name: Add and Remove Computers
+ href: volume-activation/add-remove-computers-vamt.md
+ - name: Update Product Status
+ href: volume-activation/update-product-status-vamt.md
+ - name: Remove Products
+ href: volume-activation/remove-products-vamt.md
- name: Manage Product Keys
- href: volume-activation/manage-product-keys-vamt.md
- - name: Add and Remove a Product Key
- href: volume-activation/add-remove-product-key-vamt.md
- - name: Install a Product Key
- href: volume-activation/install-product-key-vamt.md
- - name: Install a KMS Client Key
- href: volume-activation/install-kms-client-key-vamt.md
+ items:
+ - name: Overview
+ href: volume-activation/manage-product-keys-vamt.md
+ - name: Add and Remove a Product Key
+ href: volume-activation/add-remove-product-key-vamt.md
+ - name: Install a Product Key
+ href: volume-activation/install-product-key-vamt.md
+ - name: Install a KMS Client Key
+ href: volume-activation/install-kms-client-key-vamt.md
- name: Manage Activations
- href: volume-activation/manage-activations-vamt.md
- - name: Perform Online Activation
- href: volume-activation/online-activation-vamt.md
- - name: Perform Proxy Activation
- href: volume-activation/proxy-activation-vamt.md
- - name: Perform KMS Activation
- href: volume-activation/kms-activation-vamt.md
- - name: Perform Local Reactivation
- href: volume-activation/local-reactivation-vamt.md
- - name: Activate an Active Directory Forest Online
- href: volume-activation/activate-forest-vamt.md
- - name: Activate by Proxy an Active Directory Forest
- href: volume-activation/activate-forest-by-proxy-vamt.md
+ items:
+ - name: Overview
+ href: volume-activation/manage-activations-vamt.md
+ - name: Perform Online Activation
+ href: volume-activation/online-activation-vamt.md
+ - name: Perform Proxy Activation
+ href: volume-activation/proxy-activation-vamt.md
+ - name: Perform KMS Activation
+ href: volume-activation/kms-activation-vamt.md
+ - name: Perform Local Reactivation
+ href: volume-activation/local-reactivation-vamt.md
+ - name: Activate an Active Directory Forest Online
+ href: volume-activation/activate-forest-vamt.md
+ - name: Activate by Proxy an Active Directory Forest
+ href: volume-activation/activate-forest-by-proxy-vamt.md
- name: Manage VAMT Data
- href: volume-activation/manage-vamt-data.md
- - name: Import and Export VAMT Data
- href: volume-activation/import-export-vamt-data.md
- - name: Use VAMT in Windows PowerShell
- href: volume-activation/use-vamt-in-windows-powershell.md
+ items:
+ - name: Overview
+ href: volume-activation/manage-vamt-data.md
+ - name: Import and Export VAMT Data
+ href: volume-activation/import-export-vamt-data.md
+ - name: Use VAMT in Windows PowerShell
+ href: volume-activation/use-vamt-in-windows-powershell.md
- name: VAMT Step-by-Step Scenarios
- href: volume-activation/vamt-step-by-step.md
- - name: "Scenario 1: Online Activation"
- href: volume-activation/scenario-online-activation-vamt.md
- - name: "Scenario 2: Proxy Activation"
- href: volume-activation/scenario-proxy-activation-vamt.md
- - name: "Scenario 3: KMS Client Activation"
- href: volume-activation/scenario-kms-activation-vamt.md
+ items:
+ - name: Overview
+ href: volume-activation/vamt-step-by-step.md
+ - name: "Scenario 1: Online Activation"
+ href: volume-activation/scenario-online-activation-vamt.md
+ - name: "Scenario 2: Proxy Activation"
+ href: volume-activation/scenario-proxy-activation-vamt.md
+ - name: "Scenario 3: KMS Client Activation"
+ href: volume-activation/scenario-kms-activation-vamt.md
- name: VAMT Known Issues
href: volume-activation/vamt-known-issues.md
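Review bot: "VAMT Known Issues" at the end of this hunk is left as unchanged context while every preceding VAMT entry is moved under a new items: list, so please confirm it ends up at the intended level of the tree. Each new group also gets a child named only "Overview"; since six groups in this hunk now carry an identical child name, consider whether a more specific label is needed for entries that may be shown without their parent.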
@@ -486,67 +498,75 @@
- name: Application Compatibility Toolkit (ACT) Technical Reference
items:
- name: SUA User's Guide
- href: planning/sua-users-guide.md
- - name: Using the SUA Wizard
- href: planning/using-the-sua-wizard.md
- - name: Using the SUA Tool
- href: planning/using-the-sua-tool.md
- - name: Tabs on the SUA Tool Interface
- href: planning/tabs-on-the-sua-tool-interface.md
- - name: Showing Messages Generated by the SUA Tool
- href: planning/showing-messages-generated-by-the-sua-tool.md
- - name: Applying Filters to Data in the SUA Tool
- href: planning/applying-filters-to-data-in-the-sua-tool.md
- - name: Fixing Applications by Using the SUA Tool
- href: planning/fixing-applications-by-using-the-sua-tool.md
+ items:
+ - name: Overview
+ href: planning/sua-users-guide.md
+ - name: Using the SUA Wizard
+ href: planning/using-the-sua-wizard.md
+ - name: Using the SUA Tool
+ href: planning/using-the-sua-tool.md
+ - name: Tabs on the SUA Tool Interface
+ href: planning/tabs-on-the-sua-tool-interface.md
+ - name: Showing Messages Generated by the SUA Tool
+ href: planning/showing-messages-generated-by-the-sua-tool.md
+ - name: Applying Filters to Data in the SUA Tool
+ href: planning/applying-filters-to-data-in-the-sua-tool.md
+ - name: Fixing Applications by Using the SUA Tool
+ href: planning/fixing-applications-by-using-the-sua-tool.md
- name: Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista
href: planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md
- name: Compatibility Administrator User's Guide
- href: planning/compatibility-administrator-users-guide.md
- - name: Using the Compatibility Administrator Tool
- href: planning/using-the-compatibility-administrator-tool.md
- - name: Available Data Types and Operators in Compatibility Administrator
- href: planning/available-data-types-and-operators-in-compatibility-administrator.md
- - name: Searching for Fixed Applications in Compatibility Administrator
- href: planning/searching-for-fixed-applications-in-compatibility-administrator.md
- - name: Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator
- href: planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md
- - name: Creating a Custom Compatibility Fix in Compatibility Administrator
- href: planning/creating-a-custom-compatibility-fix-in-compatibility-administrator.md
- - name: Creating a Custom Compatibility Mode in Compatibility Administrator
- href: planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md
- - name: Creating an AppHelp Message in Compatibility Administrator
- href: planning/creating-an-apphelp-message-in-compatibility-administrator.md
- - name: Viewing the Events Screen in Compatibility Administrator
- href: planning/viewing-the-events-screen-in-compatibility-administrator.md
- - name: Enabling and Disabling Compatibility Fixes in Compatibility Administrator
- href: planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md
- - name: Installing and Uninstalling Custom Compatibility Databases in Compatibility Administrator
- href: planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md
+ items:
+ - name: Overview
+ href: planning/compatibility-administrator-users-guide.md
+ - name: Using the Compatibility Administrator Tool
+ href: planning/using-the-compatibility-administrator-tool.md
+ - name: Available Data Types and Operators in Compatibility Administrator
+ href: planning/available-data-types-and-operators-in-compatibility-administrator.md
+ - name: Searching for Fixed Applications in Compatibility Administrator
+ href: planning/searching-for-fixed-applications-in-compatibility-administrator.md
+ - name: Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator
+ href: planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md
+ - name: Creating a Custom Compatibility Fix in Compatibility Administrator
+ href: planning/creating-a-custom-compatibility-fix-in-compatibility-administrator.md
+ - name: Creating a Custom Compatibility Mode in Compatibility Administrator
+ href: planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md
+ - name: Creating an AppHelp Message in Compatibility Administrator
+ href: planning/creating-an-apphelp-message-in-compatibility-administrator.md
+ - name: Viewing the Events Screen in Compatibility Administrator
+ href: planning/viewing-the-events-screen-in-compatibility-administrator.md
+ - name: Enabling and Disabling Compatibility Fixes in Compatibility Administrator
+ href: planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md
+ - name: Installing and Uninstalling Custom Compatibility Databases in Compatibility Administrator
+ href: planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md
- name: Managing Application-Compatibility Fixes and Custom Fix Databases
- href: planning/managing-application-compatibility-fixes-and-custom-fix-databases.md
- - name: Understanding and Using Compatibility Fixes
- href: planning/understanding-and-using-compatibility-fixes.md
- - name: Compatibility Fix Database Management Strategies and Deployment
- href: planning/compatibility-fix-database-management-strategies-and-deployment.md
- - name: Testing Your Application Mitigation Packages
- href: planning/testing-your-application-mitigation-packages.md
- - name: Using the Sdbinst.exe Command-Line Tool
- href: planning/using-the-sdbinstexe-command-line-tool.md
+ items:
+ - name: Overview
+ href: planning/managing-application-compatibility-fixes-and-custom-fix-databases.md
+ - name: Understanding and Using Compatibility Fixes
+ href: planning/understanding-and-using-compatibility-fixes.md
+ - name: Compatibility Fix Database Management Strategies and Deployment
+ href: planning/compatibility-fix-database-management-strategies-and-deployment.md
+ - name: Testing Your Application Mitigation Packages
+ href: planning/testing-your-application-mitigation-packages.md
+ - name: Using the Sdbinst.exe Command-Line Tool
+ href: planning/using-the-sdbinstexe-command-line-tool.md
- name: Volume Activation
- href: volume-activation/volume-activation-windows-10.md
- - name: Plan for volume activation
- href: volume-activation/plan-for-volume-activation-client.md
- - name: Activate using Key Management Service
- href: volume-activation/activate-using-key-management-service-vamt.md
- - name: Activate using Active Directory-based activation
- href: volume-activation/activate-using-active-directory-based-activation-client.md
- - name: Activate clients running Windows 10
- href: volume-activation/activate-windows-10-clients-vamt.md
- - name: Monitor activation
- href: volume-activation/monitor-activation-client.md
- - name: Use the Volume Activation Management Tool
- href: volume-activation/use-the-volume-activation-management-tool-client.md
+ items:
+ - name: Overview
+ href: volume-activation/volume-activation-windows-10.md
+ - name: Plan for volume activation
+ href: volume-activation/plan-for-volume-activation-client.md
+ - name: Activate using Key Management Service
+ href: volume-activation/activate-using-key-management-service-vamt.md
+ - name: Activate using Active Directory-based activation
+ href: volume-activation/activate-using-active-directory-based-activation-client.md
+ - name: Activate clients running Windows 10
+ href: volume-activation/activate-windows-10-clients-vamt.md
+ - name: Monitor activation
+ href: volume-activation/monitor-activation-client.md
+ - name: Use the Volume Activation Management Tool
+ href: volume-activation/use-the-volume-activation-management-tool-client.md
- name: "Appendix: Information sent to Microsoft during activation "
href: volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md
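Review bot: The Appendix entry after the new Volume Activation group is unchanged context while all of its former siblings are moved under items:, so check that it is still nested where the article structure expects it. Its name also carries a trailing space inside the quotes ("Appendix: Information sent to Microsoft during activation "), which can be trimmed while this block is being edited.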
From 2eceffbb693ee8d757a4d18379ebd269da8acf06 Mon Sep 17 00:00:00 2001
From: MandiOhlinger
Date: Tue, 10 Aug 2021 16:49:01 -0400
Subject: [PATCH 43/46] review updates
---
windows/deployment/TOC.yml | 46 +++++++++++++++++++-------------------
1 file changed, 23 insertions(+), 23 deletions(-)
diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml
index 2d99e3080b..d61509c788 100644
--- a/windows/deployment/TOC.yml
+++ b/windows/deployment/TOC.yml
@@ -273,7 +273,7 @@
href: upgrade/windows-10-upgrade-paths.md
- name: Deploy Windows 10 with Microsoft 365
href: deploy-m365.md
- - name: Understanding the Unified Update Platform
+ - name: Understand the Unified Update Platform
href: update/windows-update-overview.md
- name: Servicing stack updates
href: update/servicing-stack-updates.md
@@ -354,13 +354,13 @@
items:
- name: Overview
href: volume-activation/manage-activations-vamt.md
- - name: Perform Online Activation
+ - name: Run Online Activation
href: volume-activation/online-activation-vamt.md
- - name: Perform Proxy Activation
+ - name: Run Proxy Activation
href: volume-activation/proxy-activation-vamt.md
- - name: Perform KMS Activation
+ - name: Run KMS Activation
href: volume-activation/kms-activation-vamt.md
- - name: Perform Local Reactivation
+ - name: Run Local Reactivation
href: volume-activation/local-reactivation-vamt.md
- name: Activate an Active Directory Forest Online
href: volume-activation/activate-forest-vamt.md
@@ -501,17 +501,17 @@
items:
- name: Overview
href: planning/sua-users-guide.md
- - name: Using the SUA Wizard
+ - name: Use the SUA Wizard
href: planning/using-the-sua-wizard.md
- - name: Using the SUA Tool
+ - name: Use the SUA Tool
href: planning/using-the-sua-tool.md
- name: Tabs on the SUA Tool Interface
href: planning/tabs-on-the-sua-tool-interface.md
- - name: Showing Messages Generated by the SUA Tool
+ - name: Show Messages Generated by the SUA Tool
href: planning/showing-messages-generated-by-the-sua-tool.md
- - name: Applying Filters to Data in the SUA Tool
+ - name: Apply Filters to Data in the SUA Tool
href: planning/applying-filters-to-data-in-the-sua-tool.md
- - name: Fixing Applications by Using the SUA Tool
+ - name: Fix apps using the SUA Tool
href: planning/fixing-applications-by-using-the-sua-tool.md
- name: Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista
href: planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md
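Review bot: The renamed entry "Fix apps using the SUA Tool" uses sentence case and shortens "Applications" to "apps", while the siblings renamed in this same hunk keep title case ("Use the SUA Wizard", "Apply Filters to Data in the SUA Tool"). Pick one convention for the group, for example "Fix Applications Using the SUA Tool".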
@@ -519,37 +519,37 @@
items:
- name: Overview
href: planning/compatibility-administrator-users-guide.md
- - name: Using the Compatibility Administrator Tool
+ - name: Use the Compatibility Administrator Tool
href: planning/using-the-compatibility-administrator-tool.md
- name: Available Data Types and Operators in Compatibility Administrator
href: planning/available-data-types-and-operators-in-compatibility-administrator.md
- - name: Searching for Fixed Applications in Compatibility Administrator
+ - name: Search for Fixed Applications in Compatibility Administrator
href: planning/searching-for-fixed-applications-in-compatibility-administrator.md
- - name: Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator
+ - name: Search for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator
href: planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md
- - name: Creating a Custom Compatibility Fix in Compatibility Administrator
+ - name: Create a Custom Compatibility Fix in Compatibility Administrator
href: planning/creating-a-custom-compatibility-fix-in-compatibility-administrator.md
- - name: Creating a Custom Compatibility Mode in Compatibility Administrator
+ - name: Create a Custom Compatibility Mode in Compatibility Administrator
href: planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md
- - name: Creating an AppHelp Message in Compatibility Administrator
+ - name: Create an AppHelp Message in Compatibility Administrator
href: planning/creating-an-apphelp-message-in-compatibility-administrator.md
- - name: Viewing the Events Screen in Compatibility Administrator
+ - name: View the Events Screen in Compatibility Administrator
href: planning/viewing-the-events-screen-in-compatibility-administrator.md
- - name: Enabling and Disabling Compatibility Fixes in Compatibility Administrator
+ - name: Enable and Disable Compatibility Fixes in Compatibility Administrator
href: planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md
- - name: Installing and Uninstalling Custom Compatibility Databases in Compatibility Administrator
+ - name: Install and Uninstall Custom Compatibility Databases in Compatibility Administrator
href: planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md
- - name: Managing Application-Compatibility Fixes and Custom Fix Databases
+ - name: Manage Application-Compatibility Fixes and Custom Fix Databases
items:
- name: Overview
href: planning/managing-application-compatibility-fixes-and-custom-fix-databases.md
- - name: Understanding and Using Compatibility Fixes
+ - name: Understand and Use Compatibility Fixes
href: planning/understanding-and-using-compatibility-fixes.md
- name: Compatibility Fix Database Management Strategies and Deployment
href: planning/compatibility-fix-database-management-strategies-and-deployment.md
- - name: Testing Your Application Mitigation Packages
+ - name: Test Your Application Mitigation Packages
href: planning/testing-your-application-mitigation-packages.md
- - name: Using the Sdbinst.exe Command-Line Tool
+ - name: Use the Sdbinst.exe Command-Line Tool
href: planning/using-the-sdbinstexe-command-line-tool.md
- name: Volume Activation
items:
From 89a32e3a8fbd106cdc17d8e7cd3293cf43a56aad Mon Sep 17 00:00:00 2001
From: Daniel Simpson
Date: Tue, 10 Aug 2021 17:28:07 -0700
Subject: [PATCH 44/46] updating applies To
---
...able-virtualization-based-protection-of-code-integrity.md | 3 ++-
...-for-virtualization-based-protection-of-code-integrity.md | 3 ++-
.../configure-md-app-guard.md | 2 +-
.../faq-md-app-guard.yml | 3 ++-
.../install-md-app-guard.md | 2 +-
.../md-app-guard-overview.md | 3 ++-
.../reqs-md-app-guard.md | 5 +++--
.../test-scenarios-md-app-guard.md | 2 +-
8 files changed, 14 insertions(+), 9 deletions(-)
diff --git a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
index 429cc12f93..1ede3ef4ed 100644
--- a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
@@ -17,7 +17,8 @@ ms.technology: mde
# Enable virtualization-based protection of code integrity
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+**Applies to**
+- Windows 10
This topic covers different ways to enable Hypervisor-protected code integrity (HVCI) on Windows 10.
Some applications, including device drivers, may be incompatible with HVCI.
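Review bot: The new "**Applies to**" label has no colon, while configure-md-app-guard.md in this same patch uses "**Applies to:**"; use one form across the eight files. The hunk header also shows the front matter still sets ms.technology: mde although the Defender for Endpoint reference is being removed from the body, so confirm whether the metadata should change with it.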
diff --git a/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
index 21b9780bc2..4065b2122a 100644
--- a/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
@@ -18,7 +18,8 @@ ms.technology: mde
# Baseline protections and additional qualifications for virtualization-based protection of code integrity
-**Applies to** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+**Applies to**
+- Windows 10
Computers must meet certain hardware, firmware, and software requirements in order to take advantage of all of the virtualization-based security (VBS) features in [Windows Defender Device Guard](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md). Computers lacking these requirements can still be protected by Windows Defender Application Control (WDAC) policies—the difference is that those computers will not be as hardened against certain threats.
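Review bot: The hunk header shows the front matter still carries `ms.technology: mde`, while the added lines scope the page to Windows 10 instead of Microsoft Defender for Endpoint. If the product scope really changed, check whether that metadata value should change with it. If it is intentionally left as is, say so in the commit message, which currently gives no reason for the change.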
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md
index 593984f0dc..d2ee8b1f7a 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md
@@ -19,7 +19,7 @@ ms.technology: mde
**Applies to:**
-- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
+- Windows 10
Microsoft Defender Application Guard (Application Guard) works with Group Policy to help you manage your organization's computer settings. By using Group Policy, you can configure a setting once, and then copy it onto many computers. For example, you can set up multiple security settings in a Group Policy Object, which is linked to a domain, and then apply all those settings to every endpoint in the domain.
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml
index 7a2cd61939..f9e4018321 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml
@@ -17,7 +17,8 @@ metadata:
title: Frequently asked questions - Microsoft Defender Application Guard
summary: |
- **Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+ **Applies to**
+- Windows 10
This article lists frequently asked questions with answers for Microsoft Defender Application Guard (Application Guard). Questions span features, integration with the Windows operating system, and general configuration.
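Review bot: Inside the `summary: |` block scalar the second added line, `- Windows 10`, starts at column 0 while `**Applies to**` is indented, so the list item falls outside the scalar and the file no longer parses as the intended YAML. Indent `- Windows 10` to the same level as the rest of the summary text.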
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md
index f3cbd518da..994ade09de 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md
@@ -18,7 +18,7 @@ ms.technology: mde
# Prepare to install Microsoft Defender Application Guard
**Applies to:**
-- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
+- - Windows 10
## Review system requirements
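Review bot: The added line `- - Windows 10` has a doubled list marker, so it renders as a nested bullet rather than the single `- Windows 10` item used in the other files of this patch. Drop the extra `- `.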
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
index 83850f5a21..de798293db 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
@@ -17,7 +17,8 @@ ms.technology: mde
# Microsoft Defender Application Guard overview
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+**Applies to**
+- Windows 10
Microsoft Defender Application Guard (Application Guard) is designed to help prevent old and newly emerging attacks to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy the playbook that attackers use by making current attack methods obsolete.
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md
index a54f8667cd..fb162b5632 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md
@@ -1,5 +1,5 @@
---
-title: System requirements for Microsoft Defender Application Guard (Windows 10)
+title: System requirements for Microsoft Defender Application Guard
description: Learn about the system requirements for installing and running Microsoft Defender Application Guard.
ms.prod: m365-security
ms.mktglfcycl: manage
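Review bot: Dropping "(Windows 10)" from the front-matter `title` goes beyond what the subject line "updating applies To" describes. The new title matches the page's H1, which is reasonable, but the change should be mentioned in the commit message or split into its own commit so it is not missed in review.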
@@ -17,7 +17,8 @@ ms.technology: mde
# System requirements for Microsoft Defender Application Guard
-**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+**Applies to**
+- Windows 10
The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks. Microsoft Defender Application Guard is designed to help prevent old, and newly emerging attacks, to help keep employees productive.
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md
index 9baa7baa78..74525211f8 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md
@@ -19,7 +19,7 @@ ms.technology: mde
**Applies to:**
-- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
+- Windows 10
We've come up with a list of scenarios that you can use to test hardware-based isolation in your organization.
From d24bdc73626de3a3dfb506915c006e87927a3fd1 Mon Sep 17 00:00:00 2001
From: Daniel Simpson
Date: Tue, 10 Aug 2021 17:33:51 -0700
Subject: [PATCH 45/46] fixing yml
---
.../microsoft-defender-application-guard/faq-md-app-guard.yml | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml
index f9e4018321..9ad53a26f5 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml
@@ -17,8 +17,7 @@ metadata:
title: Frequently asked questions - Microsoft Defender Application Guard
summary: |
- **Applies to**
-- Windows 10
+
This article lists frequently asked questions with answers for Microsoft Defender Application Guard (Application Guard). Questions span features, integration with the Windows operating system, and general configuration.
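Review bot: Removing both `**Applies to**` and `- Windows 10` clears the YAML problem but leaves the FAQ as the only one of the eight files touched in PATCH 44/46 with no "Applies to" statement. If the statement is wanted here, keep both lines and indent the list item inside the `summary: |` block instead of deleting them.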
From c05ee20c3ab1efa5fa3f7f3ba0592b35274287ce Mon Sep 17 00:00:00 2001
From: Gary Moore
Date: Tue, 10 Aug 2021 17:46:10 -0700
Subject: [PATCH 46/46] Corrected horizontal presentation of bulleted list
---
windows/client-management/mdm/defender-csp.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md
index 614c91e54a..73237ce6c0 100644
--- a/windows/client-management/mdm/defender-csp.md
+++ b/windows/client-management/mdm/defender-csp.md
@@ -803,8 +803,8 @@ The data type is integer.
Supported operations are Add, Delete, Get, Replace.
Valid values are:
-• 1 – Enabled.
-• 0 (default) – Not Configured.
+- 1 – Enabled.
+- 0 (default) – Not Configured.
More details: