diff --git a/.acrolinx-config.edn b/.acrolinx-config.edn
index 64354d7a64..9f8eac523b 100644
--- a/.acrolinx-config.edn
+++ b/.acrolinx-config.edn
@@ -1,4 +1,4 @@
-{:allowed-branchname-matches ["master" "main"]
+{:allowed-branchname-matches ["main"]
:allowed-filename-matches ["windows/"]
:targets
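Review bot: dropping "master" from :allowed-branchname-matches on the first line means Acrolinx checks will no longer run for any pull request that still targets master; confirm the default branch has already been switched and no open PRs target master, otherwise merge those first or keep both names until the cutover is complete.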
diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index f9ebdac192..389a789ca5 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -405,13 +405,13 @@
{
"path_to_root": "_themes.pdf",
"url": "https://github.com/Microsoft/templates.docs.msft.pdf",
- "branch": "master",
+ "branch": "main",
"branch_mapping": {}
},
{
"path_to_root": "_themes",
"url": "https://github.com/Microsoft/templates.docs.msft",
- "branch": "master",
+ "branch": "main",
"branch_mapping": {}
}
],
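Review bot: the two "branch": "main" changes for _themes.pdf and _themes point at external repos (templates.docs.msft.pdf and templates.docs.msft), so the publish build will fail to fetch the themes if those repos have not renamed their own default branch; verify a main branch exists in both before merging rather than assuming their rename happened in step with this one.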
@@ -420,7 +420,7 @@
"Publish",
"Pdf"
],
- "master": [
+ "main": [
"Publish",
"Pdf"
]
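Review bot: renaming the "master" key to "main" in the branches map changes which branch receives the Publish and Pdf targets; any release or hotfix process that still pushes to master will build nothing and report no error. Record the cutover in the PR description so whoever investigates a missing publish later can find it.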
diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index f505c1d9de..1c4202d44b 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -19306,6 +19306,31 @@
"source_path": "windows/privacy/license-terms-windows-diagnostic-data-for-powershell.md",
"redirect_url": "/legal/windows/license-terms-windows-diagnostic-data-for-powershell",
"redirect_document_id": false
+ },
+ {
+ "source_path": "windows/privacy/windows-endpoints-1709-non-enterprise-editions.md",
+ "redirect_url": "/windows/privacy/windows-endpoints-21h1-non-enterprise-editions",
+ "redirect_document_id": true
+ },
+ {
+ "source_path": "windows/privacy/windows-endpoints-1803-non-enterprise-editions.md",
+ "redirect_url": "/windows/privacy/windows-endpoints-21h1-non-enterprise-editions",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/privacy/manage-windows-1709-endpoints.md",
+ "redirect_url": "/windows/privacy/manage-windows-21h2-endpoints",
+ "redirect_document_id": true
+ },
+ {
+ "source_path": "windows/privacy/manage-windows-1803-endpoints.md",
+ "redirect_url": "/windows/privacy/manage-windows-21h2-endpoints",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/whats-new/windows-11-whats-new.md",
+ "redirect_url": "/windows/whats-new/windows-11-overview",
+ "redirect_document_id": false
}
]
}
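Review bot: the new redirect entries send the two retired version families to different targets: the 1709 and 1803 non-enterprise pages go to windows-endpoints-21h1-non-enterprise-editions, while the 1709 and 1803 Enterprise pages go to manage-windows-21h2-endpoints; pick one target version per family or state why they differ. Also confirm that manage-windows-21h2-endpoints exists, since no such file is added in this diff and the other files in this commit link it as manage-windows-21H2-endpoints.md. Setting redirect_document_id to true on the 1709 entries only is correct as long as a single source carries the document ID per target.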
diff --git a/windows/client-management/mdm/Language-pack-management-csp.md b/windows/client-management/mdm/Language-pack-management-csp.md
index 0a1e9f72a4..4c10dc0ad9 100644
--- a/windows/client-management/mdm/Language-pack-management-csp.md
+++ b/windows/client-management/mdm/Language-pack-management-csp.md
@@ -13,41 +13,71 @@ ms.date: 06/22/2021
# Language Pack Management CSP
+The Language Pack Management CSP allows a direct way to provision languages remotely in Windows. MDMs like Intune can use management commands remotely to devices to configure language-related settings for System and new users.
-The Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10 and Windows 10 X. A separate CSP exists to allow provisioning of "optional FODs" (Handwriting recognition, Text-to-speech, and so on) associated with a language. MDMs like Intune can use management commands remotely to devices to configure language related settings.
+1. Enumerate installed languages and features with GET command on the "InstalledLanguages" node. Below are the samples:
-1. Enumerate installed languages with GET command on the "InstalledLanguages" node
-
**GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages**
**GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/zh-CN/Providers**
- **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/ja-JP/Providers**
+ **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/zh-CN/LanguageFeatures**
+ **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/ja-JP/Providers**
+ **GET./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/ja-JP/LanguageFeatures**
- The nodes under **InstalledLanguages** are the language tags of the installed languages. The **providers** node under language tag is the bit map representation of either "language pack (feature)" or [LXPs](https://www.microsoft.com/store/collections/localexperiencepacks?cat0=devices&rtc=1).
- - Indicates the language pack installed is a System Language Pack (non-LXP)
- - Indicates that the LXP is installed.
- - Indicates that both are installed.
+ The nodes under **InstalledLanguages** are the language tags of the installed languages. The **providers** node under language tag is an integer representation of either [language pack](/windows-hardware/manufacture/desktop/available-language-packs-for-windows?view=windows-11&preserve-view=true) or [LXPs](https://www.microsoft.com/store/collections/localexperiencepacks?cat0=devices&rtc=1).
-2. Install language pack features with the EXECUTE command on the **StartInstall** node of the language. For example,
+ - **1**- Indicates that only the Language Pack cab is installed.
+ - **2**- Indicates that only the LXP is installed.
+ - **3**- Indicates that both are installed.
- **ADD./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/**
- **EXECUTE./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/StartInstallation**
+ The **LanguageFeatures** node is a bitmap representation of what [Language Features](/windows-hardware/manufacture/desktop/features-on-demand-language-fod?view=windows-11&preserve-view=true) are installed for a language on a device:
- The installation is an asynchronous operation. You can query the **Status** node by using the following commands:
+ - Basic Typing = 0x1
+ - Fonts = 0x2
+ - Handwriting = 0x4
+ - Speech = 0x8
+ - TextToSpeech = 0x10
+ - OCR = 0x20
+ - LocaleData = 0x40
+ - SupplementFonts = 0x80
+
+2. Install language pack and features with the EXECUTE command on the **StartInstallation** node of the language. The language installation will try to install the best matched language packs and features for the provided language.
+
+ > [!NOTE]
+ > If not previously set, installation will set the policy to block cleanup of unused language packs and features on the device to prevent unexpected deletion.
+
+ - Admins can optionally copy the language to the device’s international settings immediately after installation by using the REPLACE command on the "CopyToDeviceInternationalSettings" node of the language. false (default)- will take no action; true- will set the following international settings to reflect the newly installed language:
+ - System Preferred UI Language
+ - System Locale
+ - Default settings for new users
+ - Input Method (keyboard)
+ - Locale
+ - Speech Recognizer
+ - User Preferred Language List
+ - Admins can optionally configure whether they want to install all available language features during installation using the REPLACE command on the "EnableLanguageFeatureInstallations" node of the language. false- will install only required features; true (default)- will install all available features.
+
+ Here are the sample commands to install French language with required features and copy to the device's international settings:
+
+ 1. **ADD ./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/**
+ 2. **REPLACE ./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/CopyToDeviceInternationalSettings (true)**
+ 3. **REPLACE ./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/EnableLanguageFeatureInstallations (false)**
+ 4. **EXECUTE ./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/StartInstallation**
+
+ The installation is an asynchronous operation. You can query the **Status** or **ErrorCode** nodes by using the following commands:
**GET./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/Status**
**GET./Device/Vendor/MSFT/LanguagePackManagement/Install/fr-FR/ErrorCode**
- Status: 0 – not started; 1 – in process; 2 – succeeded; 3 – failed. ErrorCode is a HRESULT that could help diagnosis if the installation failed.
+ Status: 0 – not started; 1 – in progress; 2 – succeeded; 3 – failed; 4 - partial success (A partial success indicates not all the provisioning operations succeeded, for example, there was an error installing the language pack or features).
- > [!NOTE]
- > If IT admin has NOT set the policy of blocking cleanup of unused language packs, this command will fail.
+ ErrorCode: An HRESULT that could help diagnosis if the installation failed or partially failed.
-3. Delete installed Language with the DELETE command on the installed language tag. The delete command is a fire and forget operation. The deletion will run in background. IT admin can query the installed language later and resend the command if needed.
+3. Delete installed Language with the DELETE command on the installed language tag. The delete command is a fire and forget operation. The deletion will run in background. IT admin can query the installed language later and resend the command if needed. Below is a sample command to delete the zh-CN language.
+ **DELETE./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/zh-CN**
- **DELETE./Device/Vendor/MSFT/LanguagePackManagement/InstalledLanguages/zh-CN(Delete command)**
+ > [!NOTE]
+ > The deletion will ignore the policy of block cleanup of unused language packs.
4. Get/Set System Preferred UI Language with GET or REPLACE command on the "SystemPreferredUILanguages" Node
-
**./Device/Vendor/MSFT/LanguagePackManagement/LanguageSettings/SystemPreferredUILanguages**
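Review bot: ms.date in the hunk context still reads 06/22/2021 although this topic is substantially rewritten (the LanguageFeatures bitmap, the CopyToDeviceInternationalSettings and EnableLanguageFeatureInstallations nodes, and Status value 4 are all new); bump it so readers can tell these nodes are newer than the original page. Smaller points in the same hunk: the sample commands mix "GET./Device/..." with no space after the verb and "ADD ./Device/..." with one, the Status line mixes an en dash ("0 – not started") with a hyphen ("4 - partial success"), and "could help diagnosis" should read "could help diagnose".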
diff --git a/windows/deployment/update/windows-update-resources.md b/windows/deployment/update/windows-update-resources.md
index fedd94b39a..8173d6ca5b 100644
--- a/windows/deployment/update/windows-update-resources.md
+++ b/windows/deployment/update/windows-update-resources.md
@@ -84,8 +84,8 @@ If all else fails, try resetting the Windows Update Agent by running these comma
```
2. Reset the **BITS service** and the **Windows Update service** to the default security descriptor. To do this, type the following commands at a command prompt. Press ENTER after you type each command.
``` console
- sc.exe sdset bits D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
- sc.exe sdset wuauserv D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
+ sc.exe sdset bits D:(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)
+ sc.exe sdset wuauserv D:(A;;CCLCSWRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)
```
5. Type the following command at a command prompt, and then press ENTER:
``` console
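Review bot: the replacement SDDL strings in the two sc.exe sdset lines are presented as the "default security descriptor" for BITS and wuauserv, but nothing says which Windows release they were captured from, and they differ materially from the old ones (the Authenticated Users and Power Users ACEs are gone from bits, SY now has CI and full access, and wuauserv grants AU CCLCSWRPLORC instead of the old read-only set); cite the source build, and consider adding a step that runs sc.exe sdshow bits and sc.exe sdshow wuauserv and saves the output before applying, since sdset overwrites the descriptor with no undo. Confirm both strings were pasted verbatim from sdshow rather than edited by hand, because a single mistyped right in a service DACL is easy to miss and hard to diagnose.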
diff --git a/windows/hub/index.yml b/windows/hub/index.yml
index cd0a734c01..278064b469 100644
--- a/windows/hub/index.yml
+++ b/windows/hub/index.yml
@@ -44,10 +44,10 @@ productDirectory:
summary: Learn more about what's new, what's updated, and what you get in Windows 11 # < 160 chars (optional)
items:
# Card
- - title: What's new in Windows 11
+ - title: Windows 11 overview
imageSrc: /windows/resources/images/winlogo.svg
summary: Get more information about features and improvements that are important to admins
- url: /windows/whats-new/windows-11-whats-new
+ url: /windows/whats-new/windows-11-overview
- title: Windows 11 requirements
imageSrc: /windows/resources/images/winlogo.svg
summary: See the system requirements for Windows 11, including running Windows 11 on a virtual machine
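Review bot: the card url now points at /windows/whats-new/windows-11-overview, but no windows-11-overview.md is added in this diff; confirm the target exists, since the redirect entry for windows-11-whats-new added in .openpublishing.redirection.json also lands there and a missing target would break both the hub card and the redirect. The title change to "Windows 11 overview" matches that redirect.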
@@ -80,9 +80,9 @@ conceptualContent:
# card
- title: Overview
links:
- - url: /windows/whats-new/windows-11-whats-new
+ - url: /windows/whats-new/windows-11-overview
itemType: overview
- text: What's new in Windows 11
+ text: Windows 11 overview
- url: /windows/whats-new/windows-11-plan
itemType: overview
text: Plan for Windows 11
diff --git a/windows/privacy/essential-services-and-connected-experiences.md b/windows/privacy/essential-services-and-connected-experiences.md
index eceb613db4..b84bda7733 100644
--- a/windows/privacy/essential-services-and-connected-experiences.md
+++ b/windows/privacy/essential-services-and-connected-experiences.md
@@ -106,12 +106,11 @@ To view endpoints for Windows Enterprise, see:
- [Manage connection endpoints for Windows 11](manage-windows-11-endpoints.md)
- [Manage connection endpoints for Windows 10, version 21H1](manage-windows-21H1-endpoints.md)
+- [Manage connection endpoints for Windows 10, version 21H2](manage-windows-21H2-endpoints.md)
- [Manage connection endpoints for Windows 10, version 20H2](manage-windows-20h2-endpoints.md)
- [Manage connection endpoints for Windows 10, version 1909](manage-windows-1909-endpoints.md)
- [Manage connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints.md)
- [Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md)
-- [Manage connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md)
-- [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md)
To view endpoints for non-Enterprise Windows editions, see:
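Review bot: the list runs from newest to oldest (Windows 11, 21H1, 20H2, 1909, ...), so the new 21H2 line belongs above the 21H1 line rather than below it. Also check the case of the link target: it is written manage-windows-21H2-endpoints.md here but the redirect added in this commit uses manage-windows-21h2-endpoints, so make sure the link matches the real filename.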
@@ -121,5 +120,3 @@ To view endpoints for non-Enterprise Windows editions, see:
- [Windows 10, version 1909, connection endpoints for non-Enterprise editions](windows-endpoints-1909-non-enterprise-editions.md)
- [Windows 10, version 1903, connection endpoints for non-Enterprise editions](windows-endpoints-1903-non-enterprise-editions.md)
- [Windows 10, version 1809, connection endpoints for non-Enterprise editions](windows-endpoints-1809-non-enterprise-editions.md)
-- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md)
-- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md)
\ No newline at end of file
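Review bot: the file still ends without a trailing newline (the "\ No newline at end of file" marker follows the last removed line); since the end of the list is being edited anyway, add the newline so the next change does not show a spurious diff on the 1809 line.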
diff --git a/windows/privacy/manage-windows-11-endpoints.md b/windows/privacy/manage-windows-11-endpoints.md
index f17e78125e..d2770a3edf 100644
--- a/windows/privacy/manage-windows-11-endpoints.md
+++ b/windows/privacy/manage-windows-11-endpoints.md
@@ -137,12 +137,11 @@ The following methodology was used to derive these network endpoints:
To view endpoints for other versions of Windows 10 Enterprise, see:
- [Manage connection endpoints for Windows 10, version 21H1](manage-windows-21H1-endpoints.md)
+- [Manage connection endpoints for Windows 10, version 21H2](manage-windows-21H2-endpoints.md)
- [Manage connection endpoints for Windows 10, version 2004](manage-windows-2004-endpoints.md)
- [Manage connection endpoints for Windows 10, version 1909](manage-windows-1909-endpoints.md)
- [Manage connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints.md)
- [Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md)
-- [Manage connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md)
-- [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md)
To view endpoints for non-Enterprise Windows 10 editions, see:
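Review bot: the 21H2 link is inserted below 21H1 in a list that otherwise runs newest to oldest (21H1, 2004, 1909, 1903, 1809); move it above the 21H1 line.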
@@ -151,8 +150,6 @@ To view endpoints for non-Enterprise Windows 10 editions, see:
- [Windows 10, version 1909, connection endpoints for non-Enterprise editions](windows-endpoints-1909-non-enterprise-editions.md)
- [Windows 10, version 1903, connection endpoints for non-Enterprise editions](windows-endpoints-1903-non-enterprise-editions.md)
- [Windows 10, version 1809, connection endpoints for non-Enterprise editions](windows-endpoints-1809-non-enterprise-editions.md)
-- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md)
-- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md)
## Related links
diff --git a/windows/privacy/manage-windows-1709-endpoints.md b/windows/privacy/manage-windows-1709-endpoints.md
deleted file mode 100644
index f3bc7923bd..0000000000
--- a/windows/privacy/manage-windows-1709-endpoints.md
+++ /dev/null
@@ -1,460 +0,0 @@
----
-title: Connection endpoints for Windows 10 Enterprise, version 1709
-description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact. Specific to Windows 10 Enterprise, version 1709.
-keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.localizationpriority: high
-audience: ITPro
-author: dansimp
-ms.author: dansimp
-manager: dansimp
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.date: 11/29/2021
-ms.reviewer:
-ms.technology: privacy
----
-# Manage connection endpoints for Windows 10 Enterprise, version 1709
-
-**Applies to**
-
-- Windows 10 Enterprise, version 1709
-
-Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some examples include:
-
-- Connecting to Microsoft Office and Windows sites to download the latest app and security updates.
-- Connecting to email servers to send and receive email.
-- Connecting to the web for every day web browsing.
-- Connecting to the cloud to store and access backups.
-- Using your location to show a weather forecast.
-
-This article lists different endpoints that are available on a clean installation of Windows 10, version 1709 and later.
-Details about the different ways to control traffic to these endpoints are covered in [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md).
-Where applicable, each endpoint covered in this article includes a link to specific details about how to control traffic to it.
-
-We used the following methodology to derive these network endpoints:
-
-1. Set up the latest version of Windows 10 on a test virtual machine using the default settings.
-2. Leave the devices running idle for a week (that is, a user isn't interacting with the system/device).
-3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
-4. Compile reports on traffic going to public IP addresses.
-5. The test virtual machine was logged in using a local account and wasn't joined to a domain or Azure Active Directory.
-6. All traffic was captured in our lab using a IPV4 network. As such no IPV6 traffic is reported here.
-
-> [!NOTE]
-> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time.
-
-## Windows 10 Enterprise connection endpoints
-
-## Apps
-
-The following endpoint is used to download updates to the Weather app Live Tile.
-If you [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#live-tiles), no Live Tiles will be updated.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| explorer | HTTP | tile-service.weather.microsoft.com |
-
-The following endpoint is used for OneNote Live Tile.
-To turn off traffic for this endpoint, either uninstall OneNote or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
-If you disable the Microsoft store, other Store apps cannot be installed or updated.
-Additionally, the Microsoft Store can't revoke malicious Store apps and users can still open them.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| | HTTPS | cdn.onenote.net/livetile/?Language=en-US |
-
-The following endpoints are used for Twitter updates.
-To turn off traffic for these endpoints, either uninstall Twitter or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
-If you disable the Microsoft store, other Store apps cannot be installed or updated.
-Additionally, the Microsoft Store can't revoke malicious Store apps and users can still open them.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| | HTTPS | wildcard.twimg.com |
-| svchost.exe | | oem.twimg.com/windows/tile.xml |
-
-The following endpoint is used for Facebook updates.
-To turn off traffic for this endpoint, either uninstall Facebook or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
-If you disable the Microsoft store, other Store apps cannot be installed or updated.
-Additionally, the Microsoft Store can't revoke malicious Store apps and users can still open them.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| | | star-mini.c10r.facebook.com |
-
-The following endpoint is used by the Photos app to download configuration files, and to connect to the Microsoft 365 admin center's shared infrastructure, including Office.
-To turn off traffic for this endpoint, either uninstall the Photos app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
-If you disable the Microsoft store, other Store apps cannot be installed or updated.
-Additionally, the Microsoft Store can't revoke malicious Store apps and users can still open them.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| WindowsApps\Microsoft.Windows.Photos | HTTPS | evoke-windowsservices-tas.msedge.net |
-
-The following endpoint is used for Candy Crush Saga updates.
-To turn off traffic for this endpoint, either uninstall Candy Crush Saga or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
-If you disable the Microsoft store, other Store apps cannot be installed or updated.
-Additionally, the Microsoft Store can't revoke malicious Store apps and users can still open them.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| | TLS v1.2 | candycrushsoda.king.com |
-
-The following endpoint is used for by the Microsoft Wallet app.
-To turn off traffic for this endpoint, either uninstall the Wallet app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
-If you disable the Microsoft store, other Store apps cannot be installed or updated.
-Additionally, the Microsoft Store can't revoke malicious Store apps and users can still open them.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| system32\AppHostRegistrationVerifier.exe | HTTPS | wallet.microsoft.com |
-
-The following endpoint is used by the Groove Music app for update HTTP handler status.
-If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-apps-for-websites), apps for websites won't work and customers who visit websites (such as mediaredirect.microsoft.com) that are registered with their associated app (such as Groove Music) will stay at the website and can't directly launch the app.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| system32\AppHostRegistrationVerifier.exe | HTTPS | mediaredirect.microsoft.com |
-
-## Cortana and Search
-
-The following endpoint is used to get images that are used for Microsoft Store suggestions.
-If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you'll block images that are used for Microsoft Store suggestions.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| searchui | HTTPS |store-images.s-microsoft.com |
-
-The following endpoint is used to update Cortana greetings, tips, and Live Tiles.
-If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you'll block updates to Cortana greetings, tips, and Live Tiles.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| backgroundtaskhost | HTTPS | www.bing.com/client |
-
-The following endpoint is used to configure parameters, such as how often the Live Tile is updated. It's also used to activate experiments.
-If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), parameters wouldn't be updated and the device would no longer participate in experiments.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| backgroundtaskhost | HTTPS | www.bing.com/proactive |
-
-The following endpoint is used by Cortana to report diagnostic and diagnostic data information.
-If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), Microsoft won't be aware of issues with Cortana and can't fix them.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| searchui
backgroundtaskhost | HTTPS | www.bing.com/threshold/xls.aspx |
-
-## Certificates
-
-The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It's possible to [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update), but that isn't recommended because when root certificates are updated over time, applications and websites may stop working because they didn't receive an updated root certificate the application uses.
-
-Additionally, it's used to download certificates that are publicly known to be fraudulent.
-These settings are critical for both Windows security and the overall security of the Internet.
-We don't recommend blocking this endpoint.
-If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| svchost | HTTP | ctldl.windowsupdate.com |
-
-## Device authentication
-
-The following endpoint is used to authenticate a device.
-If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), the device will not be authenticated.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| | HTTPS | login.live.com/ppsecure |
-
-## Device metadata
-
-The following endpoint is used to retrieve device metadata.
-If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-devinst), metadata will not be updated for the device.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| | | dmd.metaservices.microsoft.com.akadns.net |
-
-## Diagnostic Data
-
-The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
-If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| svchost | | cy2.vortex.data.microsoft.com.akadns.net |
-
-The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
-If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| svchost | | v10.vortex-win.data.microsoft.com/collect/v1 |
-
-The following endpoints are used by Windows Error Reporting.
-To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| wermgr | | watson.telemetry.microsoft.com |
-| | TLS v1.2 | modern.watson.data.microsoft.com.akadns.net |
-
-## Font streaming
-
-The following endpoints are used to download fonts on demand.
-If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#font-streaming), you will not be able to download fonts on demand.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| svchost | | fs.microsoft.com |
-| | | fs.microsoft.com/fs/windows/config.json |
-
-## Licensing
-
-The following endpoint is used for online activation and some app licensing.
-To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| licensemanager | HTTPS | licensing.mp.microsoft.com/v7.0/licenses/content |
-
-## Location
-
-The following endpoint is used for location data.
-If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-location), apps cannot use location data.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| | HTTP | location-inference-westus.cloudapp.net |
-
-## Maps
-
-The following endpoint is used to check for updates to maps that have been downloaded for offline use.
-If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-offlinemaps), offline maps will not be updated.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| svchost | HTTPS | *g.akamaiedge.net |
-
-## Microsoft account
-
-The following endpoints are used for Microsoft accounts to sign in.
-If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account), users cannot sign in with Microsoft accounts.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| | | login.msa.akadns6.net |
-| system32\Auth.Host.exe | HTTPS | auth.gfx.ms |
-
-## Microsoft Store
-
-The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way.
-If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#live-tiles), push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| | | *.wns.windows.com |
-
-The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store.
-To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| | HTTP | storecatalogrevocation.storequality.microsoft.com |
-
-The following endpoints are used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps).
-If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| | HTTPS | img-prod-cms-rt-microsoft-com.akamaized.net |
-
-The following endpoints are used to communicate with Microsoft Store.
-If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| | HTTP | storeedgefd.dsx.mp.microsoft.com |
-| | HTTP | pti.store.microsoft.com |
-||TLS v1.2|cy2.\*.md.mp.microsoft.com.\*.|
-
-## Network Connection Status Indicator (NCSI)
-
-Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet.
-If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-ncsi), NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| | HTTP | www.msftconnecttest.com/connecttest.txt |
-
-## Office
-
-The following endpoints are used to connect to the Microsoft 365 admin center's shared infrastructure, including Office. For more info, see [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges).
-You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps.
-If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| | | *.a-msedge.net |
-| hxstr | | *.c-msedge.net |
-| | | *.e-msedge.net |
-| | | *.s-msedge.net |
-
-The following endpoint is used to connect to the Microsoft 365 admin center's shared infrastructure, including Office. For more info, see [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges).
-You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps.
-If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| system32\Auth.Host.exe | HTTPS | outlook.office365.com |
-
-The following endpoint is OfficeHub traffic used to get the metadata of Office apps. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-|Windows Apps\Microsoft.Windows.Photos|HTTPS|client-office365-tas.msedge.net|
-
-## OneDrive
-
-The following endpoint is a redirection service that’s used to automatically update URLs.
-If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-onedrive), anything that relies on g.live.com to get updated URL information will no longer work.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| onedrive | HTTP \ HTTPS | g.live.com/1rewlive5skydrive/ODSUProduction |
-
-The following endpoint is used by OneDrive for Business to download and verify app updates. For more info, see [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges).
-To turn off traffic for this endpoint, uninstall OneDrive for Business. In this case, your device will not able to get OneDrive for Business app updates.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| onedrive | HTTPS | oneclient.sfx.ms |
-
-## Settings
-
-The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it.
-If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| dmclient | | cy2.settings.data.microsoft.com.akadns.net |
-
-The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it.
-If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| dmclient | HTTPS | settings.data.microsoft.com |
-
-The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as Windows Connected User Experiences and Telemetry component and Windows Insider Program use it.
-If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| svchost | HTTPS | settings-win.data.microsoft.com |
-
-## Skype
-
-The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-|microsoft.windowscommunicationsapps.exe | HTTPS | config.edge.skype.com |
-
-
-
-## Windows Defender
-
-The following endpoint is used for Windows Defender when Cloud-based Protection is enabled.
-If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), the device will not use Cloud-based Protection.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| | | wdcp.microsoft.com |
-
-The following endpoints are used for Windows Defender definition updates.
-If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), definitions will not be updated.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| | | definitionupdates.microsoft.com |
-|MpCmdRun.exe|HTTPS|go.microsoft.com |
-
-## Windows Spotlight
-
-The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips.
-If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight), Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see [Windows Spotlight](/windows/configuration/windows-spotlight).
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| backgroundtaskhost | HTTPS | arc.msn.com |
-| backgroundtaskhost | | g.msn.com.nsatc.net |
-| |TLS v1.2| *.search.msn.com |
-| | HTTPS | ris.api.iris.microsoft.com |
-| | HTTPS | query.prod.cms.rt.microsoft.com |
-
-## Windows Update
-
-The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers.
-If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates), Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| svchost | HTTPS | *.prod.do.dsp.mp.microsoft.com |
-
-The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store.
-If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to download updates for the operating system.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| svchost | HTTP | *.windowsupdate.com |
-| svchost | HTTP | *.dl.delivery.mp.microsoft.com |
-
-The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store.
-If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| svchost | HTTPS | *.update.microsoft.com |
-| svchost | HTTPS | *.delivery.mp.microsoft.com |
-
-These are dependent on enabling:
-- [Device authentication](manage-windows-1709-endpoints.md#device-authentication)
-- [Microsoft account](manage-windows-1709-endpoints.md#microsoft-account)
-
-The following endpoint is used for content regulation.
-If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| svchost | HTTPS | tsfe.trafficshaping.dsp.mp.microsoft.com |
-
-## Microsoft forward link redirection service (FWLink)
-
-The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer.
-
-If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-|Various|HTTPS|go.microsoft.com|
-
-## Other Windows 10 versions and editions
-
-To view endpoints for other versions of Windows 10 enterprise, see:
-- [Manage connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md)
-- [Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md)
-
-To view endpoints for non-Enterprise Windows 10 editions, see:
-- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md)
-- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md)
-
-## Related links
-
-- [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges)
-- [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)
\ No newline at end of file
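Review bot: the deleted page's "Other Windows 10 versions and editions" section (the list under "To view endpoints for other versions of Windows 10 enterprise, see:") links to manage-windows-1803-endpoints.md, which this same diff also removes, and to manage-windows-1809-endpoints.md plus the two non-Enterprise pages (windows-endpoints-1709-non-enterprise-editions.md and windows-endpoints-1803-non-enterprise-editions.md); the surviving pages almost certainly carry the reciprocal links back to the 1709 and 1803 pages, so those link lists should be updated in this PR and a redirect should exist for every path removed here, otherwise in-repo links and external bookmarks will 404. This matters more than for an ordinary doc removal because the tables being deleted (Windows Defender cloud protection at wdcp.microsoft.com, definition updates at definitionupdates.microsoft.com, the Automatic Root Certificates Update endpoint ctldl.windowsupdate.com, and the Windows Update hosts under *.update.microsoft.com) are the lists administrators copy into firewall and proxy allow-lists; the commit message should name the replacement version-specific page so that anyone maintaining such an allow-list from the 1709 list can find the current equivalents rather than silently keeping a stale one.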
diff --git a/windows/privacy/manage-windows-1803-endpoints.md b/windows/privacy/manage-windows-1803-endpoints.md
deleted file mode 100644
index fdc72f92e7..0000000000
--- a/windows/privacy/manage-windows-1803-endpoints.md
+++ /dev/null
@@ -1,465 +0,0 @@
----
-title: Connection endpoints for Windows 10, version 1803
-description: Explains what Windows 10 endpoints are used for, how to turn off traffic to them, and the impact. Specific to Windows 10 Enterprise, version 1803.
-keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.localizationpriority: high
-audience: ITPro
-author: dansimp
-ms.author: dansimp
-manager: dansimp
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.date: 11/29/2021
-ms.reviewer:
-ms.technology: privacy
----
-# Manage connection endpoints for Windows 10 Enterprise, version 1803
-
-**Applies to**
-
-- Windows 10 Enterprise, version 1803
-
-Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some examples include:
-
-- Connecting to Microsoft Office and Windows sites to download the latest app and security updates.
-- Connecting to email servers to send and receive email.
-- Connecting to the web for every day web browsing.
-- Connecting to the cloud to store and access backups.
-- Using your location to show a weather forecast.
-
-This article lists different endpoints that are available on a clean installation of Windows 10, version 1709 and later.
-Details about the different ways to control traffic to these endpoints are covered in [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md).
-Where applicable, each endpoint covered in this article includes a link to specific details about how to control traffic to it.
-
-We used the following methodology to derive these network endpoints:
-
-1. Set up the latest version of Windows 10 on a test virtual machine using the default settings.
-2. Leave the devices running idle for a week (that is, a user isn't interacting with the system/device).
-3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
-4. Compile reports on traffic going to public IP addresses.
-5. The test virtual machine was logged in using a local account and wasn't joined to a domain or Azure Active Directory.
-6. All traffic was captured in our lab using a IPV4 network. As such no IPV6 traffic is reported here.
-
-> [!NOTE]
-> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time.
-
-## Windows 10 Enterprise connection endpoints
-
-## Apps
-
-The following endpoint is used to download updates to the Weather app Live Tile.
-If you [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#live-tiles), no Live Tiles will be updated.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| explorer | HTTP | tile-service.weather.microsoft.com |
-| | HTTP | blob.weather.microsoft.com |
-
-The following endpoint is used for OneNote Live Tile.
-To turn off traffic for this endpoint, either uninstall OneNote or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
-If you disable the Microsoft store, other Store apps cannot be installed or updated.
-Additionally, the Microsoft Store can't revoke malicious Store apps and users will can still open them.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| | HTTPS | cdn.onenote.net/livetile/?Language=en-US |
-
-The following endpoints are used for Twitter updates.
-To turn off traffic for these endpoints, either uninstall Twitter or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
-If you disable the Microsoft store, other Store apps cannot be installed or updated.
-Additionally, the Microsoft Store can't revoke malicious Store apps and users will can still open them.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| | HTTPS | wildcard.twimg.com |
-| svchost.exe | | oem.twimg.com/windows/tile.xml |
-
-The following endpoint is used for Facebook updates.
-To turn off traffic for this endpoint, either uninstall Facebook or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
-If you disable the Microsoft store, other Store apps cannot be installed or updated.
-Additionally, the Microsoft Store can't revoke malicious Store apps and users will can still open them.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| | | star-mini.c10r.facebook.com |
-
-The following endpoint is used by the Photos app to download configuration files, and to connect to the Microsoft 365 admin center's shared infrastructure, including Office.
-To turn off traffic for this endpoint, either uninstall the Photos app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
-If you disable the Microsoft store, other Store apps cannot be installed or updated.
-Additionally, the Microsoft Store can't revoke malicious Store apps and users can still open them.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| WindowsApps\Microsoft.Windows.Photos | HTTPS | evoke-windowsservices-tas.msedge.net |
-
-The following endpoint is used for Candy Crush Saga updates.
-To turn off traffic for this endpoint, either uninstall Candy Crush Saga or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
-If you disable the Microsoft store, other Store apps cannot be installed or updated.
-Additionally, the Microsoft Store can't revoke malicious Store apps and users can still open them.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| | TLS v1.2 | candycrushsoda.king.com |
-
-The following endpoint is used for by the Microsoft Wallet app.
-To turn off traffic for this endpoint, either uninstall the Wallet app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore).
-If you disable the Microsoft store, other Store apps cannot be installed or updated.
-Additionally, the Microsoft Store can't revoke malicious Store apps and users can still open them.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| system32\AppHostRegistrationVerifier.exe | HTTPS | wallet.microsoft.com |
-
-The following endpoint is used by the Groove Music app for update HTTP handler status.
-If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-apps-for-websites), apps for websites won't work and customers who visit websites (such as mediaredirect.microsoft.com) that are registered with their associated app (such as Groove Music) will stay at the website and can't directly launch the app.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| system32\AppHostRegistrationVerifier.exe | HTTPS | mediaredirect.microsoft.com |
-
-## Cortana and Search
-
-The following endpoint is used to get images that are used for Microsoft Store suggestions.
-If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you'll block images that are used for Microsoft Store suggestions.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| searchui | HTTPS |store-images.s-microsoft.com |
-
-The following endpoint is used to update Cortana greetings, tips, and Live Tiles.
-If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), you'll block updates to Cortana greetings, tips, and Live Tiles.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| backgroundtaskhost | HTTPS | www.bing.com/client |
-
-The following endpoint is used to configure parameters, such as how often the Live Tile is updated. It's also used to activate experiments.
-If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), parameters wouldn't be updated and the device would no longer participate in experiments.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| backgroundtaskhost | HTTPS | www.bing.com/proactive |
-
-The following endpoint is used by Cortana to report diagnostic and diagnostic data information.
-If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana), Microsoft won't be aware of issues with Cortana and can't fix them.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| searchui
backgroundtaskhost | HTTPS | www.bing.com/threshold/xls.aspx |
-
-## Certificates
-
-The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It's possible to [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update), but that isn't recommended because when root certificates are updated over time, applications and websites may stop working because they didn't receive an updated root certificate the application uses.
-
-Additionally, it's used to download certificates that are publicly known to be fraudulent.
-These settings are critical for both Windows security and the overall security of the Internet.
-We don't recommend blocking this endpoint.
-If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| svchost | HTTP | ctldl.windowsupdate.com |
-
-## Device authentication
-
-The following endpoint is used to authenticate a device.
-If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), the device won't be authenticated.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| | HTTPS | login.live.com/ppsecure |
-
-## Device metadata
-
-The following endpoint is used to retrieve device metadata.
-If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-devinst), metadata won't be updated for the device.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| | | dmd.metaservices.microsoft.com.akadns.net |
-| | HTTP | dmd.metaservices.microsoft.com |
-
-## Diagnostic Data
-
-The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
-If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, won't be sent back to Microsoft.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| svchost | | cy2.vortex.data.microsoft.com.akadns.net |
-
-The following endpoint is used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service.
-If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| svchost | | v10.vortex-win.data.microsoft.com/collect/v1 |
-
-The following endpoints are used by Windows Error Reporting.
-To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| wermgr | | watson.telemetry.microsoft.com |
-| | TLS v1.2 | modern.watson.data.microsoft.com.akadns.net |
-
-## Font streaming
-
-The following endpoints are used to download fonts on demand.
-If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#font-streaming), you will not be able to download fonts on demand.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| svchost | | fs.microsoft.com |
-| | | fs.microsoft.com/fs/windows/config.json |
-
-## Licensing
-
-The following endpoint is used for online activation and some app licensing.
-To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| licensemanager | HTTPS | licensing.mp.microsoft.com/v7.0/licenses/content |
-
-## Location
-
-The following endpoint is used for location data.
-If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-location), apps cannot use location data.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| | HTTP | location-inference-westus.cloudapp.net |
-
-## Maps
-
-The following endpoint is used to check for updates to maps that have been downloaded for offline use.
-If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-offlinemaps), offline maps will not be updated.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| svchost | HTTPS | *g.akamaiedge.net |
-
-## Microsoft account
-
-The following endpoints are used for Microsoft accounts to sign in.
-If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account), users cannot sign in with Microsoft accounts.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| | | login.msa.akadns6.net |
-| system32\Auth.Host.exe | HTTPS | auth.gfx.ms |
-
-## Microsoft Store
-
-The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way.
-If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#live-tiles), push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| | | *.wns.windows.com |
-
-The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store.
-To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| | HTTP | storecatalogrevocation.storequality.microsoft.com |
-
-The following endpoints are used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps).
-If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| | HTTPS | img-prod-cms-rt-microsoft-com.akamaized.net |
-| backgroundtransferhost | HTTPS | store-images.microsoft.com |
-
-The following endpoints are used to communicate with Microsoft Store.
-If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore), apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| | HTTP | storeedgefd.dsx.mp.microsoft.com |
-| | HTTP | pti.store.microsoft.com |
-||TLS v1.2|cy2.\*.md.mp.microsoft.com.\*.|
-| svchost | HTTPS | displaycatalog.mp.microsoft.com |
-
-## Network Connection Status Indicator (NCSI)
-
-Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet.
-If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-ncsi), NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| | HTTP | www.msftconnecttest.com/connecttest.txt |
-
-## Office
-
-The following endpoints are used to connect to the Microsoft 365 admin center's shared infrastructure, including Office. For more info, see [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges).
-You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps.
-If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| | | *.a-msedge.net |
-| hxstr | | *.c-msedge.net |
-| | | *.e-msedge.net |
-| | | *.s-msedge.net |
-| | HTTPS | ocos-office365-s2s.msedge.net |
-
-The following endpoint is used to connect to the Microsoft 365 admin center's shared infrastructure, including Office. For more info, see [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges).
-You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps.
-If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| system32\Auth.Host.exe | HTTPS | outlook.office365.com |
-
-The following endpoint is OfficeHub traffic used to get the metadata of Office apps. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-|Windows Apps\Microsoft.Windows.Photos|HTTPS|client-office365-tas.msedge.net|
-
-## OneDrive
-
-The following endpoint is a redirection service that’s used to automatically update URLs.
-If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-onedrive), anything that relies on g.live.com to get updated URL information will no longer work.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| onedrive | HTTP \ HTTPS | g.live.com/1rewlive5skydrive/ODSUProduction |
-
-The following endpoint is used by OneDrive for Business to download and verify app updates. For more info, see [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges).
-To turn off traffic for this endpoint, uninstall OneDrive for Business. In this case, your device will not able to get OneDrive for Business app updates.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| onedrive | HTTPS | oneclient.sfx.ms |
-
-## Settings
-
-The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it.
-If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| dmclient | | cy2.settings.data.microsoft.com.akadns.net |
-
-The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it.
-If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| dmclient | HTTPS | settings.data.microsoft.com |
-
-The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as Windows Connected User Experiences and Telemetry component and Windows Insider Program use it.
-If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback), an app that uses this endpoint may stop working.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| svchost | HTTPS | settings-win.data.microsoft.com |
-
-## Skype
-
-The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or [disable the Microsoft Store](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore). If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-|microsoft.windowscommunicationsapps.exe | HTTPS | config.edge.skype.com |
-
-
-
-## Windows Defender
-
-The following endpoint is used for Windows Defender when Cloud-based Protection is enabled.
-If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), the device will not use Cloud-based Protection.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| | | wdcp.microsoft.com |
-
-The following endpoints are used for Windows Defender definition updates.
-If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender), definitions will not be updated.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| | | definitionupdates.microsoft.com |
-|MpCmdRun.exe|HTTPS|go.microsoft.com |
-
-## Windows Spotlight
-
-The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips.
-If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight), Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see [Windows Spotlight](/windows/configuration/windows-spotlight).
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| backgroundtaskhost | HTTPS | arc.msn.com |
-| backgroundtaskhost | | g.msn.com.nsatc.net |
-| |TLS v1.2| *.search.msn.com |
-| | HTTPS | ris.api.iris.microsoft.com |
-| | HTTPS | query.prod.cms.rt.microsoft.com |
-
-## Windows Update
-
-The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers.
-If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates), Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| svchost | HTTPS | *.prod.do.dsp.mp.microsoft.com |
-
-The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store.
-If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to download updates for the operating system.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| svchost | HTTP | *.windowsupdate.com |
-| svchost | HTTP | *.dl.delivery.mp.microsoft.com |
-
-The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store.
-If you [turn off traffic for these endpoints](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| svchost | HTTPS | *.update.microsoft.com |
-| svchost | HTTPS | *.delivery.mp.microsoft.com |
-
-These are dependent on enabling:
-- [Device authentication](manage-windows-1803-endpoints.md#device-authentication)
-- [Microsoft account](manage-windows-1803-endpoints.md#microsoft-account)
-
-The following endpoint is used for content regulation.
-If you [turn off traffic for this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-wu), the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-| svchost | HTTPS | tsfe.trafficshaping.dsp.mp.microsoft.com |
-
-## Microsoft forward link redirection service (FWLink)
-
-The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer.
-
-If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded.
-
-| Source process | Protocol | Destination |
-|----------------|----------|------------|
-|Various|HTTPS|go.microsoft.com|
-
-## Other Windows 10 editions
-
-To view endpoints for other versions of Windows 10 enterprise, see:
-- [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md)
-- [Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md)
-
-To view endpoints for non-Enterprise Windows 10 editions, see:
-- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md)
-- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md)
-
-## Related links
-
-- [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges)
-- [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)
\ No newline at end of file
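Review bot: the removed 1803 page cross-links to manage-windows-1709-endpoints.md, windows-endpoints-1709-non-enterprise-editions.md and windows-endpoints-1803-non-enterprise-editions.md in its "Other Windows 10 editions" section near the end of the hunk, and this same change deletes those targets too; make sure every deleted path, including this one, carries a redirect entry so external bookmarks and search results for the 1803 endpoint list do not 404, and confirm the redirect target still documents the endpoints listed here with their source process and protocol, for example the HTTP `storecatalogrevocation.storequality.microsoft.com` revocation endpoint and the `tsfe.trafficshaping.dsp.mp.microsoft.com` content-regulation endpoint, rather than silently dropping them.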
diff --git a/windows/privacy/manage-windows-1809-endpoints.md b/windows/privacy/manage-windows-1809-endpoints.md
index f2b61aed53..1b459257be 100644
--- a/windows/privacy/manage-windows-1809-endpoints.md
+++ b/windows/privacy/manage-windows-1809-endpoints.md
@@ -487,13 +487,13 @@ If you disable this endpoint, Windows Defender won't be able to update its malwa
## Other Windows 10 editions
To view endpoints for other versions of Windows 10 Enterprise, see:
-- [Manage connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md)
-- [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md)
+
+- [Manage connection endpoints for Windows 10, version 21H2](manage-windows-21H2-endpoints.md)
To view endpoints for non-Enterprise Windows 10 editions, see:
+
- [Windows 10, version 1809, connection endpoints for non-Enterprise editions](windows-endpoints-1809-non-enterprise-editions.md)
-- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md)
-- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md)
+- [Windows 10, version 21H1, connection endpoints for non-Enterprise editions](windows-endpoints-21H1-non-enterprise-editions.md)
## Related links
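Review bot: the new link target `manage-windows-21H2-endpoints.md` in `+- [Manage connection endpoints for Windows 10, version 21H2](manage-windows-21H2-endpoints.md)` does not match the on-disk filename, which this same change shows as `windows/privacy/manage-windows-21h2-endpoints.md` (lowercase h); relative links are case-sensitive on a case-sensitive build host, so change the link to `manage-windows-21h2-endpoints.md`. The identical line is added in the 1903, 1909, 2004, 20H2 and 21H1 hunks below and needs the same fix. The `windows-endpoints-21H1-non-enterprise-editions.md` link added in this hunk should be checked the same way, since that file's actual name is not visible in this diff.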
diff --git a/windows/privacy/manage-windows-1903-endpoints.md b/windows/privacy/manage-windows-1903-endpoints.md
index f4254b905d..7c2bf27999 100644
--- a/windows/privacy/manage-windows-1903-endpoints.md
+++ b/windows/privacy/manage-windows-1903-endpoints.md
@@ -175,15 +175,14 @@ The following methodology was used to derive these network endpoints:
## Other Windows 10 editions
To view endpoints for other versions of Windows 10 Enterprise, see:
+
+- [Manage connection endpoints for Windows 10, version 21H2](manage-windows-21H2-endpoints.md)
- [Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md)
-- [Manage connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md)
-- [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md)
To view endpoints for non-Enterprise Windows 10 editions, see:
-- [Windows 10, version 1809, connection endpoints for non-Enterprise editions](windows-endpoints-1809-non-enterprise-editions.md)
-- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md)
-- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md)
+- [Windows 10, version 21H1, connection endpoints for non-Enterprise editions](windows-endpoints-21H1-non-enterprise-editions.md)
+- [Windows 10, version 1809, connection endpoints for non-Enterprise editions](windows-endpoints-1809-non-enterprise-editions.md)
## Related links
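Review bot: the hunk adds a blank line after "To view endpoints for other versions of Windows 10 Enterprise, see:" but not after "To view endpoints for non-Enterprise Windows 10 editions, see:", so the two lists in the same section are formatted differently; the 1809 and 1909 hunks add the blank line in both places, so add one before the `+- [Windows 10, version 21H1, connection endpoints for non-Enterprise editions]` line here for consistency.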
diff --git a/windows/privacy/manage-windows-1909-endpoints.md b/windows/privacy/manage-windows-1909-endpoints.md
index 4209d8bafd..da29e4f457 100644
--- a/windows/privacy/manage-windows-1909-endpoints.md
+++ b/windows/privacy/manage-windows-1909-endpoints.md
@@ -123,17 +123,16 @@ The following methodology was used to derive these network endpoints:
## Other Windows 10 editions
To view endpoints for other versions of Windows 10 Enterprise, see:
+
+- [Manage connection endpoints for Windows 10, version 21H2](manage-windows-21H2-endpoints.md)
- [Manage connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints.md)
- [Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md)
-- [Manage connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md)
-- [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md)
To view endpoints for non-Enterprise Windows 10 editions, see:
+
+- [Windows 10, version 21H1, connection endpoints for non-Enterprise editions](windows-endpoints-21H1-non-enterprise-editions.md)
- [Windows 10, version 1903, connection endpoints for non-Enterprise editions](windows-endpoints-1903-non-enterprise-editions.md)
- [Windows 10, version 1809, connection endpoints for non-Enterprise editions](windows-endpoints-1809-non-enterprise-editions.md)
-- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md)
-- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md)
-
## Related links
diff --git a/windows/privacy/manage-windows-2004-endpoints.md b/windows/privacy/manage-windows-2004-endpoints.md
index f701bc0e8d..48879ed467 100644
--- a/windows/privacy/manage-windows-2004-endpoints.md
+++ b/windows/privacy/manage-windows-2004-endpoints.md
@@ -122,19 +122,18 @@ The following methodology was used to derive these network endpoints:
## Other Windows 10 editions
To view endpoints for other versions of Windows 10 Enterprise, see:
+
+- [Manage connection endpoints for Windows 10, version 21H2](manage-windows-21H2-endpoints.md)
- [Manage connection endpoints for Windows 10, version 1909](manage-windows-1909-endpoints.md)
- [Manage connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints.md)
- [Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md)
-- [Manage connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md)
-- [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md)
To view endpoints for non-Enterprise Windows 10 editions, see:
+
+- [Windows 10, version 21H1, connection endpoints for non-Enterprise editions](windows-endpoints-21H1-non-enterprise-editions.md)
- [Windows 10, version 1909, connection endpoints for non-Enterprise editions](windows-endpoints-1909-non-enterprise-editions.md)
- [Windows 10, version 1903, connection endpoints for non-Enterprise editions](windows-endpoints-1903-non-enterprise-editions.md)
- [Windows 10, version 1809, connection endpoints for non-Enterprise editions](windows-endpoints-1809-non-enterprise-editions.md)
-- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md)
-- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md)
-
## Related links
diff --git a/windows/privacy/manage-windows-20H2-endpoints.md b/windows/privacy/manage-windows-20H2-endpoints.md
index f891d0bf27..8035ebc8d5 100644
--- a/windows/privacy/manage-windows-20H2-endpoints.md
+++ b/windows/privacy/manage-windows-20H2-endpoints.md
@@ -138,21 +138,19 @@ The following methodology was used to derive these network endpoints:
To view endpoints for other versions of Windows 10 Enterprise, see:
+- [Manage connection endpoints for Windows 10, version 21H2](manage-windows-21H2-endpoints.md)
- [Manage connection endpoints for Windows 10, version 2004](manage-windows-2004-endpoints.md)
- [Manage connection endpoints for Windows 10, version 1909](manage-windows-1909-endpoints.md)
- [Manage connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints.md)
- [Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md)
-- [Manage connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md)
-- [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md)
To view endpoints for non-Enterprise Windows 10 editions, see:
+- [Windows 10, version 21H1, connection endpoints for non-Enterprise editions](windows-endpoints-21H1-non-enterprise-editions.md)
- [Windows 10, version 2004, connection endpoints for non-Enterprise editions](windows-endpoints-2004-non-enterprise-editions.md)
- [Windows 10, version 1909, connection endpoints for non-Enterprise editions](windows-endpoints-1909-non-enterprise-editions.md)
- [Windows 10, version 1903, connection endpoints for non-Enterprise editions](windows-endpoints-1903-non-enterprise-editions.md)
- [Windows 10, version 1809, connection endpoints for non-Enterprise editions](windows-endpoints-1809-non-enterprise-editions.md)
-- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md)
-- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md)
## Related links
diff --git a/windows/privacy/manage-windows-21H1-endpoints.md b/windows/privacy/manage-windows-21H1-endpoints.md
index 51e80aa248..940115bae8 100644
--- a/windows/privacy/manage-windows-21H1-endpoints.md
+++ b/windows/privacy/manage-windows-21H1-endpoints.md
@@ -136,21 +136,19 @@ The following methodology was used to derive these network endpoints:
To view endpoints for other versions of Windows 10 Enterprise, see:
+- [Manage connection endpoints for Windows 10, version 21H2](manage-windows-21H2-endpoints.md)
- [Manage connection endpoints for Windows 10, version 2004](manage-windows-2004-endpoints.md)
- [Manage connection endpoints for Windows 10, version 1909](manage-windows-1909-endpoints.md)
- [Manage connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints.md)
- [Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md)
-- [Manage connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md)
-- [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md)
To view endpoints for non-Enterprise Windows 10 editions, see:
+- [Windows 10, version 21H1, connection endpoints for non-Enterprise editions](windows-endpoints-21H1-non-enterprise-editions.md)
- [Windows 10, version 2004, connection endpoints for non-Enterprise editions](windows-endpoints-2004-non-enterprise-editions.md)
- [Windows 10, version 1909, connection endpoints for non-Enterprise editions](windows-endpoints-1909-non-enterprise-editions.md)
- [Windows 10, version 1903, connection endpoints for non-Enterprise editions](windows-endpoints-1903-non-enterprise-editions.md)
- [Windows 10, version 1809, connection endpoints for non-Enterprise editions](windows-endpoints-1809-non-enterprise-editions.md)
-- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md)
-- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md)
## Related links
diff --git a/windows/privacy/manage-windows-21h2-endpoints.md b/windows/privacy/manage-windows-21h2-endpoints.md
index 6dc79e13de..f8bf449d07 100644
--- a/windows/privacy/manage-windows-21h2-endpoints.md
+++ b/windows/privacy/manage-windows-21h2-endpoints.md
@@ -140,17 +140,14 @@ To view endpoints for other versions of Windows 10 Enterprise, see:
- [Manage connection endpoints for Windows 10, version 1909](manage-windows-1909-endpoints.md)
- [Manage connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints.md)
- [Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md)
-- [Manage connection endpoints for Windows 10, version 1803](manage-windows-1803-endpoints.md)
-- [Manage connection endpoints for Windows 10, version 1709](manage-windows-1709-endpoints.md)
To view endpoints for non-Enterprise Windows 10 editions, see:
+- [Windows 10, version 21H1, connection endpoints for non-Enterprise editions](windows-endpoints-21H1-non-enterprise-editions.md)
- [Windows 10, version 2004, connection endpoints for non-Enterprise editions](windows-endpoints-2004-non-enterprise-editions.md)
- [Windows 10, version 1909, connection endpoints for non-Enterprise editions](windows-endpoints-1909-non-enterprise-editions.md)
- [Windows 10, version 1903, connection endpoints for non-Enterprise editions](windows-endpoints-1903-non-enterprise-editions.md)
- [Windows 10, version 1809, connection endpoints for non-Enterprise editions](windows-endpoints-1809-non-enterprise-editions.md)
-- [Windows 10, version 1803, connection endpoints for non-Enterprise editions](windows-endpoints-1803-non-enterprise-editions.md)
-- [Windows 10, version 1709, connection endpoints for non-Enterprise editions](windows-endpoints-1709-non-enterprise-editions.md)
## Related links
diff --git a/windows/privacy/toc.yml b/windows/privacy/toc.yml
index 56331c2e27..ef92db9493 100644
--- a/windows/privacy/toc.yml
+++ b/windows/privacy/toc.yml
@@ -61,10 +61,6 @@
href: manage-windows-1903-endpoints.md
- name: Connection endpoints for Windows 10, version 1809
href: manage-windows-1809-endpoints.md
- - name: Connection endpoints for Windows 10, version 1803
- href: manage-windows-1803-endpoints.md
- - name: Connection endpoints for Windows 10, version 1709
- href: manage-windows-1709-endpoints.md
- name: Connection endpoints for non-Enterprise editions of Windows 11
href: windows-11-endpoints-non-enterprise-editions.md
- name: Connection endpoints for non-Enterprise editions of Windows 10, version 21H1
@@ -79,7 +75,3 @@
href: windows-endpoints-1903-non-enterprise-editions.md
- name: Connection endpoints for non-Enterprise editions of Windows 10, version 1809
href: windows-endpoints-1809-non-enterprise-editions.md
- - name: Connection endpoints for non-Enterprise editions of Windows 10, version 1803
- href: windows-endpoints-1803-non-enterprise-editions.md
- - name: Connection endpoints for non-Enterprise editions of Windows 10, version 1709
- href: windows-endpoints-1709-non-enterprise-editions.md
diff --git a/windows/privacy/windows-endpoints-1709-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1709-non-enterprise-editions.md
deleted file mode 100644
index b3c1cee7bb..0000000000
--- a/windows/privacy/windows-endpoints-1709-non-enterprise-editions.md
+++ /dev/null
@@ -1,295 +0,0 @@
----
-title: Windows 10, version 1709, connection endpoints for non-Enterprise editions
-description: Explains what Windows 10 endpoints are used in non-Enterprise editions. Specific to Windows 10, version 1709.
-keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.localizationpriority: high
-audience: ITPro
-author: dansimp
-ms.author: dansimp
-manager: dansimp
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.date: 12/01/2021
-ms.reviewer:
-ms.technology: privacy
----
-# Windows 10, version 1709, connection endpoints for non-Enterprise editions
-
- **Applies to**
-
-- Windows 10 Home, version 1709
-- Windows 10 Professional, version 1709
-- Windows 10 Education, version 1709
-
-In addition to the endpoints listed for [Windows 10 Enterprise](./manage-connections-from-windows-operating-system-components-to-microsoft-services.md), the following endpoints are available on other editions of Windows 10, version 1709.
-
-We used the following methodology to derive these network endpoints:
-
-1. Set up the latest version of Windows 10 on a test virtual machine using the default settings.
-2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device).
-3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
-4. Compile reports on traffic going to public IP addresses.
-5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory.
-6. All traffic was captured in our lab using a IPV4 network. Therefore no IPV6 traffic is reported here.
-
-> [!NOTE]
-> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time.
-
-## Windows 10 Home
-
-| **Destination** | **Protocol** | **Description** |
-| --- | --- | --- |
-| *.tlu.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. |
-| *.wac.phicdn.net | HTTP | Used by the Verizon Content Delivery Network to perform Windows updates. |
-| *.1.msftsrvcs.vo.llnwi.net | HTTP | Used for Windows Update downloads of apps and OS updates. |
-| *.c-msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. |
-| *.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. |
-| *.dscd.akamai.net | HTTP | Used to download content. |
-| *.dspg.akamaiedge.net | HTTP | Used to check for updates to maps that have been downloaded for offline use. |
-| *.hwcdn.net | HTTP | Used by the Highwinds Content Delivery Network to perform Windows updates. |
-| *.m1-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. |
-| *.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. |
-| *.wac.edgecastcdn.net | TLSv1.2 | Used by the Verizon Content Delivery Network to perform Windows updates. |
-| *.wns.windows.com | TLSv1.2 | Used for the Windows Push Notification Services (WNS). |
-| *prod.do.dsp.mp.microsoft.com | TLSv1.2\/HTTPS | Used for Windows Update downloads of apps and OS updates. |
-| .g.akamaiedge.net | HTTP | Used to check for updates to maps that have been downloaded for offline use. |
-| 2.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. |
-| 2.tlu.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. |
-| arc.msn.com | HTTPS | Used to retrieve Windows Spotlight metadata. |
-| arc.msn.com.nsatc.net | TLSv1.2 | Used to retrieve Windows Spotlight metadata. |
-| a-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
-| au.download.windowsupdate.com | HTTP | Used to download operating system patches and updates. |
-| b-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
-| candycrushsoda.king.com | TLSv1.2 | Used for Candy Crush Saga updates. |
-| cdn.content.prod.cms.msn.com | HTTP | Used to retrieve Windows Spotlight metadata. |
-| cdn.onenote.net | HTTP | Used for OneNote Live Tile. |
-| client-office365-tas.msedge.net | HTTP | Used to connect to the Microsoft 365 admin center’s shared infrastructure, including Office. |
-| config.edge.skype.com | HTTP | Used to retrieve Skype configuration values. |
-| ctldl.windowsupdate.com | HTTP | Used to download certificates that are publicly known to be fraudulent. |
-| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. |
-| cy2.licensing.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. |
-| cy2.purchase.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. |
-| cy2.settings.data.microsoft.com.akadns.net | TLSv1.2 | Used as a way for apps to dynamically update their configuration. |
-| cy2.vortex.data.microsoft.com.akadns.net | TLSv1.2 | Used to retrieve Windows Insider Preview builds. |
-| definitionupdates.microsoft.com | HTTPS | Used for Windows Defender definition updates. |
-| displaycatalog.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
-| dl.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update. |
-| dual-a-0001.a-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. |
-| fe2.update.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
-| fe2.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
-| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2\/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
-| fg.download.windowsupdate.com.c.footprint.net | HTTP | Used to download operating system patches and updates. |
-| fp.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
-| g.live.com/1rewlive5skydrive/ | HTTPS | Used by a redirection service to automatically update URLs. |
-| g.msn.com.nsatc.net | HTTP | Used to retrieve Windows Spotlight metadata. |
-| geo-prod.do.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. |
-| go.microsoft.com | HTTPS | Used by a redirection service to automatically update URLs. |
-| img-prod-cms-rt-microsoft-com.akamaized.net | HTTPS | Used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). |
-| *.login.msa.akadns6.net | TLSv1.2 | Used for Microsoft accounts to sign in. |
-| licensing.mp.microsoft.com | HTTPS | Used for online activation and some app licensing. |
-| location-inference-westus.cloudapp.net | TLSv1.2 | Used for location data. |
-| login.live.com | HTTPS | Used to authenticate a device. |
-| mediaredirect.microsoft.com | HTTPS | Used by the Groove Music app to update HTTP handler status. |
-| modern.watson.data.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. |
-| msftsrvcs.vo.llnwd.net | HTTP | Enables connections to Windows Update. |
-| msnbot-*.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. |
-| oem.twimg.com | HTTPS | Used for the Twitter Live Tile. |
-| oneclient.sfx.ms | HTTPS | Used by OneDrive for Business to download and verify app updates. |
-| peer4-wst.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
-| pti.store.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
-| pti.store.microsoft.com.unistore.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. |
-| purchase.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
-| ris.api.iris.microsoft.com.akadns.net | TLSv1.2\/HTTPS | Used to retrieve Windows Spotlight metadata. |
-| settings-win.data.microsoft.com | HTTPS | Used for Windows apps to dynamically update their configuration. |
-| sls.update.microsoft.com.nsatc.net | TLSv1.2\/HTTPS | Enables connections to Windows Update. |
-| star-mini.c10r.facebook.com | TLSv1.2 | Used for the Facebook Live Tile. |
-| storecatalogrevocation.storequality.microsoft.com | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. |
-| storeedgefd.dsx.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
-| store-images.s-microsoft.com | HTTP | Used to get images that are used for Microsoft Store suggestions. |
-| tile-service.weather.microsoft.com | HTTP | Used to download updates to the Weather app Live Tile. |
-| tsfe.trafficshaping.dsp.mp.microsoft.com | TLSv1.2 | Used for content regulation. |
-| v10.vortex-win.data.microsoft.com | HTTPS | Used to retrieve Windows Insider Preview builds. |
-| wallet.microsoft.com | HTTPS | Used by the Microsoft Wallet app. |
-| wallet-frontend-prod-westus.cloudapp.net | TLSv1.2 | Used by the Microsoft Wallet app. |
-| *.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. |
-| ceuswatcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
-| ceuswatcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
-| eaus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
-| eaus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
-| weus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
-| weus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
-| wdcp.microsoft.akadns.net | TLSv1.2 | Used for Windows Defender when Cloud-based Protection is enabled. |
-| wildcard.twimg.com | TLSv1.2 | Used for the Twitter Live Tile. |
-| www.bing.com | HTTP | Used for updates for Cortana, apps, and Live Tiles. |
-| www.facebook.com | HTTPS | Used for the Facebook Live Tile. |
-| [www.microsoft.com](https://www.microsoft.com/) | HTTPS | Used for updates for Cortana, apps, and Live Tiles. |
-
-## Windows 10 Pro
-
-| **Destination** | **Protocol** | **Description** |
-| --- | --- | --- |
-| *.*.akamai.net | HTTP | Used to download content. |
-| *.*.akamaiedge.net | TLSv1.2\/HTTP | Used to check for updates to maps that have been downloaded for offline use. |
-| *.a-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. |
-| *.blob.core.windows.net | HTTPS | Used by Windows Update to update words used for language input methods. |
-| *.c-msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. |
-| *.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. |
-| *.dspb.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. |
-| *.dspg.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. |
-| *.e-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. |
-| *.login.msa.akadns6.net | TLSv1.2 | Used for Microsoft accounts to sign in. |
-| *.s-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. |
-| *.telecommand.telemetry.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. |
-| *.wac.edgecastcdn.net | TLSv1.2 | Used by the Verizon Content Delivery Network to perform Windows updates. |
-| *.wac.phicdn.net | HTTP | Used by the Verizon Content Delivery Network to perform Windows updates. |
-| *.wns.windows.com | TLSv1.2 | Used for the Windows Push Notification Services (WNS). |
-| *prod.do.dsp.mp.microsoft.com | TLSv1.2\/HTTPS | Used for Windows Update downloads of apps and OS updates. |
-| 3.dl.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update. |
-| 3.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. |
-| 3.tlu.dl.delivery.mp.microsoft.com | HTTP | Enables connections to Windows Update. |
-| 3.tlu.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. |
-| arc.msn.com | HTTPS | Used to retrieve Windows Spotlight metadata. |
-| arc.msn.com.nsatc.net | TLSv1.3 | Used to retrieve Windows Spotlight metadata. |
-| au.download.windowsupdate.com | HTTPS | Used to download operating system patches and updates. |
-| b-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
-| candycrushsoda.king.com | HTTPS | Used for Candy Crush Saga updates. |
-| cdn.content.prod.cms.msn.com | HTTP | Used to retrieve Windows Spotlight metadata. |
-| cdn.onenote.net | HTTPS | Used for OneNote Live Tile. |
-| client-office365-tas.msedge.net | HTTPS | Used to connect to the Microsoft 365 admin center’s shared infrastructure, including Office. |
-| config.edge.skype.com | HTTPS | Used to retrieve Skype configuration values. |
-| ctldl.windowsupdate.com | HTTP | Used to download certificates that are publicly known to be fraudulent. |
-| cs12.wpc.v0cdn.net | HTTP | Used by the Verizon Content Delivery Network to download content for Windows upgrades with Wireless Planning and Coordination (WPC). |
-| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. |
-| cy2.settings.data.microsoft.com.akadns.net | TLSv1.2 | Used as a way for apps to dynamically update their configuration. |
-| cy2.vortex.data.microsoft.com.akadns.net | TLSv1.2 | Used to retrieve Windows Insider Preview builds. |
-| definitionupdates.microsoft.com | HTTPS | Used for Windows Defender definition updates. |
-| displaycatalog.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
-| download.windowsupdate.com | HTTP | Enables connections to Windows Update. |
-| evoke-windowsservices-tas.msedge.net | HTTPS | Used by the Photos app to download configuration files, and to connect to the Microsoft 365 admin center’s shared infrastructure, including Office. |
-| fe2.update.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
-| fe2.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
-| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2\/HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
-| fe3.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
-| fg.download.windowsupdate.com.c.footprint.net | HTTP | Used to download operating system patches and updates. |
-| fp.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
-| fs.microsoft.com | HTTPS | Used to download fonts on demand |
-| g.live.com | HTTP | Used by a redirection service to automatically update URLs. |
-| g.msn.com | HTTPS | Used to retrieve Windows Spotlight metadata. |
-| g.msn.com.nsatc.net | TLSv1.2 | Used to retrieve Windows Spotlight metadata. |
-| geo-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. |
-| geover-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. |
-| go.microsoft.com | HTTPS | Used by a redirection service to automatically update URLs. |
-| gpla1.wac.v2cdn.net | HTTP | Used for Baltimore CyberTrust Root traffic. . |
-| img-prod-cms-rt-microsoft-com.akamaized.net | HTTPS | Used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). |
-| licensing.mp.microsoft.com | HTTPS | Used for online activation and some app licensing. |
-| location-inference-westus.cloudapp.net | TLSv1.2 | Used for location data. |
-| login.live.com | HTTPS | Used to authenticate a device. |
-| l-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
-| mediaredirect.microsoft.com | HTTPS | Used by the Groove Music app to update HTTP handler status. |
-| modern.watson.data.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. |
-| msnbot-*.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. |
-| oem.twimg.com | HTTP | Used for the Twitter Live Tile. |
-| oneclient.sfx.ms | HTTP | Used by OneDrive for Business to download and verify app updates. |
-| peer1-wst.msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. |
-| pti.store.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
-| pti.store.microsoft.com.unistore.akadns.net | HTTPS | Used to communicate with Microsoft Store. |
-| purchase.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
-| ris.api.iris.microsoft.com | HTTPS | Used to retrieve Windows Spotlight metadata. |
-| settings-win.data.microsoft.com | HTTPS | Used for Windows apps to dynamically update their configuration. |
-| sls.update.microsoft.com | HTTPS | Enables connections to Windows Update. |
-| storecatalogrevocation.storequality.microsoft.com | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. |
-| storeedgefd.dsx.mp.microsoft.com | HTTPS | Used to communicate with Microsoft Store. |
-| store-images.s-microsoft.com | HTTPS | Used to get images that are used for Microsoft Store suggestions. |
-| store-images.s-microsoft.com | HTTPS | Used to get images that are used for Microsoft Store suggestions. |
-| *.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. |
-| ceuswatcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
-| ceuswatcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
-| eaus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
-| eaus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
-| weus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
-| weus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
-| tile-service.weather.microsoft.com | HTTP | Used to download updates to the Weather app Live Tile. |
-| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. |
-| v10.vortex-win.data.microsoft.com | HTTPS | Used to retrieve Windows Insider Preview builds. |
-| wallet.microsoft.com | HTTPS | Used by the Microsoft Wallet app. |
-| wdcp.microsoft.akadns.net | HTTPS | Used for Windows Defender when Cloud-based Protection is enabled. |
-| wildcard.twimg.com | TLSv1.2 | Used for the Twitter Live Tile. |
-| www.bing.com | TLSv1.2 | Used for updates for Cortana, apps, and Live Tiles. |
-| www.facebook.com | HTTPS | Used for the Facebook Live Tile. |
-| [www.microsoft.com](https://www.microsoft.com/) | HTTPS | Used for updates for Cortana, apps, and Live Tiles. |
-
-## Windows 10 Education
-
-| **Destination** | **Protocol** | **Description** |
-| --- | --- | --- |
-| *.a-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. |
-| *.b.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. |
-| *.c-msedge.net | HTTP | Used by OfficeHub to get the metadata of Office apps. |
-| *.dscb1.akamaiedge.net | HTTP | Used to check for updates to maps that have been downloaded for offline use. |
-| *.dscd.akamai.net | HTTP | Used to download content. |
-| *.dspb.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. |
-| *.dspw65.akamai.net | HTTP | Used to download content. |
-| *.e-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. |
-| *.g.akamai.net | HTTP | Used to download content. |
-| *.g.akamaiedge.net | TLSv1.2 | Used to check for updates to maps that have been downloaded for offline use. |
-| *.l.windowsupdate.com | HTTP | Enables connections to Windows Update. |
-| *.s-msedge.net | TLSv1.2 | Used by OfficeHub to get the metadata of Office apps. |
-| *.wac.phicdn.net | HTTP | Used by the Verizon Content Delivery Network to perform Windows updates |
-| *.wns.windows.com | TLSv1.2 | Used for the Windows Push Notification Services (WNS). |
-| *prod.do.dsp.mp.microsoft.com | TLSv1.2 | Used for Windows Update downloads of apps and OS updates. |
-| *prod.do.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Used for Windows Update downloads of apps and OS updates. |
-| 3.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. |
-| 3.tlu.dl.delivery.mp.microsoft.com.c.footprint.net | HTTP | Enables connections to Windows Update. |
-| a-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
-| au.download.windowsupdate.com | HTTP | Used to download operating system patches and updates. |
-| cdn.onenote.net | HTTPS | Used for OneNote Live Tile. |
-| cds.*.hwcdn.net | HTTP | Used by the Highwinds Content Delivery Network to perform Windows updates. |
-| co4.telecommand.telemetry.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. |
-| config.edge.skype.com | HTTPS | Used to retrieve Skype configuration values. |
-| ctldl.windowsupdate.com | HTTP | Used to download certificates that are publicly known to be fraudulent. |
-| cs12.wpc.v0cdn.net | HTTP | Used by the Verizon Content Delivery Network to download content for Windows upgrades with Wireless Planning and Coordination (WPC). |
-| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. |
-| cy2.settings.data.microsoft.com.akadns.net | TLSv1.2 | Used as a way for apps to dynamically update their configuration. |
-| cy2.vortex.data.microsoft.com.akadns.net | TLSv1.2 | Used to retrieve Windows Insider Preview builds. |
-| dl.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update. |
-| download.windowsupdate.com | HTTP | Enables connections to Windows Update. |
-| evoke-windowsservices-tas.msedge.net/ab | HTTPS | Used by the Photos app to download configuration files, and to connect to the Microsoft 365 admin center’s shared infrastructure, including Office. |
-| fe2.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
-| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. |
-| fg.download.windowsupdate.com.c.footprint.net | HTTP | Used to download operating system patches and updates. |
-| fp.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
-| g.msn.com.nsatc.net | TLSv1.2\/HTTP | Used to retrieve Windows Spotlight metadata. |
-| geo-prod.do.dsp.mp.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. |
-| geover-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. |
-| go.microsoft.com | HTTPS | Used by a redirection service to automatically update URLs. |
-| gpla1.wac.v2cdn.net | HTTP | Used for Baltimore CyberTrust Root traffic. . |
-| ipv4.login.msa.akadns6.net | TLSv1.2 | Used for Microsoft accounts to sign in. |
-| licensing.mp.microsoft.com | HTTPS | Used for online activation and some app licensing. |
-| location-inference-westus.cloudapp.net | TLSv1.2 | Used for location data. |
-| login.live.com/* | HTTPS | Used to authenticate a device. |
-| l-ring.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
-| mediaredirect.microsoft.com | HTTPS | Used by the Groove Music app to update HTTP handler status. |
-| modern.watson.data.microsoft.com.akadns.net | TLSv1.2 | Used by Windows Error Reporting. |
-| msftconnecttest.com/* | HTTP | Used by Network Connection Status Indicator (NCSI) to detect Internet connectivity and corporate network connectivity status. |
-| msnbot-65-52-108-198.search.msn.com | TLSv1.2 | Used to retrieve Windows Spotlight metadata. |
-| oneclient.sfx.ms | HTTP | Used by OneDrive for Business to download and verify app updates. |
-| peer1-wst.msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
-| pti.store.microsoft.com.unistore.akadns.net | TLSv1.2 | Used to communicate with Microsoft Store. |
-| settings-win.data.microsoft.com | HTTPS | Used for Windows apps to dynamically update their configuration. |
-| sls.update.microsoft.com.nsatc.net | TLSv1.2 | Enables connections to Windows Update. |
-| store-images.s-microsoft.com | HTTPS | Used to get images that are used for Microsoft Store suggestions. |
-| tile-service.weather.microsoft.com | HTTP | Used to download updates to the Weather app Live Tile. |
-| *.telemetry.microsoft.com | HTTPS | Used by Windows Error Reporting. |
-| ceuswatcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
-| ceuswatcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
-| eaus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
-| eaus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
-| weus2watcab01.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
-| weus2watcab02.blob.core.windows.net | HTTPS | Used by Windows Error Reporting. |
-| tsfe.trafficshaping.dsp.mp.microsoft.com | TLSv1.2 | Used for content regulation. |
-| wallet.microsoft.com | HTTPS | Used by the Microsoft Wallet app. |
-| wdcp.microsoft.akadns.net | TLSv1.2 | Used for Windows Defender when Cloud-based Protection is enabled. |
-| www.bing.com | HTTPS | Used for updates for Cortana, apps, and Live Tiles. |
\ No newline at end of file
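Review bot: The endpoint tables are deleted wholesale with nothing in this hunk explaining why this build is no longer documented; the PR description should state the reason and confirm that a redirection entry for this path lands in the same change, since organisations that built egress allow-lists from these tables will otherwise follow a stale link to a 404. Two data-quality defects in the removed content should not be carried into whichever page supersedes it: the Pro table lists `| store-images.s-microsoft.com | HTTPS | Used to get images that are used for Microsoft Store suggestions. |` twice, and both `gpla1.wac.v2cdn.net` rows end with a stray `. .`. Several rows also document plain `HTTP` for update and certificate-trust-list retrieval (for example `| ctldl.windowsupdate.com | HTTP | Used to download certificates that are publicly known to be fraudulent. |`); if those entries survive on the replacement page, a sentence on why unencrypted transport is acceptable there would help readers writing firewall rules.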
diff --git a/windows/privacy/windows-endpoints-1803-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1803-non-enterprise-editions.md
deleted file mode 100644
index b3ec01bc64..0000000000
--- a/windows/privacy/windows-endpoints-1803-non-enterprise-editions.md
+++ /dev/null
@@ -1,166 +0,0 @@
----
-title: Windows 10, version 1803, connection endpoints for non-Enterprise editions
-description: Explains what Windows 10 endpoints are used in non-Enterprise editions. Specific to Windows 10, version 1803.
-keywords: privacy, manage connections to Microsoft, Windows 10, Windows Server 2016
-ms.prod: m365-security
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.localizationpriority: high
-audience: ITPro
-author: dansimp
-ms.author: dansimp
-manager: dansimp
-ms.collection: M365-security-compliance
-ms.topic: article
-ms.date: 12/01/2021
-ms.reviewer:
-ms.technology: privacy
----
-# Windows 10, version 1803, connection endpoints for non-Enterprise editions
-
- **Applies to**
-
-- Windows 10 Home, version 1803
-- Windows 10 Professional, version 1803
-- Windows 10 Education, version 1803
-
-In addition to the endpoints listed for [Windows 10 Enterprise](./manage-windows-1803-endpoints.md), the following endpoints are available on other editions of Windows 10, version 1803.
-
-We used the following methodology to derive these network endpoints:
-
-1. Set up the latest version of Windows 10 on a test virtual machine using the default settings.
-2. Leave the devices running idle for a week (that is, a user is not interacting with the system/device).
-3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
-4. Compile reports on traffic going to public IP addresses.
-5. The test virtual machine was logged in using a local account and was not joined to a domain or Azure Active Directory.
-6. All traffic was captured in our lab using a IPV4 network. Therefore no IPV6 traffic is reported here.
-
-> [!NOTE]
-> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time.
-
-## Windows 10 Family
-
-| **Destination** | **Protocol** | **Description** |
-| --- | --- | --- |
-| *.e-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
-| *.g.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. |
-| *.s-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
-| *.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/ | HTTP | Enables connections to Windows Update. |
-| arc.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. |
-| arc.msn.com/v3/Delivery/Placement | HTTPS | Used to retrieve Windows Spotlight metadata. |
-| client-office365-tas.msedge.net* | HTTPS | Used to connect to the Microsoft 365 admin center’s shared infrastructure, including Office. |
-| config.edge.skype.com/config/* | HTTPS | Used to retrieve Skype configuration values. |
-| ctldl.windowsupdate.com/msdownload/update* | HTTP | Used to download certificates that are publicly known to be fraudulent. |
-| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. |
-| cy2.licensing.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. |
-| cy2.settings.data.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. |
-| displaycatalog.mp.microsoft.com* | HTTPS | Used to communicate with Microsoft Store. |
-| dm3p.wns.notify.windows.com.akadns.net | HTTPS | Used for the Windows Push Notification Services (WNS). |
-| fe2.update.microsoft.com* | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
-| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
-| fe3.delivery.mp.microsoft.com | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
-| g.live.com/odclientsettings/Prod | HTTPS | Used by OneDrive for Business to download and verify app updates. |
-| g.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. |
-| geo-prod.dodsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update. |
-| ip5.afdorigin-prod-am02.afdogw.com | HTTPS | Used to serve office 365 experimentation traffic. |
-| ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in. |
-| licensing.mp.microsoft.com/v7.0/licenses/content | HTTPS | Used for online activation and some app licensing. |
-| location-inference-westus.cloudapp.net | HTTPS | Used for location data. |
-| maps.windows.com/windows-app-web-link | HTTPS | Link to Maps application. |
-| modern.watson.data.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. |
-| ocos-office365-s2s.msedge.net* | HTTPS | Used to connect to the Microsoft 365 admin center's shared infrastructure. |
-| ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities. |
-| oneclient.sfx.ms* | HTTPS | Used by OneDrive for Business to download and verify app updates. |
-| onecollector.cloudapp.aria.akadns.net | HTTPS | Office Telemetry |
-| prod.nexusrules.live.com.akadns.net | HTTPS | Office Telemetry |
-| query.prod.cms.rt.microsoft.com* | HTTPS | Used to retrieve Windows Spotlight metadata. |
-| ris.api.iris.microsoft.com* | HTTPS | Used to retrieve Windows Spotlight metadata. |
-| settings.data.microsoft.com/settings/v2.0/* | HTTPS | Used for Windows apps to dynamically update their configuration. |
-| settings-win.data.microsoft.com/settings/* | HTTPS | Used as a way for apps to dynamically update their configuration. |
-| share.microsoft.com/windows-app-web-link | HTTPS | Traffic related to Books app |
-| sls.update.microsoft.com* | HTTPS | Enables connections to Windows Update. |
-| storecatalogrevocation.storequality.microsoft.com* | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. |
-| storeedgefd.dsx.mp.microsoft.com* | HTTPS | Used to communicate with Microsoft Store. |
-| tile-service.weather.microsoft.com* | HTTP | Used to download updates to the Weather app Live Tile. |
-| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. |
-| us.configsvc1.live.com.akadns.net | HTTPS | Microsoft Office configuration related traffic |
-| watson.telemetry.microsoft.com/Telemetry.Request | HTTPS | Used by Windows Error Reporting. |
-| wd-prod-cp-us-east-2-fe.eastus.cloudapp.azure.com | HTTPS | Azure front end traffic |
-
-
-## Windows 10 Pro
-| **Destination** | **Protocol** | **Description** |
-| --- | --- | --- |
-| *.e-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
-| *.g.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. |
-| *.s-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
-| *.tlu.dl.delivery.mp.microsoft.com/* | HTTP | Enables connections to Windows Update. |
-| *geo-prod.dodsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update. |
-| arc.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. |
-| au.download.windowsupdate.com/* | HTTP | Enables connections to Windows Update. |
-| ctldl.windowsupdate.com/msdownload/update/* | HTTP | Used to download certificates that are publicly known to be fraudulent. |
-| cy2.licensing.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. |
-| cy2.settings.data.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. |
-| dm3p.wns.notify.windows.com.akadns.net | HTTPS | Used for the Windows Push Notification Services (WNS) |
-| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
-| flightingservicewus.cloudapp.net | HTTPS | Insider Program |
-| g.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. |
-| ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in. |
-| location-inference-westus.cloudapp.net | HTTPS | Used for location data. |
-| modern.watson.data.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. |
-| ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities. |
-| onecollector.cloudapp.aria.akadns.net | HTTPS | Office Telemetry |
-| ris.api.iris.microsoft.com.akadns.net | HTTPS | Used to retrieve Windows Spotlight metadata. |
-| tile-service.weather.microsoft.com/* | HTTP | Used to download updates to the Weather app Live Tile. |
-| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. |
-| vip5.afdorigin-prod-am02.afdogw.com | HTTPS | Used to serve office 365 experimentation traffic |
-
-
-## Windows 10 Education
-
-| **Destination** | **Protocol** | **Description** |
-| --- | --- | --- |
-| *.b.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. |
-| *.e-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
-| *.g.akamaiedge.net | HTTPS | Used to check for updates to maps that have been downloaded for offline use. |
-| *.s-msedge.net | HTTPS | Used by OfficeHub to get the metadata of Office apps. |
-| *.telecommand.telemetry.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. |
-| *.tlu.dl.delivery.mp.microsoft.com* | HTTP | Enables connections to Windows Update. |
-| *.windowsupdate.com* | HTTP | Enables connections to Windows Update. |
-| *geo-prod.do.dsp.mp.microsoft.com | HTTPS | Enables connections to Windows Update. |
-| au.download.windowsupdate.com* | HTTP | Enables connections to Windows Update. |
-| cdn.onenote.net/livetile/* | HTTPS | Used for OneNote Live Tile. |
-| client-office365-tas.msedge.net/* | HTTPS | Used to connect to the Microsoft 365 admin center’s shared infrastructure, including Office. |
-| cloudtile.photos.microsoft.com.akadns.net | HTTPS | Photos App in MS Store
-| config.edge.skype.com/* | HTTPS | Used to retrieve Skype configuration values. |
-| ctldl.windowsupdate.com/* | HTTP | Used to download certificates that are publicly known to be fraudulent. |
-| cy2.displaycatalog.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. |
-| cy2.licensing.md.mp.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. |
-| cy2.settings.data.microsoft.com.akadns.net | HTTPS | Used to communicate with Microsoft Store. |
-| displaycatalog.mp.microsoft.com/* | HTTPS | Used to communicate with Microsoft Store. |
-| download.windowsupdate.com/* | HTTPS | Enables connections to Windows Update. |
-| emdl.ws.microsoft.com/* | HTTP | Used to download apps from the Microsoft Store. |
-| fe2.update.microsoft.com/* | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
-| fe3.delivery.dsp.mp.microsoft.com.nsatc.net | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
-| fe3.delivery.mp.microsoft.com/* | HTTPS | Enables connections to Windows Update, Microsoft Update, and the online services of Microsoft Store. |
-| flightingservicewus.cloudapp.net | HTTPS | Insider Program |
-| g.live.com/odclientsettings/* | HTTPS | Used by OneDrive for Business to download and verify app updates. |
-| g.msn.com.nsatc.net | HTTPS | Used to retrieve Windows Spotlight metadata. |
-| ipv4.login.msa.akadns6.net | HTTPS | Used for Microsoft accounts to sign in. |
-| licensing.mp.microsoft.com/* | HTTPS | Used for online activation and some app licensing. |
-| maps.windows.com/windows-app-web-link | HTTPS | Link to Maps application |
-| modern.watson.data.microsoft.com.akadns.net | HTTPS | Used by Windows Error Reporting. |
-| ocos-office365-s2s.msedge.net/* | HTTPS | Used to connect to the Microsoft 365 admin center's shared infrastructure. |
-| ocsp.digicert.com* | HTTP | CRL and OCSP checks to the issuing certificate authorities. |
-| oneclient.sfx.ms/* | HTTPS | Used by OneDrive for Business to download and verify app updates. |
-| onecollector.cloudapp.aria.akadns.net | HTTPS | Office telemetry |
-| settings-win.data.microsoft.com/settings/* | HTTPS | Used as a way for apps to dynamically update their configuration. |
-| share.microsoft.com/windows-app-web-link | HTTPS | Traffic related to Books app |
-| sls.update.microsoft.com/* | HTTPS | Enables connections to Windows Update. |
-| storecatalogrevocation.storequality.microsoft.com/* | HTTPS | Used to revoke licenses for malicious apps on the Microsoft Store. |
-| tile-service.weather.microsoft.com/* | HTTP | Used to download updates to the Weather app Live Tile. |
-| tsfe.trafficshaping.dsp.mp.microsoft.com | HTTPS | Used for content regulation. |
-| vip5.afdorigin-prod-ch02.afdogw.com | HTTPS | Used to serve office 365 experimentation traffic. |
-| watson.telemetry.microsoft.com/Telemetry.Request | HTTPS | Used by Windows Error Reporting. |
-| wd-prod-cp-us-west-3-fe.westus.cloudapp.azure.com | HTTPS | Azure front end traffic |
-| www.bing.com/* | HTTPS | Used for updates for Cortana, apps, and Live Tiles. |
\ No newline at end of file
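Review bot: this hunk deletes the rest of the endpoint table and nothing in it says where the list now lives; since administrators use these rows as a firewall allow-list, the deletion should ship with a redirect to the successor endpoint page so bookmarked links keep resolving. If the `ctldl.windowsupdate.com` row is carried over, reword its description: the endpoint serves the disallowed-certificate trust list (the CTL of untrusted certificates), it does not "download certificates that are publicly known to be fraudulent".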
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
index 57e428e8b6..c04d24c0e6 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md
@@ -15,7 +15,7 @@ ms.collection:
- highpri
ms.topic: article
localizationpriority: medium
-ms.date: 01/21/2021
+ms.date: 02/15/2022
---
# Windows Hello for Business Deployment Overview
@@ -28,10 +28,7 @@ Windows Hello for Business is the springboard to a world without passwords. It r
This deployment overview is to guide you through deploying Windows Hello for Business. Your first step should be to use the Passwordless Wizard in the [Microsoft 365 admin center](https://admin.microsoft.com/AdminPortal/Home#/modernonboarding/passwordlesssetup) or the [Planning a Windows Hello for Business Deployment](hello-planning-guide.md) guide to determine the right deployment model for your organization.
-Once you've chosen a deployment model, the deployment guide for the that model will provide you with the information needed to successfully deploy Windows Hello for Business in your environment.
-
-> [!NOTE]
-> Read the [Windows Hello for Business Deployment Prerequisite Overview](hello-identity-verification.md) for a summary of the prerequisites for each different Windows Hello for Business deployment model.
+Once you've chosen a deployment model, the deployment guide for that model will provide you with the information needed to successfully deploy Windows Hello for Business in your environment. Read the [Windows Hello for Business Deployment Prerequisite Overview](hello-identity-verification.md) for a summary of the prerequisites for each different Windows Hello for Business deployment model.
## Assumptions
@@ -42,7 +39,7 @@ This guide assumes that baseline infrastructure exists which meets the requireme
- Multi-factor Authentication is required during Windows Hello for Business provisioning
- Proper name resolution, both internal and external names
- Active Directory and an adequate number of domain controllers per site to support authentication
-- Active Directory Certificate Services 2012 or later
+- Active Directory Certificate Services 2012 or later (Note: certificate services are not needed for cloud trust deployments)
- One or more workstation computers running Windows 10, version 1703 or later
If you are installing a server role for the first time, ensure the appropriate server operating system is installed, updated with the latest patches, and joined to the domain. This document provides guidance to install and configure the specific roles on that server.
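Review bot: the parenthetical added to the Active Directory Certificate Services bullet is the only cloud trust exception in this assumptions list, yet the workstation bullet still reads "Windows 10, version 1703 or later" unqualified, while the deployment-models text below conditions cloud trust on "if the clients in your enterprise support it"; state the cloud trust client minimum on that bullet too, or link the cloud trust guide's prerequisites. Style: no other bullet carries an inline "Note:", so a trailing "(not required for cloud trust)" matches the list better.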
@@ -51,36 +48,33 @@ Do not begin your deployment until the hosting servers and infrastructure (not r
## Deployment and trust models
-Windows Hello for Business has three deployment models: Azure AD cloud only, hybrid, and on-premises. Hybrid and on-premises deployment models have two trust models: *Key trust* and *certificate trust*.
-
-> [!NOTE]
-> Windows Hello for Business is introducing a new trust model called cloud trust in early 2022. This trust model will enable deployment of Windows Hello for Business using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). More information will be available on Windows Hello for Business cloud trust once it is generally available.
+Windows Hello for Business has three deployment models: Azure AD cloud only, hybrid, and on-premises. Hybrid has three trust models: *Key trust*, *certificate trust*, and *cloud trust*. On-premises deployment models only support *Key trust* and *certificate trust*.
Hybrid deployments are for enterprises that use Azure Active Directory. On-premises deployments are for enterprises who exclusively use on-premises Active Directory. Remember that the environments that use Azure Active Directory must use the hybrid deployment model for all domains in that forest.
The trust model determines how you want users to authenticate to the on-premises Active Directory:
-- The key-trust model is for enterprises who do not want to issue end-entity certificates to their users and have an adequate number of 2016 domain controllers in each site to support authentication.
-- The certificate-trust model is for enterprise that *do* want to issue end-entity certificates to their users and have the benefits of certificate expiration and renewal, similar to how smart cards work today.
+- The key-trust model is for enterprises who do not want to issue end-entity certificates to their users and have an adequate number of 2016 domain controllers in each site to support authentication. This still requires Active Directory Certificate Services for domain controller certificates.
+- The cloud-trust model is also for hybrid enterprises who do not want to issue end-entity certificates to their users and have an adequate number of 2016 domain controllers in each site to support authentication. This trust model is simpler to deploy than key trust and does not require Active Directory Certificate Services. We recommend using cloud trust instead of key trust if the clients in your enterprise support it.
+- The certificate-trust model is for enterprises that *do* want to issue end-entity certificates to their users and have the benefits of certificate expiration and renewal, similar to how smart cards work today.
- The certificate trust model also supports enterprises which are not ready to deploy Windows Server 2016 Domain Controllers.
-> [!NOTE]
-> RDP does not support authentication with Windows Hello for Business key trust deployments as a supplied credential. RDP is only supported with certificate trust deployments as a supplied credential at this time. Windows Hello for Business key trust can be used with [Windows Defender Remote Credential Guard](../remote-credential-guard.md).
+> [!Note]
+> RDP does not support authentication with Windows Hello for Business key trust or cloud trust deployments as a supplied credential. RDP is only supported with certificate trust deployments as a supplied credential at this time. Windows Hello for Business key trust and cloud trust can be used with [Windows Defender Remote Credential Guard](../remote-credential-guard.md).
Following are the various deployment guides and models included in this topic:
+- [Hybrid Azure AD Joined Cloud Trust Deployment](hello-hybrid-cloud-trust.md)
- [Hybrid Azure AD Joined Key Trust Deployment](hello-hybrid-key-trust.md)
- [Hybrid Azure AD Joined Certificate Trust Deployment](hello-hybrid-cert-trust.md)
- [Azure AD Join Single Sign-on Deployment Guides](hello-hybrid-aadj-sso.md)
- [On Premises Key Trust Deployment](hello-deployment-key-trust.md)
- [On Premises Certificate Trust Deployment](hello-deployment-cert-trust.md)
-> [!NOTE]
-> For Windows Hello for Business hybrid [certificate trust prerequisites](hello-hybrid-cert-trust-prereqs.md#directory-synchronization) and [key trust prerequisites](hello-hybrid-key-trust-prereqs.md#directory-synchronization) deployments, you will need Azure Active Directory Connect to synchronize user accounts in the on-premises Active Directory with Azure Active Directory. For on-premises deployments, both key and certificate trust, use the Azure MFA server where the credentials are not synchronized to Azure Active Directory. Learn how to [deploy Multifactor Authentication Services (MFA) for key trust](hello-key-trust-validate-deploy-mfa.md) and [for certificate trust](hello-cert-trust-validate-deploy-mfa.md) deployments.
+For Windows Hello for Business hybrid [certificate trust prerequisites](hello-hybrid-cert-trust-prereqs.md#directory-synchronization) and [key trust prerequisites](hello-hybrid-key-trust-prereqs.md#directory-synchronization) deployments, you will need Azure Active Directory Connect to synchronize user accounts in the on-premises Active Directory with Azure Active Directory. For on-premises deployments, both key and certificate trust, use the Azure MFA server where the credentials are not synchronized to Azure Active Directory. Learn how to [deploy Multifactor Authentication Services (MFA) for key trust](hello-key-trust-validate-deploy-mfa.md) and [for certificate trust](hello-cert-trust-validate-deploy-mfa.md) deployments.
## Provisioning
Windows Hello for Business provisioning begins immediately after the user has signed in, after the user profile is loaded, but before the user receives their desktop. Windows only launches the provisioning experience if all the prerequisite checks pass. You can determine the status of the prerequisite checks by viewing the **User Device Registration** in the **Event Viewer** under **Applications and Services Logs\Microsoft\Windows**.
-> [!NOTE]
-> You need to allow access to the URL account.microsoft.com to initiate Windows Hello for Business provisioning. This URL launches the subsequent steps in the provisioning process and is required to successfully complete Windows Hello for Business provisioning. This URL does not require any authentication and as such, does not collect any user data.
+Note that you need to allow access to the URL account.microsoft.com to initiate Windows Hello for Business provisioning. This URL launches the subsequent steps in the provisioning process and is required to successfully complete Windows Hello for Business provisioning. This URL does not require any authentication and as such, does not collect any user data.
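Review bot: the prerequisites paragraph ("For Windows Hello for Business hybrid certificate trust prerequisites and key trust prerequisites deployments, you will need Azure Active Directory Connect ...") was converted from a callout but not updated for the cloud trust model this hunk adds to the deployment list above it; hybrid cloud trust likewise depends on the on-premises accounts being synchronized, so add a cloud trust prerequisites link beside the other two. Two smaller points: the callout marker was changed from `[!NOTE]` to `[!Note]`, which breaks with the uppercase `[!NOTE]`/`[!IMPORTANT]` used elsewhere in these files, and the cloud-trust bullet says it is "simpler to deploy than key trust" without naming the one thing it adds (the Azure AD Kerberos trust object in the on-premises domain), which is exactly what a reader choosing between the two needs to weigh.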
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
index 892f986c01..a0afa94e49 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
@@ -12,7 +12,7 @@ manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
-ms.date: 08/19/2018
+ms.date: 02/15/2022
ms.reviewer:
---
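Review bot: `ms.date` is written zero-padded here (`02/15/2022`) but the same edit in hello-how-it-works-provisioning.md further down writes `2/15/2022`; use one form in all three files so the metadata stays consistent.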
# Windows Hello for Business and Authentication
@@ -22,31 +22,46 @@ ms.reviewer:
- Windows 10
- Windows 11
-Windows Hello for Business authentication is passwordless, two-factor authentication. Authenticating with Windows Hello for Business provides a convenient sign-in experience that authenticates the user to both Azure Active Directory and Active Directory resources.
-Azure Active Directory joined devices authenticate to Azure during sign-in and can optional authenticate to Active Directory. Hybrid Azure Active Directory joined devices authenticate to Active Directory during sign-in, and authenticate to Azure Active Directory in the background.
+Windows Hello for Business authentication is passwordless, two-factor authentication. Authenticating with Windows Hello for Business provides a convenient sign-in experience that authenticates the user to both Azure Active Directory and Active Directory resources.
-[Azure AD join authentication to Azure Active Directory](#azure-ad-join-authentication-to-azure-active-directory)
-[Azure AD join authentication to Active Directory using a Key](#azure-ad-join-authentication-to-active-directory-using-a-key)
-[Azure AD join authentication to Active Directory using a Certificate](#azure-ad-join-authentication-to-active-directory-using-a-certificate)
-[Hybrid Azure AD join authentication using a Key](#hybrid-azure-ad-join-authentication-using-a-key)
-[Hybrid Azure AD join authentication using a Certificate](#hybrid-azure-ad-join-authentication-using-a-certificate)
+Azure Active Directory joined devices authenticate to Azure during sign-in and can optionally authenticate to Active Directory. Hybrid Azure Active Directory joined devices authenticate to Active Directory during sign-in, and authenticate to Azure Active Directory in the background.
+- [Azure AD join authentication to Azure Active Directory](#azure-ad-join-authentication-to-azure-active-directory)
+- [Azure AD join authentication to Active Directory using Azure AD Kerberos (cloud trust preview)](#azure-ad-join-authentication-to-active-directory-using-azure-ad-kerberos-cloud-trust-preview)
+- [Azure AD join authentication to Active Directory using a key](#azure-ad-join-authentication-to-active-directory-using-a-key)
+- [Azure AD join authentication to Active Directory using a certificate](#azure-ad-join-authentication-to-active-directory-using-a-certificate)
+- [Hybrid Azure AD join authentication using Azure AD Kerberos (cloud trust preview)](#hybrid-azure-ad-join-authentication-using-azure-ad-kerberos-cloud-trust-preview)
+- [Hybrid Azure AD join authentication using a key](#hybrid-azure-ad-join-authentication-using-a-key)
+- [Hybrid Azure AD join authentication using a certificate](#hybrid-azure-ad-join-authentication-using-a-certificate)
## Azure AD join authentication to Azure Active Directory
+

+> [!NOTE]
+> All Azure AD joined devices authenticate with Windows Hello for Business to Azure AD the same way. The Windows Hello for Business trust type only impacts how the device authenticates to on-premises AD.
+
| Phase | Description |
| :----: | :----------- |
|A | Authentication begins when the user dismisses the lock screen, which triggers winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to winlogon. Winlogon passes the collected credentials to lsass. Lsass passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider.|
|B | The Cloud AP provider requests a nonce from Azure Active Directory. Azure AD returns a nonce. The Cloud AP provider signs the nonce using the user's private key and returns the signed nonce to the Azure Active Directory.|
|C | Azure Active Directory validates the signed nonce using the user's securely registered public key against the nonce signature. After validating the signature, Azure AD then validates the returned signed nonce. After validating the nonce, Azure AD creates a PRT with session key that is encrypted to the device's transport key and returns it to the Cloud AP provider.|
|D | The Cloud AP provider receives the encrypted PRT with session key. Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.|
-|E | The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT, and informs winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
+|E | The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT, and informs winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
+
+## Azure AD join authentication to Active Directory using Azure AD Kerberos (cloud trust preview)
+
+
+
+| Phase | Description |
+| :----: | :----------- |
+|A | Authentication to Active Directory from an Azure AD joined device begins with the user first attempts to use a resource that needs Kerberos authentication. The Kerberos security support provider, hosted in lsass, uses metadata from the Windows Hello for Business key to get a hint of the user's domain. Using the hint, the provider uses the DClocator service to locate a 2016 domain controller.
+|B | After locating an active 2016 domain controller, the Kerberos provider sends a partial TGT that it received from Azure AD from a previous Azure AD authentication to the domain controller. The partial TGT contains only the user SID and is signed by Azure AD Kerberos. The domain controller will verify that the partial TGT is valid. On success, the KDC returns a TGT to the client.|
+
+## Azure AD join authentication to Active Directory using a key
-## Azure AD join authentication to Active Directory using a Key

-
| Phase | Description |
| :----: | :----------- |
|A | Authentication to Active Directory from an Azure AD joined device begins with the user first attempts to use a resource that needs Kerberos authentication. The Kerberos security support provider, hosted in lsass, uses metadata from the Windows Hello for Business key to get a hint of the user's domain. Using the hint, the provider uses the DClocator service to locate a 2016 domain controller. After the provider locates an active 2016 domain controller, the provider uses the private key to sign the Kerberos pre-authentication data.|
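Review bot: in the new "Azure AD join authentication to Active Directory using Azure AD Kerberos (cloud trust preview)" table, phase B says the domain controller "will verify that the partial TGT is valid" but not what it verifies it against; half a sentence stating that the KDC checks the Azure AD Kerberos signature using the Azure AD Kerberos server object created in the domain would close the gap and match the detail the key and certificate tables give for the KERB_AS_REQ/KERB_AS_REP exchange. Also, the new phase A row omits the closing `|` the other rows use, and "begins with the user first attempts to use" (copied from the key-trust row) should read "begins when the user first attempts to use".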
@@ -56,28 +71,40 @@ Azure Active Directory joined devices authenticate to Azure during sign-in and c
> [!NOTE]
> You might have an on-premises domain federated with Azure AD. Once you have successfully provisioned Windows Hello for Business PIN/Bio on the Azure AD joined device, any future login of Windows Hello for Business (PIN/Bio) sign-in will directly authenticate against Azure AD to get PRT and trigger authenticate against your DC (if LOS to DC is available) to get Kerberos. It no longer uses AD FS to authenticate for Windows Hello for Business sign-ins.
+## Azure AD join authentication to Active Directory using a certificate
-## Azure AD join authentication to Active Directory using a Certificate

| Phase | Description |
| :----: | :----------- |
-|A | Authentication to Active Directory from a Azure AD joined device begins with the user first attempts to use a resource that needs Kerberos authentication. The Kerberos security support provider, hosted in lsass, uses information from the certificate to get a hint of the user's domain. Kerberos can use the distinguished name of the user found in the subject of the certificate, or it can use the user principal name of the user found in the subject alternate name of the certificate. Using the hint, the provider uses the DClocator service to locate a domain controller. After the provider locates an active domain controller, the provider uses the private key to sign the Kerberos pre-authentication data.|
+|A | Authentication to Active Directory from an Azure AD joined device begins with the user first attempts to use a resource that needs Kerberos authentication. The Kerberos security support provider, hosted in lsass, uses information from the certificate to get a hint of the user's domain. Kerberos can use the distinguished name of the user found in the subject of the certificate, or it can use the user principal name of the user found in the subject alternate name of the certificate. Using the hint, the provider uses the DClocator service to locate a domain controller. After the provider locates an active domain controller, the provider uses the private key to sign the Kerberos pre-authentication data.|
|B | The Kerberos provider sends the signed pre-authentication data and user's certificate, which includes the public key, to the Key Distribution Center (KDC) service running on the domain controller in the form of a KERB_AS_REQ.
The domain controller determines the certificate is not self-signed certificate. The domain controller ensures the certificate chains to trusted root certificate, is within its validity period, can be used for authentication, and has not been revoked. It retrieves the public key and UPN from the certificate included in the KERB_AS_REQ and searches for the UPN in Active Directory. It validates the signed pre-authentication data using the public key from the certificate. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.|
|C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it has not been revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating. After passing this criteria, Kerberos returns the TGT to lsass, where it is cached and used for subsequent service ticket requests.|
> [!NOTE]
> You may have an on-premises domain federated with Azure AD. Once you have successfully provisioned Windows Hello for Business PIN/Bio on, any future login of Windows Hello for Business (PIN/Bio) sign-in will directly authenticate against Azure AD to get PRT, as well as authenticate against your DC (if LOS to DC is available) to get Kerberos as mentioned previously. AD FS federation is used only when Enterprise PRT calls are placed from the client. You need to have device write-back enabled to get "Enterprise PRT" from your federation.
+## Hybrid Azure AD join authentication using Azure AD Kerberos (cloud trust preview)
-## Hybrid Azure AD join authentication using a Key
-
+
+
+| Phase | Description |
+| :----: | :----------- |
+|A | Authentication begins when the user dismisses the lock screen, which triggers winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to winlogon. Winlogon passes the collected credentials to lsass. Lsass queries Windows Hello for Business policy to check if cloud trust is enabled. If cloud trust is enabled, Lsass passes the collected credentials to the Cloud Authentication security support provider, or Cloud AP. Cloud AP requests a nonce from Azure Active Directory. Azure AD returns a nonce.
+|B | Cloud AP signs the nonce using the user's private key and returns the signed nonce to Azure AD.
+|C | Azure AD validates the signed nonce using the user's securely registered public key against the nonce signature. After validating the signature, Azure AD then validates the returned signed nonce. After validating the nonce, Azure AD creates a PRT with session key that is encrypted to the device's transport key and creates a Partial TGT from Azure AD Kerberos and returns them to Cloud AP.
+|D | Cloud AP receives the encrypted PRT with session key. Using the device's private transport key, Cloud AP decrypts the session key and protects the session key using the device's TPM (if available). Cloud AP returns a successful authentication response to lsass. Lsass caches the PRT and the Partial TGT.
+|E | The Kerberos security support provider, hosted in lsass, uses metadata from the Windows Hello for Business key to get a hint of the user's domain. Using the hint, the provider uses the DClocator service to locate a 2016 domain controller. After locating an active 2016 domain controller, the Kerberos provider sends the partial TGT that it received from Azure AD to the domain controller. The partial TGT contains only the user SID and is signed by Azure AD Kerberos. The domain controller will verify that the partial TGT is valid. On success, the KDC returns a TGT to the client. Kerberos will return the TGT to lsass, where it is cached and used for subsequent service ticket requests. Lsass informs winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
+
+## Hybrid Azure AD join authentication using a key
+
+
| Phase | Description |
| :----: | :----------- |
|A | Authentication begins when the user dismisses the lock screen, which triggers winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to winlogon. Winlogon passes the collected credentials to lsass. Lsass passes the collected credentials to the Kerberos security support provider. The Kerberos provider gets domain hints from the domain joined workstation to locate a domain controller for the user.|
-|B | The Kerberos provider sends the signed pre-authentication data and the user's public key (in the form of a self-signed certificate) to the Key Distribution Center (KDC) service running on the 2016 domain controller in the form of a KERB_AS_REQ.
The 2016 domain controller determines the certificate is a self-signed certificate. It retrieves the public key from the certificate included in the KERB_AS_REQ and searches for the public key in Active Directory. It validates the UPN for authentication request matches the UPN registered in Active Directory and validates the signed pre-authentication data using the public key from Active Directory. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.|
-|C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it has not been revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating.
+|B | The Kerberos provider sends the signed pre-authentication data and the user's public key (in the form of a self-signed certificate) to the Key Distribution Center (KDC) service running on the 2016 domain controller in the form of a KERB_AS_REQ.
The 2016 domain controller determines the certificate is a self-signed certificate. It retrieves the public key from the certificate included in the KERB_AS_REQ and searches for the public key in Active Directory. It validates the UPN for authentication request matches the UPN registered in Active Directory and validates the signed pre-authentication data using the public key from Active Directory. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.|
+|C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it has not been revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating.
|D | After passing this criteria, Kerberos returns the TGT to lsass, where it is cached and used for subsequent service ticket requests.|
|E | Lsass informs winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
|F | While Windows loads the user's desktop, lsass passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider. The Cloud AP provider requests a nonce from Azure Active Directory. Azure AD returns a nonce.|
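Review bot: phase E of the new "Hybrid Azure AD join authentication using Azure AD Kerberos (cloud trust preview)" table bundles DC location, the partial-TGT exchange, TGT caching and winlogon session creation into one cell, while the neighbouring key and certificate tables give each of those its own phase; split it, and name the Kerberos exchange that carries the partial TGT the way the other tables name KERB_AS_REQ/KERB_AS_REP, so the flows stay comparable. Consistency nits in rows A to D: they say "Cloud AP" where the rest of the page says "the Cloud AP provider", they omit the closing `|` the other rows have, and row D adds "(if available)" to the TPM protection step that the equivalent Azure AD join row states unconditionally; if TPM-less devices are in scope, say so in both places.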
@@ -86,14 +113,15 @@ Azure Active Directory joined devices authenticate to Azure during sign-in and c
> [!IMPORTANT]
> In the above deployment model, a newly provisioned user will not be able to sign in using Windows Hello for Business until (a) Azure AD Connect successfully synchronizes the public key to the on-premises Active Directory and (b) device has line of sight to the domain controller for the first time.
-## Hybrid Azure AD join authentication using a Certificate
+## Hybrid Azure AD join authentication using a certificate
+

| Phase | Description |
| :----: | :----------- |
|A | Authentication begins when the user dismisses the lock screen, which triggers winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to winlogon. Winlogon passes the collected credentials to lsass. Lsass passes the collected credentials to the Kerberos security support provider. The Kerberos provider gets domain hints from the domain joined workstation to locate a domain controller for the user.|
-|B | The Kerberos provider sends the signed pre-authentication data and user's certificate, which includes the public key, to the Key Distribution Center (KDC) service running on the domain controller in the form of a KERB_AS_REQ.
The domain controller determines the certificate is not self-signed certificate. The domain controller ensures the certificate chains to trusted root certificate, is within its validity period, can be used for authentication, and has not been revoked. It retrieves the public key and UPN from the certificate included in the KERB_AS_REQ and searches for the UPN in Active Directory. It validates the signed pre-authentication data using the public key from the certificate. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.|
-|C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it has not been revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating.
+|B | The Kerberos provider sends the signed pre-authentication data and user's certificate, which includes the public key, to the Key Distribution Center (KDC) service running on the domain controller in the form of a KERB_AS_REQ.
The domain controller determines the certificate is not self-signed certificate. The domain controller ensures the certificate chains to trusted root certificate, is within its validity period, can be used for authentication, and has not been revoked. It retrieves the public key and UPN from the certificate included in the KERB_AS_REQ and searches for the UPN in Active Directory. It validates the signed pre-authentication data using the public key from the certificate. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.|
+|C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it has not been revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating.
|D | After passing this criteria, Kerberos returns the TGT to lsass, where it is cached and used for subsequent service ticket requests.|
|E | Lsass informs winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
|F | While Windows loads the user's desktop, lsass passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider. The Cloud AP provider requests a nonce from Azure Active Directory. Azure AD returns a nonce.|
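Review bot: the rewritten `+|B |` and `+|C |` rows leave grammatical slips in the surrounding text that this hunk is the natural place to fix. The B row's continuation still reads "determines the certificate is not self-signed certificate" and "chains to trusted root certificate" (both missing "a"), and the unchanged E row below reads "informs winlogon of the success authentication" (should be "successful authentication"). In the C row, "verifies the certificate has the KDC Authentication present" is clearer as "has the KDC Authentication EKU present", since it is the extended key usage on the domain controller's certificate that the client checks; together with the SAN-to-domain check in the same sentence, that is the step which keeps the client from accepting a KERB_AS_REP signed by a certificate not issued for a KDC, so the wording deserves precision.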
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
index bf92834f9b..521b4364a4 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
@@ -12,85 +12,109 @@ manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
-ms.date: 08/19/2018
+ms.date: 2/15/2022
ms.reviewer:
---
# Windows Hello for Business Provisioning
**Applies to:**
+
- Windows 10
- Windows 11
Windows Hello for Business provisioning enables a user to enroll a new, strong, two-factor credential that they can use for passwordless authentication. Provisioning experience vary based on:
+
- How the device is joined to Azure Active Directory
- The Windows Hello for Business deployment type
- If the environment is managed or federated
-[Azure AD joined provisioning in a Managed environment](#azure-ad-joined-provisioning-in-a-managed-environment)
-[Azure AD joined provisioning in a Federated environment](#azure-ad-joined-provisioning-in-a-federated-environment)
-[Hybrid Azure AD joined provisioning in a Key Trust deployment in a Managed environment](#hybrid-azure-ad-joined-provisioning-in-a-key-trust-deployment-in-a-managed-environment)
-[Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Federated environment](#hybrid-azure-ad-joined-provisioning-in-a-synchronous-certificate-trust-deployment-in-a-federated-environment)
-[Domain joined provisioning in an On-premises Key Trust deployment](#domain-joined-provisioning-in-an-on-premises-key-trust-deployment)
-[Domain joined provisioning in an On-premises Certificate Trust deployment](#domain-joined-provisioning-in-an-on-premises-certificate-trust-deployment)
+List of provisioning flows:
+
+- [Azure AD joined provisioning in a managed environment](#azure-ad-joined-provisioning-in-a-managed-environment)
+- [Azure AD joined provisioning in a federated environment](#azure-ad-joined-provisioning-in-a-federated-environment)
+- [Hybrid Azure AD joined provisioning in a cloud trust (preview) deployment in a managed environment](#hybrid-azure-ad-joined-provisioning-in-a-cloud-trust-preview-deployment-in-a-managed-environment)
+- [Hybrid Azure AD joined provisioning in a key trust deployment in a managed environment](#hybrid-azure-ad-joined-provisioning-in-a-key-trust-deployment-in-a-managed-environment)
+- [Hybrid Azure AD joined provisioning in a synchronous certificate trust deployment in a federated environment](#hybrid-azure-ad-joined-provisioning-in-a-synchronous-certificate-trust-deployment-in-a-federated-environment)
+- [Domain joined provisioning in an On-premises key trust deployment](#domain-joined-provisioning-in-an-on-premises-key-trust-deployment)
+- [Domain joined provisioning in an On-premises certificate trust deployment](#domain-joined-provisioning-in-an-on-premises-certificate-trust-deployment)
> [!NOTE]
> The flows in this section are not exhaustive for every possible scenario. For example, Federated Key Trust is also a supported configuration.
+## Azure AD joined provisioning in a managed environment
-## Azure AD joined provisioning in a Managed environment
-
+
[Full size image](images/howitworks/prov-aadj-managed.png)
| Phase | Description |
| :----: | :----------- |
-| A|The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Azure Device Registration Service (ADRS). The application makes the request using the Azure Active Directory Web Account Manager plug-in.
Users must provide two factors of authentication. In this phase, the user has already provided one factor of authentication, typically user name and password. Azure MFA services provides the second factor of authentication. If the user has performed Azure MFA within the last 10 minutes, such as when registering the device from the out-of-box-experience (OOBE), then they are not prompted for MFA because the current MFA remains valid.
Azure Active Directory validates the access token request and the MFA claim associated with it, creates an ADRS access token, and returns it to the application. |
-|B | After receiving a ADRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pre-generation pool, which includes attestation data. This is the user key (ukpub/ukpriv).|
-|C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates the MFA claim remains current. On successful validation, Azure DRS locates the user's object in Azure Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Azure Active Directory returns a key ID to the application which signals the end of user provisioning and the application exits.|
+| A|The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Azure Device Registration Service (ADRS). The application makes the request using the Azure Active Directory Web Account Manager plug-in.
Users must provide two factors of authentication. In this phase, the user has already provided one factor of authentication, typically user name and password. The Azure MFA service provides the second factor of authentication. If the user has performed Azure MFA within the last 10 minutes, such as when registering the device from the out-of-box-experience (OOBE), then they are not prompted for MFA because the current MFA remains valid.
Azure Active Directory validates the access token request and the MFA claim associated with it, creates an ADRS access token, and returns it to the application. |
+|B | After receiving an ADRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pre-generation pool, which includes attestation data. This is the user key (ukpub/ukpriv).|
+|C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates the MFA claim remains current. On successful validation, Azure DRS locates the user's object in Azure Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Azure Active Directory returns a key ID to the application which signals the end of user provisioning and the application exits.|
[Return to top](#windows-hello-for-business-provisioning)
-## Azure AD joined provisioning in a Federated environment
-
+
+## Azure AD joined provisioning in a federated environment
+
+
[Full size image](images/howitworks/prov-aadj-federated.png)
| Phase | Description |
| :----: | :----------- |
-| A|The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Azure Device Registration Service (ADRS). The application makes the request using the Azure Active Directory Web Account Manager plug-in.
In a federated environment, the plug-in sends the token request to the on-premises STS, such as Active Directory Federation Services. The on-premises STS authenticates the user and determines if the user should perform another factor of authentication.
Users must provide two factors of authentication. In this phase, the user has already provided one factor of authentication, typically user name and password. Azure MFA services provides the second factor of authentication. If the user has performed Azure MFA within the last 10 minutes, such as when registering the device from the out-of-box-experience (OOBE), then they are not prompted for MFA because the current MFA remains valid.
The on-premises STS server issues a enterprise token on successful MFA. The application sends the token to Azure Active Directory.
Azure Active Directory validates the access token request and the MFA claim associated with it, creates an ADRS access token, and returns it to the application. |
-|B | After receiving a ADRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pre-generation pool, which includes attestation data. This is the user key (ukpub/ukpriv).|
+| A|The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Azure Device Registration Service (ADRS). The application makes the request using the Azure Active Directory Web Account Manager plug-in.
In a federated environment, the plug-in sends the token request to the on-premises STS, such as Active Directory Federation Services. The on-premises STS authenticates the user and determines if the user should perform another factor of authentication.
Users must provide two factors of authentication. In this phase, the user has already provided one factor of authentication, typically user name and password. The Azure MFA service provides the second factor of authentication. If the user has performed Azure MFA within the last 10 minutes, such as when registering the device from the out-of-box-experience (OOBE), then they are not prompted for MFA because the current MFA remains valid.
The on-premises STS server issues an enterprise token on successful MFA. The application sends the token to Azure Active Directory.
Azure Active Directory validates the access token request and the MFA claim associated with it, creates an ADRS access token, and returns it to the application. |
+|B | After receiving an ADRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pre-generation pool, which includes attestation data. This is the user key (ukpub/ukpriv).|
|C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates MFA claim remains current. On successful validation, Azure DRS locates the user's object in Azure Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Azure Active Directory returns key ID to the application which signals the end of user provisioning and the application exits.|
[Return to top](#windows-hello-for-business-provisioning)
-## Hybrid Azure AD joined provisioning in a Key Trust deployment in a Managed environment
-
+
+## Hybrid Azure AD joined provisioning in a cloud trust (preview) deployment in a managed environment
+
+
+[Full size image](images/howitworks/prov-haadj-cloudtrust-managed.png)
+
+| Phase | Description |
+|:-----:|:----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| A | The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Azure Device Registration Service (ADRS). The application makes the request using the Azure Active Directory Web Account Manager plug-in.
Users must provide two factors of authentication. In this phase, the user has already provided one factor of authentication, typically user name and password. The Azure MFA service provides the second factor of authentication. If the user has performed Azure MFA within the last 10 minutes, such as when registering the device from the out-of-box-experience (OOBE), then they are not prompted for MFA because the current MFA remains valid.
Azure Active Directory validates the access token request and the MFA claim associated with it, creates an ADRS access token, and returns it to the application. |
+| B | After receiving an ADRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pre-generation pool, which includes attestation data. This is the user key (ukpub/ukpriv). |
+| C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates the MFA claim remains current. On successful validation, Azure DRS locates the user's object in Azure Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Azure Active Directory returns a key ID to the application which signals the end of user provisioning and the application exits. |
+
+> [!NOTE]
+> Windows Hello for Business Cloud Trust does not require users' keys to be synced from Azure AD to AD. Users can immediately authenticate to AAD and AD after provisioning their credential.
+
+[Return to top](#windows-hello-for-business-provisioning)
+
+## Hybrid Azure AD joined provisioning in a key trust deployment in a managed environment
+
+
[Full size image](images/howitworks/prov-haadj-keytrust-managed.png)
| Phase | Description |
|:-----:|:----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| A | The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Azure Device Registration Service (ADRS). The application makes the request using the Azure Active Directory Web Account Manager plug-in.
Users must provide two factors of authentication. In this phase, the user has already provided one factor of authentication, typically user name and password. Azure MFA services provides the second factor of authentication. If the user has performed Azure MFA within the last 10 minutes, such as when registering the device from the out-of-box-experience (OOBE), then they are not prompted for MFA because the current MFA remains valid.
Azure Active Directory validates the access token request and the MFA claim associated with it, creates an ADRS access token, and returns it to the application. |
-| B | After receiving a ADRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pre-generation pool, which includes attestation data. This is the user key (ukpub/ukpriv). |
-| C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates the MFA claim remains current. On successful validation, Azure DRS locates the user's object in Azure Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Azure Active Directory returns a key ID to the application which signals the end of user provisioning and the application exits. |
-| D | Azure AD Connect requests updates on its next synchronization cycle. Azure Active Directory sends the user's public key that was securely registered through provisioning. AAD Connect receives the public key and writes it to user's msDS-KeyCredentialLink attribute in Active Directory. |
+| A | The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Azure Device Registration Service (ADRS). The application makes the request using the Azure Active Directory Web Account Manager plug-in.
Users must provide two factors of authentication. In this phase, the user has already provided one factor of authentication, typically user name and password. The Azure MFA service provides the second factor of authentication. If the user has performed Azure MFA within the last 10 minutes, such as when registering the device from the out-of-box-experience (OOBE), then they are not prompted for MFA because the current MFA remains valid.
Azure Active Directory validates the access token request and the MFA claim associated with it, creates an ADRS access token, and returns it to the application. |
+| B | After receiving an ADRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pre-generation pool, which includes attestation data. This is the user key (ukpub/ukpriv). |
+| C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates the MFA claim remains current. On successful validation, Azure DRS locates the user's object in Azure Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Azure Active Directory returns a key ID to the application which signals the end of user provisioning and the application exits. |
+| D | Azure AD Connect requests updates on its next synchronization cycle. Azure Active Directory sends the user's public key that was securely registered through provisioning. AAD Connect receives the public key and writes it to user's msDS-KeyCredentialLink attribute in Active Directory. |
> [!IMPORTANT]
> The newly provisioned user will not be able to sign in using Windows Hello for Business until Azure AD Connect successfully synchronizes the public key to the on-premises Active Directory.
-
-
-
[Return to top](#windows-hello-for-business-provisioning)
-## Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Federated environment
-
+
+## Hybrid Azure AD joined provisioning in a synchronous certificate trust deployment in a federated environment
+
+
[Full size image](images/howitworks/prov-haadj-instant-certtrust-federated.png)
| Phase | Description |
|:-----:|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| A | The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Azure Device Registration Service (ADRS). The application makes the request using the Azure Active Directory Web Account Manager plug-in.
In a federated environment, the plug-in sends the token request to the on-premises STS, such as Active Directory Federation Services. The on-premises STS authenticates the user and determines if the user should perform another factor of authentication.
Users must provide two factors of authentication. In this phase, the user has already provided one factor of authentication, typically user name and password. Azure MFA services (or a third party MFA service) provides the second factor of authentication.
The on-premises STS server issues a enterprise token on successful MFA. The application sends the token to Azure Active Directory.
Azure Active Directory validates the access token request and the MFA claim associated with it, creates an ADRS access token, and returns it to the application. |
-| B | After receiving a ADRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pre-generation pool, which includes attestation data. This is the user key (ukpub/ukpriv). |
+| A | The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Azure Device Registration Service (ADRS). The application makes the request using the Azure Active Directory Web Account Manager plug-in.
In a federated environment, the plug-in sends the token request to the on-premises STS, such as Active Directory Federation Services. The on-premises STS authenticates the user and determines if the user should perform another factor of authentication.
Users must provide two factors of authentication. In this phase, the user has already provided one factor of authentication, typically user name and password. The Azure MFA service (or a third party MFA service) provides the second factor of authentication.
The on-premises STS server issues an enterprise token on successful MFA. The application sends the token to Azure Active Directory.
Azure Active Directory validates the access token request and the MFA claim associated with it, creates an ADRS access token, and returns it to the application. |
+| B | After receiving an ADRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pre-generation pool, which includes attestation data. This is the user key (ukpub/ukpriv). |
| C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates the MFA claim remains current. On successful validation, Azure DRS locates the user's object in Azure Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Azure Active Directory returns a key ID and a key receipt to the application, which represents the end of user key registration. |
| D | The certificate request portion of provisioning begins after the application receives a successful response from key registration. The application creates a PKCS#10 certificate request. The key used in the certificate request is the same key that was securely provisioned.
The application sends the key receipt and certificate request, which includes the public key, to the certificate registration authority hosted on the Active Directory Federation Services (AD FS) farm.
After receiving the certificate request, the certificate registration authority queries Active Directory for the msDS-KeyCredentialsLink for a list of registered public keys. |
| E | The registration authority validates the public key in the certificate request matches a registered key for the user.
If the public key in the certificate is not found in the list of registered public keys, it then validates the key receipt to confirm the key was securely registered with Azure.
After validating the key receipt or public key, the registration authority signs the certificate request using its enrollment agent certificate. |
| F | The registration authority sends the certificate request to the enterprise issuing certificate authority. The certificate authority validates the certificate request is signed by a valid enrollment agent and, on success, issues a certificate and returns it to the registration authority that then returns the certificate to the application. |
-| G | The application receives the newly issued certificate and installs the it into the Personal store of the user. This signals the end of provisioning. |
+| G | The application receives the newly issued certificate and installs it into the Personal store of the user. This signals the end of provisioning. |
> [!IMPORTANT]
> Synchronous certificate enrollment does not depend on Azure AD Connect to synchronize the user's public key to issue the Windows Hello for Business authentication certificate. Users can sign-in using the certificate immediately after provisioning completes. Azure AD Connect continues to synchronize the public key to Active Directory, but is not shown in this flow.
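Review bot: the Active Directory attribute name is spelled inconsistently within this hunk: the key trust D row writes "user's msDS-KeyCredentialLink attribute" while the certificate trust D row reads "queries Active Directory for the msDS-KeyCredentialsLink". The attribute is `msDS-KeyCredentialLink` (no "s"), so correct the certificate trust row while the file is being touched, and "user's" in the key trust row wants "the user's". Second, the patch rewrites the managed C row to "Azure DRS validates the MFA claim remains current" and "returns a key ID" but leaves the federated section's C row as unchanged context with the old wording ("validates MFA claim remains current ... returns key ID"); apply the same fix there for consistency. Third, every rewritten C row (managed, cloud trust, key trust) still says "writes the key information to a multi-values attribute"; this should be "multi-valued attribute". Fourth, the new cloud trust NOTE says "Windows Hello for Business Cloud Trust" and "AAD" where the new heading uses "cloud trust (preview)" and the rest of the page writes "Azure AD"; align the terms, and consider contrasting the note explicitly with the key trust IMPORTANT note below ("will not be able to sign in ... until Azure AD Connect successfully synchronizes the public key"), since the difference in sync dependency is the point being made. Minor: the new cloud trust table's separator row is several hundred dashes long where the other tables in this file use `| :----: | :----------- |`, which renders identically and keeps the diff readable, and "Users can sign-in using the certificate" in the certificate trust IMPORTANT note should be "sign in".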
@@ -102,8 +126,8 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
| Phase | Description |
| :----: | :----------- |
-|A| The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Enterprise Device Registration Service (EDRS). The application makes the request using the Azure Active Directory Web Account Manager plug-in.
In an on-premises deployment, the plug-in sends the token request to the on-premises STS, such as Active Directory Federation Services. The on-premises STS authenticates the user and determines if the user should perform another factor of authentication.
Users must provide two factors of authentication. In this phase, the user has already provided one factor of authentication, typically user name and password. Azure MFA server (or a third party MFA service) provides the second factor of authentication.
The on-premises STS server issues a enterprise DRS token on successful MFA.|
-| B| After receiving a EDRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pre-generation pool, which includes attestation data. This is the user key (ukpub/ukpriv).|
+|A| The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Enterprise Device Registration Service (EDRS). The application makes the request using the Azure Active Directory Web Account Manager plug-in.
In an on-premises deployment, the plug-in sends the token request to the on-premises STS, such as Active Directory Federation Services. The on-premises STS authenticates the user and determines if the user should perform another factor of authentication.
Users must provide two factors of authentication. In this phase, the user has already provided one factor of authentication, typically user name and password. Azure MFA server (or a third party MFA service) provides the second factor of authentication.
The on-premises STS server issues an enterprise DRS token on successful MFA.|
+| B| After receiving an EDRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pre-generation pool, which includes attestation data. This is the user key (ukpub/ukpriv).|
|C | The application sends the EDRS token, ukpub, attestation data, and device information to the Enterprise DRS for user key registration. Enterprise DRS validates the MFA claim remains current. On successful validation, the Enterprise DRS locates the user's object in Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. The Enterprise DRS returns a key ID to the application, which represents the end of user key registration.|
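Review bot: the article fixes in rows A and B ('an enterprise DRS token', 'an EDRS access token') are correct, but row B as rewritten still carries the ungrammatical 'create a PIN and the default (and fall-back gesture when used with biometrics)'; since the line is already being replaced, suggest 'create a PIN as the default gesture (and the fall-back gesture when used with biometrics)'. Row C, left as unchanged context, reads 'writes the key information to a multi-values attribute'; 'multi-valued attribute' is the usual term and could be picked up in the same pass.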
@@ -114,8 +138,8 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
| Phase | Description |
| :----: | :----------- |
-|A| The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Enterprise Device Registration Service (EDRS). The application makes the request using the Azure Active Directory Web Account Manager plug-in.
In an on-premises deployment, the plug-in sends the token request to the on-premises STS, such as Active Directory Federation Services. The on-premises STS authenticates the user and determines if the user should perform another factor of authentication.
Users must provide two factors of authentication. In this phase, the user has already provided one factor of authentication, typically user name and password. Azure MFA server (or a third party MFA service) provides the second factor of authentication.
The on-premises STS server issues a enterprise DRS token on successful MFA.|
-| B| After receiving a EDRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pre-generation pool, which includes attestation data. This is the user key (ukpub/ukpriv).|
+|A| The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Enterprise Device Registration Service (EDRS). The application makes the request using the Azure Active Directory Web Account Manager plug-in.
In an on-premises deployment, the plug-in sends the token request to the on-premises STS, such as Active Directory Federation Services. The on-premises STS authenticates the user and determines if the user should perform another factor of authentication.
Users must provide two factors of authentication. In this phase, the user has already provided one factor of authentication, typically user name and password. Azure MFA server (or a third party MFA service) provides the second factor of authentication.
The on-premises STS server issues an enterprise DRS token on successful MFA.|
+| B| After receiving an EDRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pre-generation pool, which includes attestation data. This is the user key (ukpub/ukpriv).|
|C | The application sends the EDRS token, ukpub, attestation data, and device information to the Enterprise DRS for user key registration. Enterprise DRS validates the MFA claim remains current. On successful validation, the Enterprise DRS locates the user's object in Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. The Enterprise DRS returns a key ID to the application, which represents the end of user key registration.|
|D | The certificate request portion of provisioning begins after the application receives a successful response from key registration. The application creates a PKCS#10 certificate request. The key used in the certificate request is the same key that was securely provisioned.
The application sends the certificate request, which includes the public key, to the certificate registration authority hosted on the Active Directory Federation Services (AD FS) farm.
After receiving the certificate request, the certificate registration authority queries Active Directory for the msDS-KeyCredentialsLink for a list of registered public keys.|
|E | The registration authority validates the public key in the certificate request matches a registered key for the user.
After validating the public key, the registration authority signs the certificate request using its enrollment agent certificate.|
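Review bot: this hunk repeats the same row A/B wording as the previous table, so the same leftover applies: 'create a PIN and the default (and fall-back gesture when used with biometrics)' in row B is missing a word and should read 'create a PIN as the default gesture (and the fall-back gesture when used with biometrics)'. In the unchanged row D, the attribute the registration authority queries is written 'msDS-KeyCredentialsLink'; the Active Directory attribute is named msDS-KeyCredentialLink (no 's'), which matters because readers searching the schema for the name on the page will not find it.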
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
index 560844634b..ed3ad19d9d 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
@@ -19,20 +19,20 @@ ms.reviewer:
# Hybrid Azure AD joined Windows Hello for Business Certificate Trust Provisioning
**Applies to**
-- Windows 10, version 1703 or later
-- Windows 11
-- Hybrid deployment
-- Certificate trust
+- Windows 10, version 1703 or later
+- Windows 11
+- Hybrid deployment
+- Certificate trust
## Provisioning
+
The Windows Hello for Business provisioning begins immediately after the user has signed in, after the user profile is loaded, but before the user receives their desktop. Windows only launches the provisioning experience if all the prerequisite checks pass. You can determine the status of the prerequisite checks by viewing the **User Device Registration** in the **Event Viewer** under **Applications and Services Logs\Microsoft\Windows**.

The first thing to validate is the computer has processed device registration. You can view this from the User device registration logs where the check **Device is AAD joined (AADJ or DJ++): Yes** appears. Additionally, you can validate this using the **dsregcmd /status** command from a console prompt where the value for **AzureADJoined** reads **Yes**.
-
Windows Hello for Business provisioning begins with a full screen page with the title **Setup a PIN** and button with the same name. The user clicks **Setup a PIN**.

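Review bot: removing the blank line between 'The first thing to validate…' and 'Windows Hello for Business provisioning begins…' leaves those two paragraphs on adjacent lines, and Markdown joins adjacent non-blank lines into a single paragraph; unless a second blank line remains there, keep one blank line between them. The four 'Applies to' items are replaced by lines that look identical in the diff, so the change is presumably trailing whitespace or line endings; saying so in the commit message would save reviewers from hunting for a wording change.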
@@ -46,10 +46,11 @@ After a successful MFA, the provisioning flow asks the user to create and valida

The provisioning flow has all the information it needs to complete the Windows Hello for Business enrollment.
-* A successful single factor authentication (username and password at sign-in)
-* A device that has successfully completed device registration
-* A fresh, successful multi-factor authentication
-* A validated PIN that meets the PIN complexity requirements
+
+- A successful single factor authentication (username and password at sign-in)
+- A device that has successfully completed device registration
+- A fresh, successful multi-factor authentication
+- A validated PIN that meets the PIN complexity requirements
The remainder of the provisioning includes Windows Hello for Business requesting an asymmetric key pair for the user, preferably from the TPM (or required if explicitly set through policy). Once the key pair is acquired, Windows communicates with Azure Active Directory to register the public key. AAD Connect synchronizes the user's key to the on-premises Active Directory.
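Review bot: the blank line added before the list is the right fix for the list start, but 'The remainder of the provisioning…' follows the last '- A validated PIN…' item directly; without a blank line after the list, Markdown treats that paragraph as a lazy continuation of the final bullet rather than a new paragraph. Add a blank line after the list if one is not already present in the trailing context. Switching the markers from '*' to '-' also matches the '-' markers used in the 'Applies to' list earlier in this file, which is good for consistency.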
@@ -77,6 +78,7 @@ The certificate authority validates the certificate was signed by the registrati