diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md
index 0276189379..0b28cf30d1 100644
--- a/windows/client-management/mdm/assignedaccess-csp.md
+++ b/windows/client-management/mdm/assignedaccess-csp.md
@@ -79,7 +79,14 @@ For a local account, the domain name should be the device name. When Get is exec
The supported operations are Add, Delete, Get and Replace. When there's no configuration, the Get and Delete methods fail. When there's already a configuration for kiosk mode app, the Add method fails. The data pattern for Add and Replace is the same.
**./Device/Vendor/MSFT/AssignedAccess/Configuration**
-Added in Windows 10, version 1709. Specifies the settings that you can configure in the kiosk or device. This node accepts an AssignedAccessConfiguration xml as input to configure the device experience. For details about the configuration settings in the XML, see [Create a Windows 10 kiosk that runs multiple apps](/windows/configuration/lock-down-windows-10-to-specific-apps). Here's the schema for the [AssignedAccessConfiguration](#assignedaccessconfiguration-xsd).
+Added in Windows 10, version 1709. Specifies the settings that you can configure in the kiosk or device. This node accepts an AssignedAccessConfiguration xml as input to configure the device experience. For more information about the configuration settings in the XML, see [Create a Windows 10 kiosk that runs multiple apps](/windows/configuration/lock-down-windows-10-to-specific-apps). For more information on the schema, see [AssignedAccessConfiguration](#assignedaccessconfiguration-xsd).
+
+Updated in Windows 10, version 1909. Added Microsoft Edge kiosk mode support. This allows Microsoft Edge to be the specified kiosk application. For details about configuring Microsoft Edge kiosk mode, see [Configure a Windows 10 kiosk that runs Microsoft Edge](/DeployEdge/microsoft-edge-configure-kiosk-mode). Windows 10, version 1909 also allows for configuration of the breakout sequence. The breakout sequence specifies the keyboard shortcut that returns a kiosk session to the lock screen. The breakout sequence is defined with the format modifiers + keys. An example breakout sequence would look something like "shift+alt+a", where "shift" and "alt" are the modifiers and "a" is the key.
+
+> [!Note]
+> In Windows 10, version 1803 the Configuration node introduces single app kiosk profile to replace KioskModeApp CSP node. KioskModeApp node will be deprecated soon, so you should use the single app kiosk profile in config xml for Configuration node to configure public-facing single app Kiosk.
+>
+> Starting in Windows 10, version 1803 the KioskModeApp node becomes No-Op if Configuration node is configured on the device. That Add/Replace/Delete command on KioskModeApp node always returns SUCCESS to the MDM server if Configuration node is set, but the data of KioskModeApp will not take any effect on the device. Get command on KioskModeApp will return the configured JSON string even it’s not effective.
Enterprises can use this to easily configure and manage the curated lockdown experience.
@@ -248,7 +255,7 @@ KioskModeApp Replace
## AssignedAccessConfiguration XSD
-Below schema is for AssignedAccess Configuration up to Windows 10 1803 release.
+The schema below is for AssignedAccess Configuration up to Windows 10 20H2 release.
```xml
@@ -259,11 +266,13 @@ Below schema is for AssignedAccess Configuration up to Windows 10 1803 release.
xmlns:default="http://schemas.microsoft.com/AssignedAccess/2017/config"
xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config"
xmlns:v3="http://schemas.microsoft.com/AssignedAccess/2020/config"
+ xmlns:v4="http://schemas.microsoft.com/AssignedAccess/2021/config"
targetNamespace="http://schemas.microsoft.com/AssignedAccess/2017/config"
>
+
@@ -273,8 +282,14 @@ Below schema is for AssignedAccess Configuration up to Windows 10 1803 release.
+
+
+
+
+
+
@@ -283,7 +298,19 @@ Below schema is for AssignedAccess Configuration up to Windows 10 1803 release.
-
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -384,6 +411,7 @@ Below schema is for AssignedAccess Configuration up to Windows 10 1803 release.
+
@@ -422,7 +450,7 @@ Below schema is for AssignedAccess Configuration up to Windows 10 1803 release.
-
+);
```
Here's the schema for new features introduced in Windows 10 1809 release
@@ -501,7 +529,32 @@ Schema for Windows 10 prerelease
```
-To authorize a compatible configuration XML that includes 1809 or prerelease elements and attributes, always include the namespace of these add-on schemas, and decorate the attributes and elements accordingly with the namespace alias. For example, to configure auto-launch feature that is added in 1809 release, use below sample, notice an alias r1809 is given to the 201810 namespace for 1809 release, and the alias is tagged on AutoLaunch and AutoLaunchArguments inline.
+The schema below is for features introduced in Windows 10, version 1909 which has added support for Microsoft Edge kiosk mode and breakout key sequence customization.
+```xml
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
+
+To authorize a compatible configuration XML that includes 1809 or prerelease elements and attributes, always include the namespace of these add-on schemas, and decorate the attributes and elements accordingly with the namespace alias. For example, to configure the auto-launch feature that's added in the 1809 release, use the below sample. Notice an alias r1809 is given to the 201810 namespace for the 1809 release, and the alias is tagged on AutoLaunch and AutoLaunchArguments inline.
```xml
@@ -568,6 +622,53 @@ To authorize a compatible configuration XML that includes 1809 or prerelease ele
```
+Example XML configuration for a Microsoft Edge kiosk. This Microsoft Edge kiosk is configured to launch www.bing.com on startup in a public browsing mode.
+```xml
+
+
+
+
+
+
+
+
+
+ EdgeKioskUser
+
+
+
+
+```
+
+Example XML configuration for setting a breakout sequence to be Ctrl+A on a Microsoft Edge kiosk.
+> [!NOTE]
+> **BreakoutSequence** can be applied to any kiosk type, not just an Edge kiosk.
+```xml
+
+
+
+
+
+
+
+
+
+
+ EdgeKioskUser
+
+
+
+
+```
+
## Configuration examples
XML encoding (escaped) and CDATA of the XML in the Data node will both ensure that DM client can properly interpret the SyncML and send the configuration xml as string (in original format, unescaped) to AssignedAccess CSP to handle.
diff --git a/windows/client-management/mdm/assignedaccess-ddf.md b/windows/client-management/mdm/assignedaccess-ddf.md
index c6d84bf203..6a73458cf7 100644
--- a/windows/client-management/mdm/assignedaccess-ddf.md
+++ b/windows/client-management/mdm/assignedaccess-ddf.md
@@ -22,8 +22,7 @@ You can download the DDF files from the links below:
- [Download all the DDF files for Windows 10, version 1703](https://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip)
- [Download all the DDF files for Windows 10, version 1607](https://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip)
-The XML below is for Windows 10, version 1803.
-
+The XML below is for Windows 10, version 1909.
```xml
- com.microsoft/2.0/MDM/AssignedAccess
+ com.microsoft/4.0/MDM/AssignedAccess
@@ -208,4 +207,3 @@ This node supports Add, Delete, Replace and Get methods. When there's no configu
-
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md
index 36c96ffa8d..fbc41ad17a 100644
--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@@ -266,7 +266,7 @@ ms.collection: highpri
Allows the IT admin (when used with **Update/ActiveHoursStart**) to manage a range of active hours where update reboots aren't scheduled. This value sets the end time. there's a 12-hour maximum from start time.
> [!NOTE]
-> The default maximum difference from start time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** below for more information.
+> The default maximum difference from start time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** below for more information.
Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc.
@@ -361,7 +361,7 @@ ADMX Info:
Allows the IT admin (when used with **Update/ActiveHoursEnd**) to manage a range of hours where update reboots aren't scheduled. This value sets the start time. There's a 12-hour maximum from end time.
> [!NOTE]
-> The default maximum difference from end time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** above for more information.
+> The default maximum difference from end time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** above for more information.
Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc.
@@ -426,12 +426,12 @@ ADMX Info:
The following list shows the supported values:
-- 0 – Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end users to manage data usage. With these option users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel.
+- 0 - Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end users to manage data usage. With these option users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel.
- 1 - Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end user is prompted to schedule the restart time. The end user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end user to control the start time reduces the risk of accidental data loss caused by applications that don't shut down properly on restart. For more information, see [Automatic maintenance](/windows/win32/taskschd/task-maintenence).
- 2 (default) - Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. Automatic restarting when a device isn't being used is the default behavior for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that doesn't shut down properly on restart. For more information, see [Automatic maintenance](/windows/win32/taskschd/task-maintenence).
-- 3 – Auto install and restart at a specified time. The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart.
-- 4 – Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. This setting option also sets the end-user control panel to read-only.
-- 5 – Turn off automatic updates.
+- 3 - Auto install and restart at a specified time. The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart.
+- 4 - Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. This setting option also sets the end-user control panel to read-only.
+- 5 - Turn off automatic updates.
> [!IMPORTANT]
@@ -536,8 +536,8 @@ ADMX Info:
The following list shows the supported values:
-- 0 – Not configured.
-- 1 – Allowed. Accepts updates received through Microsoft Update.
+- 0 - Not configured.
+- 1 - Allowed. Accepts updates received through Microsoft Update.
> [!NOTE]
> Setting this policy back to **0** or **Not configured** doesn't revert the configuration to receive updates from Microsoft Update automatically. In order to revert the configuration, you can run the PowerShell commands that are listed below to remove the Microsoft Update service:.
@@ -588,8 +588,8 @@ This policy is specific to desktop and local publishing via WSUS for third-party
The following list shows the supported values:
-- 0 – Not allowed or not configured. Updates from an intranet Microsoft update service location must be signed by Microsoft.
-- 1 – Allowed. Accepts updates received through an intranet Microsoft update service location, if they're signed by a certificate found in the "Trusted Publishers" certificate store of the local computer.
+- 0 - Not allowed or not configured. Updates from an intranet Microsoft update service location must be signed by Microsoft.
+- 1 - Allowed. Accepts updates received through an intranet Microsoft update service location, if they're signed by a certificate found in the "Trusted Publishers" certificate store of the local computer.
@@ -629,7 +629,7 @@ Even when Windows Update is configured to receive updates from an intranet updat
Enabling this policy will disable that functionality, and may cause connection to public services such as the Microsoft Store to stop working.
> [!NOTE]
-> This policy applies only when the desktop or device is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy.
+> This policy applies only when the desktop or device is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy.
@@ -643,8 +643,8 @@ ADMX Info:
The following list shows the supported values:
-- 0 – Update service isn't allowed.
-- 1 (default) – Update service is allowed.
+- 0 - Update service isn't allowed.
+- 1 (default) - Update service is allowed.
@@ -856,8 +856,8 @@ ADMX Info:
The following list shows the supported values:
-- 1 (default) – Auto Dismissal.
-- 2 – User Dismissal.
+- 1 (default) - Auto Dismissal.
+- 2 - User Dismissal.
@@ -1306,7 +1306,7 @@ Defers Feature Updates for the specified number of days.
Supported values are 0-365 days.
> [!IMPORTANT]
-> The default maximum number of days to defer an update has been increased from 180 (Windows 10, version 1607) to 365 in Windows 10, version 1703.
+> The default maximum number of days to defer an update has been increased from 180 (Windows 10, version 1607) to 365 in Windows 10, version 1703.
@@ -1393,7 +1393,7 @@ ADMX Info:
> [!NOTE]
-> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices.
+> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices.
Allows IT Admins to specify update delays for up to four weeks.
@@ -1471,7 +1471,7 @@ ADMX Info:
> [!NOTE]
-> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices.
+> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices.
Allows IT Admins to specify other upgrade delays for up to eight months.
@@ -1616,18 +1616,18 @@ The following list shows the supported values:
-Available in Windows Update for Business (WUfB) devices running Windows 10, version 1809 and above and installed with October 2020 security update. This policy setting specifies that a WUfB device should skip safeguards.
+Available in Windows Update for Business devices running Windows 10, version 1809 and above and installed with October 2020 security update. This policy setting specifies that a Windows Update for Business device should skip safeguards.
Safeguard holds prevent a device with a known compatibility issue from being offered a new OS version. The offering will proceed once a fix is issued and is verified on a held device. The aim of safeguards is to protect the device and user from a failed or poor upgrade experience.
The safeguard holds protection is provided by default to all the devices trying to update to a new Windows 10 Feature Update version via Windows Update.
-IT admins can, if necessary, opt devices out of safeguard protections using this policy setting or via the “Disable safeguards for Feature Updates” Group Policy.
+IT admins can, if necessary, opt devices out of safeguard protections using this policy setting or via the "Disable safeguards for Feature Updates" Group Policy.
> [!NOTE]
> Opting out of the safeguards can put devices at risk from known performance issues. We recommend opting out only in an IT environment for validation purposes. Further, you can leverage the Windows Insider Program for Business Release Preview Channel in order to validate the upcoming Windows 10 Feature Update version without the safeguards being applied.
>
-> The disable safeguards policy will revert to “Not Configured” on a device after moving to a new Windows 10 version, even if previously enabled. This ensures the admin is consciously disabling Microsoft’s default protection from known issues for each new feature update.
+> The disable safeguards policy will revert to "Not Configured" on a device after moving to a new Windows 10 version, even if previously enabled. This ensures the admin is consciously disabling Microsoft's default protection from known issues for each new feature update.
>
> Disabling safeguards doesn't guarantee your device will be able to successfully update. The update may still fail on the device and will likely result in a bad experience post upgrade as you're bypassing the protection given by Microsoft pertaining to known issues.
@@ -2069,8 +2069,8 @@ ADMX Info:
The following list shows the supported values:
-- 0 (default) – Allow Windows Update drivers.
-- 1 – Exclude Windows Update drivers.
+- 0 (default) - Allow Windows Update drivers.
+- 1 - Exclude Windows Update drivers.
@@ -2121,8 +2121,8 @@ ADMX Info:
The following list shows the supported values:
-- 0 (default) – Disabled.
-- 1 – Enabled.
+- 0 (default) - Disabled.
+- 1 - Enabled.
@@ -2164,8 +2164,8 @@ Specifies whether to ignore the MO download limit (allow unlimited downloading)
The following list shows the supported values:
-- 0 (default) – Don't ignore MO download limit for apps and their updates.
-- 1 – Ignore MO download limit (allow unlimited downloading) for apps and their updates.
+- 0 (default) - Don't ignore MO download limit for apps and their updates.
+- 1 - Ignore MO download limit (allow unlimited downloading) for apps and their updates.
@@ -2217,8 +2217,8 @@ Specifies whether to ignore the MO download limit (allow unlimited downloading)
The following list shows the supported values:
-- 0 (default) – Don't ignore MO download limit for OS updates.
-- 1 – Ignore MO download limit (allow unlimited downloading) for OS updates.
+- 0 (default) - Don't ignore MO download limit for OS updates.
+- 1 - Ignore MO download limit (allow unlimited downloading) for OS updates.
@@ -2312,7 +2312,7 @@ The following list shows the supported values:
> [!NOTE]
-> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use PauseDeferrals for Windows 10, version 1511 devices.
+> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use PauseDeferrals for Windows 10, version 1511 devices.
Allows IT Admins to pause updates and upgrades for up to five weeks. Paused deferrals will be reset after five weeks.
@@ -2333,8 +2333,8 @@ ADMX Info:
The following list shows the supported values:
-- 0 (default) – Deferrals aren't paused.
-- 1 – Deferrals are paused.
+- 0 (default) - Deferrals aren't paused.
+- 1 - Deferrals are paused.
@@ -2383,8 +2383,8 @@ ADMX Info:
The following list shows the supported values:
-- 0 (default) – Feature Updates aren't paused.
-- 1 – Feature Updates are paused for 35 days or until value set to back to 0, whichever is sooner.
+- 0 (default) - Feature Updates aren't paused.
+- 1 - Feature Updates are paused for 35 days or until value set to back to 0, whichever is sooner.
@@ -2476,8 +2476,8 @@ ADMX Info:
The following list shows the supported values:
-- 0 (default) – Quality Updates aren't paused.
-- 1 – Quality Updates are paused for 35 days or until value set back to 0, whichever is sooner.
+- 0 (default) - Quality Updates aren't paused.
+- 1 - Quality Updates are paused for 35 days or until value set back to 0, whichever is sooner.
@@ -2580,7 +2580,7 @@ ADMX Info:
-Value type is a string containing a Windows product, for example, “Windows 11” or “11” or “Windows 10”.
+Value type is a string containing a Windows product, for example, "Windows 11" or "11" or "Windows 10".
@@ -2624,7 +2624,7 @@ By using this Windows Update for Business policy to upgrade devices to a new pro
> [!NOTE]
-> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices.
+> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices.
Allows the IT admin to set a device to General Availability Channel train.
@@ -2640,8 +2640,8 @@ ADMX Info:
The following list shows the supported values:
-- 0 (default) – User gets upgrades from General Availability Channel (Targeted).
-- 1 – User gets upgrades from General Availability Channel.
+- 0 (default) - User gets upgrades from General Availability Channel (Targeted).
+- 1 - User gets upgrades from General Availability Channel.
@@ -2675,7 +2675,7 @@ The following list shows the supported values:
> [!NOTE]
-> If you previously used the **Update/PhoneUpdateRestrictions** policy in previous versions of Windows, it has been deprecated. Please use this policy instead.
+> If you previously used the **Update/PhoneUpdateRestrictions** policy in previous versions of Windows, it has been deprecated. Please use this policy instead.
Allows the IT admin to restrict the updates that are installed on a device to only those on an update approval list. It enables IT to accept the End User License Agreement (EULA) associated with the approved update on behalf of the end user. EULAs are approved once an update is approved.
@@ -2686,8 +2686,8 @@ Supported operations are Get and Replace.
The following list shows the supported values:
-- 0 – Not configured. The device installs all applicable updates.
-- 1 – The device only installs updates that are both applicable and on the Approved Updates list. Set this policy to 1 if IT wants to control the deployment of updates on devices, such as when testing is required prior to deployment.
+- 0 - Not configured. The device installs all applicable updates.
+- 1 - The device only installs updates that are both applicable and on the Approved Updates list. Set this policy to 1 if IT wants to control the deployment of updates on devices, such as when testing is required prior to deployment.
@@ -2769,7 +2769,7 @@ Supported values are 15, 30, or 60 (minutes).
> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
Allows the IT Admin to specify the period for autorestart warning reminder notifications.
@@ -2839,14 +2839,14 @@ ADMX Info:
The following list shows the supported values:
-- 0 (default) – Every day
-- 1 – Sunday
-- 2 – Monday
-- 3 – Tuesday
-- 4 – Wednesday
-- 5 – Thursday
-- 6 – Friday
-- 7 – Saturday
+- 0 (default) - Every day
+- 1 - Sunday
+- 2 - Monday
+- 3 - Tuesday
+- 4 - Wednesday
+- 5 - Thursday
+- 6 - Friday
+- 7 - Saturday
@@ -3110,7 +3110,7 @@ ADMX Info:
> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
Enables the IT admin to schedule the time of the update installation.
@@ -3178,8 +3178,8 @@ ADMX Info:
The following list shows the supported values:
-- 0 (default) – Enabled
-- 1 – Disabled
+- 0 (default) - Enabled
+- 1 - Disabled
@@ -3675,9 +3675,9 @@ Display options for update notifications. This policy allows you to define what
Options:
-- 0 (default) – Use the default Windows Update notifications
-- 1 – Turn off all notifications, excluding restart warnings
-- 2 – Turn off all notifications, including restart warnings
+- 0 (default) - Use the default Windows Update notifications
+- 1 - Turn off all notifications, excluding restart warnings
+- 2 - Turn off all notifications, including restart warnings
> [!IMPORTANT]
> If you choose not to get update notifications and also define other Group policies so that devices aren't automatically getting updates, neither you nor device users will be aware of critical security, quality, or feature updates, and your devices may be at risk.
diff --git a/windows/client-management/mdm/update-ddf-file.md b/windows/client-management/mdm/update-ddf-file.md
index fa91e9823e..efba4330c5 100644
--- a/windows/client-management/mdm/update-ddf-file.md
+++ b/windows/client-management/mdm/update-ddf-file.md
@@ -560,7 +560,7 @@ The XML below is for Windows 10, version 1803.
Roll back Latest Quality Update, if the machine meets the following conditions:
- Condition 1: Device must be WUfB Connected
+ Condition 1: Device must be Windows Update for Business connected
Condition 2: Device must be in a Paused State
Condition 3: Device must have the Latest Quality Update installed on the device (Current State)
If the conditions are not true, the device will not Roll Back the Latest Quality Update.
@@ -588,7 +588,7 @@ The XML below is for Windows 10, version 1803.
Roll Back Latest Feature Update, if the machine meets the following conditions:
- Condition 1: Device must be WUfB Connected
+ Condition 1: Device must be Windows Update for Business connected
Condition 2: Device must be in Paused State
Condition 3: Device must have the Latest Feature Update Installed on the device (Current State)
Condition 4: Machine should be within the uninstall period
diff --git a/windows/configuration/guidelines-for-assigned-access-app.md b/windows/configuration/guidelines-for-assigned-access-app.md
index 13779d0100..7ec5869bf1 100644
--- a/windows/configuration/guidelines-for-assigned-access-app.md
+++ b/windows/configuration/guidelines-for-assigned-access-app.md
@@ -46,7 +46,9 @@ Avoid selecting Windows apps that are designed to launch other apps as part of t
## Guidelines for web browsers
-Starting with Windows 10 version 1809+, Microsoft Edge includes support for kiosk mode. [Learn how to deploy Microsoft Edge kiosk mode.](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy)
+In Windows 10, version 1909, assigned access adds support for the new Microsoft Edge kiosk mode. [Learn how to deploy Microsoft Edge kiosk mode](/DeployEdge/microsoft-edge-configure-kiosk-mode).
+
+In Windows 10, version 1809, Microsoft Edge Legacy includes support for kiosk mode. [Learn how to deploy Microsoft Edge kiosk mode](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy).
In Windows client, you can install the **Kiosk Browser** app from Microsoft to use as your kiosk app. For digital signage scenarios, you can configure **Kiosk Browser** to navigate to a URL and show only that content -- no navigation buttons, no address bar, etc. For kiosk scenarios, you can configure additional settings, such as allowed and blocked URLs, navigation buttons, and end session buttons. For example, you could configure your kiosk to show the online catalog for your store, where customers can navigate between departments and items, but aren’t allowed to go to a competitor's website.
@@ -156,6 +158,12 @@ You can create your own web browser Windows app by using the WebView class. Lear
Avoid selecting Windows apps that may expose the information you don’t want to show in your kiosk, since kiosk usually means anonymous access and locates in a public setting like a shopping mall. For example, an app that has a file picker allows the user to gain access to files and folders on the user's system, avoid selecting these types of apps if they provide unnecessary data access.
+## Customize your breakout sequence
+
+Assigned access allows for the specification of a new breakout sequence. A breakout sequence is a keyboard shortcut that stops the kiosk experience and brings the user back to the lock screen. By default the breakout sequence is configured to be ctrl+alt+delete, a common Windows keyboard shortcut. It is recommended that this is set to a non-standard Windows shortcut to prevent disruptions in the kiosk experience.
+
+There is currently no user interface for customizing the breakout sequence in Windows settings, so it would need to be specified in a provisioning method where an XML format such as MDM is used.
+
## App configuration
Some apps may require additional configurations before they can be used appropriately in assigned access. For example, Microsoft OneNote requires you to set up a Microsoft account for the assigned access user account before OneNote will open in assigned access.
diff --git a/windows/configuration/kiosk-single-app.md b/windows/configuration/kiosk-single-app.md
index e002ead309..179c44499b 100644
--- a/windows/configuration/kiosk-single-app.md
+++ b/windows/configuration/kiosk-single-app.md
@@ -342,3 +342,8 @@ If you press **Ctrl + Alt + Del** and do not sign in to another account, after a
`HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI`
To change the default time for assigned access to resume, add *IdleTimeOut* (DWORD) and enter the value data as milliseconds in hexadecimal.
+
+> [!NOTE]
+> **IdleTimeOut** doesn't apply to the new Microsoft Edge kiosk mode.
+
+The Breakout Sequence of **Ctrl + Alt + Del** is the default, but this sequence can be configured to be a different sequence of keys. The breakout sequence uses the format **modifiers + keys**. An example breakout sequence would look something like **Shift + Alt + a**, where **Shift** and **Alt** are the modifiers and **a** is the key value. For more information, see [Microsoft Edge kiosk XML sample](/windows/configuration/kiosk-xml#microsoft-edge-kiosk-xml-sample).
diff --git a/windows/configuration/kiosk-xml.md b/windows/configuration/kiosk-xml.md
index 7dd54085f1..f6ddb6a2d4 100644
--- a/windows/configuration/kiosk-xml.md
+++ b/windows/configuration/kiosk-xml.md
@@ -254,16 +254,40 @@ This sample demonstrates that both UWP and Win32 apps can be configured to autom
```
+## Microsoft Edge Kiosk XML Sample
+```xml
+
+
+
+
+
+
+
+
+
+
+ EdgeKioskUser
+
+
+
+
+```
+
## Global Profile Sample XML
Global Profile is supported on:
-- Windows 10 version 2004+
- Windows 11
+- Windows 10, version 2004 and later
-Global Profile is designed for scenarios where a user does not have a designated profile, yet IT Admin still wants the user to run in lockdown mode, or used as mitigation when a profile cannot be determined for a user.
+Global Profile is designed for scenarios where a user doesn't have a designated profile, yet you still want the user to run in lockdown mode. It's also used as mitigation when a profile can't be determined for a user.
-This sample demonstrates that only a global profile is used, no active user configured. Global profile will be applied when every non-admin account logs in.
+This sample demonstrates that only a global profile is used, with no active user configured. Global Profile will be applied when every non-admin account signs in.
```xml
@@ -642,13 +666,12 @@ IT Admin now can specify user access to Downloads folder, Removable drives, or n
## XSD for AssignedAccess configuration XML
->[!NOTE]
->Updated for Windows 10, version 1903+.
+> [!NOTE]
+> Updated for Windows 10, version 1903 and later.
-The following XML schema is for AssignedAccess Configuration up to Windows 10 1803 release:
+The following XML schema is for AssignedAccess Configuration up to Windows 10, version 1803 release:
```xml
-
+
@@ -670,8 +695,14 @@ The following XML schema is for AssignedAccess Configuration up to Windows 10 18
+
+
+
+
+
+
@@ -680,7 +711,19 @@ The following XML schema is for AssignedAccess Configuration up to Windows 10 18
-
+
+
+
+
+
+
+
+
+
+
+
+
+
@@ -781,6 +824,7 @@ The following XML schema is for AssignedAccess Configuration up to Windows 10 18
+
diff --git a/windows/configuration/wcd/wcd-admxingestion.md b/windows/configuration/wcd/wcd-admxingestion.md
index 54f74aba1c..ae172dc1c5 100644
--- a/windows/configuration/wcd/wcd-admxingestion.md
+++ b/windows/configuration/wcd/wcd-admxingestion.md
@@ -15,21 +15,59 @@ manager: dougeby
# ADMXIngestion (Windows Configuration Designer reference)
-Starting in Windows 10, version 1703, you can import (*ingest*) select Group Policy administrative templates (ADMX files) and configure values for ADMX-backed policies in a provisioning package. To see which types of ADMX-backed policies can be applied, see [Win32 and Desktop Bridge app policy configuration overview](/windows/client-management/mdm/win32-and-centennial-app-policy-configuration).
+Starting in Windows 10, version 1703, you can import (*ingest*) Group Policy administrative templates (ADMX files) and configure values for ADMX-backed policies in a provisioning package. To see which types of ADMX-backed policies can be applied, see [Win32 and Desktop Bridge app policy configuration overview](/windows/client-management/mdm/win32-and-centennial-app-policy-configuration).
- The settings under [ConfigADMXInstalledPolicy](#configadmxinstalledpolicy) allow you to set values for policies in the imported ADMX file.
- The settings under [ConfigOperations](#configoperations) specify the ADMX file to be imported.
>[!IMPORTANT]
->Only per-device policies can be set using a provisioning package.
+>Only device scope policies (class="Machine" or class="Both") can be set using a provisioning package.
## Applies to
-| Setting groups | Windows client | Surface Hub | HoloLens | IoT Core |
+| Setting groups | Windows client | Surface Hub | HoloLens | IoT Enterprise |
| --- | :---: | :---: | :---: | :---: |
-| [ConfigADMXInstalledPolicy](#configadmxinstalledpolicy) | ✔️ | | | |
-| [ConfigOperations](#configoperations) | ✔️ | | | |
+| [ConfigADMXInstalledPolicy](#configadmxinstalledpolicy) | ✔️ | | | ✔️ |
+| [ConfigOperations](#configoperations) | ✔️ | | | ✔️ |
+
+## ConfigOperations
+
+Use **ConfigOperations** to import ADMX policies from an ADMX file.
+
+1. Enter an app name, and then click **Add**.
+
+ This can be any name you assign, so choose something descriptive to help you identify its purpose. For example, if you are importing ADMX for Chromium Edge, enter an app name.
+
+ Example, `MSEdgeEfficiencyMode`
+
+2. Select the app name in the Customizations pane, select a setting type, and then click **Add**.
+
+ The choices, **Policy** and **Preference**, have no impact on the behavior of the settings, and are only provided for your convenience should you want to categorize the settings you add.
+
+3. Select the setting type in the Customizations pane. In the **AdmxFileUid** field, enter the name of the ADMX file or a unique ID for the file, and then click **Add**.
+
+ The **AdmxFileUid** can be any string, but must be unique in the provisioning package. Using the name of the ADMX file will help you identify the file in the future.
+
+ Example, `MSEdgeEfficiencyMode`
+
+ >[!NOTE]
+ >Keeping the AdmxFileUid and AppName the same will help prevent authorizing errors.
+
+4. Select the AdmxFileUid in the Customizations pane, and paste the contents of the ADMX file in the text field. Before copying the contents of the ADMX file, you must convert it to a single-line. See [Convert multi-line to single line](#convert) for instructions.
+
+ >[!NOTE]
+ >When you have a large ADMX file, you may want to only include specific settings. Instead of pasting in the entire ADMX file, you can paste just one or more specific policies (after converting them to single-line).
+
+ Example, EfficiencyMode
+ ```XML
+
+ ```
+
+5. Repeat for each ADMX, or set of ADMX policies, that you want to add, and then configure [ConfigADMXInstalledPolicy](#configadmxinstalledpolicy) for each one.
+
+
+
## ConfigADMXInstalledPolicy
@@ -40,59 +78,121 @@ In **ConfigADMXInstalledPolicy**, you provide a policy setting and value for tha
1. Enter an area name, and then click **Add**. The structure of the area name is the following:
- `AppName (from ConfigOperations)`~`SettingType`~`category name from ADMX`
+ `~~`
See [Category and policy in ADMX](#category-and-policy-in-admx) for more information. A setting may have multiple levels of category names, as in the following example.
- Example: `Office16~Policy~L_MicrosoftOfficemachine~L_Updates`
+ Example: `MSEdgeEfficiencyMode~Policy~microsoft_edge~Performance`
-2. Select the area name in the Customization pane, enter a policy name from the ADMX, and then click **Add**. For example, `L_HideEnableDisableUpdates`.
-3. Select the policy name in the Customization pane, and then enter a value from the ADMX in the text field. For example, ``.
+2. Select the area name in the Customization pane, enter a policy name from the ADMX, and then click **Add**.
-## ConfigOperations
+ Example, `EfficiencyMode`.
-Use **ConfigOperations** to import an ADMX file or policies from an ADMX file.
+3. Select the policy name in the Customization pane, and then enter a value from the ADMX in the text field.
-1. Enter an app name, and then click **Add**.
+ Example, ``.
- This can be any name you assign, so choose something descriptive to help you identify its purpose. For example, if you are importing ADMX for Office 16, enter an app name of **Office 16**.
-2. Select the app name in the Customizations pane, select a setting type, and then click **Add**.
+## Category and policy in ADMX
- The choices, **Policy** and **Preference**, have no impact on the behavior of the settings, and are only provided for your convenience should you want to categorize the settings you add.
-
-3. Select the setting type in the Customizations pane. In the **AdmxFileUid** field, enter the name of the ADMX file or a unique ID for the file, and then click **Add**.
+The following samples show the ADMX file for Chromium Edge used in the examples in the procedures above. The first sample highlights the category names.
- The **AdmxFileUid** can be any string, but must be unique in the provisioning package. Using the name of the ADMX file will help you identify the file in the future.
+```XML
+
+
+
+
+
+
+```
+
-4. Select the AdmxFileUid in the Customizations pane, and paste the contents of the ADMX file in the text field. Before copying the contents of the ADMX file, you must convert it to a single-line. See [Convert multi-line to single line](#convert) for instructions.
+The next sample highlights the specific policy.
- >[!NOTE]
- >When you have a large ADMX file, you may want to only include specific settings. Instead of pasting in the entire ADMX file, you can paste just one or more specific policies (after converting them to single-line).
-
-5. Repeat for each ADMX, or set of ADMX policies, that you want to add, and then configure [ConfigADMXInstalledPolicy](#configadmxinstalledpolicy) for each one.
+```XML
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+```
+
-
## Convert multi-line to single line
Use the following PowerShell cmdlet to remove carriage returns and line feeds from a multi-line file to create a single-line file that you can paste in **AdmxFileUid**.
```PS
-$path="file path"
-(Get-Content $admxFile -Raw).Replace("`r`n","") | Set-Content $path -Force
+$outputFile = "output.admx"
+$inputFile = "input.admx"
+(Get-Content $inputFile -Raw).Replace("`r`n","") | Set-Content $outputFile -Force
```
-## Category and policy in ADMX
-
-The following images show snippets of the ADMX file for Office 16 that are used in the examples in the procedures above. The first image highlights the category names.
-
-
-
-The next image highlights the specific policy.
-
-
-
+## Configuration Samples
+Example: Edge Efficiency Mode
+```XML
+
+
+
+ {d1ab1e3e-6e6d-4bd5-b35b-34cca18d2e16}
+ MSEdgeEfficiencyMode
+ 1.1
+ OEM
+ 0
+
+
+
+
+
+
+
+
+
+ <enabled/><data id="EfficiencyMode" value="2"/>
+
+
+
+
+
+
+
+
+ <?xml version="1.0" ?><policyDefinitions revision="1.0" schemaVersion="1.0" xmlns="http://www.microsoft.com/GroupPolicy/PolicyDefinitions"> <!--microsoft_edge version: 96.0.1054.62--> <policyNamespaces> <target namespace="Microsoft.Policies.Edge" prefix="microsoft_edge"/> <using namespace="Microsoft.Policies.Windows" prefix="windows"/> </policyNamespaces> <resources minRequiredRevision="1.0"/> <supportedOn> <definitions> <definition displayName="$(string.SUPPORTED_WIN7_V96)" name="SUPPORTED_WIN7_V96"/> </definitions> </supportedOn> <categories> <category displayName="$(string.microsoft_edge)" name="microsoft_edge"/> <category displayName="$(string.Performance_group)" name="Performance"> <parentCategory ref="microsoft_edge"/> </category> </categories> <policies> <policy class="Both" displayName="$(string.EfficiencyMode)" explainText="$(string.EfficiencyMode_Explain)" key="Software\Policies\Microsoft\Edge" name="EfficiencyMode" presentation="$(presentation.EfficiencyMode)"> <parentCategory ref="Performance"/> <supportedOn ref="SUPPORTED_WIN7_V96"/> <elements> <enum id="EfficiencyMode" valueName="EfficiencyMode"> <item displayName="$(string.EfficiencyMode_AlwaysActive)"> <value> <decimal value="0"/> </value> </item> <item displayName="$(string.EfficiencyMode_NeverActive)"> <value> <decimal value="1"/> </value> </item> <item displayName="$(string.EfficiencyMode_ActiveWhenUnplugged)"> <value> <decimal value="2"/> </value> </item> <item displayName="$(string.EfficiencyMode_ActiveWhenUnpluggedBatteryLow)"> <value> <decimal value="3"/> </value> </item> </enum> </elements> </policy> </policies></policyDefinitions>
+
+
+
+
+
+
+
+
+
+
+```
## Related topics
diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
index 074b1f2d92..e1650926b3 100644
--- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
@@ -145,8 +145,8 @@ When you configure your MDT Build Lab deployment share, you can also add applica
On **MDT01**:
-1. Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (AcroRdrDC2100520060_en_US.exe) to **D:\\setup\\adobe** on MDT01.
-2. Extract the .exe file that you downloaded to an .msi (ex: .\AcroRdrDC2100520060_en_US.exe -sfx_o"d:\setup\adobe\install\" -sfx_ne).
+1. Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (AcroRdrDC2200120117_en_US.exe) to **D:\\setup\\adobe** on MDT01.
+2. Extract the .exe file that you downloaded to an .msi (ex: .\AcroRdrDC2200120117_en_US.exe -sfx_o"d:\setup\adobe\install\" -sfx_ne).
3. In the Deployment Workbench, expand the **MDT Production** node and navigate to the **Applications** node.
4. Right-click the **Applications** node, and create a new folder named **Adobe**.
diff --git a/windows/deployment/do/waas-delivery-optimization-reference.md b/windows/deployment/do/waas-delivery-optimization-reference.md
index d3311ce5e8..ce7b9f9219 100644
--- a/windows/deployment/do/waas-delivery-optimization-reference.md
+++ b/windows/deployment/do/waas-delivery-optimization-reference.md
@@ -190,7 +190,7 @@ Starting in Windows 10, version 1803, specifies the maximum foreground download
### Maximum Background Download Bandwidth
-Starting in Windows 10, version 1803, specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. **The default value of "0"** means that Delivery Optimization dynamically adjusts to use the available bandwidth for foreground downloads. However, downloads from LAN peers are not throttled even when this policy is set.
+Starting in Windows 10, version 1803, specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. **The default value of "0"** means that Delivery Optimization dynamically adjusts to use the available bandwidth for background downloads. However, downloads from LAN peers are not throttled even when this policy is set.
### Percentage of Maximum Download Bandwidth
diff --git a/windows/deployment/update/how-windows-update-works.md b/windows/deployment/update/how-windows-update-works.md
index 833a2b655d..f666a097be 100644
--- a/windows/deployment/update/how-windows-update-works.md
+++ b/windows/deployment/update/how-windows-update-works.md
@@ -90,6 +90,18 @@ When users start scanning in Windows Update through the Settings panel, the foll
- Windows Update uses the thread ID filtering to concentrate on one particular task.
+
+#### Proxy Behavior
+For Windows Update (WU) scans URLs that are used for update detection ([MS-WUSP]: SimpleAuth Web Service | Microsoft Docs, [MS-WUSP]: Client Web Service | Microsoft Docs):
+- System proxy is attempted (set using the `netsh` command).
+- If WUA fails to reach the service due to a certain proxy, service, or authentication error code, then user proxy is attempted (generally it is the logged-in user).
+
+ > [!Note]
+ > For intranet WSUS update service URLs, we provide an option via Windows Update policy to select the proxy behavior.
+
+For WU URLs that _aren't_ used for update detection, such as for download or reporting:
+- User proxy is attempted.
+- If WUA fails to reach the service due to a certain proxy, service, or authentication error code, then the system proxy is attempted.
#### Identifies service IDs
diff --git a/windows/deployment/update/wufb-wsus.md b/windows/deployment/update/wufb-wsus.md
index 37ad4990d7..e90960de49 100644
--- a/windows/deployment/update/wufb-wsus.md
+++ b/windows/deployment/update/wufb-wsus.md
@@ -1,5 +1,5 @@
---
-title: Use Windows Update for Business (WUfB) and Windows Server Update Services (WSUS) together
+title: Use Windows Update for Business and Windows Server Update Services (WSUS) together
description: Learn how to use Windows Update for Business and WSUS together using the new scan source policy.
ms.prod: w10
ms.mktglfcycl: manage
@@ -23,7 +23,7 @@ ms.topic: article
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
-The Windows update scan source policy enables you to choose what types of updates to get from either [WSUS](waas-manage-updates-wsus.md) or Windows Update for Business (WUfB) service.
+The Windows update scan source policy enables you to choose what types of updates to get from either [WSUS](waas-manage-updates-wsus.md) or Windows Update for Business service.
We added the scan source policy starting with the [September 1, 2021—KB5005101 (OS Builds 19041.1202, 19042.1202, and 19043.1202) Preview](https://support.microsoft.com/help/5005101) update and it applies to Window 10, version 2004 and above and Windows 11. This policy changes the way devices determine whether to scan against a local WSUS server or Windows Update service.
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
index 5e5a751b1b..fc82f5a509 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
@@ -6809,7 +6809,7 @@ The following fields are available:
- **oSVersion** Build number of the device.
- **paused** Indicates whether the device is paused.
- **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status.
-- **wUfBConnected** Result of WUfB connection check.
+- **wUfBConnected** Result of Windows Update for Business connection check.
### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureNotApplicable
@@ -6823,7 +6823,7 @@ The following fields are available:
- **oSVersion** Build number of the device.
- **paused** Indicates whether the device is paused.
- **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status.
-- **wUfBConnected** Result of WUfB connection check.
+- **wUfBConnected** Result of Windows Update for Business connection check.
### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureStarted
@@ -6864,7 +6864,7 @@ The following fields are available:
- **oSVersion** Build number of the device.
- **paused** Indicates whether the device is paused.
- **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status.
-- **wUfBConnected** Result of WUfB connection check.
+- **wUfBConnected** Result of Windows Update for Business connection check.
### Microsoft.Windows.UpdateCsp.ExecuteRollBackQualityStarted
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
index bcfa0ba684..e660f2df49 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
@@ -8296,7 +8296,7 @@ The following fields are available:
- **oSVersion** Build number of the device.
- **paused** Indicates whether the device is paused.
- **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status.
-- **wUfBConnected** Result of WUfB connection check.
+- **wUfBConnected** Result of Windows Update for Business connection check.
### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureNotApplicable
@@ -8310,7 +8310,7 @@ The following fields are available:
- **oSVersion** Build number of the device.
- **paused** Indicates whether the device is paused.
- **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status.
-- **wUfBConnected** Result of WUfB connection check.
+- **wUfBConnected** Result of Windows Update for Business connection check.
### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureStarted
@@ -8351,7 +8351,7 @@ The following fields are available:
- **oSVersion** Build number of the device.
- **paused** Indicates whether the device is paused.
- **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status.
-- **wUfBConnected** Result of WUfB connection check.
+- **wUfBConnected** Result of Windows Update for Business connection check.
### Microsoft.Windows.UpdateCsp.ExecuteRollBackQualitySucceeded
@@ -9584,8 +9584,8 @@ The following fields are available:
- **UnifiedInstallerDeviceIsProSkuHresult** The result code from checking whether a device is Pro SKU.
- **UnifiedInstallerDeviceIsSccmManaged** Boolean indicating whether a device is SCCM managed.
- **UnifiedInstallerDeviceIsSccmManagedHresult** The result code from checking whether a device is SCCM managed.
-- **UnifiedInstallerDeviceWufbManaged** Boolean indicating whether a device is Wufb managed.
-- **UnifiedInstallerDeviceWufbManagedHresult** The result code from checking whether a device is Wufb managed.
+- **UnifiedInstallerDeviceWufbManaged** Boolean indicating whether a device is Windows Update for Business managed.
+- **UnifiedInstallerDeviceWufbManagedHresult** The result code from checking whether a device is Windows Update for Business managed.
- **UnifiedInstallerPlatformResult** The result code from checking what platform type the device is.
- **UnifiedInstallerPlatformType** The enum indicating the type of platform detected.
- **UnifiedInstUnifiedInstallerDeviceIsHomeSkuHresultllerDeviceIsHomeSku** The result code from checking whether a device is Home SKU.
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md
index 6d2cc70a0c..2dd8d27ae5 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md
@@ -3627,7 +3627,7 @@ The following fields are available:
- **IsDeviceUninstallActive** Indicates whether the OS (operating system) on the device was recently updated.
- **IsDeviceUpdateNotificationLevel** Indicates whether the device has a set policy to control update notifications.
- **IsDeviceUpdateServiceManaged** Indicates whether the device uses WSUS (Windows Server Update Services).
-- **IsDeviceWUFBManaged** If device is WUfB managed.
+- **IsDeviceWUFBManaged** If device is Windows Update for Business managed.
- **IsDeviceZeroExhaust** Indicates whether the device subscribes to the Zero Exhaust policy to minimize connections from Windows to Microsoft.
- **IsGreaterThanMaxRetry** Indicates whether the DTU (Direct to Update) service has exceeded its maximum retry count.
- **IsVolumeLicensed** Indicates whether a volume license was used to authenticate the operating system or applications on the device.
@@ -6257,8 +6257,8 @@ The following fields are available:
- **UnifiedInstallerDeviceIsProSkuHresult** The result code from checking whether a device is Pro SKU.
- **UnifiedInstallerDeviceIsSccmManaged** Boolean indicating whether a device is SCCM managed.
- **UnifiedInstallerDeviceIsSccmManagedHresult** The result code from checking whether a device is SCCM managed.
-- **UnifiedInstallerDeviceWufbManaged** Boolean indicating whether a device is Wufb managed.
-- **UnifiedInstallerDeviceWufbManagedHresult** The result code from checking whether a device is Wufb managed.
+- **UnifiedInstallerDeviceWufbManaged** Boolean indicating whether a device is Windows Update for Business managed.
+- **UnifiedInstallerDeviceWufbManagedHresult** The result code from checking whether a device is Windows Update for Business managed.
- **UnifiedInstallerPlatformResult** The result code from checking what platform type the device is.
- **UnifiedInstallerPlatformType** The enum indicating the type of platform detected.
- **UnifiedInstUnifiedInstallerDeviceIsHomeSkuHresultllerDeviceIsHomeSku** The result code from checking whether a device is Home SKU.
@@ -6374,7 +6374,7 @@ The following fields are available:
- **CV** Correlation vector.
- **GlobalEventCounter** The global event counter counts the total events for the provider.
- **PackageVersion** The version for the current package.
-- **UpdateHealthToolsServiceBlockedByNoDSSJoinHr** The result code returned when checking for WUFB cloud membership.
+- **UpdateHealthToolsServiceBlockedByNoDSSJoinHr** The result code returned when checking for Windows Update for Business cloud membership.
### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsServiceIsDSSJoin
@@ -8457,7 +8457,7 @@ The following fields are available:
- **paused** Indicates whether the device is paused.
- **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status.
- **sacDevice** This is the device info.
-- **wUfBConnected** Result of WUfB connection check.
+- **wUfBConnected** Result of Windows Update for Business connection check.
### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureNotApplicable
@@ -8472,7 +8472,7 @@ The following fields are available:
- **paused** Indicates whether the device is paused.
- **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status.
- **sacDevice** Represents the device info.
-- **wUfBConnected** Result of WUfB connection check.
+- **wUfBConnected** Result of Windows Update for Business connection check.
### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureStarted
@@ -8509,7 +8509,7 @@ The following fields are available:
- **paused** Indicates whether the device is paused.
- **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status.
- **sacDevice** Device in the General Availability Channel.
-- **wUfBConnected** Result of WUfB connection check.
+- **wUfBConnected** Result of Windows Update for Business connection check.
### Microsoft.Windows.UpdateCsp.ExecuteRollBackQualityStarted
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index adcfe8c9a9..3f2cf6b3ae 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -58,6 +58,11 @@ The following sections list the components that make network connections to Micr
The following table lists management options for each setting, For Windows 10 (beginning with Windows 10 Enterprise version 1607) and Windows 11.
+ > [!IMPORTANT]
+> **If you need assistance with troubleshooting issues, please refer to**:
+> - [Keep your device running smoothly](https://support.microsoft.com/topic/keep-your-device-running-smoothly-with-recommended-troubleshooting-ec76fe10-4ac8-ce9d-49c6-757770fe68f1)
+> - [CSP - Troubleshooting](/windows/client-management/mdm/policy-csp-troubleshooting)
+
| Setting | UI | Group Policy | Registry |
| - | :-: | :-: | :-: |
@@ -861,6 +866,8 @@ Use Settings > Privacy & security to configure some settings that may be importa
- [18.23 Voice Activation](#bkmk-voice-act)
+- [18.24 News and interests](#bkmk-priv-news)
+
### 18.1 General
**General** includes options that don't fall into other areas.
@@ -1528,6 +1535,13 @@ To turn this Off in the UI:
- Create a REG_DWORD registry setting named **LetAppsActivateWithVoiceAboveLock** in **HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy** with a **value of 2 (two)**
+### 18.24 News and interests
+
+In the **Windows Feeds** area, you can choose which apps have access to your diagnostic information.
+
+To turn this off:
+
+- Create a REG_DWORD registry setting named **EnableFeeds** in **HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Feeds** with a **value of 0 (zero)**.
### 19. Software Protection Platform
diff --git a/windows/privacy/manage-windows-11-endpoints.md b/windows/privacy/manage-windows-11-endpoints.md
index d2770a3edf..1370d95086 100644
--- a/windows/privacy/manage-windows-11-endpoints.md
+++ b/windows/privacy/manage-windows-11-endpoints.md
@@ -40,7 +40,7 @@ The following methodology was used to derive these network endpoints:
3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
4. Compile reports on traffic going to public IP addresses.
5. The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure Active Directory.
-6. All traffic was captured in our lab using a IPV4 network. Therefore, no IPV6 traffic is reported here.
+6. All traffic was captured in our lab using an IPV4 network. Therefore, no IPV6 traffic is reported here.
7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different.
8. These tests were conducted for one week, but if you capture traffic for longer you may have different results.
@@ -55,8 +55,8 @@ The following methodology was used to derive these network endpoints:
|Apps|||[Learn how to turn off traffic to the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)|
||The following endpoint is used for the Weather app. To turn off traffic for this endpoint, either uninstall the Weather app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTP|tile-service.weather.microsoft.com|
||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS/HTTP|cdn.onenote.net|
-||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS|evoke-windowsservices-tas.msedge.net
-|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to turn off traffic to this endpoint, but it is not recommended because as root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. Additionally, it is used to download certificates that are publicly known to be fraudulent. These settings are critical for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)|
+||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS|evoke-windowsservices-tas.msedge.net|
+|Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA) are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates where the server certificate issuer is unknown or is not trusted by the service. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism.
If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)|
|||TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com|
|Cortana and Live Tiles|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana)|
||The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.|TLSv1.2/HTTPS/HTTP|www.bing.com*|
@@ -154,4 +154,4 @@ To view endpoints for non-Enterprise Windows 10 editions, see:
## Related links
- [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges)
-- [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)
\ No newline at end of file
+- [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)
diff --git a/windows/privacy/manage-windows-1809-endpoints.md b/windows/privacy/manage-windows-1809-endpoints.md
index b9a121fa15..f6b2a11c6d 100644
--- a/windows/privacy/manage-windows-1809-endpoints.md
+++ b/windows/privacy/manage-windows-1809-endpoints.md
@@ -164,6 +164,10 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper
## Certificates
+Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA) are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates where the server certificate issuer is unknown or is not trusted by the service. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism.
+
+If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device.
+
The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It's possible to [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update), but that isn't recommended because when root certificates are updated over time, applications and websites may stop working because they didn't receive an updated root certificate the application uses.
Additionally, it's used to download certificates that are publicly known to be fraudulent.
diff --git a/windows/privacy/manage-windows-1903-endpoints.md b/windows/privacy/manage-windows-1903-endpoints.md
index 7c2bf27999..41d1c6b46b 100644
--- a/windows/privacy/manage-windows-1903-endpoints.md
+++ b/windows/privacy/manage-windows-1903-endpoints.md
@@ -37,11 +37,11 @@ The following methodology was used to derive these network endpoints:
1. Set up the latest version of Windows 10 on a test virtual machine using the default settings.
2. Leave the device(s) running idle for a week ("idle" means a user is not interacting with the system/device).
-3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
+3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
4. Compile reports on traffic going to public IP addresses.
5. The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure Active Directory.
-6. All traffic was captured in our lab using a IPV4 network. Therefore, no IPV6 traffic is reported here.
-7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different.
+6. All traffic was captured in our lab using an IPV4 network. Therefore, no IPV6 traffic is reported here.
+7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different.
8. These tests were conducted for one week, but if you capture traffic for longer you may have different results.
> [!NOTE]
@@ -52,10 +52,10 @@ The following methodology was used to derive these network endpoints:
|Area|Description|Protocol|Destination|
|----------------|----------|----------|------------|
|Apps|||[Learn how to turn off traffic to the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)|
-||The following endpoints are used to download updates to the Weather app Live Tile. If you turn off traffic to this endpoint, no Live Tiles will be updated.|HTTP|blob.weather.microsoft.com|
-|||HTTP|tile-service.weather.microsoft.com
-|||HTTP|tile-service.weather.microsoft.com
-||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|cdn.onenote.net/livetile/?Language=en-US
+||The following endpoints are used to download updates to the Weather app Live Tile. If you turn off traffic to this endpoint, no Live Tiles will be updated.|HTTP|`blob.weather.microsoft.com`|
+|||HTTP|tile-service.weather.microsoft.com|
+|||HTTP|tile-service.weather.microsoft.com|
+||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|cdn.onenote.net/livetile/?Language=en-US|
||The following endpoint is used for Twitter updates. To turn off traffic for these endpoints, either uninstall Twitter or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|*.twimg.com*|
||The following endpoint is used for Candy Crush Saga updates. To turn off traffic for this endpoint, either uninstall Candy Crush Saga or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLS v1.2|candycrushsoda.king.com|
||The following endpoint is used by the Photos app to download configuration files, and to connect to the Microsoft 365 admin center's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|evoke-windowsservices-tas.msedge.net|
@@ -68,7 +68,7 @@ The following methodology was used to derive these network endpoints:
|Azure |The following endpoints are related to Azure. |HTTPS|wd-prod-*fe*.cloudapp.azure.com|
|||HTTPS|ris-prod-atm.trafficmanager.net|
|||HTTPS|validation-v2.sls.trafficmanager.net|
-|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible turn off traffic to this endpoint, but that is not recommended because when root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. Additionally, it is used to download certificates that are publicly known to be fraudulent. These settings are critical for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)|
+|Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA) are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates where the server certificate issuer is unknown or is not trusted by the service. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism.
If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)|
|||HTTP|ctldl.windowsupdate.com|
|Cortana and Search|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana)|
||The following endpoint is used to get images that are used for Microsoft Store suggestions. If you turn off traffic for this endpoint, you will block images that are used for Microsoft Store suggestions.|HTTPS|store-images.*microsoft.com|
@@ -186,5 +186,5 @@ To view endpoints for non-Enterprise Windows 10 editions, see:
## Related links
-- [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US)
-- [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)
\ No newline at end of file
+- [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges)
+- [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)
diff --git a/windows/privacy/manage-windows-1909-endpoints.md b/windows/privacy/manage-windows-1909-endpoints.md
index da29e4f457..b5dfff14b9 100644
--- a/windows/privacy/manage-windows-1909-endpoints.md
+++ b/windows/privacy/manage-windows-1909-endpoints.md
@@ -36,10 +36,10 @@ The following methodology was used to derive these network endpoints:
1. Set up the latest version of Windows 10 on a test virtual machine using the default settings.
2. Leave the device(s) running idle for a week ("idle" means a user is not interacting with the system/device).
-3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
+3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
4. Compile reports on traffic going to public IP addresses.
5. The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure Active Directory.
-6. All traffic was captured in our lab using a IPV4 network. Therefore, no IPV6 traffic is reported here.
+6. All traffic was captured in our lab using an IPV4 network. Therefore, no IPV6 traffic is reported here.
7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different.
8. These tests were conducted for one week, but if you capture traffic for longer you may have different results.
@@ -54,8 +54,8 @@ The following methodology was used to derive these network endpoints:
||The following endpoint is used for the Weather app. To turn off traffic for this endpoint, either uninstall the Weather app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTP|tile-service.weather.microsoft.com|
|||HTTP|tile-service.weather.microsoft.com/en-us/livetile/preinstall|
||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|cdn.onenote.net/*|
-||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLS v1.2|evoke-windowsservices-tas.msedge.net
-|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to turn off traffic to this endpoint, but it is not recommended because as root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. Additionally, it is used to download certificates that are publicly known to be fraudulent. These settings are critical for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)|
+||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLS v1.2|evoke-windowsservices-tas.msedge.net|
+|Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA) are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates where the server certificate issuer is unknown or is not trusted by the service. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism.
If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)|
|||HTTP|ctldl.windowsupdate.com|
|Cortana and Live Tiles|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana)|
||The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.|HTTPS|www.bing.com*|
@@ -136,5 +136,5 @@ To view endpoints for non-Enterprise Windows 10 editions, see:
## Related links
-- [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US)
-- [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)
\ No newline at end of file
+- [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges)
+- [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)
diff --git a/windows/privacy/manage-windows-2004-endpoints.md b/windows/privacy/manage-windows-2004-endpoints.md
index 48879ed467..2b302dbf62 100644
--- a/windows/privacy/manage-windows-2004-endpoints.md
+++ b/windows/privacy/manage-windows-2004-endpoints.md
@@ -39,7 +39,7 @@ The following methodology was used to derive these network endpoints:
3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
4. Compile reports on traffic going to public IP addresses.
5. The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure Active Directory.
-6. All traffic was captured in our lab using a IPV4 network. Therefore, no IPV6 traffic is reported here.
+6. All traffic was captured in our lab using an IPV4 network. Therefore, no IPV6 traffic is reported here.
7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different.
8. These tests were conducted for one week, but if you capture traffic for longer you may have different results.
@@ -53,9 +53,9 @@ The following methodology was used to derive these network endpoints:
|Apps|||[Learn how to turn off traffic to the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)|
||The following endpoints are used for the Weather app. To turn off traffic for this endpoint, either uninstall the Weather app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|blob.weather.microsoft.com|
|||HTTP|tile-service.weather.microsoft.com|
-||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|cdn.onenote.net/*
+||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|cdn.onenote.net/*|
||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2|evoke-windowsservices-tas.msedge.net|
-|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to turn off traffic to this endpoint, but it is not recommended because as root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. Additionally, it is used to download certificates that are publicly known to be fraudulent. These settings are critical for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)|
+|Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA) are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates where the server certificate issuer is unknown or is not trusted by the service. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism.
If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)|
|||HTTP|ctldl.windowsupdate.com|
|Cortana and Live Tiles|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana)|
||The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.|TLSv1.2|www.bing.com*|
@@ -137,5 +137,5 @@ To view endpoints for non-Enterprise Windows 10 editions, see:
## Related links
-- [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US)
-- [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)
\ No newline at end of file
+- [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges)
+- [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)
diff --git a/windows/privacy/manage-windows-20H2-endpoints.md b/windows/privacy/manage-windows-20H2-endpoints.md
index 8035ebc8d5..9d1ec6d001 100644
--- a/windows/privacy/manage-windows-20H2-endpoints.md
+++ b/windows/privacy/manage-windows-20H2-endpoints.md
@@ -40,7 +40,7 @@ The following methodology was used to derive these network endpoints:
3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
4. Compile reports on traffic going to public IP addresses.
5. The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure Active Directory.
-6. All traffic was captured in our lab using a IPV4 network. Therefore, no IPV6 traffic is reported here.
+6. All traffic was captured in our lab using an IPV4 network. Therefore, no IPV6 traffic is reported here.
7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different.
8. These tests were conducted for one week, but if you capture traffic for longer you may have different results.
@@ -54,8 +54,8 @@ The following methodology was used to derive these network endpoints:
|Apps|||[Learn how to turn off traffic to the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)|
||The following endpoint is used for the Weather app. To turn off traffic for this endpoint, either uninstall the Weather app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTP|tile-service.weather.microsoft.com|
||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS/HTTP|cdn.onenote.net|
-||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS|evoke-windowsservices-tas.msedge.net
-|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to turn off traffic to this endpoint, but it is not recommended because as root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. Additionally, it is used to download certificates that are publicly known to be fraudulent. These settings are critical for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)|
+||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS|evoke-windowsservices-tas.msedge.net|
+|Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA) are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates where the server certificate issuer is unknown or is not trusted by the service. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism.
If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)|
|||TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com|
|Cortana and Live Tiles|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana)|
||The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.|TLSv1.2/HTTPS/HTTP|www.bing.com*|
@@ -82,7 +82,7 @@ The following methodology was used to derive these network endpoints:
||The following endpoints are used for Microsoft accounts to sign in. If you turn off traffic for these endpoints, users cannot sign in with Microsoft accounts. |TLSv1.2/HTTPS|login.live.com|
|Microsoft Edge|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#13-microsoft-edge)|
||This traffic is related to the Microsoft Edge browser.|HTTPS|iecvlist.microsoft.com|
-||The following endpoint is used by Microsoft Edge Update service to check for new updates. If you disable this endpoint, Microsoft Edge won’t be able to check for and apply new edge updates.|TLSv1.2/HTTPS/HTTP|msedge.api.cdp.microsoft.com|
+||The following endpoint is used by Microsoft Edge Update service to check for new updates. If you disable this endpoint, Microsoft Edge won't be able to check for and apply new edge updates.|TLSv1.2/HTTPS/HTTP|msedge.api.cdp.microsoft.com|
|Microsoft forward link redirection service (FWLink)|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded.|HTTP|go.microsoft.com|
|Microsoft Store|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
||The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). If you turn off traffic for these endpoints, the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTPS|img-prod-cms-rt-microsoft-com.akamaized.net|
@@ -155,4 +155,4 @@ To view endpoints for non-Enterprise Windows 10 editions, see:
## Related links
- [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges)
-- [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)
\ No newline at end of file
+- [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)
diff --git a/windows/privacy/manage-windows-21H1-endpoints.md b/windows/privacy/manage-windows-21H1-endpoints.md
index 940115bae8..bd760cb5c0 100644
--- a/windows/privacy/manage-windows-21H1-endpoints.md
+++ b/windows/privacy/manage-windows-21H1-endpoints.md
@@ -40,7 +40,7 @@ The following methodology was used to derive these network endpoints:
3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
4. Compile reports on traffic going to public IP addresses.
5. The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure Active Directory.
-6. All traffic was captured in our lab using a IPV4 network. Therefore, no IPV6 traffic is reported here.
+6. All traffic was captured in our lab using an IPV4 network. Therefore, no IPV6 traffic is reported here.
7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different.
8. These tests were conducted for one week, but if you capture traffic for longer you may have different results.
@@ -52,10 +52,10 @@ The following methodology was used to derive these network endpoints:
|Area|Description|Protocol|Destination|
|----------------|----------|----------|------------|
|Apps|||[Learn how to turn off traffic to the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)|
-||The following endpoint is used for the Weather app. To turn off traffic for this endpoint, either uninstall the Weather app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTP|tile-service.weather.microsoft.com|
-||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS/HTTP|cdn.onenote.net|
-||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS|evoke-windowsservices-tas.msedge.net
-|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to turn off traffic to this endpoint, but it is not recommended because as root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. Additionally, it is used to download certificates that are publicly known to be fraudulent. These settings are critical for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)|
+||The following endpoint is used for the Weather app. To turn off traffic for this endpoint, either uninstall the Weather app or disable the Microsoft Store. If you disable the Microsoft Store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTP|tile-service.weather.microsoft.com|
+||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft Store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS/HTTP|cdn.onenote.net|
+||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft Store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS|evoke-windowsservices-tas.msedge.net
+|Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA) are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates where the server certificate issuer is unknown or is not trusted by the service. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism.
If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)|
|||TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com|
|Cortana and Live Tiles|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana)|
||The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.|TLSv1.2/HTTPS/HTTP|www.bing.com*|
@@ -66,9 +66,11 @@ The following methodology was used to derive these network endpoints:
||The following endpoint is used to authenticate a device. If you turn off traffic for this endpoint, the device will not be authenticated.|HTTPS|login.live.com*|
|Device metadata|The following endpoint is used to retrieve device metadata. If you turn off traffic for this endpoint, metadata will not be updated for the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#4-device-metadata-retrieval)|
|||HTTP|dmd.metaservices.microsoft.com|
-|Diagnostic Data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)|
+|Diagnostic Data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)|
|||TLSv1.2/HTTPS/HTTP|v10.events.data.microsoft.com|
-||The following endpoints are used by Windows Error Reporting. To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft.|TLSv1.2|telecommand.telemetry.microsoft.com|
+|||TLSv1.2/HTTPS/HTTP|v20.events.data.microsoft.com|
+|||HTTP|www.microsoft.com|
+||The following endpoints are used by Windows Error Reporting. To turn off traffic for these endpoints, enable the following Group Policy: **Administrative Templates** > **Windows Components** > **Windows Error Reporting** > **Disable Windows Error Reporting**. This means error reporting information will not be sent back to Microsoft.|TLSv1.2|telecommand.telemetry.microsoft.com|
|||TLS v1.2/HTTPS/HTTP|watson.*.microsoft.com|
|Font Streaming|The following endpoints are used to download fonts on demand. If you turn off traffic for these endpoints, you will not be able to download fonts on demand.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#6-font-streaming)|
|||HTTPS|fs.microsoft.com|
@@ -80,8 +82,8 @@ The following methodology was used to derive these network endpoints:
||The following endpoints are used for Microsoft accounts to sign in. If you turn off traffic for these endpoints, users cannot sign in with Microsoft accounts. |TLSv1.2/HTTPS|login.live.com|
|Microsoft Edge|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#13-microsoft-edge)|
||This traffic is related to the Microsoft Edge browser.|HTTPS|iecvlist.microsoft.com|
-||The following endpoint is used by Microsoft Edge Update service to check for new updates. If you disable this endpoint, Microsoft Edge won’t be able to check for and apply new edge updates.|TLSv1.2/HTTPS/HTTP|msedge.api.cdp.microsoft.com|
-|Microsoft forward link redirection service (FWLink)|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded.|HTTP|go.microsoft.com|
+||The following endpoint is used by Microsoft Edge Update service to check for new updates. If you disable this endpoint, Microsoft Edge won't be able to check for and apply new edge updates.|TLSv1.2/HTTPS/HTTP|msedge.api.cdp.microsoft.com|
+|Microsoft forward link redirection service (FWLink)|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead, disable the traffic that's getting forwarded.|HTTP|go.microsoft.com|
|Microsoft Store|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
||The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). If you turn off traffic for these endpoints, the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTPS|img-prod-cms-rt-microsoft-com.akamaized.net|
||The following endpoint is needed to load the content in the Microsoft Store app.|HTTPS|livetileedge.dsx.mp.microsoft.com|
@@ -107,10 +109,10 @@ The following methodology was used to derive these network endpoints:
|Settings|The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. If you turn off traffic for this endpoint, an app that uses this endpoint may stop working.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)|
|||TLSv1.2/HTTPS/HTTP|settings-win.data.microsoft.com|
|||HTTPS|settings.data.microsoft.com|
-|Skype|The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)|
+|Skype|The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft Store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)|
|||HTTPS/HTTP|*.pipe.aria.microsoft.com|
|||TLSv1.2/HTTPS/HTTP|config.edge.skype.com|
-|Teams|The following endpoint is used for Microsoft Teams application.||[Learn how to turn off traffic to all of the following endpoint(s).]( manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
+|Teams|The following endpoint is used for Microsoft Teams application.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
|||TLSv1.2/HTTPS/HTTP|config.teams.microsoft.com|
|Windows Defender|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. If you turn off traffic for this endpoint, the device will not use Cloud-based Protection.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender)|
|||HTTPS/TLSv1.2|wdcp.microsoft.com|
@@ -124,7 +126,7 @@ The following methodology was used to derive these network endpoints:
|||HTTP|emdl.ws.microsoft.com|
||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. If you turn off traffic for these endpoints, the device will not be able to download updates for the operating system.|TLSv1.2/HTTPS/HTTP|*.dl.delivery.mp.microsoft.com|
|||HTTP|*.windowsupdate.com|
-||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. If you turn off traffic for these endpoints, the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store. These are dependent on also enabling "Device authentication" and "Microsoft Account" endpoints.|TLSv1.2/HTTPS/HTTP|*.delivery.mp.microsoft.com|
+||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. If you turn off traffic for these endpoints, the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Microsoft Store. These are dependent on also enabling "Device authentication" and "Microsoft Account" endpoints.|TLSv1.2/HTTPS/HTTP|*.delivery.mp.microsoft.com|
|||TLSv1.2/HTTPS/HTTP|*.update.microsoft.com|
||The following endpoint is used for compatibility database updates for Windows.|HTTPS|adl.windows.com|
||The following endpoint is used for content regulation. If you turn off traffic for this endpoint, the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all.|TLSv1.2/HTTPS/HTTP|tsfe.trafficshaping.dsp.mp.microsoft.com|
@@ -137,6 +139,7 @@ The following methodology was used to derive these network endpoints:
To view endpoints for other versions of Windows 10 Enterprise, see:
- [Manage connection endpoints for Windows 10, version 21H2](manage-windows-21H2-endpoints.md)
+- [Manage connection endpoints for Windows 10, version 20H2](manage-windows-20H2-endpoints.md)
- [Manage connection endpoints for Windows 10, version 2004](manage-windows-2004-endpoints.md)
- [Manage connection endpoints for Windows 10, version 1909](manage-windows-1909-endpoints.md)
- [Manage connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints.md)
@@ -145,6 +148,7 @@ To view endpoints for other versions of Windows 10 Enterprise, see:
To view endpoints for non-Enterprise Windows 10 editions, see:
- [Windows 10, version 21H1, connection endpoints for non-Enterprise editions](windows-endpoints-21H1-non-enterprise-editions.md)
+- [Windows 10, version 20H2, connection endpoints for non-Enterprise editions](windows-endpoints-20H2-non-enterprise-editions.md)
- [Windows 10, version 2004, connection endpoints for non-Enterprise editions](windows-endpoints-2004-non-enterprise-editions.md)
- [Windows 10, version 1909, connection endpoints for non-Enterprise editions](windows-endpoints-1909-non-enterprise-editions.md)
- [Windows 10, version 1903, connection endpoints for non-Enterprise editions](windows-endpoints-1903-non-enterprise-editions.md)
@@ -153,4 +157,4 @@ To view endpoints for non-Enterprise Windows 10 editions, see:
## Related links
- [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges)
-- [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)
\ No newline at end of file
+- [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)
diff --git a/windows/privacy/manage-windows-21h2-endpoints.md b/windows/privacy/manage-windows-21h2-endpoints.md
index 1988d81396..d8c926a1fc 100644
--- a/windows/privacy/manage-windows-21h2-endpoints.md
+++ b/windows/privacy/manage-windows-21h2-endpoints.md
@@ -40,7 +40,7 @@ The following methodology was used to derive these network endpoints:
3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
4. Compile reports on traffic going to public IP addresses.
5. The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure Active Directory.
-6. All traffic was captured in our lab using a IPV4 network. Therefore, no IPV6 traffic is reported here.
+6. All traffic was captured in our lab using an IPV4 network. Therefore, no IPV6 traffic is reported here.
7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different.
8. These tests were conducted for one week, but if you capture traffic for longer you may have different results.
@@ -54,8 +54,8 @@ The following methodology was used to derive these network endpoints:
|Apps|||[Learn how to turn off traffic to the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)|
||The following endpoint is used for the Weather app. To turn off traffic for this endpoint, either uninstall the Weather app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTP|tile-service.weather.microsoft.com|
||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS/HTTP|cdn.onenote.net|
-||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS|evoke-windowsservices-tas.msedge.net
-|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to turn off traffic to this endpoint, but it is not recommended because as root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. Additionally, it is used to download certificates that are publicly known to be fraudulent. These settings are critical for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)|
+||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS|evoke-windowsservices-tas.msedge.net|
+|Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA) are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates where the server certificate issuer is unknown or is not trusted by the service. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism.
If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)|
|||TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com|
|Cortana and Live Tiles|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana)|
||The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.|TLSv1.2/HTTPS/HTTP|www.bing.com*|
@@ -152,4 +152,4 @@ To view endpoints for non-Enterprise Windows 10 editions, see:
## Related links
- [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges)
-- [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)
\ No newline at end of file
+- [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)
diff --git a/windows/privacy/required-windows-11-diagnostic-events-and-fields.md b/windows/privacy/required-windows-11-diagnostic-events-and-fields.md
index ee4c6b4726..084f8f8a9e 100644
--- a/windows/privacy/required-windows-11-diagnostic-events-and-fields.md
+++ b/windows/privacy/required-windows-11-diagnostic-events-and-fields.md
@@ -6328,7 +6328,7 @@ The following fields are available:
- **paused** Indicates whether the device is paused.
- **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status.
- **sacDevice** This is the device info.
-- **wUfBConnected** Result of WUfB connection check.
+- **wUfBConnected** Result of Windows Update for Business connection check.
### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureNotApplicable
@@ -6343,7 +6343,7 @@ The following fields are available:
- **paused** Indicates whether the device is paused.
- **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status.
- **sacDevice** Represents the device info.
-- **wUfBConnected** Result of WUfB connection check.
+- **wUfBConnected** Result of Windows Update for Business connection check.
### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureStarted
@@ -6380,7 +6380,7 @@ The following fields are available:
- **paused** Indicates whether the device is paused.
- **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status.
- **sacDevice** Device in the General Availability Channel.
-- **wUfBConnected** Result of WUfB connection check.
+- **wUfBConnected** Result of Windows Update for Business connection check.
### Microsoft.Windows.UpdateCsp.ExecuteRollBackQualityStarted
diff --git a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
index 6a226268c2..b37678708d 100644
--- a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
+++ b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
@@ -5789,8 +5789,8 @@ The following fields are available:
- **UnifiedInstallerDeviceIsProSkuHresult** The result code from checking whether a device is Pro SKU.
- **UnifiedInstallerDeviceIsSccmManaged** Boolean indicating whether a device is SCCM managed.
- **UnifiedInstallerDeviceIsSccmManagedHresult** The result code from checking whether a device is SCCM managed.
-- **UnifiedInstallerDeviceWufbManaged** Boolean indicating whether a device is Wufb managed.
-- **UnifiedInstallerDeviceWufbManagedHresult** The result code from checking whether a device is Wufb managed.
+- **UnifiedInstallerDeviceWufbManaged** Boolean indicating whether a device is Windows Update for Business managed.
+- **UnifiedInstallerDeviceWufbManagedHresult** The result code from checking whether a device is Windows Update for Business managed.
- **UnifiedInstallerPlatformResult** The result code from checking what platform type the device is.
- **UnifiedInstallerPlatformType** The enum indicating the type of platform detected.
- **UnifiedInstUnifiedInstallerDeviceIsHomeSkuHresultllerDeviceIsHomeSku** The result code from checking whether a device is Home SKU.
@@ -5917,7 +5917,7 @@ The following fields are available:
- **CV** Correlation vector.
- **GlobalEventCounter** The global event counter for counting total events for the provider.
- **PackageVersion** The version for the current package.
-- **UpdateHealthToolsServiceBlockedByNoDSSJoinHr** The result code returned when checking for WUFB cloud membership.
+- **UpdateHealthToolsServiceBlockedByNoDSSJoinHr** The result code returned when checking for Windows Update for Business cloud membership.
### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsServiceIsDSSJoin
@@ -7212,7 +7212,7 @@ The following fields are available:
- **paused** Indicates whether the device is paused.
- **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status.
- **sacDevice** This is the device info.
-- **wUfBConnected** Result of WUfB connection check.
+- **wUfBConnected** Result of Windows Update for Business connection check.
### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureNotApplicable
@@ -7227,7 +7227,7 @@ The following fields are available:
- **paused** Indicates whether the device is paused.
- **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status.
- **sacDevice** Represents the device info.
-- **wUfBConnected** Result of WUfB connection check.
+- **wUfBConnected** Result of Windows Update for Business connection check.
### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureStarted
@@ -7270,7 +7270,7 @@ The following fields are available:
- **paused** Indicates whether the device is paused.
- **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status.
- **sacDevice** Device in the General Availability Channel.
-- **wUfBConnected** Result of WUfB connection check.
+- **wUfBConnected** Result of Windows Update for Business connection check.
### Microsoft.Windows.UpdateCsp.ExecuteRollBackQualityStarted
diff --git a/windows/security/identity-protection/access-control/security-identifiers.md b/windows/security/identity-protection/access-control/security-identifiers.md
index 9a30c84314..8564378d9c 100644
--- a/windows/security/identity-protection/access-control/security-identifiers.md
+++ b/windows/security/identity-protection/access-control/security-identifiers.md
@@ -21,7 +21,9 @@ ms.date: 04/19/2017
**Applies to**
- Windows 10
+- Windows 11
- Windows Server 2016
+- Windows Server 2019
This topic for the IT professional describes security identifiers and how they work in regards to accounts and groups in the Windows operating system.
@@ -208,7 +210,7 @@ The SECURITY\_NT\_AUTHORITY (S-1-5) predefined identifier authority produces SID
| S-1-5-13 | Terminal Server User| A group that includes all users who sign in to a server with Remote Desktop Services enabled.|
| S-1-5-14 | Remote Interactive Logon| A group that includes all users who log on to the computer by using a remote desktop connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID.|
| S-1-5-15| This Organization| A group that includes all users from the same organization. Only included with Active Directory accounts and only added by a domain controller.|
-| S-1-5-17 | IIS_USRS| An account that is used by the default Internet Information Services (IIS) user.|
+| S-1-5-17 | IUSR| An account that is used by the default Internet Information Services (IIS) user.|
| S-1-5-18 | System (or LocalSystem)| An identity that is used locally by the operating system and by services that are configured to sign in as LocalSystem. System is a hidden member of Administrators. That is, any process running as System has the SID for the built-in Administrators group in its access token. When a process that is running locally as System accesses network resources, it does so by using the computer's domain identity. Its access token on the remote computer includes the SID for the local computer's domain account plus SIDs for security groups that the computer is a member of, such as Domain Computers and Authenticated Users.|
| S-1-5-19 | NT Authority (LocalService)| An identity that is used by services that are local to the computer, have no need for extensive local access, and do not need authenticated network access. Services that run as LocalService access local resources as ordinary users, and they access network resources as anonymous users. As a result, a service that runs as LocalService has significantly less authority than a service that runs as LocalSystem locally and on the network.|
| S-1-5-20 | Network Service| An identity that is used by services that have no need for extensive local access but do need authenticated network access. Services running as NetworkService access local resources as ordinary users and access network resources by using the computer's identity. As a result, a service that runs as NetworkService has the same network access as a service that runs as LocalSystem, but it has significantly reduced local access.|
@@ -243,6 +245,7 @@ The SECURITY\_NT\_AUTHORITY (S-1-5) predefined identifier authority produces SID
|S-1-5-32-560|Builtin\Windows Authorization Access Group|An alias. Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects.|
|S-1-5-32-561|Builtin\Terminal Server License Servers|An alias. A group for Terminal Server License Servers. When Windows Server 2003 Service Pack 1 is installed, a new local group is created.|
|S-1-5-32-562|Builtin\Distributed COM Users|An alias. A group for COM to provide computer-wide access controls that govern access to all call, activation, or launch requests on the computer.|
+|S-1-5-32-568|Builtin\IIS_IUSRS|An alias. A built-in group account for IIS users.|
|S-1-5-32-569|Builtin\Cryptographic Operators|A built-in local group. Members are authorized to perform cryptographic operations.|
|S-1-5-32-573|Builtin\Event Log Readers|A built-in local group. Members of this group can read event logs from local computer.|
|S-1-5-32-574|Builtin\Certificate Service DCOM Access|A built-in local group. Members of this group are allowed to connect to Certification Authorities in the enterprise.|
@@ -314,6 +317,19 @@ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCache
All Capability SIDs are prefixed by S-1-15-3
+## Examples of registry keys taken from Windows 11, version 21H2, 64-bit Enterprise edition
+
+You may see the following registry keys under AllCachedCapabilities:
+
+HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_DevUnlock
+HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_DevUnlock_Internal
+HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_Enterprise
+HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_General
+HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_Restricted
+HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_Windows
+
+All Capability SIDs are prefixed by S-1-15-3
+
## See also
- [Access Control Overview](access-control.md)
diff --git a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
index 1cc41effde..bb8984236d 100644
--- a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
+++ b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
@@ -24,7 +24,7 @@ ms.reviewer:
- Windows 11
**Requirements:**
-* Windows Hello for Business deployment (Hybrid or On-premises)
+* Windows Hello for Business deployment (Cloud, Hybrid or On-premises)
* Azure AD, Hybrid Azure AD, or Domain Joined (Cloud, Hybrid, or On-Premises deployments)
* Windows 10, version 1709 or newer, or Windows 11
* Bluetooth, Bluetooth capable phone - optional
@@ -396,4 +396,4 @@ Multi-factor unlock writes events to event log under **Application and Services
|5520|Unlock policy not configured|
|6520|Warning event|
|7520|Error event|
-|8520|Success event|
\ No newline at end of file
+|8520|Success event|
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md
index fdd927d52e..04d4d3b8b1 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md
@@ -13,8 +13,9 @@ manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
-ms.date: 4/30/2021
-ms.reviewer:
+ms.date: 05/04/2022
+ms.reviewer: prsriva
+
---
# Configure Device Registration for Hybrid Azure AD joined key trust Windows Hello for Business
@@ -25,7 +26,7 @@ ms.reviewer:
- Hybrid deployment
- Key trust
-You are ready to configure device registration for your hybrid environment. Hybrid Windows Hello for Business deployment needs device registration to enable proper device authentication.
+You're ready to configure device registration for your hybrid environment. Hybrid Windows Hello for Business deployment needs device registration to enable proper device authentication.
> [!NOTE]
> Before proceeding, you should familiarize yourself with device registration concepts such as:
@@ -33,27 +34,30 @@ You are ready to configure device registration for your hybrid environment. Hybr
> * Azure AD joined devices
> * Hybrid Azure AD joined devices
>
-> You can learn about this and more by reading [Introduction to Device Management in Azure Active Directory.](/azure/active-directory/device-management-introduction)
+> You can learn about this and more by reading [What is a device identity](/azure/active-directory/devices/overview)
-## Configure Azure for Device Registration
+## Configure Hybrid Azure AD join
-Begin configuring device registration to support Hybrid Windows Hello for Business by configuring device registration capabilities in Azure AD.
+Begin configuring device registration to support Hybrid Windows Hello for Business by configuring device registration capabilities in Azure AD.
-To do this, follow the **Configure device settings** steps under [Setting up Azure AD Join in your organization](/azure/active-directory/devices/device-management-azure-portal).
+Follow the guidance on the [How to configure hybrid Azure Active Directory joined devices](/azure/active-directory/devices/hybrid-azuread-join-plan) page. In the **Select your scenario based on your identity infrastructure** section, identify your configuration (either **Managed environment** or **Federated environment**) and perform only the steps applicable to your environment.
-Next, follow the guidance on the [How to configure hybrid Azure Active Directory joined devices](/azure/active-directory/devices/hybrid-azuread-join-manual) page. In the **Configuration steps** section, identify your configuration at the top of the table (either **Windows current and password hash sync** or **Windows current and federation**) and perform only the steps identified with a check mark.
+If the user principal name (UPN) in your on-premises Active Directory is different from the UPN in Azure AD, you also need to complete the following steps:
+- Configure Azure AD Connect to sync the user's on-premises UPN to the onPremisesUserPrincipalName attribute in Azure AD.
+- Add the domain name of the on-premises UPN as a [verified domain](/azure/active-directory/fundamentals/add-custom-domain) in Azure AD.
-
+You can learn more about this scenario by reading [Review on-premises UPN support for Hybrid Azure Ad join](/azure/active-directory/devices/hybrid-azuread-join-plan#review-on-premises-ad-users-upn-support-for-hybrid-azure-ad-join).
-
+> [!NOTE]
+> Windows Hello for Business Hybrid key trust is not supported if your users' on-premises domain cannot be added as a verified domain in Azure AD.
## Follow the Windows Hello for Business hybrid key trust deployment guide
1. [Overview](hello-hybrid-cert-trust.md)
2. [Prerequisites](hello-hybrid-cert-trust-prereqs.md)
-3. [New Installation Baseline](hello-hybrid-key-new-install.md)
-4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md)
-5. Configure Azure Device Registration (*You are here*)
+3. [New installation baseline](hello-hybrid-key-new-install.md)
+4. [Configure directory synchronization](hello-hybrid-key-trust-dirsync.md)
+5. Configure Azure Device Registration (*you're here*)
6. [Configure Windows Hello for Business settings](hello-hybrid-key-whfb-settings.md)
-7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md)
\ No newline at end of file
+7. [Sign-in and provision](hello-hybrid-key-whfb-provision.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md
index 28c80840a2..705b84df66 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md
@@ -36,6 +36,13 @@ Next, you need to synchronize the on-premises Active Directory with Azure Active
+If the user principal name (UPN) in your on-premises Active Directory is different from the UPN in Azure AD, you also need to complete the following steps:
+- Configure Azure AD Connect to sync the user's on-premises UPN to the onPremisesUserPrincipalName attribute in Azure AD.
+- Add the domain name of the on-premises UPN as a [verified domain](/azure/active-directory/fundamentals/add-custom-domain) in Azure AD.
+
+> [!NOTE]
+> Windows Hello for Business Hybrid key trust is not supported if your users' on-premises domain cannot be added as a verified domain in Azure AD.
+
## Follow the Windows Hello for Business hybrid key trust deployment guide
@@ -46,4 +53,4 @@ Next, you need to synchronize the on-premises Active Directory with Azure Active
4. Configure Directory Synchronization (*You are here*)
5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md)
6. [Configure Windows Hello for Business settings](hello-hybrid-key-whfb-settings.md)
-7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md)
\ No newline at end of file
+7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md)
diff --git a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
index b1e9071045..bbc7256c6d 100644
--- a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
+++ b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
@@ -60,7 +60,7 @@ With UAC enabled, Windows 10 or Windows 11 prompts for consent or prompts for
The consent prompt is presented when a user attempts to perform a task that requires a user's administrative access token. The following is an example of the UAC consent prompt.
-
+:::image type="content" source="images/uacconsentprompt.png" alt-text="UAC consent prompt.":::
**The credential prompt**
@@ -68,7 +68,7 @@ The credential prompt is presented when a standard user attempts to perform a ta
The following is an example of the UAC credential prompt.
-
+:::image type="content" source="images/uaccredentialprompt.png" alt-text="UAC credential prompt.":::
**UAC elevation prompts**
@@ -85,7 +85,7 @@ The elevation prompt color-coding is as follows:
Some Control Panel items, such as **Date and Time Properties**, contain a combination of administrator and standard user operations. Standard users can view the clock and change the time zone, but a full administrator access token is required to change the local system time. The following is a screen shot of the **Date and Time Properties** Control Panel item.
-
+:::image type="content" source="images/uacshieldicon.png" alt-text="UAC Shield Icon in Date and Time Properties":::
The shield icon on the **Change date and time** button indicates that the process requires a full administrator access token and will display a UAC elevation prompt.
diff --git a/windows/security/identity-protection/user-account-control/images/uacconsentprompt.gif b/windows/security/identity-protection/user-account-control/images/uacconsentprompt.gif
deleted file mode 100644
index ec65e67586..0000000000
Binary files a/windows/security/identity-protection/user-account-control/images/uacconsentprompt.gif and /dev/null differ
diff --git a/windows/security/identity-protection/user-account-control/images/uacconsentprompt.png b/windows/security/identity-protection/user-account-control/images/uacconsentprompt.png
new file mode 100644
index 0000000000..1a84a4cfd7
Binary files /dev/null and b/windows/security/identity-protection/user-account-control/images/uacconsentprompt.png differ
diff --git a/windows/security/identity-protection/user-account-control/images/uaccredentialprompt.gif b/windows/security/identity-protection/user-account-control/images/uaccredentialprompt.gif
deleted file mode 100644
index 86374d118b..0000000000
Binary files a/windows/security/identity-protection/user-account-control/images/uaccredentialprompt.gif and /dev/null differ
diff --git a/windows/security/identity-protection/user-account-control/images/uaccredentialprompt.png b/windows/security/identity-protection/user-account-control/images/uaccredentialprompt.png
new file mode 100644
index 0000000000..df0077b91b
Binary files /dev/null and b/windows/security/identity-protection/user-account-control/images/uaccredentialprompt.png differ
diff --git a/windows/security/identity-protection/user-account-control/images/uacshieldicon.png b/windows/security/identity-protection/user-account-control/images/uacshieldicon.png
index 8df37f2c12..5c9e4de2f7 100644
Binary files a/windows/security/identity-protection/user-account-control/images/uacshieldicon.png and b/windows/security/identity-protection/user-account-control/images/uacshieldicon.png differ
diff --git a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md
index 59a725fa26..441d05936f 100644
--- a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md
+++ b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md
@@ -77,7 +77,7 @@ Should a management tool remove or add the same profile name back and set **Alwa
## Trusted network detection
-This feature configures the VPN such that it would not get triggered if a user is on a trusted corporate network. The value of this setting is a list of DNS suffices. The VPN stack will look at the DNS suffix on the physical interface and if it matches any in the configured list and the network is private or provisioned by MDM, then VPN will not get triggered.
+This feature configures the VPN such that it would not get triggered if a user is on a trusted corporate network. The value of this setting is a list of DNS suffixes. The VPN stack will look at the network name of the physical interface connection profile and if it matches any in the configured list and the network is private or provisioned by MDM, then VPN will not get triggered.
Trusted network detection can be configured using the VPNv2/*ProfileName*/TrustedNetworkDetection setting in the [VPNv2 CSP](/windows/client-management/mdm/vpnv2-csp).
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md
index e89957070a..3463eceedc 100644
--- a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md
+++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md
@@ -87,6 +87,9 @@ If you don't set or you disable this policy, the PKU2U protocol won't be used to
If you enable this policy in a hybrid environment, you allow your users to authenticate by using certificates issued by Azure AD and their online identity between the corresponding devices. This configuration allows users to share resources between such devices. Without enabling this policy, remote connections to an Azure AD joined device will not work.
+### Fix/Remediation
+
+This vulnerability was fixed on February 9, 2021, in the [CVE-2021-25195](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-25195) Security Update.
## Related topics
diff --git a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md b/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md
index 9e1b49b4c8..68bc7639b6 100644
--- a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md
@@ -162,3 +162,80 @@ To add this CLSID to the existing policy, follow these steps:
```
+### Default COM Object Allow List
+
+
+
+| File Name | CLSID |
+|--------|-----------|
+| scrrun.dll | EE09B103-97E0-11CF-978F-00A02463E06F |
+| scrrun.dll | 0D43FE01-F093-11CF-8940-00A0C9054228 |
+| vbscript.dll | 3F4DACA4-160D-11D2-A8E9-00104B365C9F |
+| WEX.Logger.Log | 70B46225-C474-4852-BB81-48E0D36F9A5A |
+| TE.Common.TestData | 1d68f3c0-b5f8-4abd-806a-7bc57cdce35a |
+| TE.Common.RuntimeParameters | 9f3d4048-6028-4c5b-a92d-01bc977af600 |
+| TE.Common.Verify | e72cbabf-8e48-4d27-b14e-1f347f6ec71a |
+| TE.Common.Interruption | 5850ba6f-ce72-46d4-a29b-0d3d9f08cc0b |
+| msxml6.dll | 2933BF90-7B36-11d2-B20E-00C04F983E60 |
+| msxml6.dll | ED8C108E-4349-11D2-91A4-00C04F7969E8 |
+| mmcndmgr.dll | ADE6444B-C91F-4E37-92A4-5BB430A33340 |
+| puiobj.dll | B021FF57-A928-459C-9D6C-14DED0C9BED2 |
+| wdtf.dll | 041E868E-0C7D-48C6-965F-5FD576530E5B |
+| wdtfedtaction.dll | 0438C02B-EB9C-4E42-81AD-407F6CD6CDE1 |
+| wdtfioattackaction.dll | 078B1F7D-C34C-4B13-A7C3-9663901650F1 |
+| wdtfmutt2tcdsimpleioaction.dll | 0ABB2961-2CC1-4F1D-BE8E-9D330D06B77D |
+| wdtfdriverpackageaction.dll | 0D7237E6-930F-4682-AD0A-52EBFFD3AEE3 |
+| wdtf.dll | 0D972387-817B-46E7-913F-E9993FF401EB |
+| wdtf.dll | 0E770B12-7221-4A5D-86EE-77310A5506BB |
+| wdtfdriversetupdeviceaction.dll | 0FA57208-5100-4CD6-955C-FE69F8898973 |
+| wdtf.dll | 1080A020-2B47-4DA9-8095-DBC9CEFFFC04 |
+| wdtfnetworksimpleioaction.dll | 10CF2E12-1681-4C53-ADC0-932C84832CD8 |
+| wdtf.dll | 140F2286-3B39-4DE1-AF94-E083DEEA6BB9 |
+| wdtfinterfaces.dll | 1A7D6D61-4FE5-42E2-8F23-4FC1731C474F |
+| wdtfaudiosimpleioaction.dll | 1C658D42-4256-4743-A4C5-90BF3A3A186A |
+| wdtf.dll | 2236B1F3-4A33-48C2-B22C-A1F93A626F05 |
+| wdtfsystemaction.dll | 23440924-1AB0-41F2-A732-B75069E5C823 |
+| wdtfdriversetupsystemaction.dll | 238C0AEB-1DFC-4575-AAF3-C67FE15C1819 |
+| wdtffuzztestaction.dll | 23D0E542-0390-4873-9AC7-EF86E95E5215 |
+| wdtf.dll | 240FA08C-1D70-40CB-BDB3-2CC41A45496B |
+| wdtf.dll | 26CC4211-A9A6-4E5C-A30D-3C659BB4CDC9 |
+| wdtf.dll | 28EE5F0B-97D8-4A59-BAC8-A8A80E11F56B |
+| wdtf.dll | 2C9AF7D6-2589-4413-A2BA-9926EBCFD67C |
+| wdtf.dll | 32A9798D-987F-489E-8DB6-2EFB240248BD |
+| wdtfinterfaces.dll | 3C0B0D50-611A-4368-AC87-4488D6E0C4A7 |
+| wdtfcdromsimpleioaction.dll | 3F2C07F3-199B-4165-A948-B8B59A97FCC5 |
+| wdtf.dll | 485785D3-8820-4C3D-A532-4C0F66392A30 |
+| wdtfinterfaces.dll | 5EAE59BE-6946-44B7-A7B3-1D59811B246A |
+| wdtfiospyaction.dll | 698F6A82-7833-4499-8BA5-2145D604ABD4 |
+| wdtfdevicesupportaction.dll | 69D94D1B-0833-40D4-9AE7-7FC6F64F2624 |
+| wdtf.dll | 6EE5B280-3B0F-4358-9E20-99F169FAA700 |
+| wdtfmuttsimpleioaction.dll | 7776915A-0370-49A7-90B7-20EB36E80B6D |
+| wdtfcpuutilizationsystemaction.dll | 7926C7DE-299C-4B09-BB1B-649A4B917ED0 |
+| wdtfwirelesssimpleioaction.dll | 7A686BCD-9203-435C-8B06-9D7E7A518F98 |
+| wdtfbluetoothsimpleioaction.dll | 7E6C4615-6184-4077-A150-5D30F29993A4 |
+| wdtf.dll | 9663A00A-5B72-4810-9014-C77108062949 |
+| wdtfinterfaces.dll | 9C261B2B-DBD6-4087-B636-ABE1607989E8 |
+| wdtfwebcamsimpleioaction.dll | A1B74619-F02D-4574-8091-2AADD46A5B2B |
+| wdtf.dll | A2FD15D7-64F0-4080-AABD-884380202022 |
+| wdtfvolumesimpleioaction.dll | AC91E813-B116-4676-AE33-2988B590F3C7 |
+| wdtfconcurrentioaction.dll | AE278430-ABC2-49D1-AF30-910B9A88CB1E |
+| wdtf.dll | B43FF7F1-629C-4DE5-9559-1D09E0A07037 |
+| wdtfdriververifiersystemaction.dll | B7770265-B643-4600-A60B-93F9BA9F4B24 |
+| wdtfpnpaction.dll | B8D74985-4EB9-46AA-B2ED-DD2D918849DF |
+| wdtfmobilebroadbandsimpleioaction.dll | BCFBBB02-4DA5-466C-9DA7-DC672877B075 |
+| wdtf.dll | BE56FAD1-A489-4508-ABB7-3348E1C2C885 |
+| wdtfpnpaction.dll | C0B6C572-D37D-47CC-A89D-E6B9E0852764 |
+| wdtfioattackaction.dll | C88B324E-6B26-49BC-9D05-A221F15D7E13 |
+| wdtfsensorsiosimpleioaction.dll | C8BF7EC0-C746-4DE8-BA46-34528C6329FB |
+| wdtfanysimpleioaction.dll | C8C574DA-367B-4130-AED6-1EA61A5C6A4B |
+| simpleio_d3dtest.dll | CBC36BDB-A6BC-4383-8194-659470553488 |
+| wdtfsystemaction.dll | D30E1E07-AA39-4086-A7E6-9245FBD0A730 |
+| wdtf.dll | DD34E741-139D-4F4C-A1E2-D4184FCDD4F9 |
+| wdtfsupaction.dll | EA48171B-4265-48C3-B56B-70B175A7FDFA |
+| wdtfinterfaces.dll | EB9DB874-D23D-44D5-A988-85E966322843 |
+| wdtfinterfaces.dll | ED05EF76-09A9-4409-90CA-C5D0711CA057 |
+| wdtfwpdsimpleioaction.dll | EEA17F2B-8E8E-41A3-9776-A87FACD625D0 |
+| wdtfinterfaces.dll | F30FC2BB-F424-4A1F-8F95-68CFEE935E92 |
+| wdtfedtaction.dll | F6694E02-5AD0-476D-BD2D-43F7E5D10AF6 |
+| wdtfsmartcardreadersimpleioaction.dll | FA6F7E49-76C6-490C-B50E-8B1E8E0EEE2A |
+| wdtfiospyaction.dll | FE36026D-CDA8-4514-B3D9-57BDA3870D0C |
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md b/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md
index e5b26ce22e..a644bac95c 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md
@@ -62,6 +62,7 @@ Use the Set-AppLockerPolicy cmdlet with the -XMLPolicy parameter, using an .XML
+
```
diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md
index 92f944b419..bc7f23ee67 100644
--- a/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md
+++ b/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md
@@ -90,3 +90,7 @@ Once you've completed configuring your chosen Managed Installer, by specifying w
```
This command will show the raw XML to verify the individual rules that were set.
+
+## Remove Managed Installer feature
+
+To remove the Managed Installed from the device, you will need to remove the Managed Installer AppLocker policy from the device by following the instructions at [Delete an AppLocker rule - To clear AppLocker policies on a single system or remote systems](applocker/delete-an-applocker-rule.md#to-clear-applocker-policies-on-a-single-system-or-remote-systems).
diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
index 71779ec0d3..c3bdab9f89 100644
--- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
@@ -15,7 +15,7 @@ author: jsuther1974
ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
-ms.date: 08/23/2021
+ms.date: 09/29/2021
---
# Microsoft recommended block rules
@@ -88,6 +88,7 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you
| `Alex Ionescu` | `@aionescu`|
| `Brock Mammen`| |
| `Casey Smith` | `@subTee` |
+| `James Forshaw` | `@tiraniddo` |
| `Jimmy Bayne` | `@bohops` |
| `Kim Oppalfens` | `@thewmiguy` |
| `Lasse Trolle Borup` | `Langkjaer Cyber Defence` |
@@ -119,1437 +120,1434 @@ Microsoft recommends that you block the following Microsoft-signed applications
Select the correct version of each .dll for the Windows release you plan to support, and remove the other versions. Ensure that you also uncomment them in the signing scenarios section.
```xml
-
-
- 10.0.0.0
- {A244370E-44C9-4C06-B551-F6016E563076}
- {2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}
+
+
+ 10.0.0.0
+ {A244370E-44C9-4C06-B551-F6016E563076}
+ {2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
+ -->
+
+ -->
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
+ -->
+
+ -->
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
- 0
-
+
+
+ 0
+
```
@@ -1558,4 +1556,4 @@ Select the correct version of each .dll for the Windows release you plan to supp
## More information
-- [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md)
\ No newline at end of file
+- [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md)
diff --git a/windows/whats-new/whats-new-windows-10-version-1709.md b/windows/whats-new/whats-new-windows-10-version-1709.md
index bb97981cfe..905d4ff2dd 100644
--- a/windows/whats-new/whats-new-windows-10-version-1709.md
+++ b/windows/whats-new/whats-new-windows-10-version-1709.md
@@ -46,9 +46,9 @@ IT Pros can use Autopilot Reset to quickly remove personal files, apps, and sett
## Update
-### Windows Update for Business (WUfB)
+### Windows Update for Business
-WUfB now has additional controls available to manage Windows Insider Program enrollment through policies. For more information, see [Manage Windows Insider Program flights](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-windows-insider-preview-builds).
+Windows Update for Business now has additional controls available to manage Windows Insider Program enrollment through policies. For more information, see [Manage Windows Insider Program flights](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-windows-insider-preview-builds).
### Windows Insider Program for Business
diff --git a/windows/whats-new/whats-new-windows-10-version-1803.md b/windows/whats-new/whats-new-windows-10-version-1803.md
index 0afb63e954..f2f4dc5964 100644
--- a/windows/whats-new/whats-new-windows-10-version-1803.md
+++ b/windows/whats-new/whats-new-windows-10-version-1803.md
@@ -120,7 +120,7 @@ For more information, see [Windows Setup Command-Line Options](/windows-hardware
SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 26 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available.
-### Windows Update for Business (WUfB)
+### Windows Update for Business
Windows Update for Business now provides greater control over updates, with the ability to pause and uninstall problematic updates using Intune. For more information, see [Manage software updates in Intune](/intune/windows-update-for-business-configure).
diff --git a/windows/whats-new/whats-new-windows-10-version-1909.md b/windows/whats-new/whats-new-windows-10-version-1909.md
index 41c5c84b1f..3b33b31e96 100644
--- a/windows/whats-new/whats-new-windows-10-version-1909.md
+++ b/windows/whats-new/whats-new-windows-10-version-1909.md
@@ -36,9 +36,9 @@ Pre-release Windows 10 feature updates are now available to IT administrators us
The Windows 10, version 1909 enablement package will be available on WSUS as [KB4517245](https://support.microsoft.com/kb/4517245), which can be deployed on existing deployments of Windows 10, version 1903.
-### Windows Update for Business (WUfB)
+### Windows Update for Business
-If you are using WUfB, you will receive the Windows 10, version 1909 update in the same way that you have for prior feature updates, and as defined by your feature update deferral policy.
+If you are using Windows Update for Business, you will receive the Windows 10, version 1909 update in the same way that you have for prior feature updates, and as defined by your feature update deferral policy.
## Security