|
[!INCLUDE [intune-custom-settings-2](../../includes/configure/intune-custom-settings-2.md)]
[!INCLUDE [intune-custom-settings-info](../../includes/configure/intune-custom-settings-info.md)]
diff --git a/education/windows/edu-take-a-test-kiosk-mode.md b/education/windows/edu-take-a-test-kiosk-mode.md
index d09c408d8a..79b60c3c9e 100644
--- a/education/windows/edu-take-a-test-kiosk-mode.md
+++ b/education/windows/edu-take-a-test-kiosk-mode.md
@@ -1,7 +1,7 @@
---
title: Configure Take a Test in kiosk mode
description: Learn how to configure Windows to execute the Take a Test app in kiosk mode, using Intune and provisioning packages.
-ms.date: 09/30/2022
+ms.date: 11/08/2023
ms.topic: how-to
---
diff --git a/education/windows/federated-sign-in.md b/education/windows/federated-sign-in.md
index 4c9144fdb9..a1273e7bd7 100644
--- a/education/windows/federated-sign-in.md
+++ b/education/windows/federated-sign-in.md
@@ -13,20 +13,25 @@ ms.collection:
# Configure federated sign-in for Windows devices
-Starting in Windows 11 SE, version 22H2 and Windows 11 Pro Edu/Education, version 22H2 with [KB5022913][KB-1], you can enable your users to sign-in using a federated identity provider (IdP) via web sign-in.\
-This feature is called *federated sign-in*.\
-Federated sign-in is a great way to simplify the sign-in process for your users: instead of having to remember a username and password defined in Microsoft Entra ID, they can sign-in using their existing credentials from the IdP. For example, students and educators can use QR code badges to sign-in.
+Starting in Windows 11 SE, version 22H2 and Windows 11 Pro Edu/Education, version 22H2 with [KB5022913][KB-1], you can enable your users to sign-in using a federated identity provider (IdP) via a web sign-in experience.
+Signing in with a federated identity can be a great way to simplify the sign-in process for your users: instead of having to remember a username and password defined in Microsoft Entra ID, they can sign-in using their existing credentials from the IdP. For example, students and educators can use QR code badges to sign-in.
## Benefits of federated sign-in
-Federated sign-in enables students to sign-in in less time, and with less friction.
+A federated sign-in experience enables students to sign-in in less time, and with less friction.
With fewer credentials to remember and a simplified sign-in process, students are more engaged and focused on learning.
+
+There are two Windows features that enable a federated sign-in experience:
+
+- *Federated sign-in*, which is designed for 1:1 student devices. For an optimal experience, you should not enable federated sign-in on shared devices
+- *Web sign-in*, which provides a similar experience to *Federated sign-in*, and can be used for shared devices
+
> [!IMPORTANT]
-> Currently, this feature is designed for 1:1 devices. For an optimal experience, you should not enable federated sign-in on shared devices.
+> *Federated sign-in* and *Web sign-in* require different configurations, which are explained in this document.
## Prerequisites
-To implement federated sign-in, the following prerequisites must be met:
+To enable a federated sign-in experience, the following prerequisites must be met:
1. A Microsoft Entra tenant, with one or multiple domains federated to a third-party IdP. For more information, see [What is federation with Microsoft Entra ID?][AZ-1] and [Use a SAML 2.0 IdP for Single Sign On][AZ-4]
>[!NOTE]
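Review bot: the added lines use "sign-in" as a verb ("enable your users to sign-in using", "they can sign-in using", "enables students to sign-in in less time"); the verb is two words, "sign in", and the hyphenated form should be kept for the noun and adjective ("a federated sign-in experience"). The new bullet "*Federated sign-in*, which is designed for 1:1 student devices. For an optimal experience, you should not enable federated sign-in on shared devices" also switches from the capitalized feature name to the lowercase generic term within one sentence; "you shouldn't enable it on shared devices" keeps the reference unambiguous and matches the contraction style used elsewhere in the file.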
@@ -43,9 +48,9 @@ To implement federated sign-in, the following prerequisites must be met:
For more information about identity matching, see [Identity matching in Microsoft Entra ID](#identity-matching-in-azure-ad).
1. Licenses assigned to the Microsoft Entra user accounts. It's recommended to assign licenses to a dynamic group: when new users are provisioned in Microsoft Entra ID, the licenses are automatically assigned. For more information, see [Assign licenses to users by group membership in Microsoft Entra ID][AZ-2]
-1. Enable federated sign-in on the Windows devices
+1. Enable Federated sign-in or Web sign-in on the Windows devices, depending if the devices are shared or assigned to a single student
-To use federated sign-in, the devices must have Internet access. This feature doesn't work without it, as the authentication is done over the Internet.
+To use Federated sign-in or Web sign-in, the devices must have Internet access. These features don't work without it, as the authentication is done over the Internet.
> [!IMPORTANT]
> WS-Fed is the only supported federated protocol to join a device to Microsoft Entra ID. If you have a SAML 2.0 IdP, it's recommended to complete the Microsoft Entra join process using one of the following methods:
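Review bot: "depending if the devices are shared or assigned to a single student" in the edited prerequisite is ungrammatical; it should read "depending on whether the devices are shared or assigned to a single student".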
@@ -54,25 +59,25 @@ To use federated sign-in, the devices must have Internet access. This feature do
[!INCLUDE [federated-sign-in](../../includes/licensing/federated-sign-in.md)]
-Federated sign-in for student assigned (1:1) devices is supported on the following Windows editions and versions:
+Federated sign-in is supported on the following Windows editions and versions:
- Windows 11 SE, version 22H2 and later
- Windows 11 Pro Edu/Education, version 22H2 with [KB5022913][KB-1]
-Federated sign-in for shared devices is supported starting in Windows 11 SE/Pro Edu/Education, version 22H2 with [KB5026446][KB-2].
+Web sign-in is supported starting in Windows 11 SE/Pro Edu/Education, version 22H2 with [KB5026446][KB-2].
-## Configure federated sign-in
+## Configure a federated sign-in experience
-You can configure federated sign-in for student assigned (1:1) devices or student shared devices:
+You can configure a federated sign-in experience for student assigned (1:1) devices or student shared devices:
-- When federated sign-in is configured for **student assigned (1:1) devices**, the first user who signs in to the device with a federated identity becomes the *primary user*. The primary user is always displayed in the bottom left corner of the sign-in screen
-- When federated sign-in is configured for **student shared devices**, there's no primary user. The sign-in screen displays, by default, the last user who signed in to the device
+- When federated sign-in is configured for **student assigned (1:1) devices**, you use a Windows feature called *Federated sign-in*. The first user who signs in to the device with a federated identity becomes the *primary user*. The primary user is always displayed in the bottom left corner of the sign-in screen
+- When federated sign-in is configured for **student shared devices**, you use a Windows feature called *Web sign-in*. With Web sign-in there's no primary user, and the sign-in screen displays, by default, the last user who signed in to the device
The configuration is different for each scenario, and is described in the following sections.
-### Configure federated sign-in for student assigned (1:1) devices
+### Configure Federated sign-in for student assigned (1:1) devices
-To use web sign-in with a federated identity provider, your devices must be configured with different policies. Review the following instructions to configure your devices using either Microsoft Intune or a provisioning package (PPKG).
+Review the following instructions to configure your devices using either Microsoft Intune or a provisioning package (PPKG).
#### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune)
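Review bot: the rewritten bullet "When federated sign-in is configured for **student assigned (1:1) devices**, you use a Windows feature called *Federated sign-in*" uses the same words for the generic experience and for the feature, which is the ambiguity this hunk is trying to remove; consider "To provide a federated sign-in experience on **student assigned (1:1) devices**, use the *Federated sign-in* feature. The first user who signs in ..." and the same shape for the *Web sign-in* bullet. Dropping "your devices must be configured with different policies" from the subsection intro is fine, since the sentence "The configuration is different for each scenario" already says so.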
@@ -98,7 +103,7 @@ Alternatively, you can configure devices using a [custom policy][INT-1] with the
#### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
-To configure federated sign-in using a provisioning package, use the following settings:
+To configure Federated sign-in using a provisioning package, use the following settings:
| Setting |
|--------|
@@ -109,16 +114,16 @@ To configure federated sign-in using a provisioning package, use the following s
:::image type="content" source="images/federated-sign-in-settings-ppkg.png" alt-text="Screenshot of Custom policy showing the settings to be configured to enable federated sign-in" lightbox="images/federated-sign-in-settings-ppkg.png" border="true":::
-Apply the provisioning package to the single-user devices that require federated sign-in.
+Apply the provisioning package to the 1:1 devices that require Federated sign-in.
> [!IMPORTANT]
> There was an issue affecting Windows 11, version 22H2 when using provisioning packages during OOBE. The issue was fixed with the KB5020044 update. If you plan to configure federated sign-in with a provisioning package during OOBE, ensure that the devices have the update installed. For more information, see [KB5020044][KB-1].
---
-### Configure federated sign-in for student shared devices
+### Configure Web sign-in for student shared devices
-To use web sign-in with a federated identity provider, your devices must be configured with different policies. Review the following instructions to configure your shared devices using either Microsoft Intune or a provisioning package (PPKG).
+Review the following instructions to configure your shared devices using either Microsoft Intune or a provisioning package (PPKG).
#### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune)
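Review bot: the unchanged IMPORTANT note below the edited line points "see [KB5020044][KB-1]" at the same reference label that resolves to KB5022913 earlier in this file ("[KB5022913][KB-1]"), so the link text and target disagree; give KB5020044 its own reference label while this section is being touched. The same note still says "configure federated sign-in with a provisioning package", which should become "Federated sign-in" to match the renamed heading and the edited "Apply the provisioning package to the 1:1 devices that require Federated sign-in." line.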
@@ -146,7 +151,7 @@ Alternatively, you can configure devices using a [custom policy][INT-1] with the
#### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
-To configure federated sign-in using a provisioning package, use the following settings:
+To configure web sign-in using a provisioning package, use the following settings:
| Setting |
|--------|
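Review bot: "To configure web sign-in using a provisioning package" lowercases the feature name, while the heading two lines above ("Configure Web sign-in for student shared devices") and the rest of the file now use "Web sign-in" as a proper name; apply the same capitalization here.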
@@ -156,7 +161,7 @@ To configure federated sign-in using a provisioning package, use the following s
|
Path: **`Policies/Authentication/ConfigureWebSignInAllowedUrls`** Value: Semicolon separated list of domains, for example: **`samlidp.clever.com;clever.com;mobile-redirector.clever.com`**|
|
Path: **`Policies/Authentication/ConfigureWebCamAccessDomainNames`** Value: This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, separated by a semicolon. For example: **`clever.com`**|
-Apply the provisioning package to the shared devices that require federated sign-in.
+Apply the provisioning package to the shared devices that require web sign-in.
> [!IMPORTANT]
> There was an issue affecting Windows 11, version 22H2 when using provisioning packages during OOBE. The issue was fixed with the KB5020044 update. If you plan to configure federated sign-in with a provisioning package during OOBE, ensure that the devices have the update installed. For more information, see [KB5020044][KB-1].
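Review bot: "Apply the provisioning package to the shared devices that require web sign-in." has the same lowercase "web sign-in" inconsistency as the previous hunk, and the IMPORTANT note that follows repeats the mismatched "[KB5020044][KB-1]" reference. Since the hunk sits beside the `Policies/Authentication/ConfigureWebSignInAllowedUrls` row, it would also help readers to state that this list is an allowlist restricting where the sign-in web view may navigate, so admins keep it to the IdP's own domains rather than broadening it.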
@@ -172,7 +177,7 @@ As users enter their username, they're redirected to the identity provider sign-
:::image type="content" source="./images/win-11-se-federated-sign-in.gif" alt-text="Screenshot of Windows 11 SE sign-in using federated sign-in through Clever and QR code badge, in a student assigned (1:1) device." border="false":::
> [!IMPORTANT]
-> For student assigned (1:1) devices, once the policy is enabled, the first user who sign-in to the device will also set the disambiguation page to the identity provider domain on the device. This means that the device will be defaulting to that IdP. The user can exit the federated sign-in flow by pressing Ctrl+Alt+Delete to get back to the standard Windows sign-in screen.
+> For student assigned (1:1) devices, once the policy is enabled, the first user who sign-in to the device will also set the disambiguation page to the identity provider domain on the device. This means that the device will be defaulting to that IdP. The user can exit the Federated sign-in flow by pressing Ctrl+Alt+Delete to get back to the standard Windows sign-in screen.
> The behavior is different for student shared devices, where the disambiguation page is always shown, unless preferred Microsoft Entra tenant name is configured.
## Important considerations
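Review bot: the edited IMPORTANT line keeps two grammatical errors from the original: "the first user who sign-in to the device" should be "the first user who signs in to the device", and "the device will be defaulting to that IdP" should be "the device defaults to that IdP". Since the line is already being rewritten for the "Federated sign-in" rename, fix these in the same change.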
diff --git a/education/windows/index.yml b/education/windows/index.yml
index 8d3a93691a..3c3dfae79b 100644
--- a/education/windows/index.yml
+++ b/education/windows/index.yml
@@ -10,153 +10,115 @@ metadata:
ms.technology: itpro-edu
ms.collection:
- education
- - highpri
- tier1
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
- ms.date: 07/28/2023
+ ms.date: 10/30/2023
highlightedContent:
items:
- - title: Get started with Windows 11
+ - title: Get started with Windows 11 SE
itemType: get-started
- url: /windows/whats-new/windows-11-overview
+ url: windows-11-se-overview.md
- title: Windows 11, version 22H2
itemType: whats-new
url: /windows/whats-new/whats-new-windows-11-version-22H2
- - title: Windows 11, version 22H2 group policy settings reference
- itemType: download
- url: https://www.microsoft.com/en-us/download/details.aspx?id=104594
- - title: Windows release health
- itemType: whats-new
- url: /windows/release-health
- - title: Windows commercial licensing
- itemType: overview
- url: /windows/whats-new/windows-licensing
- - title: Windows 365 documentation
- itemType: overview
- url: /windows-365
- title: Explore all Windows trainings and learning paths for IT pros
itemType: learn
url: https://learn.microsoft.com/en-us/training/browse/?products=windows&roles=administrator
- - title: Enroll Windows client devices in Microsoft Intune
+ - title: Deploy applications to Windows 11 SE with Intune
itemType: how-to-guide
- url: /mem/intune/fundamentals/deployment-guide-enrollment-windows
+ url: /education/windows/tutorial-deploy-apps-winse
productDirectory:
title: Get started
items:
-
- - title: Hardware security
- imageSrc: /media/common/i_usb.svg
+ - title: Learn how to deploy Windows
+ imageSrc: /media/common/i_deploy.svg
links:
- - url: /windows/security/hardware-security/tpm/trusted-platform-module-overview
- text: Trusted Platform Module
- - url: /windows/security/hardware-security/pluton/microsoft-pluton-security-processor
- text: Microsoft Pluton
- - url: /windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows
- text: Windows Defender System Guard
- - url: /windows-hardware/design/device-experiences/oem-vbs
- text: Virtualization-based security (VBS)
- - url: /windows-hardware/design/device-experiences/oem-highly-secure-11
- text: Secured-core PC
- - url: /windows/security/hardware-security
- text: Learn more about hardware security >
-
- - title: OS security
- imageSrc: /media/common/i_threat-protection.svg
+ - url: /education/windows/tutorial-school-deployment/
+ text: "Tutorial: deploy and manage Windows devices in a school"
+ - url: /education/windows/tutorial-school-deployment/enroll-autopilot
+ text: Enrollment in Intune with Windows Autopilot
+ - url: use-set-up-school-pcs-app.md
+ text: Deploy devices with Set up School PCs
+ - url: /windows/deployment
+ text: Learn more about Windows deployment >
+ - title: Learn how to secure Windows
+ imageSrc: /media/common/i_security-management.svg
links:
- - url: /windows/security/operating-system-security
- text: Trusted boot
- - url: /windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center
- text: Windows security settings
- - url: /windows/security/operating-system-security/data-protection/bitlocker/
- text: BitLocker
- - url: /windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines
- text: Windows security baselines
- - url: /windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/
- text: MMicrosoft Defender SmartScreen
- - url: /windows/security/operating-system-security
- text: Learn more about OS security >
-
- - title: Identity protection
- imageSrc: /media/common/i_identity-protection.svg
- links:
- - url: /windows/security/identity-protection/hello-for-business
- text: Windows Hello for Business
- - url: /windows/security/identity-protection/credential-guard
- text: Credential Guard
- - url: /windows-server/identity/laps/laps-overview
- text: Windows LAPS (Local Administrator Password Solution)
- - url: /windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection
- text: Enhanced phishing protection with SmartScreen
- - url: /education/windows/federated-sign-in
- text: Federated sign-in (EDU)
- - url: /windows/security/identity-protection
- text: Learn more about identity protection >
-
- - title: Application security
- imageSrc: /media/common/i_queries.svg
- links:
- - url: /windows/security/application-security/application-control/windows-defender-application-control/
- text: Windows Defender Application Control (WDAC)
+ - url: federated-sign-in.md
+ text: Configure federated sign-in for Windows devices
- url: /windows/security/application-security/application-control/user-account-control
text: User Account Control (UAC)
- - url: /windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules
- text: Microsoft vulnerable driver blocklist
- - url: /windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview
- text: Microsoft Defender Application Guard (MDAG)
- - url: /windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview
- text: Windows Sandbox
- - url: /windows/security/application-security
- text: Learn more about application security >
-
- - title: Security foundations
- imageSrc: /media/common/i_build.svg
- links:
- - url: /windows/security/security-foundations/certification/fips-140-validation
- text: FIPS 140-2 validation
- - url: /windows/security/security-foundations/certification/windows-platform-common-criteria
- text: Common Criteria Certifications
- - url: /windows/security/security-foundations/msft-security-dev-lifecycle
- text: Microsoft Security Development Lifecycle (SDL)
- - url: https://www.microsoft.com/msrc/bounty-windows-insider-preview
- text: Microsoft Windows Insider Preview bounty program
- - url: https://www.microsoft.com/security/blog/2020/09/15/microsoft-onefuzz-framework-open-source-developer-tool-fix-bugs/
- text: OneFuzz service
- - url: /windows/security/security-foundations
- text: Learn more about security foundations >
-
- - title: Cloud security
- imageSrc: /media/common/i_cloud-security.svg
- links:
- url: /mem/intune/protect/security-baselines
text: Security baselines with Intune
- url: /windows/deployment/windows-autopatch
text: Windows Autopatch
- - url: /windows/deployment/windows-autopilot
- text: Windows Autopilot
- url: /universal-print
text: Universal Print
- - url: /windows/client-management/mdm/remotewipe-csp
- text: Remote wipe
- - url: /windows/security/cloud-security
- text: Learn more about cloud security >
+ - url: /windows/security
+ text: Learn more about Windows security >
+
+ - title: Learn how to manage Windows devices
+ imageSrc: /media/common/i_management.svg
+ links:
+ - url: tutorial-school-deployment/manage-overview.md
+ text: Manage devices with Microsoft Intune
+ - url: tutorial-school-deployment/manage-surface-devices.md
+ text: Management functionalities for Surface devices
+ - url: /education/windows/get-minecraft-for-education
+ text: Get and deploy Minecraft Education
+ - url: /windows/client-management
+ text: Learn more about Windows management >
+
+ - title: Learn how to configure Windows
+ imageSrc: /media/common/i_config-tools.svg
+ links:
+ - url: /education/windows/tutorial-school-deployment/configure-devices-overview
+ text: Configure settings and applications with Microsoft Intune
+ - url: /windows/configuration/set-up-shared-or-guest-pc
+ text: Set up a shared or guest Windows device
+ - url: /education/windows/take-tests-in-windows
+ text: Take tests and assessments in Windows
+ - url: set-up-school-pcs-provisioning-package.md
+ text: Provisioning package settings
+ - url: https://www.youtube.com/watch?v=2ZLup_-PhkA
+ text: "Video: Use the Set up School PCs App"
additionalContent:
sections:
- - title: More Windows resources
- items:
+ - title: For developers # < 60 chars (optional)
+ summary: Are you an app developer looking for information about developing solutions on Microsoft Education products? Start here. # < 160 chars (optional)
+ - items:
+ # Card
+ - title: UWP apps for education
+ summary: Learn how to write universal apps for education.
+ url: /windows/uwp/apps-for-education/
+ # Card
+ - title: Take a test API
+ summary: Learn how web applications can use the API to provide a locked down experience for taking tests.
+ url: /windows/uwp/apps-for-education/take-a-test-api
- - title: Windows Server
- links:
- - text: Windows Server documentation
- url: /windows-server
- - text: What's new in Windows Server 2022?
- url: /windows-server/get-started/whats-new-in-windows-server-2022
- - text: Windows Server blog
- url: https://cloudblogs.microsoft.com/windowsserver/
+ - title: Office dev center
+ summary: Integrate with Office 365 across devices and services to extend Microsoft enterprise-scale compliance and security to students, teachers, and staff in your education app.
+ url: https://developer.microsoft.com/office/
+
+ - title: Data Streamer
+ summary: Bring new STEM experiences into the classroom with real-time data in Excel using Data Streamer. Data Streamer can send data to Excel from a sensor or application.
+ url: /microsoft-365/education/data-streamer
+ - title: For partners # < 60 chars (optional)
+ summary: Looking for resources available to Microsoft Education partners? Start here. # < 160 chars (optional)
+ - items:
+
+ - title: Microsoft Partner Network
+ summary: Discover the latest news and resources for Microsoft Education products, solutions, licensing and readiness.
+ url: https://partner.microsoft.com/explore/education
+
+ - title: Education Partner community Yammer group
+ summary: Sign in with your Microsoft Partner account and join the Education Partner community private group on Yammer.
+ url: https://www.yammer.com/mepn/
- title: Windows product site and blogs
links:
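Review bot: the new "For developers" and "For partners" sections are structurally broken: "- title: For developers" / "summary: ..." is one list entry and the following "- items:" starts a second, untitled entry, so each titled section will render without cards and the cards will appear under a section with no title. Indent "items:" under the title entry, the same way the trailing context keeps "links:" under "- title: Windows product site and blogs". The template comments "# < 60 chars (optional)" and "# < 160 chars (optional)" should also be removed before merge.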
diff --git a/education/windows/set-up-school-pcs-whats-new.md b/education/windows/set-up-school-pcs-whats-new.md
deleted file mode 100644
index 97988171bf..0000000000
--- a/education/windows/set-up-school-pcs-whats-new.md
+++ /dev/null
@@ -1,97 +0,0 @@
----
-title: What's new in the Windows Set up School PCs app
-description: Find out about app updates and new features in Set up School PCs.
-ms.topic: whats-new
-ms.date: 08/10/2022
----
-
-# What's new in Set up School PCs
-Learn what's new with the Set up School PCs app each week. Find out about new app features and functionality, see updated screenshots, and find information about past releases.
-
-## Week of August 24, 2020
-
-### Longer device names supported in app
-You can now give devices running Windows 10, version 2004 and later a name that's up to 53 characters long.
-
-## Week of September 23, 2019
-
-### Easier way to deploy Office 365 to your classroom devices
- Microsoft Office now appears as an option on the **Apps** screen. Select the app to add it to your provisioning package. Devices install Microsoft 365 Apps for enterprise. This version includes the cloud-connected and most current versions of apps such as Word, PowerPoint, Excel, and Teams.
-
-## Week of June 24, 2019
-
-### Resumed support for Windows 10, version 1903 and later
-The previously mentioned provisioning problem was resolved, so the Set up School PCs app once again supports Windows 10, version 1903 and later. The Windows 10 settings that were removed are now back in the app.
-
-### Device rename made optional for Azure AD-joined devices
-When you set up your Azure AD join devices in the app, you no longer need to rename your devices. You can keep existing device names.
-
-## Week of May 23, 2019
-
-### Suspended support for Windows 10, version 1903 and later
-Due to a provisioning problem, Set up School PCs has temporarily stopped support for Windows 10, version 1903 and later. All settings in the app that were for Windows 10, version 1903 and later have been removed. When the problem is resolved, support will resume again.
-
-### Mandatory device rename for Azure AD-joined devices
-If you configure Azure AD Join, you're now required to rename your devices during setup. You can't keep existing device names.
-
-## Week of April 15, 2019
-
-### Support for Minecraft Education Edition upgrade
- Set up School PCs only adds apps to the provisioning package that meet the minimum supported version for Windows 10. For example, Minecraft is the most recent store app to upgrade; it's only installed on devices running Windows 10, version 1709 and later. If you select an earlier version of Windows, Minecraft won't be included in the provisioning package.
-
-## Week of April 8, 2019
-
-### Apps configured as non-removeable
-Apps that you deploy with Set up School PCs are configured as non-removable apps. This feature prevents students from unpinning or uninstalling the apps they need.
-
-### Domain name automatically added during sign-in
-Specify your preferred Azure Active Directory tenant domain name to automatically append it to the username on the sign-in screen. With this setting, students don't need to type out long school domain names. To sign in, they type only their unique usernames.
-
-### Set up devices with hidden Wi-Fi network
-Set up devices so that they connect to a hidden Wi-Fi network. To configure a hidden network, open the app. When you get to **Wireless network**, choose **Add a Wi-Fi network**. Enter in your Wi-Fi information and select **Hidden network**.
-
-
-## Week of December 31, 2018
-
-### Add Microsoft Whiteboard to provisioning package
-Microsoft Whiteboard is now a Microsoft-recommended app for schools. Whiteboard is a freeform digital canvas where ideas, content, and people come together; students can create and collaborate in real time in the classroom. Add the app to your provisioning package on the **Add apps** page. For more information, see [Use Set up School PCs app](use-set-up-school-pcs-app.md#create-the-provisioning-package).
-
-## Week of November 5, 2018
-
-### Sync school app inventory from Microsoft Store
-During setup, you can now add apps from your school's Microsoft Store inventory. After you sign in with your school's Office 365 account, Set up School PCs will sync the apps from Microsoft Store, and make them visible on the **Add apps** page. For more information about adding apps, see [Use Set Up School PCs app](use-set-up-school-pcs-app.md#create-the-provisioning-package).
-
-
-## Week of October 15, 2018
-
-The Set up School PCs app was updated with the following changes:
-
-### Three new setup screens added to the app
-The following screens and functionality were added to the setup workflow. Select a screen name to view the relevant steps and screenshots in the Set Up School PCs docs.
-
-* [**Package name**](use-set-up-school-pcs-app.md#package-name): Customize a package name to make it easy to recognize it from your school's other packages. Azure Active Directory generates the name. It appears as the filename, and as the token name in Azure AD in the Azure portal.
-
-* [**Product key**](use-set-up-school-pcs-app.md#product-key): Enter a product key to upgrade your current edition of Windows 10, or change the existing product key.
-
-* [**Personalization**](use-set-up-school-pcs-app.md#personalization): Upload images from your computer to customize how the lock screen and background appears on student devices.
-
-### Azure AD token expiration extended to 180 days
-Packages now expire 180 days from the date you create them.
-
-### Updated apps with more helpful, descriptive text
-The **Skip** buttons in the app now communicate the intent of each action. An **Exit** button also appears on the last page of the app.
-
-### Option to keep existing device names
-The [**Name these devices** screen](use-set-up-school-pcs-app.md#device-names) now gives you the option to keep the original or existing names of your student devices.
-
-### Skype and Messaging apps to be removed from student PCs by default
-The Skype and Messaging apps are part of a selection of apps that are, by default, removed from student devices.
-
-
-## Next steps
-Learn how to create provisioning packages and set up devices in the app.
-* [What's in my provisioning package?](set-up-school-pcs-provisioning-package.md)
-* [Set up School PCs technical reference](set-up-school-pcs-technical.md)
-* [Set up Windows 10 devices for education](set-up-windows-10.md)
-
-When you're ready to create and apply your provisioning package, see [Use Set up School PCs app](use-set-up-school-pcs-app.md).
\ No newline at end of file
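Review bot: deleting set-up-school-pcs-whats-new.md needs a redirect entry and the removal of links pointing to it; nothing in this diff covers either. The deleted page cross-links use-set-up-school-pcs-app.md, set-up-school-pcs-provisioning-package.md and set-up-school-pcs-technical.md, so those pages and the TOC are the first places to check for dangling links.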
diff --git a/education/windows/take-a-test-app-technical.md b/education/windows/take-a-test-app-technical.md
index da1540090d..f7c44f77e7 100644
--- a/education/windows/take-a-test-app-technical.md
+++ b/education/windows/take-a-test-app-technical.md
@@ -1,7 +1,7 @@
---
title: Take a Test app technical reference
description: List of policies and settings applied by the Take a Test app.
-ms.date: 03/31/2023
+ms.date: 11/02/2023
ms.topic: reference
---
@@ -11,11 +11,11 @@ Take a Test is an application that locks down a device and displays an online as
Whether you're a teacher or IT administrator, you can configure Take a Test to meet your testing needs. For high-stakes tests, the app creates a browser-based, locked-down environment. This environment means that students taking the tests that don't have copy/paste privileges, can't access to files and applications, and are free from distractions. For simple tests and quizzes, Take a Test can be configured to use the teacher's preferred assessment website to deliver digital assessments.
-Assessment vendors can use Take a Test as a platform to lock down the operating system. Take a Test supports the [SBAC browser API standard](https://www.smarterapp.org/documents/SecureBrowserRequirementsSpecifications_0-3.pdf) for high stakes common core testing. For more information, see [Take a Test Javascript API](/windows/uwp/apps-for-education/take-a-test-api).
+Assessment vendors can use Take a Test as a platform to lock down the operating system. Take a Test supports the [SBAC browser API standard](https://www.smarterapp.org/documents/SecureBrowserRequirementsSpecifications_0-3.pdf) for high stakes common core testing. For more information, see [Take a Test JavaScript API](/windows/uwp/apps-for-education/take-a-test-api).
## PC lock-down for assessment
- When the assessment page initiates lock-down, the student's desktop will be locked and the app will be launched above the Windows lock screen to provide a sandbox that ensures the student can only interact with the Take a Test app. After transitioning to the lock screen, Take a Test will apply local MDM policies to further lock down the device. The whole process of going above the lock screen and applying policies is what defines lock-down. The lock-down process is atomic, which means that if any part of the lock-down operation fails, the app won't be above lock and won't have any of the policies applied.
+ When the assessment page initiates lock-down, the student's desktop is locked and the app executes above the Windows lock screen. This provides a sandbox that ensures the student can only interact with the Take a Test app. After transitioning to the lock screen, Take a Test applies local MDM policies to further lock down the device. The whole process of going above the lock screen and applying policies is what defines lock-down. The lock-down process is atomic, which means that if any part of the lock-down operation fails, the app won't be above lock and won't have any of the policies applied.
When running above the lock screen:
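Review bot: the unchanged opening line of this hunk still reads "students taking the tests that don't have copy/paste privileges, can't access to files and applications"; since the paragraph is being reworded anyway, fix it to "students taking the tests don't have copy/paste privileges, can't access files and applications, and are free from distractions". In the same hunk, "high stakes common core testing" should be "high-stakes Common Core testing" to match "high-stakes tests" two lines above. The JavaScript capitalization fix and the split of the long lock-down sentence are both fine.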
@@ -25,7 +25,7 @@ When running above the lock screen:
- System clipboard is cleared
- Web apps can query the processes currently running in the user's device
- Extended display shows up as black
-- Auto-fill is disabled
+- Autofill is disabled
## Mobile device management (MDM) policies
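Review bot: "running in the user's device" should be "running on the user's device". The same bullet, "Web apps can query the processes currently running", reads as a general browser capability; clarify that it refers to the assessment page calling the Take a Test JavaScript API linked earlier in the page, so readers understand which code gets to enumerate processes on a locked-down device. The Auto-fill to Autofill change is fine and matches the table row below.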
@@ -36,7 +36,7 @@ When Take a Test is running, the following MDM policies are applied to lock down
| AllowToasts | Disables toast notifications from being shown | 0 |
| AllowAppStoreAutoUpdate | Disables automatic updates for Store apps that are installed on the PC | 0 |
| AllowDeviceDiscovery | Disables UI for screen sharing | 0 |
-| AllowInput Panel | Disables the onscreen keyboard, which will disable auto-fill | 0 |
+| AllowInput Panel | Disables the onscreen keyboard, which disables autofill | 0 |
| AllowCortana | Disables Cortana functionality | 0 |
| AllowAutoupdate | Disables Windows Update from starting OS updates | 5 |
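Review bot: the policy name "AllowInput Panel" keeps a stray space in both the old and the new line, while every other row in this table uses the bare policy identifier without spaces (AllowToasts, AllowAppStoreAutoUpdate, AllowDeviceDiscovery, AllowCortana); write it as "AllowInputPanel" so an admin can search the CSP reference for it. In the same pass, check the casing of "AllowAutoupdate" against the CSP reference, since the rest of the table is camel-cased throughout.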
@@ -61,7 +61,7 @@ When Take a Test is running, the following functionality is available to student
- Magnifier is available through Win++
- The student can press Alt+Tab when locked down. This key press results in the student being able to switch between the following elements:
- Take a Test
- - Assistive technology that may be running
+ - Assistive technology that might be running
- Lock screen (not available if student is using a dedicated test account)
> [!NOTE]
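Review bot: "Magnifier is available through Win++" is ambiguous once rendered; write the key combination explicitly, for example "Win + Plus (the Windows key and the plus key)", in the same style as "Alt+Tab" in the next bullet. The may/might change itself is fine.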
@@ -77,22 +77,22 @@ When permissive mode is triggered in lock-down mode, Take a Test transitions fro
When running tests in this mode, keep the following points in mind:
- Permissive mode isn't supported in kiosk mode (dedicated test account)
-- Permissive mode can be triggered from the web app running within Take a Test. Alternatively, you can create a link or shortcut without "#enforcelockdown" and it will launch in permissive mode
+- Permissive mode can be triggered from the web app running within Take a Test. Alternatively, you can create a link or shortcut without "#enforcelockdown" and it launches in permissive mode
## Troubleshoot Take a Test with the event viewer
-You can use the Event Viewer to view Take a Test events and errors. Take a Test logs events when a lock-down request has been received, device enrollment has succeeded, lock-down policies were successfully applied, and more.
+You can use the Event Viewer to view Take a Test events and errors. Take a Test logs events when it receives a lock-down request, device enrollment completes, lock-down policies are successfully applied, and more.
To enable viewing events in the Event Viewer:
-1. Open the `Event Viewer`
-1. Navigate to `Applications and Services Logs > Microsoft > Windows > Management-SecureAssessment`
-1. Select `Operational` > `Enable Log`
+1. Open the Event Viewer
+1. Navigate to **Applications and Services Logs** > **Microsoft** > **Windows** > **Management-SecureAssessment**
+1. Select **Operational** > **Enable Log**
To save the event logs:
-1. Select `Operational` > `Save All Events As…`
+1. Select **Operational** > **Save All Events As…**
## Learn more
-[Take a Test API](/windows/uwp/apps-for-education/take-a-test-api)
\ No newline at end of file
+[Take a Test API](/windows/uwp/apps-for-education/take-a-test-api)
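Review bot: the permissive-mode bullet ("create a link or shortcut without "#enforcelockdown" and it launches in permissive mode") describes a silent loss of lock-down and deserves a callout rather than a passing mention: a test link that omits the `#enforcelockdown` fragment runs without the above-lock-screen sandbox and without the MDM policies listed earlier on the page, so links for high-stakes tests must include it or use the dedicated test account. Minor points in the same hunk: the heading "Troubleshoot Take a Test with the event viewer" should say "Event Viewer" as the body text does, and "To save the event logs" is followed by a one-item numbered list that reads better as a single sentence.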
diff --git a/education/windows/tutorial-school-deployment/configure-device-settings.md b/education/windows/tutorial-school-deployment/configure-device-settings.md
index f9d1d2046f..fc71325532 100644
--- a/education/windows/tutorial-school-deployment/configure-device-settings.md
+++ b/education/windows/tutorial-school-deployment/configure-device-settings.md
@@ -1,7 +1,7 @@
---
title: Configure and secure devices with Microsoft Intune
description: Learn how to configure policies with Microsoft Intune in preparation for device deployment.
-ms.date: 08/31/2022
+ms.date: 11/09/2023
ms.topic: tutorial
---
@@ -88,7 +88,7 @@ To create a security policy:
- Windows SmartScreen
For more information, see [Security][INT-4].
-
+
> [!NOTE]
> If you require more sophisticated security policies, you can create them in Microsoft Intune. For more information:
> - [Antivirus][MEM-2]
@@ -98,7 +98,7 @@ For more information, see [Security][INT-4].
> - [Attack surface reduction][MEM-6]
> - [Account protection][MEM-7]
-________________________________________________________
+---
## Next steps
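Review bot: replacing the underscore rule with `---` is only safe when a blank line precedes it; directly under a text line, `---` turns that line into a setext H2 instead of a horizontal rule. The extracted diff does not make the surrounding blank lines visible, so verify the rendered output for this file and for each of the other files in this change where the same substitution appears (enroll-entra-join.md, enroll-package.md, index.md, set-up-microsoft-entra-id.md, set-up-microsoft-intune.md).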
diff --git a/education/windows/tutorial-school-deployment/configure-devices-overview.md b/education/windows/tutorial-school-deployment/configure-devices-overview.md
index 667695adba..fa6e5c218a 100644
--- a/education/windows/tutorial-school-deployment/configure-devices-overview.md
+++ b/education/windows/tutorial-school-deployment/configure-devices-overview.md
@@ -1,7 +1,7 @@
---
title: Configure devices with Microsoft Intune
description: Learn how to configure policies and applications in preparation for device deployment.
-ms.date: 08/31/2022
+ms.date: 11/09/2023
ms.topic: tutorial
---
diff --git a/education/windows/tutorial-school-deployment/enroll-aadj.md b/education/windows/tutorial-school-deployment/enroll-entra-join.md
similarity index 95%
rename from education/windows/tutorial-school-deployment/enroll-aadj.md
rename to education/windows/tutorial-school-deployment/enroll-entra-join.md
index 9cb7370124..e599fca7ac 100644
--- a/education/windows/tutorial-school-deployment/enroll-aadj.md
+++ b/education/windows/tutorial-school-deployment/enroll-entra-join.md
@@ -1,9 +1,10 @@
---
title: Enrollment in Intune with standard out-of-box experience (OOBE)
description: Learn how to join devices to Microsoft Entra ID from OOBE and automatically get them enrolled in Intune.
-ms.date: 08/31/2022
+ms.date: 11/09/2023
ms.topic: tutorial
---
+
# Automatic Intune enrollment via Microsoft Entra join
If you're setting up a Windows device individually, you can use the out-of-box experience to join it to your school's Microsoft Entra tenant, and automatically enroll it in Intune.
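Review bot: this file is renamed from enroll-aadj.md to enroll-entra-join.md, and the diff updates toc.yml and enroll-overview.md accordingly, but no redirect entry for the old path appears anywhere in the change; confirm one exists so bookmarks and external links to enroll-aadj.md don't 404. The same applies to the set-up-azure-ad.md to set-up-microsoft-entra-id.md rename later in this diff.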
@@ -21,7 +22,8 @@ With this process, no advance preparation is needed:
:::image type="content" source="./images/win11-login-screen.png" alt-text="Windows 11 login screen" border="false":::
-________________________________________________________
+---
+
## Next steps
With the devices joined to Microsoft Entra tenant and managed by Intune, you can use Intune to maintain them and report on their status.
diff --git a/education/windows/tutorial-school-deployment/enroll-overview.md b/education/windows/tutorial-school-deployment/enroll-overview.md
index fa0b05840b..8410be0db9 100644
--- a/education/windows/tutorial-school-deployment/enroll-overview.md
+++ b/education/windows/tutorial-school-deployment/enroll-overview.md
@@ -1,7 +1,7 @@
---
title: Device enrollment overview
description: Learn about the different options to enroll Windows devices in Microsoft Intune
-ms.date: 08/31/2022
+ms.date: 11/09/2023
ms.topic: overview
---
@@ -22,9 +22,9 @@ This [table][INT-1] describes the ideal scenarios for using either option. It's
Select one of the following options to learn the next steps about the enrollment method you chose:
> [!div class="op_single_selector"]
-> - [Automatic Intune enrollment via Microsoft Entra join](enroll-aadj.md)
+> - [Automatic Intune enrollment via Microsoft Entra join](enroll-entra-join.md)
> - [Bulk enrollment with provisioning packages](enroll-package.md)
-> - [Enroll devices with Windows Autopilot ](enroll-autopilot.md)
+> - [Enroll devices with Windows Autopilot](enroll-autopilot.md)
diff --git a/education/windows/tutorial-school-deployment/enroll-package.md b/education/windows/tutorial-school-deployment/enroll-package.md
index 0223d55bd5..22f7c70443 100644
--- a/education/windows/tutorial-school-deployment/enroll-package.md
+++ b/education/windows/tutorial-school-deployment/enroll-package.md
@@ -1,7 +1,7 @@
---
title: Enrollment of Windows devices with provisioning packages
description: Learn about how to enroll Windows devices with provisioning packages using SUSPCs and Windows Configuration Designer.
-ms.date: 08/31/2022
+ms.date: 11/09/2023
ms.topic: tutorial
---
@@ -49,7 +49,8 @@ All settings defined in the package and in Intune will be applied to the device,
:::image type="content" source="./images/win11-oobe-ppkg.gif" alt-text="Windows 11 OOBE - enrollment with provisioning package animation." border="false":::
-________________________________________________________
+---
+
## Next steps
With the devices joined to Microsoft Entra tenant and managed by Intune, you can use Intune to maintain them and report on their status.
diff --git a/education/windows/tutorial-school-deployment/index.md b/education/windows/tutorial-school-deployment/index.md
index a5a1998f71..6ddb3c8c54 100644
--- a/education/windows/tutorial-school-deployment/index.md
+++ b/education/windows/tutorial-school-deployment/index.md
@@ -1,7 +1,7 @@
---
title: Introduction to the tutorial deploy and manage Windows devices in a school
description: Introduction to deployment and management of Windows devices in education environments.
-ms.date: 08/31/2022
+ms.date: 11/09/2023
ms.topic: tutorial
---
@@ -60,13 +60,14 @@ In the remainder of this document, we'll discuss the key concepts and benefits o
- **Device enrollment:** Setting up Windows devices for deployment and enrolling them in Intune for Education
- **Device reset:** Resetting managed devices with Intune for Education
-________________________________________________________
+---
+
## Next steps
Let's begin with the creation and configuration of your Microsoft Entra tenant and Intune environment.
> [!div class="nextstepaction"]
-> [Next: Set up Microsoft Entra ID >](set-up-azure-ad.md)
+> [Next: Set up Microsoft Entra ID >](set-up-microsoft-entra-id.md)
diff --git a/education/windows/tutorial-school-deployment/manage-overview.md b/education/windows/tutorial-school-deployment/manage-overview.md
index ff0997fad9..0a51b174b9 100644
--- a/education/windows/tutorial-school-deployment/manage-overview.md
+++ b/education/windows/tutorial-school-deployment/manage-overview.md
@@ -1,7 +1,7 @@
---
title: Manage devices with Microsoft Intune
description: Overview of device management capabilities in Intune for Education, including remote actions, remote assistance and inventory/reporting.
-ms.date: 08/31/2022
+ms.date: 11/09/2023
ms.topic: tutorial
---
diff --git a/education/windows/tutorial-school-deployment/manage-surface-devices.md b/education/windows/tutorial-school-deployment/manage-surface-devices.md
index 94efd0d46b..028dc739c7 100644
--- a/education/windows/tutorial-school-deployment/manage-surface-devices.md
+++ b/education/windows/tutorial-school-deployment/manage-surface-devices.md
@@ -1,7 +1,7 @@
---
title: Management functionalities for Surface devices
description: Learn about the management capabilities offered to Surface devices, including firmware management and the Surface Management Portal.
-ms.date: 08/31/2022
+ms.date: 11/09/2023
ms.topic: tutorial
appliesto:
- ✅ Surface devices
@@ -9,7 +9,7 @@ appliesto:
# Management functionalities for Surface devices
-Microsoft Surface devices offer many advanced management functionalities, including the possibility to manage firmware settings and a web portal designed for them.
+Microsoft Surface devices offer advanced management functionalities, including the possibility to manage firmware settings and a web portal designed for them.
## Manage device firmware for Surface devices
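Review bot: "including the possibility to manage firmware settings" is awkward in English; "including the ability to manage firmware settings" reads better. Dropping "many" is fine.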
@@ -27,20 +27,18 @@ When Surface devices are enrolled in cloud management and users sign in for the
To access and use the Surface Management Portal:
-1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
-2. Select **All services** > **Surface Management Portal**
+1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
+1. Select **All services** > **Surface Management Portal**
:::image type="content" source="./images/surface-management-portal.png" alt-text="Surface Management Portal within Microsoft Intune" lightbox="./images/surface-management-portal-expanded.png" border="true":::
-3. To obtain insights for all your Surface devices, select **Monitor**
+1. To obtain insights for all your Surface devices, select **Monitor**
- Devices that are out of compliance or not registered, have critically low storage, require updates, or are currently inactive, are listed here
-4. To obtain details on each insights category, select **View report**
+1. To obtain details on each insights category, select **View report**
- This dashboard displays diagnostic information that you can customize and export
-5. To obtain the device's warranty information, select **Device warranty and coverage**
-6. To review a list of support requests and their status, select **Support requests**
+1. To obtain the device's warranty information, select **Device warranty and coverage**
+1. To review a list of support requests and their status, select **Support requests**
[INT-1]: /intune/configuration/device-firmware-configuration-interface-windows
-
[MEM-1]: /mem/autopilot/dfci-management
-
[SURF-1]: /surface/surface-manage-dfci-guide
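Review bot: after switching every item to `1.`, the indented sub-bullets under the Monitor and View report steps ("- Devices that are out of compliance…", "- This dashboard displays…") must be indented to align with the item text, otherwise Markdown closes the ordered list and the following step renders as 1 again; verify the rendered numbering. Removing the blank lines between the reference-link definitions at the bottom is fine.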
diff --git a/education/windows/tutorial-school-deployment/reset-wipe.md b/education/windows/tutorial-school-deployment/reset-wipe.md
index 1d0edf123a..9646537bac 100644
--- a/education/windows/tutorial-school-deployment/reset-wipe.md
+++ b/education/windows/tutorial-school-deployment/reset-wipe.md
@@ -1,7 +1,7 @@
---
title: Reset and wipe Windows devices
description: Learn about the reset and wipe options for Windows devices using Intune for Education, including scenarios when to delete devices.
-ms.date: 08/31/2022
+ms.date: 11/09/2023
ms.topic: tutorial
---
@@ -104,6 +104,7 @@ Repairing Autopilot-enrolled devices can be complex, as OEM requirements must be
For more information, see [Autopilot motherboard replacement scenario guidance][MEM-4].
+
[MEM-1]: /mem/intune/remote-actions/devices-wipe#delete-devices-from-the-intune-portal
[MEM-2]: /mem/intune/remote-actions/devices-wipe#delete-devices-from-the-intune-portal
[MEM-3]: /mem/intune/remote-actions/devices-wipe#delete-devices-from-the-azure-active-directory-portal
diff --git a/education/windows/tutorial-school-deployment/set-up-azure-ad.md b/education/windows/tutorial-school-deployment/set-up-microsoft-entra-id.md
similarity index 99%
rename from education/windows/tutorial-school-deployment/set-up-azure-ad.md
rename to education/windows/tutorial-school-deployment/set-up-microsoft-entra-id.md
index cbfcfae2b5..b1ab1cfc12 100644
--- a/education/windows/tutorial-school-deployment/set-up-azure-ad.md
+++ b/education/windows/tutorial-school-deployment/set-up-microsoft-entra-id.md
@@ -1,7 +1,7 @@
---
title: Set up Microsoft Entra ID
description: Learn how to create and prepare your Microsoft Entra tenant for an education environment.
-ms.date: 08/31/2022
+ms.date: 11/09/2023
ms.topic: tutorial
appliesto:
---
@@ -86,6 +86,7 @@ There are two options for adding users manually, either individually or in bulk:
- Select **Microsoft Entra ID** > **Users** > **All users** > **Bulk operations** > **Bulk create**
For more information, see [Add multiple users in the Microsoft 365 admin center][M365-4].
+
### Create groups
Creating groups is important to simplify multiple tasks, like assigning licenses, delegating administration, deploy settings, applications or to distribute assignments to students. To create groups:
@@ -143,7 +144,7 @@ To allow provisioning packages to complete the Microsoft Entra join process:
1. Select Save
:::image type="content" source="images/entra-device-settings.png" alt-text="Configure device settings from Microsoft Entra admin center." lightbox="images/entra-device-settings.png":::
-________________________________________________________
+---
## Next steps
diff --git a/education/windows/tutorial-school-deployment/set-up-microsoft-intune.md b/education/windows/tutorial-school-deployment/set-up-microsoft-intune.md
index f55a5262c3..38dc58b276 100644
--- a/education/windows/tutorial-school-deployment/set-up-microsoft-intune.md
+++ b/education/windows/tutorial-school-deployment/set-up-microsoft-intune.md
@@ -1,7 +1,7 @@
---
title: Set up device management
description: Learn how to configure the Intune service and set up the environment for education.
-ms.date: 08/31/2022
+ms.date: 11/09/2023
ms.topic: tutorial
appliesto:
---
@@ -74,7 +74,7 @@ To disable Windows Hello for Business at the tenant level:
For more information how to enable Windows Hello for Business on specific devices, see [Create a Windows Hello for Business policy][MEM-4].
-________________________________________________________
+---
## Next steps
diff --git a/education/windows/tutorial-school-deployment/toc.yml b/education/windows/tutorial-school-deployment/toc.yml
index a332eb8656..8abc013f68 100644
--- a/education/windows/tutorial-school-deployment/toc.yml
+++ b/education/windows/tutorial-school-deployment/toc.yml
@@ -4,7 +4,7 @@ items:
- name: 1. Prepare your tenant
items:
- name: Set up Microsoft Entra ID
- href: set-up-azure-ad.md
+ href: set-up-microsoft-entra-id.md
- name: Set up Microsoft Intune
href: set-up-microsoft-intune.md
- name: 2. Configure settings and applications
@@ -20,7 +20,7 @@ items:
- name: Overview
href: enroll-overview.md
- name: Enroll devices via Microsoft Entra join
- href: enroll-aadj.md
+ href: enroll-entra-join.md
- name: Enroll devices with provisioning packages
href: enroll-package.md
- name: Enroll devices with Windows Autopilot
diff --git a/education/windows/tutorial-school-deployment/troubleshoot-overview.md b/education/windows/tutorial-school-deployment/troubleshoot-overview.md
index 5e27915802..0d59f1af56 100644
--- a/education/windows/tutorial-school-deployment/troubleshoot-overview.md
+++ b/education/windows/tutorial-school-deployment/troubleshoot-overview.md
@@ -1,7 +1,7 @@
---
title: Troubleshoot Windows devices
description: Learn how to troubleshoot Windows devices from Intune and contact Microsoft Support for issues related to Intune and other services.
-ms.date: 08/31/2022
+ms.date: 11/09/2023
ms.topic: tutorial
---
@@ -25,10 +25,9 @@ Here's a collection of resources to help you troubleshoot Windows devices manage
Microsoft provides global technical, pre-sales, billing, and subscription support for cloud-based device management services. This support includes Microsoft Intune, Configuration Manager, Windows 365, and Microsoft Managed Desktop.
-Follow these steps to obtain support in Microsoft Intune provides many tools that can help you troubleshoot Windows devices.
-:
+Follow these steps to obtain support in Microsoft Intune provides many tools that can help you troubleshoot Windows devices:
-- Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+- Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
- Select **Troubleshooting + support** > **Help and support**
:::image type="content" source="images/advanced-support.png" alt-text="Screenshot that shows how to obtain support from Microsoft Intune." lightbox="images/advanced-support.png":::
- Select the required support scenario: Configuration Manager, Intune, Co-management, or Windows 365
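Review bot: the new line "Follow these steps to obtain support in Microsoft Intune provides many tools that can help you troubleshoot Windows devices:" is still two sentences fused together; the stray ":" line was removed but the sentence was not repaired. Suggest: "Microsoft Intune provides many tools that can help you troubleshoot Windows devices. To obtain support in Microsoft Intune, follow these steps:".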
diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md
index f9a55de678..d6b1fa3e62 100644
--- a/education/windows/use-set-up-school-pcs-app.md
+++ b/education/windows/use-set-up-school-pcs-app.md
@@ -2,88 +2,90 @@
title: Use Set up School PCs app
description: Learn how to use the Set up School PCs app and apply the provisioning package.
ms.topic: how-to
-ms.date: 08/10/2022
+ms.date: 11/09/2023
appliesto:
- ✅ Windows 10
---
+
# Use the Set up School PCs app
-IT administrators and technical teachers can use the **Set up School PCs** app to quickly set up Windows 10 PCs for students. The app configures PCs with the apps and features students need, and it removes the ones they don't need. During setup, if licensed in your tenant, the app enrolls each student PC into a mobile device management (MDM) provider, such as Intune for Education. You can then manage all the settings the app configures through the MDM.
+IT administrators and technical teachers can use the **Set up School PCs** app to quickly set up Windows devices for students. The app configures devices with the apps and features students need, and it removes the ones they don't need. During setup, if licensed in your tenant, the app enrolls each student device in Microsoft Intune. You can then manage all the settings the app configures through Intune.
-Set up School PCs also:
-* Joins each student PC to your organization's Office 365 and Microsoft Entra tenant.
-* Enables the optional Autopilot Reset feature, to return devices to a fully configured or known IT-approved state.
-* Utilizes Windows Update and maintenance hours to keep student PCs up-to-date, without interfering with class time.
-* Locks down the student PC to prevent activity that isn't beneficial to their education.
+With Set up School PCs you can:
-This article describes how to fill out your school's information in the Set up School PCs app. To learn more about the app's functionality, start with the [Technical reference for the Set up School PCs app](set-up-school-pcs-technical.md).
+- Joins student devices to your organization's Microsoft Entra tenant
+- Enable the optional Autopilot Reset feature, to return devices to a fully configured or known IT-approved state
+- Use Windows Update and maintenance hours to keep student devices up-to-date, without interfering with class time
+- Lock down student devices to prevent activity that aren't beneficial to their education
-## Requirements
-Before you begin, make sure that you, your computer, and your school's network are configured with the following requirements.
+This article describes how to use the Set up School PCs app. To learn more about the app's functionality, review the [Technical reference for the Set up School PCs app](set-up-school-pcs-technical.md).
-* Office 365 and Microsoft Entra ID
-* [Latest Set up School PCs app](https://www.microsoft.com/store/apps/9nblggh4ls40)
-* A NTFS-formatted USB drive that is at least 1 GB, if not installing Office; and at least 8 GB, if installing Office
-* Student PCs must either:
- * Be within range of the Wi-Fi network that you configured in the app.
- * Have a wired Ethernet connection when you set them up.
+## Requirements
-### Configure USB drive for additional space
-USB drives are, by default, FAT32-formatted, and are unable to save more than 4 GB of data. If you plan to install several apps, or large apps like Microsoft Office, you'll need more space. To create more space on the USB drive, reformat it to NTFS.
-1. Insert the USB drive into your computer.
-2. Go to the **Start** > **This PC**.
-3. In the **Devices and drives** section, find your USB drive. Right-click to see its options.
-4. Select **Format** from the list to bring up the **Format drive name** window.
-5. Set **File system** to **NTFS**.
-6. Click **Start** to format the drive.
+Before you begin, make sure that your devices and your school's network are configured with the following requirements:
-### Prepare existing PC account for new setup
-Apply new packages to factory reset or new PCs. If you apply it to a PC that's already set up, you may lose the accounts and data.
+- Microsoft Entra ID and Microsoft 365 licenses
+- [Latest Set up School PCs app](https://apps.microsoft.com/detail/9NBLGGH4LS40)
+- A NTFS-formatted USB drive that is at least 1 GB
+- Student devices must either:
+ - Be within range of the Wi-Fi network that you configured in the app
+ - Have a wired Ethernet connection when you set them up
-If a PC has already been set up, and you want to apply a new package, reset the PC to a clean state.
+### Prepare existing PC account for new setup
-To begin, go to the **Settings** app on the appropriate PC.
-1. Click **Update & Security** > **Recovery**.
-2. In the **Reset this PC** section, click **Get started**.
-3. Click **Remove everything**.
+Apply new packages to factory reset or new devices. If you apply it to a device that's already set up, you may lose the accounts and data.
-You can also go to **Start** > **Power** icon. Hold down the Shift key and click **Restart** to load the Windows boot user experience. From there, follow these steps:
-1. Click **Troubleshoot** and then choose **Reset this PC**.
-2. Select **Remove everything**.
-3. If the option appears, select **Only the drive where Windows is installed**.
-4. Click **Just remove my files**.
-5. Click **Reset**.
+If a device is already set up, and you want to apply a new package, reset the device to a clean state. To reset a device, follow these steps:
-## Recommendations
-This section offers recommendations to prepare you for the best possible setup experience.
-### Run the same Windows 10 build on the admin device and the student PCs
-We recommend you run the IT administrator or technical teacher's device on the same Windows 10 build as the student PCs.
+1. Open the **Settings** app on target device
+1. Select **Update & Security** > **Recovery**
+1. In the **Reset this PC** section, select **Get started**
+1. Select **Remove everything**
-### Student PCs should meet OS requirements for the app
-Check the OS requirements in the Set up School PCs app. We recommend using the latest Set up School PCs app along with the latest Windows 10 images on the student PCs.
+Alternatively, you can also select **Start** > **Power** icon. Hold down Shift while selecting **Restart** to load the Windows boot user experience:
-To check the app's OS requirements, go to the Microsoft Store and locate the Set up School PCs app. In the app's description, go to **System Requirements > OS**.
+1. Select **Troubleshoot** > **Reset this PC**
+1. Select **Remove everything**
+1. If the option appears, select **Only the drive where Windows is installed**
+1. Select **Just remove my files**
+1. Select **Reset**
+
+## Recommendations
+
+This section offers recommendations to prepare you for the best possible setup experience.
+
+### Run the same Windows build on the admin device and the student devices
+
+We recommend you run the IT administrator or technical teacher's device on the same Windows build as the student devices.
+
+### Student devices must meet OS requirements for the app
+
+Check the OS requirements in the Set up School PCs app. We recommend using the latest Set up School PCs app along with the latest Windows images on the student devices.
+
+To check the app's OS requirements, go to the Microsoft Store and locate the Set up School PCs app. In the app's description, go to **System Requirements** > **OS**.
### Use app on a PC that is connected to your school's network
-We recommend that you run the Set up School PCs app on a computer that's connected to your school's network. That way the app can gather accurate information about your school's wireless networks and cloud subscriptions. If it's not connected, you'll need to enter the information manually.
- > [!NOTE]
- > Don't use the **Set up Schools PCs** app for PCs that must connect to:
- >* Enterprise networks that require the user to accept Terms of Use.
- >* Open Wi-Fi networks that require the user to accept Terms of Use.
+We recommend that you run the Set up School PCs app on a computer that's connected to your school's network. That way the app can gather accurate information about your school's wireless networks and cloud subscriptions. If it's not connected, you need to enter the information manually.
+
+>[!NOTE]
+>Don't use the **Set up Schools PCs** app for devices that must connect to enterprise or open Wi-Fi networds that require the user to accept Terms of Use.
### Run app on an open network or network that requires a basic password
-Don't use Set up School PCs over a certification-based network, or one where you have to enter credentials in a browser. If you need to set up many devices over Wi-Fi, make sure that your network configuration can support it.
-We recommend that you:
-* Configure your DHCP so at least 200 IP addresses are available for your devices. Having available IP addresses will allow you to set up many devices simultaneously.
-* Configure your IP addresses to expire after a short time--about 30 minutes. IP addresses will free up quickly so you can continue to set up devices without network issues.
+Don't use Set up School PCs over a certificate-based network, or one where you have to enter credentials in a browser. If you need to set up many devices over Wi-Fi, make sure that your network configuration can support it.
-> > [!WARNING]
-> > Only use the provisioning package on PCs that you want to configure and lock down for students. After you apply the provisioning package to a student PC, the PC must be reset to remove the settings.
+We recommend that you:
-### Use an additional USB drive
-To set up more than one PC at the same time, save the provisioning package to additional USB drives. Then plug the USBs in at the same time during setup.
+- Configure your DHCP so at least 200 IP addresses are available for your devices. Having available IP addresses allow you to set up many devices simultaneously
+- Configure your IP addresses to expire after a short time, for example 30 minutes. IP addresses free up quickly so you can continue to set up devices without network issues.
+
+>[!WARNING]
+>Only use the provisioning package on devices that you want to configure and lock down for students. After you apply the provisioning package to a student device, the PC must be reset to remove the settings.
+
+### Use an additional USB drive
+
+To set up more than one PC at the same time, save the provisioning package to additional USB drives. Then plug the USBs in at the same time during setup.
### Limit changes to school-optimized settings
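Review bot: the "Configure USB drive for additional space" subsection (the steps to reformat the USB drive to NTFS) is deleted, yet the requirements list still demands "A NTFS-formatted USB drive" and the deleted text is the only place that explained that drives ship FAT32; either keep the reformat steps or link to where they now live. Wording fixes in the same hunk: "A NTFS-formatted" should be "An NTFS-formatted"; in the capability list "Joins student devices" should be "Join" to match "Enable", "Use" and "Lock down"; "activity that aren't beneficial" should be "activities that aren't beneficial"; "networds" is a typo for "networks" and "Set up Schools PCs" should be "Set up School PCs"; "Having available IP addresses allow you" should be "allows you"; and the warning ends with "the PC must be reset" where the rest of the hunk now says "device".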
@@ -91,191 +93,172 @@ We strongly recommend that you avoid changing preset policies. Changes can slow
## Create the provisioning package
-The **Set up School PCs** app guides you through the configuration choices for the student PCs. To begin, open the app on your PC and click **Get started**.
-
- 
+The **Set up School PCs** app guides you through the configuration choices for the student PCs. To begin, open the app on your device and select **Get started**.
+
+
+
+### Package name
-### Package name
Type a unique name to help distinguish your school's provisioning packages. The name appears:
-* On the local package folder
-* In your tenant's Microsoft Entra account in the Azure portal
+- On the local package folder
+- In your tenant's Microsoft Entra account in the Azure portal
-A package expiration date is also attached to the end of each package. For example, *Set_Up_School_PCs (Expires 4-16-2019)*. The expiration date is 180 days after you create your package.
+A package expiration date is also attached to the end of each package. For example, *Set_Up_School_PCs (Expires 1-1-2024)*. The expiration date is 180 days after you create your package.

-After you click **Next**, you can no longer change the name in the app. To create a package with a different name, reopen the Set up School PCs app.
-
-To change an existing package's name, right-click the package folder on your device and select **Rename**. This action does not change the name in Microsoft Entra ID. If you have Global Admin permissions, you can go to Microsoft Entra ID in the Azure portal, and rename the package there.
+After you select **Next**, you can no longer change the name in the app. To create a package with a different name, reopen the Set up School PCs app.
+To change an existing package's name, right-click the package folder on your device and select **Rename**. This action doesn't change the name in Microsoft Entra ID. If you have Global Admin permissions, you can go to Microsoft Entra ID in the Azure portal, and rename the package there.
### Sign in
-1. Select how you want to sign in.
- a. (Recommended) To enable student PCs to automatically be connect to Office 365, Microsoft Entra ID, and management services like Intune for Education, click **Sign-in**. Then go to step 3.
- b. To complete setup without signing in, click **Continue without account**. Student PCs won't be connected to your school's cloud services and managing them will be more difficult later. Continue to [Wireless network](#wireless-network).
-2. In the new window, select the account you want to use throughout setup.
+1. Select how you want to sign in
+ 1. (Recommended) To enable student device to automatically connect and authenticate to Microsoft Entra ID, and management services like Microsoft Intune, select **Sign-in**. Then go to step 3
+ 1. To complete setup without signing in, select **Continue without account**. Student devices won't connect to your school's cloud services and their management will be more difficult later. Continue to [Wireless network](#wireless-network)
+1. In the new window, select the account you want to use throughout setup.

To add an account not listed:
- a. Click **Work or school account** > **Continue**.
- b. Type in the account username and click **Next**.
- c. Verify the user account and password, if prompted.
+ 1. Select **Work or school account** > **Continue**.
+ 1. Type in the account username and select **Next**.
+ 1. Verify the user account and password, if prompted.
-
-3. Click **Accept** to allow Set up School PCs to access your account throughout setup.
-2. When your account name appears on the page, as shown in the image below, click **Next.**
+1. Select **Accept** to allow Set up School PCs to access your account throughout setup
+1. When your account name appears on the page, select **Next**

### Wireless network
-Add and save the wireless network profile that you want student PCs to connect to. Only skip Wi-Fi setup if you have an Ethernet connection.
-Select your school's Wi-Fi network from the list of available wireless networks, or click **Add a wireless network** to manually configure it. Then click **Next.**
+Add and save the wireless network profile that you want student devices to connect to. Only skip Wi-Fi setup if you have an Ethernet connection.
+
+Select your organization's Wi-Fi network from the list of available wireless networks, or select **Add a wireless network** to manually configure it. Then select **Next**

### Device names
-Create a short name to add as a prefix to each PC. This name will help you recognize and manage this specific group of devices in your mobile device manager. The name must be five (5) characters or less.
-To make sure all device names are unique, Set up School PCs automatically appends `_%SERIAL%` to the name. For example, if you add *Math4* as the prefix, the device names will appear as *Math4* followed by a random string of letters and numbers.
+Create a name to add as a prefix to each device. This name helps you recognize and manage this group of devices in Intune.
-To keep the default name for your devices, click **Continue with existing names**.
+To make sure all device names are unique, Set up School PCs automatically appends `_%SERIAL%` to the name. For example, if you add *MATH4* as the prefix, the device names appear as *MATH4* followed by the device serial number.
+
+To keep the default name for your devices, select **Continue with existing names**.

-
-
### Settings
-Select additional settings to include in the provisioning package. To begin, select the operating system on your student PCs.
+
+Select more settings to include in the provisioning package. To begin, select the operating system on your student PCs.

-Setting selections vary based on the OS version you select. The example screenshot below shows the settings that become available when you select **Windows 10 version 1703**. The option to **Enable Autopilot Reset** is not available for this version of Windows 10.
-
+Setting selections vary based on the OS version you select.

+The following table describes each setting and lists the applicable Windows 10 versions. To find out if a setting is available in your version of Windows 10, look for an *X* in the setting row and in the version column.
-> [!NOTE]
-> The [**Time zone** setting](use-set-up-school-pcs-app.md#time-zone), shown in the sidebar of the screenshot above, is not made available to versions of Windows 10 in S mode. If you select a version in S mode, **Time zone** will become disabled.
+| Setting | What happens if I select it? | Note |
+|--|--|--|
+| Remove apps preinstalled by the device manufacturer | Uninstalls apps that came loaded on the computer by the device's manufacturer. | Adds about 30 minutes to the provisioning process. |
+| Allow local storage (not recommended for shared devices) | Lets students save files to the Desktop and Documents folder on the Student PC. | Not recommended if the device are shared between different students. |
+| Optimize device for a single student, instead of a shared cart or lab | Optimizes the device for use by a single student, rather than many students. | Recommended if the device are shared between different students. Single-optimized accounts are set to expire, and require a sign-in, 180 days after setup. This setting increases the maximum PC storage to 100% of the available disk space. In this case, student accounts aren't deleted unless the account has been inactive for 180 days. |
+| Let guests sign in to these PCs | Allows guests to use student PCs without a school account. | Common to use within a public, shared space, such as a library. Also used when a student loses their password. Adds a **Guest** account to the PC sign-in screen that anyone can sign in to. |
+| Enable Autopilot Reset | Lets you remotely reset a student's PC from the lock screen, apply the device's original settings, and enroll it in device management (Microsoft Entra ID and MDM). | WinRE must be enabled on the device. |
+| Lock screen background | Change the default screen lock background to a custom image. | Select **Browse** to search for an image file on your computer. Accepted image formats are jpg, jpeg, and png. |
-The following table describes each setting and lists the applicable Windows 10 versions. To find out if a setting is available in your version of Windows 10, look for an *X* in the setting row and in the version column.
-
-|Setting |1703|1709|1803|1809|What happens if I select it? |Note|
-|---------|---------|---------|---------|---------|---------|---------|
-|Remove apps pre-installed by the device manufacturer |X|X|X|X| Uninstalls apps that came loaded on the computer by the device's manufacturer. |Adds about 30 minutes to the provisioning process.|
-|Allow local storage (not recommended for shared devices) |X|X|X|X| Lets students save files to the Desktop and Documents folder on the Student PC. |Not recommended if the device will be shared between different students.|
-|Optimize device for a single student, instead of a shared cart or lab |X|X|X|X|Optimizes the device for use by a single student, rather than many students. |Recommended if the device will be shared between different students. Single-optimized accounts are set to expire, and require a sign-in, 180 days after setup. This setting increases the maximum PC storage to 100% of the available disk space. In this case, student accounts aren't deleted unless the account has been inactive for 180 days. |
-|Let guests sign in to these PCs |X|X|X|X|Allows guests to use student PCs without a school account. |Common to use within a public, shared space, such as a library. Also used when a student loses their password. Adds a **Guest** account to the PC sign-in screen that anyone can sign in to.|
-|Enable Autopilot Reset |Not available|X|X|X|Lets you remotely reset a student's PC from the lock screen, apply the device's original settings, and enroll it in device management (Microsoft Entra ID and MDM). |Requires Windows 10, version 1709 and WinRE must be enabled on the PC. Setup will fail if both requirements aren't met.|
-|Lock screen background|X|X|X|X|Change the default screen lock background to a custom image.|Click **Browse** to search for an image file on your computer. Accepted image formats are jpg, jpeg, and png.|
-
-After you've made your selections, click **Next**.
+After you've made your selections, select **Next**.
### Time zone
> [!WARNING]
> If you are using the Autounattend.xml file to reimage your school PCs, do not specify a time zone in the file. If you set the time zone in the file *and* in this app, you will encounter an error.
-Choose the time zone where your school's PCs are used. This setting ensures that all PCs are provisioned in the same time zone. When you're done, click **Next**.
+Choose the time zone where your school's devices are used. This setting ensures that all PCs are provisioned in the same time zone. When you're done, select **Next**.

-### Product key
-Optionally, type in a 25-digit product key to:
-* Upgrade your current edition of Windows. For example, if you want to upgrade from Windows 10 Education to Windows 10 Education Pro, enter the product key for the Pro edition.
-* Change the product key. If you want to associate student devices with a new or different Windows 10 product key, enter it now.
+### Product key
+
+Optionally, type in a 25-digit product key to upgrade or change the edition of Windows on your student devices. If you don't have a product key, select **Continue without change**.

-### Take a Test
-Set up the Take a Test app to give online quizzes and high-stakes assessments. During assessments, Windows locks down the student PC so that students can't access anything else on the device.
+### Take a Test
-1. Select **Yes** to create a Take a Test button on the sign-in screens of your students' PCs.
+Set up the Take a Test app to give online quizzes and high-stakes assessments. During assessments, Windows locks down the student devices so that students can't access anything else on the device.
- 
+1. Select **Yes** to create a Take a Test button on the sign-in screens of your students' devices
-2. Select from the advanced settings. Available settings include:
- * Allow keyboard auto-suggestions: Allows app to suggest words as the student types on the PC's keyboard.
- * Allow teachers to monitor online tests: Enables screen capture in the Take a Test app.
-3. Enter the URL where the test is hosted. When students log in to the Take a Test account, they'll be able to click or enter the link to view the assessment.
-4. Click **Next**.
+ 
-### Add apps
-Choose from Microsoft recommended apps and your school's own Microsoft Store inventory. The apps you select here are added to the provisioning package and installed on student PCs. After they're assigned, apps are pinned to the device's Start menu.
+1. Select from the advanced settings. Available settings include:
+ - Allow keyboard auto-suggestions: Allows app to suggest words as the student types on the device's keyboard
+ - Allow teachers to monitor online tests: Enables screen capture in the Take a Test app
+1. Enter the URL where the test is hosted. When students log in to the Take a Test account, they'll be able to select or enter the link to view the assessment
+1. Select **Next**
-If there aren't any apps in your Microsoft Store inventory, or you don't have the permissions to add apps, you'll need to contact your school admin for help. If you receive a message that you can't add the selected apps, click **Continue without apps**. Contact your school admin to get these apps later.
+### Personalization
-After you've made your selections, click **Next**.
+Upload custom images to replace the student devices' default desktop and lock screen backgrounds. Select **Browse** to search for an image file on your computer. Accepted image formats are jpg, jpeg, and png.
+If you don't want to upload custom images or use the images that appear in the app, select **Continue without personalization**. This option doesn't apply any customizations, and instead uses the devices' default or preset images.
- 
+
-The following table lists the recommended apps you'll see.
+### Summary
-|App |Note |
-|---------|---------|
-|Office 365 for Windows 10 in S mode (Education Preview) | Setup is only successful on student PCs that run Windows 10 in S mode. The PC you running the Set up School PCs app is not required to have Windows 10 in S mode. |
-|Microsoft Whiteboard | None|
-|Minecraft: Education Edition | Free trial|
+Review all of the settings for accuracy and completeness
+1. To make changes now, select any page along the left side of the window
+2. When finished, select **Accept**
+
-### Personalization
-Upload custom images to replace the student devices' default desktop and lock screen backgrounds. Click **Browse** to search for an image file on your computer. Accepted image formats are jpg, jpeg, and png.
-
-If you don't want to upload custom images or use the images that appear in the app, click **Continue without personalization**. This option does not apply any customizations, and instead uses the devices' default or preset images.
-
- 
-
-
-### Summary
-Review all of the settings for accuracy and completeness. Check carefully. To make changes to a saved package, you have to start over.
-1. To make changes now, click any page along the left side of the window.
-2. When finished, click **Accept**.
-
- 
+> [!NOTE]
+> To make changes to a saved package, you have to start over.
### Insert USB
-1. Insert a USB drive. The **Save** button will light up when your computer detects the USB.
-2. Choose your USB drive from the list and click **Save**.
- 
+1. Insert a USB drive. The **Save** button lights up when your computer detects the USB
+1. Choose your USB drive from the list and select **Save**
-3. When the package is ready, you'll see the filename and package expiration date. You can also click **Add a USB** to save the same provisioning package to another USB drive. When you're done, remove the USB drive and click **Next**.
+ 
- 
+1. When the package is ready, you see the filename and package expiration date. You can also select **Add a USB** to save the same provisioning package to another USB drive. When you're done, remove the USB drive and select **Next**
-## Run package - Get PCs ready
-Complete each step on the **Get PCs ready** page to prepare student PCs for set-up. Then click **Next**.
-
- 
+
+
+## Run package - Get PCs ready
+
+Complete each step on the **Get PCs ready** page to prepare student devices for set-up. Then select **Next**.
+
+
## Run package - Install package on PC
-The provisioning package on your USB drive is named SetupSchoolPCs_<*devicename*>(Expires <*expiration date*>.ppkg. A provisioning package applies settings to Windows 10 without reimaging the device.
+The provisioning package on your USB drive is named SetupSchoolPCs_<*devicename*>(Expires <*expiration date*>.ppkg. A provisioning package applies settings to Windows without reimaging the device.
-When used in context of the Set up School PCs app, the word *package* refers to your provisioning package. The word *provisioning* refers to the act of installing the package on the student PC. This section describes how to apply the settings to a PC in your school.
+When used in context of the Set up School PCs app, the word *package* refers to your provisioning package. The word *provisioning* refers to the act of installing the package on the student device. This section describes how to apply the settings to a device in your school.
> [!IMPORTANT]
-> The PC must have a new or reset Windows 10 image and must not already have been through first-run setup (also referred to as OOBE). For instructions about how to reset a computer's image, see [Prepare existing PC account for new setup](use-set-up-school-pcs-app.md#prepare-existing-pc-account-for-new-setup).
+> The devices must have a new or reset Windows image and must not already have been through first-run setup experience (which is referred to as *OOBE*). For instructions about how to reset a devices's image, see [Prepare existing PC account for new setup](use-set-up-school-pcs-app.md#prepare-existing-pc-account-for-new-setup).
-1. Start with the student PC turned off or with the PC on the first-run setup screen. In Windows 10 version 1803, the first-run setup screen reads, **Let's start with region. Is this right?**
+1. Start with the student device turned off or with the device on the first-run setup screen. If the device is past the account setup screen, reset the device to start over. To reset the it, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**
- If the PC has gone past the account setup screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**.
-
- 
+ 
-2. Insert the USB drive. Windows automatically recognizes and installs the package.
-
- 
-3. When you receive the message that it's okay to remove the USB drive, remove it from the PC. If there are more PCs to set up, insert the USB drive into the next PC.
+1. Insert the USB drive. Windows automatically recognizes and installs the package
+
+ 
+
+1. When you receive the message that it's okay to remove the USB drive, remove it from the device. If there are more devices to set up, insert the USB drive into the next one

-4. If you didn't set up the package with Microsoft Entra join, continue the Windows device setup experience. If you did configure the package with Microsoft Entra join, the computer is ready for use and no further configurations are required.
+1. If you didn't set up the package with Microsoft Entra join, continue the Windows device setup experience. If you did configure the package with Microsoft Entra join, the device is ready for use and no further configurations are required
- If successful, you'll see a setup complete message. The PCs start up on the lock screen, with your school's custom background. Upon first use, students and teachers can connect to your school's network and resources.
+If successful, you'll see a setup complete message. The PCs start up on the lock screen, with your school's custom background. Upon first use, students and teachers can connect to your school's network and resources.
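Review bot: the sentence kept just above the rewritten Settings table ("To find out if a setting is available in your version of Windows 10, look for an *X* in the setting row and in the version column") is now stale, because the new table has no 1703/1709/1803/1809 columns and no X marks; either drop that sentence or keep the version columns. In the same table, the "Optimize device for a single student, instead of a shared cart or lab" row still carries the note "Recommended if the device are shared between different students", which contradicts the setting name, and the Autopilot Reset note loses the consequence the old text stated ("Setup will fail if both requirements aren't met") rather than rewording it. Smaller fixes in this hunk: "To reset the it, go to", "a devices's image", "the device are shared" (twice), and the package filename `SetupSchoolPCs_<*devicename*>(Expires <*expiration date*>.ppkg` is missing its closing parenthesis and doesn't match the earlier example `Set_Up_School_PCs (Expires 1-1-2024)`. Since "Windows 10" is generalised to "Windows" in the Install package section, the reset path `Settings > Update & security > Recovery > Reset this PC` should be verified for Windows 11 as well. Finally, the Insert USB and Install package steps still say nothing about safeguarding the drive: the package carries the saved wireless profile and the Microsoft Entra join configuration, and Windows installs it automatically from any USB inserted at OOBE, so one sentence on keeping the drive controlled and wiping it once the 180-day expiry passes would be worth adding here.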
diff --git a/education/windows/windows-11-se-overview.md b/education/windows/windows-11-se-overview.md
index 85683ac20e..e82eb8a227 100644
--- a/education/windows/windows-11-se-overview.md
+++ b/education/windows/windows-11-se-overview.md
@@ -2,18 +2,17 @@
title: Windows 11 SE Overview
description: Learn about Windows 11 SE, and the apps that are included with the operating system.
ms.topic: overview
-ms.date: 08/03/2023
+ms.date: 11/02/2023
appliesto:
- ✅ Windows 11 SE
ms.collection:
- - highpri
- education
- tier1
---
# Windows 11 SE Overview
-Windows 11 SE is an edition of Windows that's designed for education. Windows SE runs on web-first devices that use essential education apps, and it comes with Microsoft Office 365 preinstalled (subscription sold separately).
+Windows 11 SE is an edition of Windows designed for education. Windows SE runs on web-first devices that use essential education apps, and it comes with Microsoft Office 365 preinstalled (subscription sold separately).
For education customers seeking cost-effective devices, Microsoft Windows 11 SE is a great choice. Windows 11 SE includes the following benefits:
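Review bot: the retained second sentence still reads "Windows SE runs on web-first devices" while the sentence this hunk edits just before it uses "Windows 11 SE"; use the full product name in both so the overview doesn't introduce a second name for the edition on its first line.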
@@ -35,8 +34,8 @@ The following table lists the different application types available in Windows o
| --- | --- | :---: | ---|
|Progressive Web Apps (PWAs) | PWAs are web-based applications that can run in a browser and that can be installed as standalone apps. |✅|PWAs are enabled by default in Windows 11 SE.|
| Web apps | Web apps are web-based applications that run in a browser. | ✅ | Web apps are enabled by default in Windows 11 SE. |
-|`Win32`| `Win32` applications are Windows classic applications that may require installation |⛔| If users try to install or execute `Win32` applications that haven't been allowed to run, they fail.|
-|Universal Windows Platform (UWP)/Store apps |UWP apps are commonly obtained from the Microsoft Store and may require installation |⛔|If users try to install or execute UWP applications that haven't been allowed to run, they fail.|
+|`Win32`| `Win32` applications are Windows classic applications that might require installation |⛔| If users try to install or execute `Win32` applications that aren't allowed to run, they fail.|
+|Universal Windows Platform (UWP)/Store apps |UWP apps are commonly obtained from the Microsoft Store and might require installation |⛔|If users try to install or execute UWP applications that haven't been allowed to run, they fail.|
> [!IMPORTANT]
> If there are specific `Win32` or UWP applications that you want to allow, work with Microsoft to get them enabled. For more information, see [Add your own applications](#add-your-own-applications).
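Review bot: the two rows are edited inconsistently: the `Win32` row now says "that aren't allowed to run" while the UWP row directly below keeps "that haven't been allowed to run". Both rows describe the same blocking behaviour, so apply one phrasing to both (the "may" to "might" change was applied to both, the consequence wording should be too).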
@@ -48,33 +47,33 @@ The following table lists all the applications included in Windows 11 SE and the
| App name | App type | Pinned to Start? | Pinned to taskbar? |
|:-----------------------------|:--------:|:----------------:|:------------------:|
| Alarm & Clock | UWP | | |
-| Calculator | UWP | ✅ | |
-| Camera | UWP | ✅ | |
-| Microsoft Edge | `Win32` | ✅ | ✅ |
-| Excel | `Win32` | ✅ | |
+| Calculator | UWP | ✅ | |
+| Camera | UWP | ✅ | |
+| Microsoft Edge | `Win32` | ✅ | ✅ |
+| Excel | `Win32` | ✅ | |
| Feedback Hub | UWP | | |
-| File Explorer | `Win32` | | ✅ |
+| File Explorer | `Win32` | | ✅ |
| FlipGrid | PWA | | |
| Get Help | UWP | | |
-| Media Player | UWP | ✅ | |
+| Media Player | UWP | ✅ | |
| Maps | UWP | | |
| Minecraft: Education Edition | UWP | | |
| Movies & TV | UWP | | |
| News | UWP | | |
-| Notepad | `Win32` | | |
-| OneDrive | `Win32` | | |
-| OneNote | `Win32` | ✅ | |
-| Outlook | PWA | ✅ | |
-| Paint | `Win32` | ✅ | |
+| Notepad | `Win32` | | |
+| OneDrive | `Win32` | | |
+| OneNote | `Win32` | ✅ | |
+| Outlook | PWA | ✅ | |
+| Paint | `Win32` | ✅ | |
| Photos | UWP | | |
-| PowerPoint | `Win32` | ✅ | |
-| Settings | UWP | ✅ | |
+| PowerPoint | `Win32` | ✅ | |
+| Settings | UWP | ✅ | |
| Snip & Sketch | UWP | | |
| Sticky Notes | UWP | | |
-| Teams | `Win32` | ✅ | |
+| Teams | `Win32` | ✅ | |
| To Do | UWP | | |
-| Whiteboard | UWP | ✅ | |
-| Word | `Win32` | ✅ | |
+| Whiteboard | UWP | ✅ | |
+| Word | `Win32` | ✅ | |
## Available applications
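Review bot: every changed row in this table is identical to the line it replaces apart from whitespace, so this hunk is a whitespace-only reflow; either drop it from the change set or say so in the commit message so reviewers don't search the table for a content change.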
diff --git a/includes/licensing/_licensing-requirements.md b/includes/licensing/_licensing-requirements.md
index 780ba51ff0..e87793d3af 100644
--- a/includes/licensing/_licensing-requirements.md
+++ b/includes/licensing/_licensing-requirements.md
@@ -1,7 +1,7 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 09/18/2023
+ms.date: 11/02/2023
ms.topic: include
---
@@ -30,7 +30,7 @@ ms.topic: include
|**[Enhanced phishing protection with SmartScreen](/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection)**|Yes|Yes|Yes|Yes|Yes|
|**[Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection)**|Yes|Yes|Yes|Yes|Yes|
|**[Federal Information Processing Standard (FIPS) 140 validation](/windows/security/security-foundations/certification/fips-140-validation)**|Yes|Yes|Yes|Yes|Yes|
-|**[Federated sign-in](/education/windows/federated-sign-in)**|❌|Yes|Yes|❌|❌|
+|**[Federated sign-in](/education/windows/federated-sign-in)**|❌|❌|❌|Yes|Yes|
|**[FIDO2 security key](/azure/active-directory/authentication/howto-authentication-passwordless-security-key)**|Yes|Yes|Yes|Yes|Yes|
|**[Hardware-enforced stack protection](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/understanding-hardware-enforced-stack-protection/ba-p/1247815)**|Yes|Yes|Yes|Yes|Yes|
|**[Hypervisor-protected Code Integrity (HVCI)](/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity)**|Yes|Yes|Yes|Yes|Yes|
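Review bot: the flipped row `❌|❌|❌|Yes|Yes` needs its column order checked against the include table edited later in this change, whose header is `Windows Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5` with the row `Yes|No|No|Yes|Yes`. If this table uses the same column order, the first column here says federated sign-in is not licensed for Windows Pro Education/SE while the include says it is. The header for this table isn't in the hunk, so please confirm rather than assume; the two tables describe the same entitlement and must agree.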
diff --git a/includes/licensing/federated-sign-in.md b/includes/licensing/federated-sign-in.md
index 701d2a3bde..35e8f24701 100644
--- a/includes/licensing/federated-sign-in.md
+++ b/includes/licensing/federated-sign-in.md
@@ -17,6 +17,6 @@ Federated sign-in license entitlements are granted by the following licenses:
|Windows Pro Education/SE|Windows Enterprise E3|Windows Enterprise E5|Windows Education A3|Windows Education A5|
|:---:|:---:|:---:|:---:|:---:|
-|Yes|Yes|Yes|No|No|
+|Yes|No|No|Yes|Yes|
For more information about Windows licensing, see [Windows licensing overview](/windows/whats-new/windows-licensing).
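Review bot: this row matches the header shown (Pro Education/SE, A3 and A5 = Yes; E3 and E5 = No), but the corresponding row edited earlier in `_licensing-requirements.md` reads `❌|❌|❌|Yes|Yes`, so the two tables currently disagree on Pro Education/SE and one of them needs a second look. The two tables also use different markers for the negative case (`No` here, `❌` there); pick one convention for both.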
diff --git a/store-for-business/docfx.json b/store-for-business/docfx.json
index ba3d25fe32..8fd22d16a4 100644
--- a/store-for-business/docfx.json
+++ b/store-for-business/docfx.json
@@ -69,7 +69,6 @@
"v-stsavell",
"beccarobins",
"Stacyrch140",
- "v-stsavell",
"American-Dipper"
]
},
diff --git a/store-for-business/microsoft-store-for-business-education-powershell-module.md b/store-for-business/microsoft-store-for-business-education-powershell-module.md
index 2cd07840b0..cc4aa9686d 100644
--- a/store-for-business/microsoft-store-for-business-education-powershell-module.md
+++ b/store-for-business/microsoft-store-for-business-education-powershell-module.md
@@ -9,7 +9,7 @@ author: cmcatee-MSFT
manager: scotv
ms.topic: conceptual
ms.localizationpriority: medium
-ms.custom: has-azure-ad-ps-ref
+ms.custom: has-azure-ad-ps-ref, azure-ad-ref-level-one-done
ms.date: 05/24/2023
ms.reviewer:
---
@@ -36,7 +36,7 @@ You can use the PowerShell module to:
- Perform bulk operations with .csv files - automates license management for customers with larger numbers of licenses
>[!NOTE]
->Assigning apps to groups is not supported via this module. Instead, we recommend leveraging the Microsoft Entra ID Or MSOnline Modules to save members of a group to a CSV file and follow instructions below on how to use CSV file to manage assignments.
+>Assigning apps to groups is not supported via this module. Instead, we recommend leveraging the Microsoft Entra ID or [Microsoft Graph PowerShell](/powershell/microsoftgraph/overview) Modules to save members of a group to a CSV file and follow instructions below on how to use CSV file to manage assignments.
## Requirements
To use the Microsoft Store for Business and Education PowerShell module, you'll need:
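Review bot: after this edit the note names two module families ("the Microsoft Entra ID or Microsoft Graph PowerShell Modules") but only the second is a concrete, linked module; "Microsoft Entra ID Modules" is not the name of a module. Point only at Microsoft Graph PowerShell (for example `Get-MgGroupMember` to export a group's members to CSV) or name the exact module you mean. While here: "leveraging" reads better as "using", and the tail of the sentence needs its articles ("follow the instructions below on how to use a CSV file").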
@@ -77,7 +77,7 @@ To authorize the PowerShell module, run this command. You'll need to sign-in wit
Grant-MSStoreClientAppAccess
```
-You will be prompted to sign in with your work or school account and then to authorize the PowerShell Module to access your **Microsoft Store for Business and Education** account. Once the module has been imported into the current PowerShell session and authorized to call into your **Microsoft Store for Business and Education** account, Azure PowerShell cmdlets are loaded and ready to be used.
+You will be prompted to sign in with your work or school account and then to authorize the PowerShell Module to access your **Microsoft Store for Business and Education** account. Once the module has been imported into the current PowerShell session and authorized to call into your **Microsoft Store for Business and Education** account, Microsoft Graph PowerShell cmdlets are loaded and ready to be used.
## View items in Products and Services
Service management should encounter no breaking changes as a result of the separation of Azure Service Management and **Microsoft Store for Business and Education PowerShell** preview.
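Review bot: swapping "Azure PowerShell cmdlets" for "Microsoft Graph PowerShell cmdlets" changes a factual claim about what `Grant-MSStoreClientAppAccess` loads into the session, and nothing in the hunk supports it; the retained line that follows still refers to "the separation of Azure Service Management", so the section is now internally inconsistent. Either verify against the module and update the following paragraph to match, or drop the clause about other cmdlets being loaded and keep the sentence to what the MSStore module itself does.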
diff --git a/store-for-business/microsoft-store-for-business-overview.md b/store-for-business/microsoft-store-for-business-overview.md
index bb6d16110b..c0e3db882e 100644
--- a/store-for-business/microsoft-store-for-business-overview.md
+++ b/store-for-business/microsoft-store-for-business-overview.md
@@ -334,7 +334,7 @@ Customers in these markets can use Microsoft Store for Business and Education to
- Aremenia
- Azerbaijan
- Belarus
-- Bosnia
+- Bosnia and Herzegovina
- Brazil
- Georgia
- India
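Review bot: while correcting "Bosnia" to "Bosnia and Herzegovina", also fix "Aremenia" two lines above in the same list; it should read "Armenia".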
diff --git a/windows/application-management/index.yml b/windows/application-management/index.yml
index b08cd77d57..46ff46e15f 100644
--- a/windows/application-management/index.yml
+++ b/windows/application-management/index.yml
@@ -14,7 +14,6 @@ metadata:
ms.prod: windows-client
ms.collection:
- tier1
- - highpri
# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | tutorial | overview | quickstart | reference | sample | tutorial | video | whats-new
diff --git a/windows/application-management/overview-windows-apps.md b/windows/application-management/overview-windows-apps.md
index 135c557b56..1c54d148ce 100644
--- a/windows/application-management/overview-windows-apps.md
+++ b/windows/application-management/overview-windows-apps.md
@@ -92,7 +92,7 @@ When you use an MDM provider like Microsoft Intune, you can create shortcuts to
## Android™️ apps
-Starting with Windows 11, you can install Android™️ apps. This feature uses the Windows Subsystem for Android, and allows users to interact with mobile apps just like others apps.
+Starting with Windows 11, you can install Android™️ apps. This feature uses the Windows Subsystem for Android, and allows users to interact with mobile apps just like other apps.
For more information, see the following articles:
diff --git a/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md
index e711afcc6a..853f60c4dd 100644
--- a/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md
+++ b/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md
@@ -19,7 +19,7 @@ The enrollment into Intune is triggered by a group policy created on your local
- The Active Directory joined device must be running a [supported version of Windows](/windows/release-health/supported-versions-windows-client).
- The enterprise has configured a Mobile Device Management (MDM) service.
- The on-premises Active Directory must be [integrated with Microsoft Entra ID (via Microsoft Entra Connect)](/azure/architecture/reference-architectures/identity/azure-ad).
-- Service connection point (SCP) configuration. For more information see [configuring the SCP using Microsoft Entra Connect](/azure/active-directory/devices/how-to-hybrid-join). For environments not publishing SCP data to AD, see [Microsoft Entra hybrid join targeted deployment](/azure/active-directory/devices/hybrid-join-control#targeted-deployment-of-microsoft-entra-hybrid-join-on-windows-current-devices).
+- Service connection point (SCP) configuration. For more information, see [configuring the SCP using Microsoft Entra Connect](/azure/active-directory/devices/how-to-hybrid-join). For environments not publishing SCP data to AD, see [Microsoft Entra hybrid join targeted deployment](/azure/active-directory/devices/hybrid-join-control#targeted-deployment-of-microsoft-entra-hybrid-join-on-windows-current-devices).
- The device shouldn't already be enrolled in Intune using the classic agents (devices managed using agents fail enrollment with `error 0x80180026`).
- The minimum Windows Server version requirement is based on the Microsoft Entra hybrid join requirement. For more information, see [How to plan your Microsoft Entra hybrid join implementation](/azure/active-directory/devices/hybrid-azuread-join-plan).
@@ -36,7 +36,7 @@ The autoenrollment relies on the presence of an MDM service and the Microsoft En
> [!NOTE]
> In Windows 10, version 1709, the enrollment protocol was updated to check whether the device is domain-joined. For details, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692). For examples, see section 4.3.1 RequestSecurityToken of the MS-MDE2 protocol documentation.
-When the autoenrollment Group Policy is enabled, a task is created in the background that initiates the MDM enrollment. The task uses the existing MDM service configuration from the Microsoft Entra information of the user. If multi-factor authentication is required, the user gets prompted to complete the authentication. Once the enrollment is configured, the user can check the status in the Settings page.
+When the autoenrollment Group Policy is enabled, a task is created in the background that initiates the MDM enrollment. The task uses the existing MDM service configuration from the Microsoft Entra information of the user. If multifactor authentication is required, the user gets prompted to complete the authentication. Once the enrollment is configured, the user can check the status in the Settings page.
- Starting in Windows 10, version 1709, when the same policy is configured in Group Policy and MDM, Group Policy policy takes precedence over MDM.
- Starting in Windows 10, version 1803, a new setting allows you to change precedence to MDM. For more information, see [Windows Group Policy vs. Intune MDM Policy who wins?](/archive/blogs/cbernier/windows-10-group-policy-vs-intune-mdm-policy-who-wins).
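Review bot: the unchanged context line "Group Policy policy takes precedence over MDM" reads as a doubled word; since this hunk already rewrites the surrounding paragraph, consider "the Group Policy setting takes precedence over MDM" so the precedence rule is unambiguous next to the version 1803 bullet that follows.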
@@ -52,20 +52,13 @@ To configure autoenrollment using a group policy, use the following steps:
1. Link the GPO.
1. Filter using Security Groups.
-If you don't see the policy, it may be because you don't have the ADMX for Windows 10, version 1803 or later installed. To fix the issue, use the following procedures. The latest MDM.admx is backwards compatible.
+If you don't see the policy, get the latest ADMX for your Windows version. To fix the issue, use the following procedures. The latest MDM.admx is backwards compatible.
1. Download the administrative templates for the desired version:
- - [Administrative Templates (.admx) for Windows 10 April 2018 Update (1803)](https://www.microsoft.com/download/details.aspx?id=56880)
- - [Administrative Templates (.admx) for Windows 10 October 2018 Update (1809)](https://www.microsoft.com/download/details.aspx?id=57576)
- - [Administrative Templates (.admx) for Windows 10 May 2019 Update (1903)](https://www.microsoft.com/download/details.aspx?id=58495)
- - [Administrative Templates (.admx) for Windows 10 November 2019 Update (1909)](https://www.microsoft.com/download/confirmation.aspx?id=100591)
- - [Administrative Templates (.admx) for Windows 10 May 2020 Update (2004)](https://www.microsoft.com/download/confirmation.aspx?id=101445)
- - [Administrative Templates (.admx) for Windows 10 October 2020 Update (20H2)](https://www.microsoft.com/download/details.aspx?id=102157)
- - [Administrative Templates (.admx) for Windows 10 May 2021 Update (21H1)](https://www.microsoft.com/download/details.aspx?id=103124)
- - [Administrative Templates (.admx) for Windows 10 November 2021 Update (21H2)-v2.0](https://www.microsoft.com/download/details.aspx?id=104042)
- - [Administrative Templates (.admx) for Windows 10 October 2022 Update (22H2)](https://www.microsoft.com/download/104677)
- - [Administrative Templates (.admx) for Windows 11 2022 September Update (22H2)](https://www.microsoft.com/download/details.aspx?id=104593)
+ - [Windows 11, version 23H2](https://www.microsoft.com/download/details.aspx?id=105667)
+ - [Windows 11, version 22H2](https://www.microsoft.com/download/details.aspx?id=104593)
+ - [Windows 10, version 22H2](https://www.microsoft.com/download/details.aspx?id=104677)
1. Install the package on the Domain Controller.
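Review bot: the rewritten sentence "If you don't see the policy, get the latest ADMX for your Windows version. To fix the issue, use the following procedures." leaves "To fix the issue" without an issue to refer to, because the cause ("you don't have the ADMX ... installed") was dropped along with the version list. Suggest keeping the cause and merging the instruction, for example: "If you don't see the policy, the ADMX templates for your Windows version might not be installed. Install the latest templates using the following procedure; the latest MDM.admx is backwards compatible." The three remaining download links also drop the "Administrative Templates (.admx) for" prefix, which is fine given step 1 names them, but the list should state which one to pick when the client and Domain Controller versions differ.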
@@ -96,9 +89,9 @@ This procedure is only for illustration purposes to show how the new autoenrollm
>
> **Device Credential** is only supported for Microsoft Intune enrollment in scenarios with Co-management or [Azure Virtual Desktop multi-session host pools](/mem/intune/fundamentals/azure-virtual-desktop-multi-session) because the Intune subscription is user centric. User credentials are supported for [Azure Virtual Desktop personal host pools](/mem/intune/fundamentals/azure-virtual-desktop).
-When a group policy refresh occurs on the client, a task is created and scheduled to run every 5 minutes for the duration of one day. The task is called **Schedule created by enrollment client for automatically enrolling in MDM from Microsoft Entra ID**. To see the scheduled task, launch the [Task Scheduler app](#task-scheduler-app).
+When a group policy refresh occurs on the client, a task is created and scheduled to run every five minutes for one day. The task is called **Schedule created by enrollment client for automatically enrolling in MDM from Microsoft Entra ID**. To see the scheduled task, launch the [Task Scheduler app](#task-scheduler-app).
-If two-factor authentication is required, you are prompted to complete the process. Here's an example screenshot.
+If two-factor authentication is required, you're prompted to complete the process. Here's an example screenshot.
:::image type="content" source="images/autoenrollment-2-factor-auth.png" alt-text="Screenshot of Two-factor authentication notification.":::
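Review bot: terminology is now inconsistent within the same file: the earlier hunk changed "multi-factor authentication" to "multifactor authentication", while the line edited here still says "If two-factor authentication is required". Since this line is already being touched for the contraction, align it to "If multifactor authentication is required, you're prompted to complete the process." (the screenshot alt text can stay as the image is labeled).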
@@ -124,10 +117,10 @@ In **Task Scheduler Library**, open **Microsoft > Windows** , then select **Ente
To see the result of the task, move the scroll bar to see the **Last Run Result**. You can see the logs in the **History** tab.
-The message **0x80180026** is a failure message (`MENROLL_E_DEVICE_MANAGEMENT_BLOCKED`). If the device enrollment is blocked, your IT admin might have enabled the **Disable MDM Enrollment** policy.
+The message **0x80180026** is a failure message (`MENROLL_E_DEVICE_MANAGEMENT_BLOCKED`), which can be caused by enabling the **Disable MDM Enrollment** policy.
> [!NOTE]
-> The GPEdit console doesn't reflect the status of policies set by your IT admin on your device. It's only used by the user to set policies.
+> The GPEdit console doesn't reflect the status of policies set by your organization on your device. It's only used by the user to set policies.
## Related articles
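Review bot: the rewritten sentence now names a single cause for `0x80180026` (the **Disable MDM Enrollment** policy), but the prerequisites earlier in this same file state that devices still managed by the classic agents also fail enrollment with `error 0x80180026`. Suggest listing both so the troubleshooting step is complete, for example: "... which can be caused by enabling the **Disable MDM Enrollment** policy or by the device already being managed with the classic agents." The GPEdit note change from "IT admin" to "organization" is fine.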
diff --git a/windows/client-management/images/bing-chat-enterprise-chat-provider.png b/windows/client-management/images/bing-chat-enterprise-chat-provider.png
new file mode 100644
index 0000000000..6213a99d16
Binary files /dev/null and b/windows/client-management/images/bing-chat-enterprise-chat-provider.png differ
diff --git a/windows/client-management/manage-windows-copilot.md b/windows/client-management/manage-windows-copilot.md
index bc4adbca9d..9851b09748 100644
--- a/windows/client-management/manage-windows-copilot.md
+++ b/windows/client-management/manage-windows-copilot.md
@@ -1,31 +1,200 @@
---
title: Manage Copilot in Windows
-description: Learn how to manage Copilot in Windows using MDM and group policy.
+description: Learn how to manage Copilot in Windows for commercial environments using MDM and group policy. Learn about the chat providers available to Copilot in Windows.
ms.topic: article
-ms.date: 10/16/2023
+ms.technology: itpro-windows-copilot
+ms.date: 11/06/2023
+ms.author: mstewart
+author: mestew
appliesto:
-- ✅ Windows 11
+- ✅ Windows 11, version 22H2 or later
---
# Manage Copilot in Windows
+
+>**Looking for consumer information?** See [Welcome to Copilot in Windows](https://support.microsoft.com/windows/welcome-to-copilot-in-windows-675708af-8c16-4675-afeb-85a5a476ccb0).
-Windows is the first PC platform to provide centralized AI assistance for customers. Together, with Bing Chat, Copilot in Windows helps you bring your ideas to life, complete complex projects and collaborate instead of spending energy finding, launching and working across multiple applications.
+Copilot in Windows provides centralized generative AI assistance to your users right from the Windows desktop. Copilot in Windows appears as a side bar docked on the Windows desktop. It's designed to help your users get things done in Windows. Copilot in Windows can perform common tasks in Windows like changing Windows settings, which makes it different from the browser-based [Copilot in Edge](/bing-chat-enterprise/edge). However, both user experiences, Copilot in Windows and Copilot in Edge, can share the same underlying chat provider platform. It's important for organizations to properly configure the chat provider platform that Copilot in Windows uses, since it is possible for users to copy and paste sensitive information into the chat provider.
-This article lists settings available to manage Copilot in Windows. To learn more about Copilot in Windows, see [Welcome to Copilot in Windows](https://support.microsoft.com/windows/welcome-to-copilot-in-windows-675708af-8c16-4675-afeb-85a5a476ccb0).
+> [!Note]
+> - Copilot in Windows is currently available as a preview. We will continue to experiment with new ideas and methods using your feedback.
+> - Copilot in Windows is being released in preview to select global markets as part of our latest update to Windows 11. The initial markets for the Copilot in Windows preview include North America and parts of Asia and South America. It is our intention to add additional markets over time.
-## Turn off Copilot in Windows
+## Configure Copilot in Windows for commercial environments
-This policy setting allows you to turn off Copilot in Windows. If you enable this policy setting, users can't use Copilot. The Copilot icon doesn't appear on the taskbar either. If you disable or don't configure this policy setting, users can use Copilot when it's available to them.
+At a high level, managing and configuring Copilot in Windows for your organization involves the following steps:
-| | Setting |
-|------------------|---------------------------------------------------------------------------------------------------------|
-| **CSP** | ./User/Vendor/MSFT/WindowsAI/[TurnOffWindowsCopilot](mdm/policy-csp-windowsai.md#turnoffwindowscopilot) |
+1. Understand the [available chat provider platforms for Copilot in Windows](#chat-provider-platforms-for-copilot-in-windows)
+1. [Configure the chat provider platform](#configure-the-chat-provider-platform-that-copilot-in-windows-uses) used by Copilot in Windows
+1. Ensure the [Copilot in Windows user experience](#ensure-the-copilot-in-windows-user-experience-is-enabled) is enabled
+1. Verify [other settings that might affect Copilot in Windows](#other-settings-that-might-affect-copilot-in-windows-and-its-underlying-chat-provider) and its underlying chat provider
+
+Organizations that aren't ready to use Copilot in Windows can disable it until they're ready with the **Turn off Windows Copilot** policy. This policy setting allows you to turn off Copilot in Windows. If you enable this policy setting, users can't use Copilot in Windows and the icon doesn't appear on the taskbar either. If you disable or don't configure this policy setting, users can use Copilot in Windows when it's available to them.
+
+| | Setting |
+|---|---|
+| **CSP** | ./User/Vendor/MSFT/Policy/Config/WindowsAI/[TurnOffWindowsCopilot](mdm/policy-csp-windowsai.md#turnoffwindowscopilot) |
| **Group policy** | User Configuration > Administrative Templates > Windows Components > Windows Copilot > **Turn off Windows Copilot** |
+## Chat provider platforms for Copilot in Windows
-## Related articles
+Copilot in Windows can use either Bing Chat or Bing Chat Enterprise as its chat provider platform. The chat provider platform is the underlying service that Copilot in Windows uses to communicate with the user. The chat provider platform that Copilot in Windows uses is important because it is possible for users to copy and paste sensitive information into the chat provider. Each chat provider platform has different privacy and security protections.
-- [Welcome to Copilot in Windows](https://support.microsoft.com/windows/welcome-to-copilot-in-windows-675708af-8c16-4675-afeb-85a5a476ccb0)
+**Bing Chat**:
-- [Copilot in Windows: Your data and privacy](https://support.microsoft.com/windows/copilot-in-windows-your-data-and-privacy-3e265e82-fc76-4d0a-afc0-4a0de528b73a)
+[Bing Chat](https://www.microsoft.com/bing/do-more-with-ai/what-is-bing-chat-and-how-can-you-use-it) is a consumer experience and if a user isn't signed in with their Microsoft account, the number of chat queries per user has a daily limit. Bing Chat doesn't offer the same commercial data protection as Bing Chat Enterprise does. The following privacy and security protections apply for Bing Chat:
+ - [Copilot in Windows: Your data and privacy](https://support.microsoft.com/windows/3e265e82-fc76-4d0a-afc0-4a0de528b73a)
+ - The privacy statement for using Bing Chat follows the [Microsoft privacy statement](https://privacy.microsoft.com/privacystatement) including the product specific guidance in the Microsoft privacy statement for **Bing** under the **Search, Microsoft Edge, and artificial intelligence** section.
+
+
+**Bing Chat Enterprise**:
+
+[Bing Chat Enterprise](/bing-chat-enterprise/overview) is intended for commercial use scenarios and offers commercial data protection. The following privacy and security protections apply for Bing Chat Enterprise:
+
+- With [Bing Chat Enterprise](/bing-chat-enterprise/overview), user and organizational data is protected, chat data isn't saved, and your data isn't used to train the underlying large language models. Because of this protection, chat history, 3rd-party plugins, and the Bing mobile app for iOS or Android aren't currently supported. Bing Chat Enterprise is accessible from mobile browsers, including Edge mobile on iOS and Android. Review the Bing Chat Enterprise [privacy statement](/bing-chat-enterprise/privacy-and-protections).
+- Bing Chat Enterprise is available, at no additional cost, for the following licenses:
+ - Microsoft 365 E3 or E5
+ - Microsoft 365 A3 or A5 for faculty
+ - Microsoft 365 Business Standard
+ - Microsoft 365 Business Premium
+
+ > [!Note]
+ > Bing Chat Enterprise and Bing Chat don't have access to Microsoft Graph, unlike [Microsoft 365 Copilot](/microsoft-365-copilot/microsoft-365-copilot-overview) which can be used in the Microsoft 365 apps. This means that Bing Chat Enterprise and Bing Chat can't access Microsoft 365 Apps data, such as email, calendar, or files.
+
+## Configure the chat provider platform that Copilot in Windows uses
+
+Configuring the correct chat provider platform for Copilot in Windows is important because it is possible for users to copy and paste sensitive information into the chat provider. Each chat provider platform has different privacy and security protections. Once you have selected the chat provider platform that you want to use for Copilot in Windows, ensure it's configured for your organization's users. The following sections describe how to configure the chat provider platform that Copilot in Windows uses.
+
+### Bing Chat as the chat provider platform
+
+Bing Chat is used as the default chat provider platform for Copilot in Windows when any of the following conditions occur:
+
+- Bing Chat Enterprise isn't configured for the user
+- The user isn't assigned a license that includes Bing Chat Enterprise
+- Bing Chat Enterprise is [turned off](/bing-chat-enterprise/manage)
+- The user isn't signed in with a Microsoft Entra account that's licensed for Bing Chat Enterprise
+
+### Bing Chat Enterprise as the chat provider platform (recommended for commercial environments)
+
+To verify that Bing Chat Enterprise is enabled for the user as the chat provider platform for Copilot in Windows, use the following instructions:
+
+1. Sign into the [Microsoft 365 admin center](https://admin.microsoft.com/).
+1. In the admin center, select **Users** > **Active users** and verify that users are assigned a license that includes Bing Chat Enterprise. Bing Chat Enterprise is included and enabled by default for users that are assigned one of the following licenses:
+ - Microsoft 365 E3 or E5
+ - Microsoft 365 A3 or A5 for faculty
+ - Currently, Microsoft 365 A3 and A5 for faculty requires additional configuration. For more information, see [Manage Bing Chat Enterprise](/bing-chat-enterprise/manage).
+ - Microsoft 365 Business Standard
+ - Microsoft 365 Business Premium
+1. To verify that Bing Chat Enterprise is enabled for the user, select the user's **Display name** to open the flyout menu.
+1. In the flyout, select the **Licenses & apps** tab, then expand the **Apps** list.
+1. Verify that **Bing Chat Enterprise** is enabled for the user.
+1. If you prefer to view a user's licenses from the [Azure portal](https://portal.azure.com), you will find it under **Microsoft Entra ID** > **Users**. Select the user's name, then **Licenses**. Select a license that includes Bing Chat Enterprise, and verify that it's listed as **On**.
+
+ > [!Note]
+ > If you previously disabled Bing Chat Enterprise using the URL, `https://aka.ms/TurnOffBCE`, see [Manage Bing Chat Enterprise](/bing-chat-enterprise/manage) for verifying that Bing Chat Enterprise is enabled for your users.
+
+The following sample PowerShell script connects to Microsoft Graph and lists which users that have Bing Chat Enterprise enabled and disabled:
+
+```powershell
+# Install Microsoft Graph module
+if (-not (Get-Module Microsoft.Graph.Users)) {
+ Install-Module Microsoft.Graph.Users
+}
+
+# Connect to Microsoft Graph
+Connect-MgGraph -Scopes 'User.Read.All'
+
+# Get all users
+$users = Get-MgUser -All -ConsistencyLevel eventual -Property Id, DisplayName, Mail, UserPrincipalName, AssignedPlans
+
+# Users with Bing Chat Enterprise enabled
+$users | Where-Object { $_.AssignedPlans -and $_.AssignedPlans.Service -eq "Bing" -and $_.AssignedPlans.CapabilityStatus -eq "Enabled" } | Format-Table
+
+# Users without Bing Chat Enterprise enabled
+$users | Where-Object { -not $_.AssignedPlans -or ($_.AssignedPlans.Service -eq "Bing" -and $_.AssignedPlans.CapabilityStatus -ne "Enabled") } | Format-Table
+```
+
+When Bing Chat Enterprise is the chat provider platform, the user experience clearly states that **Your personal and company data are protected in this chat**. There's also a shield symbol labeled **Protected** at the top of the Copilot in Windows sidebar and the provider is listed under the Copilot logo when the sidebar is first opened. The following image shows the message that's displayed when Bing Chat Enterprise is the chat provider platform for Copilot in Windows:
+
+:::image type="content" source="images/bing-chat-enterprise-chat-provider.png" alt-text="Screenshot of the Copilot in Windows user experience when Bing Chat Enterprise is the chat provider." lightbox="images/bing-chat-enterprise-chat-provider.png":::
+
+## Ensure the Copilot in Windows user experience is enabled
+
+Once you've configured the chat provider platform that Copilot in Windows uses, you need to ensure that the Copilot in Windows user experience is enabled. Ensuring the Copilot in Windows user experience is enabled varies by the Windows version.
+
+### Enable the Copilot in Windows user experience for Windows 11, version 22H2 clients
+
+Copilot in Windows isn't technically enabled by default for managed Windows 11, version 22H2 devices because it's behind a [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control). For the purposes of temporary enterprise control, a system is considered managed if it's configured to get updates from Windows Update for Business or [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus). Clients that get updates from Microsoft Configuration Manager, Microsoft Intune, and Windows Autopatch are considered managed since their updates ultimately come from WSUS or Windows Updates for Business.
+
+To enable Copilot in Windows for managed Windows 11, version 22H2 devices, you need to enable features under temporary enterprise control for these devices. Since enabling features behind [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control) can be impactful, you should test this change before deploying it broadly. To enable Copilot in Windows for managed Windows 11, version 22H2 devices, use the following instructions:
+
+1. Verify that the user accounts have the correct chat provider platform configured for Copilot in Windows. For more information, see the [Configure the chat provider platform that Copilot in Windows uses](#configure-the-chat-provider-platform-that-copilot-in-windows-uses) section.
+1. Apply a policy to enable features under temporary enterprise control for managed clients. The following polices apply to Windows 11, version 22H2 with [KB5022845](https://support.microsoft.com/en-us/topic/february-14-2023-kb5022845-os-build-22621-1265-90a807f4-d2e8-486e-8a43-d09e66319f38) and later:
+ - **Group Policy:** Computer Configuration\Administrative Templates\Windows Components\Windows Update\Manage end user experience\\**Enable features introduced via servicing that are off by default**
+
+ - **CSP**: ./Device/Vendor/MSFT/Policy/Config/Update/[AllowTemporaryEnterpriseFeatureControl](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowtemporaryenterprisefeaturecontrol)
+ - In the Intune [settings catalog](/mem/intune/configuration/settings-catalog), this setting is named **Allow Temporary Enterprise Feature Control** under the **Windows Update for Business** category.
+ > [!Important]
+ > For the purposes of temporary enterprise control, a system is considered managed if it's configured to get updates from Windows Update for Business or [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus). Clients that get updates from Microsoft Configuration Manager, Microsoft Intune, and Windows Autopatch are considered managed since their updates ultimately come from WSUS or Windows Updates for Business.
+
+1. Copilot in Windows will be initially deployed to devices using a controlled feature rollout (CFR). Depending on how soon you start deploying Copilot in Windows, you might also need to [enable optional updates](/windows/deployment/update/waas-configure-wufb#enable-optional-updates) with one of the following policies:
+ - **Group Policy:** Computer Configuration\Administrative Templates\Windows Components\Windows Update\Windows Update for Business\\**Allow updates to Windows optional features**
+ - **CSP**: ./Device/Vendor/MSFT/Policy/Config/Update/[AllowOptionalUpdates](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowoptionalupdates)
+ - In the Intune [settings catalog](/mem/intune/configuration/settings-catalog), this setting is named **Allow optional updates** under the **Windows Update for Business** category.
+
+ The optional updates policy applies to Windows 11, version 22H2 with [KB5029351](https://support.microsoft.com/help/5029351) and later. When setting policy for [optional updates](/windows/deployment/update/waas-configure-wufb#enable-optional-updates), ensure you select one of the following options that includes CFRs:
+ - Automatically receive optional updates (including CFRs)
+ - This selection places devices into an early CFR phase
+ - Users can select which optional updates to receive
+
+1. Windows 11, version 22H2 devices display Copilot in Windows when the CFR is enabled for the device. CFRs are enabled for devices in phases, sometimes called waves.
+
+### Enable the Copilot in Windows user experience for Windows 11, version 23H2 clients
+
+Once a managed device installs the version 23H2 update, the [temporary enterprise control](/windows/whats-new/temporary-enterprise-feature-control) for Copilot in Windows will be removed. This means that Copilot in Windows will be enabled by default for these devices.
+
+While the user experience for Copilot in Windows is enabled by default, you still need to verify that the correct chat provider platform configured for Copilot in Windows. While every effort has been made to ensure that Bing Chat Enterprise is the default chat provider for commercial organizations, it's still possible that Bing Chat might still be used if the configuration is incorrect, or if other settings are affecting Copilot in Windows. For more information, see:
+- [Configure the chat provider platform that Copilot in Windows uses](#configure-the-chat-provider-platform-that-copilot-in-windows-uses)
+- [Other settings that might affect Copilot in Windows and its underlying chat provider](#other-settings-that-might-affect-copilot-in-windows-and-its-underlying-chat-provider)
+
+Organizations that aren't ready to use Copilot in Windows can disable it until they're ready by using the following policy:
+
+- **CSP**: ./User/Vendor/MSFT/Policy/Config/WindowsAI/[TurnOffWindowsCopilot](mdm/policy-csp-windowsai.md#turnoffwindowscopilot)
+- **Group Policy**: User Configuration\Administrative Templates\Windows Components\Windows Copilot\\**Turn off Windows Copilot**
+
+## Other settings that might affect Copilot in Windows and its underlying chat provider
+
+Copilot in Windows and [Copilot in Edge](/bing-chat-enterprise/edge), can share the same underlying chat provider platform. This also means that some settings that affect Bing Chat, Bing Chat Enterprise, and Copilot in Edge can also affect Copilot in Windows. The following common settings might affect Copilot in Windows and its underlying chat provider:
+
+### Bing settings
+
+- If [SafeSearch](https://support.microsoft.com/topic/946059ed-992b-46a0-944a-28e8fb8f1814) is enabled for Bing, it can block chat providers for Copilot in Windows. The following network changes block the chat providers for Copilot in Windows and Copilot in Edge:
+ - mapping `www.bing.com` to `strict.bing.com`
+ - mapping `edgeservices.bing.com` to `strict.bing.com`
+ - blocking `bing.com`
+
+- If Bing Chat Enterprise is turned on for your organization, users will be able to access it through Edge mobile when signed in with their work account. If you would like to remove the Bing Chat button from the Edge mobile interface, you can use an [Intune Mobile Application Management (MAM) policy for Microsoft Edge](/mem/intune/apps/manage-microsoft-edge) to remove it:
+
+ |Key |Value |
+ |:---------|:------------|
+ |com.microsoft.intune.mam.managedbrowser.Chat| **true** (default) shows the interface **false** hides the interface |
+
+### Microsoft Edge policies
+
+- If [HubsSidebarEnabled](/deployedge/microsoft-edge-policies#hubssidebarenabled) is set to `disabled`, it blocks Copilot in Edge from being displayed.
+- If [DiscoverPageContextEnabled](/deployedge/microsoft-edge-policies#discoverpagecontextenabled) is set to `disabled`, it blocks Bing Chat and Bing Chat Enterprise from reading the current webpage context. The chat providers need access to the current webpage context for providing page summarizations and sending user selected strings from the webpage into the chat provider.
+
+### Search settings
+
+- Setting [ConfigureSearchOnTaskbarMode](/windows/client-management/mdm/policy-csp-search#configuresearchontaskbarmode) to `Hide` might interfere with the Copilot in Windows user experience.
+- Setting [AllowSearchHighlights](/windows/client-management/mdm/policy-csp-search#allowsearchhighlights) to `disabled` might interfere with the Copilot in Windows and the Copilot in Edge user experiences.
+
+### Account settings
+
+- The [AllowMicrosoftAccountConnection](/windows/client-management/mdm/policy-csp-accounts#allowmicrosoftaccountconnection) setting might allow users to use their personal Microsoft account with Copilot in Windows and Copilot in Edge.
+- The [RestrictToEnterpriseDeviceAuthenticationOnly](/windows/client-management/mdm/policy-csp-accounts#restricttoenterprisedeviceauthenticationonly) setting might prevent access to chat providers since it blocks user authentication.
+
+## Microsoft's commitment to responsible AI
+
+Microsoft has been on a responsible AI journey since 2017, when we defined our principles and approach to ensuring this technology is used in a way that is driven by ethical principles that put people first. For more about our responsible AI journey, the ethical principles that guide us, and the tooling and capabilities we've created to assure that we develop AI technology responsibly, see [Responsible AI](https://www.microsoft.com/ai/responsible-ai).
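Review bot: the two `Where-Object` filters in the sample PowerShell script don't correlate `Service` and `CapabilityStatus` on the same plan. In PowerShell, `$_.AssignedPlans.Service -eq "Bing"` and `$_.AssignedPlans.CapabilityStatus -eq "Enabled"` each filter the whole `AssignedPlans` collection independently, so a user whose Bing plan is `Deleted` but who has any other plan `Enabled` is reported as enabled, and a user who has plans but no Bing plan at all appears in neither list (the second filter's `-eq "Bing"` returns an empty, falsy result). Evaluate the condition per plan instead, for example `$bce = { @($_.AssignedPlans).Where({ $_.Service -eq 'Bing' -and $_.CapabilityStatus -eq 'Enabled' }).Count -gt 0 }` and then `$users | Where-Object $bce | Format-Table` for the enabled set and `$users | Where-Object { -not (& $bce) } | Format-Table` for the rest, so every user lands in exactly one list. Two smaller points in the same block: `Get-Module Microsoft.Graph.Users` only checks modules already loaded in the session, so `-ListAvailable` is needed to avoid re-running `Install-Module` on machines that already have it, and the lead-in sentence "lists which users that have Bing Chat Enterprise enabled" should read "lists which users have". Separately, in the 23H2 section "verify that the correct chat provider platform configured" is missing "is".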
diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md
index 448ed58929..ab201e6028 100644
--- a/windows/client-management/mdm/bitlocker-csp.md
+++ b/windows/client-management/mdm/bitlocker-csp.md
@@ -4,7 +4,7 @@ description: Learn more about the BitLocker CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -18,8 +18,6 @@ ms.topic: reference
[!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)]
-[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
-
The BitLocker configuration service provider (CSP) is used by the enterprise to manage encryption of PCs and devices. This CSP was added in Windows 10, version 1703. Starting in Windows 10, version 1809, it's also supported in Windows 10 Pro.
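Review bot: dropping the Windows Insider include is consistent with the later hunk in this file that removes AllowSuspensionOfBitLockerProtection, whose scope table listed it as Windows Insider Preview. Before merging, confirm no other node on this page still shows "Windows Insider Preview" under Applicable OS, since the include is what tells readers that such nodes aren't in released builds.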
@@ -39,7 +37,6 @@ The following list shows the BitLocker configuration service provider nodes:
- ./Device/Vendor/MSFT/BitLocker
- [AllowStandardUserEncryption](#allowstandarduserencryption)
- - [AllowSuspensionOfBitLockerProtection](#allowsuspensionofbitlockerprotection)
- [AllowWarningForOtherDiskEncryption](#allowwarningforotherdiskencryption)
- [ConfigureRecoveryPasswordRotation](#configurerecoverypasswordrotation)
- [EncryptionMethodByDriveType](#encryptionmethodbydrivetype)
@@ -148,64 +145,6 @@ To disable this policy, use the following SyncML:
-
-## AllowSuspensionOfBitLockerProtection
-
-
-| Scope | Editions | Applicable OS |
-|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
-
-
-
-```Device
-./Device/Vendor/MSFT/BitLocker/AllowSuspensionOfBitLockerProtection
-```
-
-
-
-
-This policy setting allows suspending protection for BitLocker Drive Encryption when enabled and prevents suspending protection when disabled.
-
-> [!WARNING]
-> When policy is disabled, some scenarios will be blocked and prevent those scenarios from behaving normally.
-
-The expected values for this policy are:
-
-0 = Prevent BitLocker Drive Encryption protection from being suspended.
-
-1 = This is the default, when the policy isn't set. Allows suspending BitLocker Drive Encryption protection.
-
-
-
-
-
-
-
-**Description framework properties**:
-
-| Property name | Property value |
-|:--|:--|
-| Format | `int` |
-| Access Type | Add, Delete, Get, Replace |
-| Default Value | 1 |
-
-
-
-**Allowed values**:
-
-| Value | Description |
-|:--|:--|
-| 0 | Prevent BitLocker Drive Encryption protection from being suspended. |
-| 1 (Default) | This is the default, when the policy isn't set. Allows suspending BitLocker Drive Encryption protection. |
-
-
-
-
-
-
-
-
## AllowWarningForOtherDiskEncryption
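Review bot: the whole AllowSuspensionOfBitLockerProtection section is removed without any trace on the page, and this diff doesn't touch a changelog. Readers who configured this node on Insider builds (the removed table marked it Windows Insider Preview) will find the URI `./Device/Vendor/MSFT/BitLocker/AllowSuspensionOfBitLockerProtection` gone with no explanation; if the page or CSP reference keeps a change history, a one-line entry noting the removal would help. The removal of the matching entry from the node list earlier in this file is consistent.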
@@ -312,9 +251,9 @@ Windows will attempt to silently enable BitLocker for value 0.
-Allows Admin to configure Numeric Recovery Password Rotation upon use for OS and fixed drives on Microsoft Entra ID and Hybrid domain joined devices.
+Allows Admin to configure Numeric Recovery Password Rotation upon use for OS and fixed drives on Microsoft Entra ID and hybrid domain joined devices.
-When not configured, Rotation is turned on by default for Microsoft Entra-only and off on Hybrid. The Policy will be effective only when Active Directory back up for recovery password is configured to required.
+When not configured, Rotation is turned on by default for Microsoft Entra ID only and off on hybrid. The Policy will be effective only when Active Directory back up for recovery password is configured to required.
For OS drive: Turn on "Do not enable BitLocker until recovery information is stored to AD DS for operating system drives".
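Review bot: the Entra ID wording change is fine, but the `+` line still carries "Active Directory back up for recovery password is configured to required"; "back up" as a noun should be "backup", and "the Policy" should be lower-case, e.g. "The policy is effective only when Active Directory backup of the recovery password is configured as required."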
@@ -323,7 +262,7 @@ For Fixed drives: Turn on "Do not enable BitLocker until recovery information is
Supported Values: 0 - Numeric Recovery Passwords rotation OFF.
1 - Numeric Recovery Passwords Rotation upon use ON for Microsoft Entra joined devices. Default value
-2 - Numeric Recovery Passwords Rotation upon use ON for both Microsoft Entra ID and Hybrid devices.
+2 - Numeric Recovery Passwords Rotation upon use ON for both Microsoft Entra ID and hybrid devices.
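Review bot: value 1 on the unchanged context line above still reads "Microsoft Entra joined devices" while the edited value 2 says "Microsoft Entra ID and hybrid devices"; within the same Supported Values list, update value 1 to "Microsoft Entra ID joined devices" and fold the dangling "Default value" fragment into the sentence, e.g. "(default)".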
diff --git a/windows/client-management/mdm/bitlocker-ddf-file.md b/windows/client-management/mdm/bitlocker-ddf-file.md
index c6d82985f8..fb912358e4 100644
--- a/windows/client-management/mdm/bitlocker-ddf-file.md
+++ b/windows/client-management/mdm/bitlocker-ddf-file.md
@@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 06/02/2023
+ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -772,52 +772,6 @@ Supported Values: String form of request ID. Example format of request ID is GUI
-
- AllowSuspensionOfBitLockerProtection
-
-
-
-
-
-
-
- 1
- This policy setting allows suspending protection for BitLocker Drive Encryption when enabled and prevents suspending protection when disabled.
- Warning: When policy is disabled, some scenarios will be blocked and prevent those scenarios from behaving normally.
- The format is integer.
- The expected values for this policy are:
-
- 0 = Prevent BitLocker Drive Encryption protection from being suspended.
- 1 = This is the default, when the policy is not set. Allows suspending BitLocker Drive Encryption protection.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- 99.9.99999
- 9.9
-
-
-
- 0
- Prevent BitLocker Drive Encryption protection from being suspended.
-
-
- 1
- This is the default, when the policy is not set. Allows suspending BitLocker Drive Encryption protection.
-
-
-
- Status
diff --git a/windows/client-management/mdm/clientcertificateinstall-csp.md b/windows/client-management/mdm/clientcertificateinstall-csp.md
index 48a1d87c37..a1936f909b 100644
--- a/windows/client-management/mdm/clientcertificateinstall-csp.md
+++ b/windows/client-management/mdm/clientcertificateinstall-csp.md
@@ -4,7 +4,7 @@ description: Learn more about the ClientCertificateInstall CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/24/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -165,7 +165,7 @@ Required for PFX certificate installation. A unique ID to differentiate differen
Format is node.
-Calling Delete on the this node, should delete the certificates and the keys that were installed by the corresponding PFX blob.
+Calling Delete on this node, should delete the certificates and the keys that were installed by the corresponding PFX blob.
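Review bot: removing the duplicated "the" is right, but the comma after "node" still separates the subject from its verb; suggest "Calling Delete on this node should delete the certificates and the keys that were installed by the corresponding PFX blob." The same wording recurs in the SCEP and second PFXCertInstall hunks below (the @@ -653, @@ -1741 and @@ -2227 hunks), so apply the same fix there.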
@@ -385,7 +385,7 @@ Password that protects the PFX blob. This is required if the PFX is password pro
Optional.
-When a value of "2" is contained iin PFXCertPasswordEncryptionType, specify the store name where the certificate for decrypting the PFXCertPassword is stored.
+When a value of "2" is contained in PFXCertPasswordEncryptionType, specify the store name where the certificate for decrypting the PFXCertPassword is stored.
@@ -653,7 +653,7 @@ Node for SCEP. An alert is sent after the SCEP certificate is installed.
Required for SCEP certificate installation. A unique ID to differentiate different certificate install requests.
-Calling Delete on the this node, should delete the corresponding SCEP certificate.
+Calling Delete on this node, should delete the corresponding SCEP certificate.
@@ -813,7 +813,7 @@ Required for SCEP certificate enrollment. Parent node to group SCEP cert install
-Optional. Specify the AAD Key Identifier List as a semicolon separated values. On Enroll, the values in this list are validated against the AAD Key present on the device. If no match is found, enrollment will fail.
+Optional. Specify the Microsoft Entra ID Key Identifier List as a semicolon separated values. On Enroll, the values in this list are validated against the Microsoft Entra ID Key present on the device. If no match is found, enrollment will fail.
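Review bot: "as a semicolon separated values" on the `+` line mixes a singular article with a plural noun; suggest "as semicolon-separated values". Since the check this node describes is a hard fail ("If no match is found, enrollment will fail"), it would also help admins to say what a key identifier looks like or where the device's Microsoft Entra ID key identifier can be read, because a typo here blocks every SCEP enrollment. The same text recurs in the @@ -2387 hunk.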
@@ -1274,7 +1274,7 @@ Required for enrollment. Specify the key usage bits (0x80, 0x20, 0xA0, etc.) for
-Optional. Special to SCEP. Specify device retry times when the SCEP sever sends pending status. Format is int. Default value is 3. Max value: the value can't be larger than 30. If it's larger than 30, the device will use 30.
+Optional. Special to SCEP. Specify device retry times when the SCEP server sends pending status. Format is int. Default value is 3. Max value: the value can't be larger than 30. If it's larger than 30, the device will use 30.
The min value is 0 which means no retry.
@@ -1741,7 +1741,7 @@ Required for PFX certificate installation. A unique ID to differentiate differen
Format is node.
-Calling Delete on the this node, should delete the certificates and the keys that were installed by the corresponding PFX blob.
+Calling Delete on this node, should delete the certificates and the keys that were installed by the corresponding PFX blob.
@@ -1961,7 +1961,7 @@ Password that protects the PFX blob. This is required if the PFX is password pro
Optional.
-When a value of "2" is contained iin PFXCertPasswordEncryptionType, specify the store name where the certificate for decrypting the PFXCertPassword is stored.
+When a value of "2" is contained in PFXCertPasswordEncryptionType, specify the store name where the certificate for decrypting the PFXCertPassword is stored.
@@ -2227,7 +2227,7 @@ Node for SCEP. An alert is sent after the SCEP certificate is installed.
Required for SCEP certificate installation. A unique ID to differentiate different certificate install requests.
-Calling Delete on the this node, should delete the corresponding SCEP certificate.
+Calling Delete on this node, should delete the corresponding SCEP certificate.
@@ -2387,7 +2387,7 @@ Required for SCEP certificate enrollment. Parent node to group SCEP cert install
-Optional. Specify the AAD Key Identifier List as a semicolon separated values. On Enroll, the values in this list are validated against the AAD Key present on the device. If no match is found, enrollment will fail.
+Optional. Specify the Microsoft Entra ID Key Identifier List as a semicolon separated values. On Enroll, the values in this list are validated against the Microsoft Entra ID Key present on the device. If no match is found, enrollment will fail.
@@ -2848,7 +2848,7 @@ Required for enrollment. Specify the key usage bits (0x80, 0x20, 0xA0, etc.) for
-Optional. Special to SCEP. Specify device retry times when the SCEP sever sends pending status. Format is int. Default value is 3. Max value: the value can't be larger than 30. If it's larger than 30, the device will use 30.
+Optional. Special to SCEP. Specify device retry times when the SCEP server sends pending status. Format is int. Default value is 3. Max value: the value can't be larger than 30. If it's larger than 30, the device will use 30.
The min value is 0 which means no retry.
diff --git a/windows/client-management/mdm/clouddesktop-csp.md b/windows/client-management/mdm/clouddesktop-csp.md
index 050f915ba6..b8a0a69fad 100644
--- a/windows/client-management/mdm/clouddesktop-csp.md
+++ b/windows/client-management/mdm/clouddesktop-csp.md
@@ -4,7 +4,7 @@ description: Learn more about the CloudDesktop CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/25/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -26,16 +26,72 @@ ms.topic: reference
The following list shows the CloudDesktop configuration service provider nodes:
- ./Device/Vendor/MSFT/CloudDesktop
+ - [BootToCloudPCEnhanced](#boottocloudpcenhanced)
- [EnableBootToCloudSharedPCMode](#enableboottocloudsharedpcmode)
+
+## BootToCloudPCEnhanced
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ❌ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/CloudDesktop/BootToCloudPCEnhanced
+```
+
+
+
+
+This node allows to configure different kinds of Boot to Cloud mode. Boot to cloud mode enables users to seamlessly sign-in to a Cloud PC. For using this feature, Cloud Provider application must be installed on the PC and the user must have a Cloud PC provisioned. This node supports the below options: 0. Not Configured. 1. Enable Boot to Cloud Shared PC Mode: Boot to Cloud Shared PC mode allows multiple users to sign-in on the device and use for shared purpose. 2. Enable Boot to Cloud Personal Mode (Cloud only): Personal mode allows user to sign-in on the device using various authentication mechanism configured by their organization (For ex. PIN, Biometrics etc). This mode preserves user personalization, including their profile picture and username in local machine, and facilitates fast account switching.
+
+
+
+
+> [!IMPORTANT]
+> If BootToCloudPCEnhanced and EnableBootToCloudSharedPCMode are both configured, BootToCloudPCEnhanced is given priority and overrides EnableBootToCloudSharedPCMode.
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | Not Configured. |
+| 1 | Enable Boot to Cloud Shared PC Mode. |
+| 2 | Enable Boot to Cloud Personal Mode (Cloud only). |
+
+
+
+
+
+
+
+
## EnableBootToCloudSharedPCMode
+> [!NOTE]
+> This policy is deprecated and may be removed in a future release.
+
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ❌ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.22631.2050] |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ❌ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
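Review bot: the deprecation note added to EnableBootToCloudSharedPCMode doesn't tell the reader what to use instead; suggest "This policy is deprecated and may be removed in a future release. Use [BootToCloudPCEnhanced](#boottocloudpcenhanced) instead." The Applicable OS cell for the existing node also drops the concrete build `[10.0.22631.2050]` for a bare "Windows Insider Preview", which loses information; if that is intentional, say why in the commit message. Finally, the BootToCloudPCEnhanced description is one run-on sentence with the option list inline ("This node allows to configure different kinds of Boot to Cloud mode ... 0. Not Configured. 1. ..."); the Allowed values table below already enumerates the options, so trim the description to the prose and change "allows to configure" to "allows you to configure".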
@@ -46,11 +102,13 @@ The following list shows the CloudDesktop configuration service provider nodes:
-Setting this node to "true" configures boot to cloud for Shared PC mode. Boot to cloud mode enables users to seamlessly sign-in to a Cloud PC. Shared PC mode allows multiple users to sign-in on the device and use for shared purpose. For enabling boot to cloud shared pc feature, Cloud Provider application must be installed on the PC and the user must have a Cloud PC provisioned.
+Setting this node to "true" configures boot to cloud for Shared PC mode. Boot to cloud mode enables users to seamlessly sign-in to a Cloud PC. Shared PC mode allows multiple users to sign-in on the device and use for shared purpose. For enabling Boot to Cloud Shared PC feature, Cloud Provider application must be installed on the PC and the user must have a Cloud PC provisioned.
+> [!IMPORTANT]
+> If BootToCloudPCEnhanced and EnableBootToCloudSharedPCMode are both configured, BootToCloudPCEnhanced is given priority and overrides EnableBootToCloudSharedPCMode.
@@ -80,66 +138,86 @@ Setting this node to "true" configures boot to cloud for Shared PC mode. Boot to
-## EnableBootToCloudSharedPCMode technical reference
+## BootToCloudPCEnhanced technical reference
-EnableBootToCloudSharedPCMode setting is used to configure **Boot to Cloud** feature for shared user mode. When you enable this setting, multiple policies are applied to achieve the intended behavior.
+BootToCloudPCEnhanced is the setting used to configure **Boot to Cloud** feature either for shared mode or personal mode. When you enable this setting, multiple policies are applied to achieve the intended behavior. If you wish to customize the **Boot to Cloud** experience, you can utilize the [BootToCloudMode](policy-csp-clouddesktop.md#boottocloudmode) policy, which provides the flexibility to tailor the experience according to your requirements.
> [!NOTE]
-> It is recommended not to set any of the policies enforced by this setting to different values, as these policies help provide a smooth UX experience for the **Boot to Cloud** feature for shared user mode.
+> It is recommended not to set any of the policies enforced by this setting to different values, as these policies help provide a smooth UX experience for the **Boot to Cloud** feature for shared and personal mode.
-### MDM Policies
+### Boot to Cloud Shared PC Mode
-When this mode is enabled, these MDM policies are applied for the Device scope (all users):
+When the Shared PC mode is enabled by setting BootToCloudPCEnhanced value to 1:
-| Setting | Value | Value Description |
-|----------------------------------------------------------------------------------------------------------------------------|---------|-------------------------------------------------------------|
-| [CloudDesktop/BootToCloudMode](policy-csp-clouddesktop.md#boottocloudmode) | 1 | Enable Boot to Cloud Desktop |
-| [WindowsLogon/OverrideShellProgram](policy-csp-windowslogon.md#overrideshellprogram) | 1 | Apply Lightweight Shell |
-| [ADMX_CredentialProviders/DefaultCredentialProvider](policy-csp-admx-credentialproviders.md#defaultcredentialprovider) | Enabled | Configures default credential provider to password provider |
-| [ADMX_Logon/DisableExplorerRunLegacy_2](policy-csp-admx-logon.md#disableexplorerrunlegacy_2) | Enabled | Don't process the computer legacy run list |
-| [TextInput/EnableTouchKeyboardAutoInvokeInDesktopMode](policy-csp-textinput.md#enabletouchkeyboardautoinvokeindesktopmode) | 1 | When no keyboard is attached |
+- Following MDM policies are applied for the Device scope (all users):
-### Group Policies
+ | Setting | Value | Value Description |
+ |----------------------------------------------------------------------------------------------------------------------------|---------|-------------------------------------------------------------|
+ | [CloudDesktop/BootToCloudMode](policy-csp-clouddesktop.md#boottocloudmode) | 1 | Enable Boot to Cloud Desktop |
+ | [WindowsLogon/OverrideShellProgram](policy-csp-windowslogon.md#overrideshellprogram) | 1 | Apply Lightweight Shell |
+ | [ADMX_CredentialProviders/DefaultCredentialProvider](policy-csp-admx-credentialproviders.md#defaultcredentialprovider) | Enabled | Configures default credential provider to password provider |
+ | [ADMX_Logon/DisableExplorerRunLegacy_2](policy-csp-admx-logon.md#disableexplorerrunlegacy_2) | Enabled | Don't process the computer legacy run list |
+ | [TextInput/EnableTouchKeyboardAutoInvokeInDesktopMode](policy-csp-textinput.md#enabletouchkeyboardautoinvokeindesktopmode) | 1 | When no keyboard is attached |
-When this mode is enabled, these local group policies are configured for all users:
+- Following local group policies are configured for all users:
-| Policy setting | Status |
-|------------------------------------------------------------------------------------------------------------------------|---------------------------------------|
-| Security Settings/Local Policies/Security Options/User Account Control: Behavior of elevation prompt for standard user | Automatically deny elevation requests |
-| Security Settings/Local Policies/Security Options/Interactive logon: Don't display last signed-in | Enabled |
-| Control Panel/Personalization/Prevent enabling lock screen slide show | Enabled |
-| System/Logon/Block user from showing account details on sign-in | Enabled |
-| System/Logon/Enumerate local users on domain-joined computers | Disabled |
-| System/Logon/Hide entry points for Fast User Switching | Enabled |
-| System/Logon/Show first sign-in animation | Disabled |
-| System/Logon/Turn off app notifications on the lock screen | Enabled |
-| System/Logon/Turn off picture password sign-in | Enabled |
-| System/Logon/Turn on convenience PIN sign-in | Disabled |
-| Windows Components/App Package Deployment/Allow a Windows app to share application data between users | Enabled |
-| Windows Components/Biometrics/Allow the use of biometrics | Disabled |
-| Windows Components/Biometrics/Allow users to log on using biometrics | Disabled |
-| Windows Components/Biometrics/Allow domain users to log on using biometrics | Disabled |
-| Windows Components/File Explorer/Show lock in the user tile menu | Disabled |
-| Windows Components/File History/Turn off File History | Enabled |
-| Windows Components/OneDrive/Prevent the usage of OneDrive for file storage | Enabled |
-| Windows Components/Windows Hello for Business/Use biometrics | Disabled |
-| Windows Components/Windows Hello for Business/Use Windows Hello for Business | Disabled |
-| Windows Components/Windows Logon Options/Sign-in and lock last interactive user automatically after a restart | Disabled |
-| Windows Components/Microsoft Passport for Work | Disabled |
-| System/Ctrl+Alt+Del Options/Remove Task Manager | Enabled |
-| System/Ctrl+Alt+Del Options/Remove Change Password | Enabled |
-| Start Menu and Taskbar/Notifications/Turn off toast notifications | Enabled |
-| Start Menu and Taskbar/Notifications/Remove Notifications and Action Center | Enabled |
-| System/Logon/Do not process the legacy run list | Enabled |
+ | Policy setting | Status |
+ |------------------------------------------------------------------------------------------------------------------------|---------------------------------------|
+ | Security Settings/Local Policies/Security Options/User Account Control: Behavior of elevation prompt for standard user | Automatically deny elevation requests |
+ | Security Settings/Local Policies/Security Options/Interactive logon: Don't display last signed-in | Enabled |
+ | Control Panel/Personalization/Prevent enabling lock screen slide show | Enabled |
+ | System/Logon/Block user from showing account details on sign-in | Enabled |
+ | System/Logon/Enumerate local users on domain-joined computers | Disabled |
+ | System/Logon/Hide entry points for Fast User Switching | Enabled |
+ | System/Logon/Show first sign-in animation | Disabled |
+ | System/Logon/Turn off app notifications on the lock screen | Enabled |
+ | System/Logon/Turn off picture password sign-in | Enabled |
+ | System/Logon/Turn on convenience PIN sign-in | Disabled |
+ | Windows Components/App Package Deployment/Allow a Windows app to share application data between users | Enabled |
+ | Windows Components/Biometrics/Allow the use of biometrics | Disabled |
+ | Windows Components/Biometrics/Allow users to log on using biometrics | Disabled |
+ | Windows Components/Biometrics/Allow domain users to log on using biometrics | Disabled |
+ | Windows Components/File Explorer/Show lock in the user tile menu | Disabled |
+ | Windows Components/File History/Turn off File History | Enabled |
+ | Windows Components/OneDrive/Prevent the usage of OneDrive for file storage | Enabled |
+ | Windows Components/Windows Hello for Business/Use biometrics | Disabled |
+ | Windows Components/Windows Hello for Business/Use Windows Hello for Business | Disabled |
+ | Windows Components/Windows Logon Options/Sign-in and lock last interactive user automatically after a restart | Disabled |
+ | Windows Components/Microsoft Passport for Work | Disabled |
+ | System/Ctrl+Alt+Del Options/Remove Task Manager | Enabled |
+ | System/Ctrl+Alt+Del Options/Remove Change Password | Enabled |
+ | Start Menu and Taskbar/Notifications/Turn off toast notifications | Enabled |
+ | Start Menu and Taskbar/Notifications/Remove Notifications and Action Center | Enabled |
+ | System/Logon/Do not process the legacy run list | Enabled |
-### Registry
+- Following registry changes are performed:
-When this mode is enabled, these registry changes are performed:
+ | Registry setting | Status |
+ |----------------------------------------------------------------------------------------------|--------|
+ | Software\Policies\Microsoft\PassportForWork\Remote\Enabled (Phone sign-in/Use phone sign-in) | 0 |
+ | Software\Policies\Microsoft\PassportForWork\Enabled (Use Microsoft Passport for Work) | 0 |
-| Registry setting | Status |
-|----------------------------------------------------------------------------------------------|--------|
-| Software\Policies\Microsoft\PassportForWork\Remote\Enabled (Phone sign-in/Use phone sign-in) | 0 |
-| Software\Policies\Microsoft\PassportForWork\Enabled (Use Microsoft Passport for Work) | 0 |
+### Boot to Cloud Personal Mode
+
+When the Personal mode is enabled by setting BootToCloudPCEnhanced value to 2:
+
+- Following MDM policies are applied for the Device scope (all users):
+
+ | Setting | Value | Value Description |
+ |----------------------------------------------------------------------------------------------------------------------------|---------|-------------------------------------------------------------|
+ | [CloudDesktop/BootToCloudMode](policy-csp-clouddesktop.md#boottocloudmode) | 1 | Enable Boot to Cloud Desktop |
+ | [WindowsLogon/OverrideShellProgram](policy-csp-windowslogon.md#overrideshellprogram) | 1 | Apply Lightweight Shell |
+ | [ADMX_Logon/DisableExplorerRunLegacy_2](policy-csp-admx-logon.md#disableexplorerrunlegacy_2) | Enabled | Don't process the computer legacy run list |
+ | [TextInput/EnableTouchKeyboardAutoInvokeInDesktopMode](policy-csp-textinput.md#enabletouchkeyboardautoinvokeindesktopmode) | 1 | When no keyboard is attached |
+
+- Following local group policies are configured for all users:
+
+ | Policy setting | Status |
+ |------------------------------------------------------------------------------------------------------------------------|---------------------------------------|
+ | System/Ctrl+Alt+Del Options/Remove Change Password | Enabled |
+ | Start Menu and Taskbar/Notifications/Turn off toast notifications | Enabled |
+ | Start Menu and Taskbar/Notifications/Remove Notifications and Action Center | Enabled |
+ | System/Logon/Do not process the legacy run list | Enabled |
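Review bot: the Personal mode section lists MDM policies and local group policies but, unlike the Shared PC section, has no registry-changes item and no statement that none are made; add an explicit "No registry changes are performed" (or the list, if there is one) so readers don't read it as an omission. Worth stating in the text as well: Personal mode does not apply the UAC "Automatically deny elevation requests", "Don't display last signed-in", the biometrics/Windows Hello for Business disables, or the DefaultCredentialProvider policy that Shared PC mode applies. That is consistent with the node description (PIN and biometric sign-in are allowed in Personal mode), but the lockdown posture of the two modes differs considerably and admins choosing value 2 should see that spelled out. Minor: "Following MDM policies are applied" reads better as "The following MDM policies are applied" in all four bullets.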
diff --git a/windows/client-management/mdm/clouddesktop-ddf-file.md b/windows/client-management/mdm/clouddesktop-ddf-file.md
index 8128e3e6e5..daaccf8c6c 100644
--- a/windows/client-management/mdm/clouddesktop-ddf-file.md
+++ b/windows/client-management/mdm/clouddesktop-ddf-file.md
@@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 08/29/2023
+ms.date: 10/25/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -45,11 +45,55 @@ The following XML file contains the device description framework (DDF) for the C
- 22631.2050
- 1.0
- 0x4;0x30;0x31;0x7E;0x88;0xA1;0xA2;0xA4;0xA5;0xBC;0xBF;0xCD;
+ 99.9.99999
+ 9.9
+ 0x4;0x30;0x31;0x7E;0x87;0x88;0x88*;0xA1;0xA2;0xA4;0xA5;0xB4;0xBC;0xBD;0xBF;
+
+ BootToCloudPCEnhanced
+
+
+
+
+
+
+
+ 0
+ This node allows to configure different kinds of Boot to Cloud mode. Boot to cloud mode enables users to seamlessly sign-in to a Cloud PC. For using this feature, Cloud Provider application must be installed on the PC and the user must have a Cloud PC provisioned. This node supports the below options: 0. Not Configured. 1. Enable Boot to Cloud Shared PC Mode: Boot to Cloud Shared PC mode allows multiple users to sign-in on the device and use for shared purpose. 2. Enable Boot to Cloud Personal Mode (Cloud only): Personal mode allows user to sign-in on the device using various authentication mechanism configured by their organization (For ex. PIN, Biometrics etc). This mode preserves user personalization, including their profile picture and username in local machine, and facilitates fast account switching.
+
+
+
+
+
+
+
+
+
+ Boot to Cloud PC Enhanced
+
+
+
+
+ 99.9.99999
+ 9.9
+
+
+
+ 0
+ Not Configured
+
+
+ 1
+ Enable Boot to Cloud Shared PC Mode
+
+
+ 2
+ Enable Boot to Cloud Personal Mode (Cloud only)
+
+
+
+ EnableBootToCloudSharedPCMode
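Review bot: the `-`/`+` lines at the top of this hunk change the existing node's applicability from the concrete build `22631.2050` / CSP version `1.0` to the `99.9.99999` / `9.9` placeholder and extend the edition allow-list (adding 0x87, 0x88*, 0xB4 and 0xBD); those values belong to EnableBootToCloudSharedPCMode, which this PR also marks deprecated, so confirm the downgrade to a placeholder is intended rather than copied from the new BootToCloudPCEnhanced block. The new node's description on the `+` line is a verbatim copy of the CSP page text, so any wording fix made there should be mirrored here.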
@@ -74,6 +118,9 @@ The following XML file contains the device description framework (DDF) for the C
+
+ 88.8.88888
+ false
@@ -84,6 +131,7 @@ The following XML file contains the device description framework (DDF) for the C
Boot to cloud shared pc mode enabled
+
diff --git a/windows/client-management/mdm/declaredconfiguration-csp.md b/windows/client-management/mdm/declaredconfiguration-csp.md
index ac422bfdcc..64297f2f14 100644
--- a/windows/client-management/mdm/declaredconfiguration-csp.md
+++ b/windows/client-management/mdm/declaredconfiguration-csp.md
@@ -4,7 +4,7 @@ description: Learn more about the DeclaredConfiguration CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 09/27/2023
+ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -110,7 +110,7 @@ The Host internal node indicates that the target of the configuration request or
-This internal node indicates that the configuration has discrete settings values and is self-contained with complete setting and value pairs that don't contain placeholders that the need to be resolved later with additional data. The request is ready to be processed as is.
+This internal node indicates that the configuration has discrete settings values and is self-contained with complete setting and value pairs that don't contain placeholders that need to be resolved later with additional data. The request is ready to be processed as is.
diff --git a/windows/client-management/mdm/declaredconfiguration-ddf-file.md b/windows/client-management/mdm/declaredconfiguration-ddf-file.md
index 8f17e34ba0..a60936f654 100644
--- a/windows/client-management/mdm/declaredconfiguration-ddf-file.md
+++ b/windows/client-management/mdm/declaredconfiguration-ddf-file.md
@@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 09/27/2023
+ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -80,7 +80,7 @@ The following XML file contains the device description framework (DDF) for the D
- This internal node indicates that the configuration has discrete settings values and is self-contained with complete setting and value pairs that do not contain placeholders that the need to be resolved later with additional data. The request is ready to be processed as is.
+ This internal node indicates that the configuration has discrete settings values and is self-contained with complete setting and value pairs that do not contain placeholders that need to be resolved later with additional data. The request is ready to be processed as is.
diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md
index fb4186237a..ee424411b4 100644
--- a/windows/client-management/mdm/defender-csp.md
+++ b/windows/client-management/mdm/defender-csp.md
@@ -4,7 +4,7 @@ description: Learn more about the Defender CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 08/29/2023
+ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -71,10 +71,12 @@ The following list shows the Defender configuration service provider nodes:
- [HideExclusionsFromLocalUsers](#configurationhideexclusionsfromlocalusers)
- [IntelTDTEnabled](#configurationinteltdtenabled)
- [MeteredConnectionUpdates](#configurationmeteredconnectionupdates)
+ - [NetworkProtectionReputationMode](#configurationnetworkprotectionreputationmode)
- [OobeEnableRtpAndSigUpdate](#configurationoobeenablertpandsigupdate)
- [PassiveRemediation](#configurationpassiveremediation)
- [PerformanceModeStatus](#configurationperformancemodestatus)
- [PlatformUpdatesChannel](#configurationplatformupdateschannel)
+ - [QuickScanIncludeExclusions](#configurationquickscanincludeexclusions)
- [RandomizeScheduleTaskTimes](#configurationrandomizescheduletasktimes)
- [ScanOnlyIfIdleEnabled](#configurationscanonlyifidleenabled)
- [SchedulerRandomizationTime](#configurationschedulerrandomizationtime)
@@ -348,7 +350,7 @@ Control whether network protection can improve performance by switching from rea
| Value | Description |
|:--|:--|
| 1 | Allow switching to asynchronous inspection. |
-| 0 (Default) | Don’t allow asynchronous inspection. |
+| 0 (Default) | Don't allow asynchronous inspection. |
@@ -464,7 +466,7 @@ Define the retention period in days of how much time the evidence data will be k
| Property name | Property value |
|:--|:--|
-| Format | `chr` (string) |
+| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[1-120]` |
| Default Value | 60 |
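Review bot: changing Format from `chr` to `int` agrees with the Allowed Values range `[1-120]` and the default `60`, which only make sense for an integer; confirm the DDF for this node carries the matching DFFormat change in the same PR so the two pages don't disagree.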
@@ -953,8 +955,8 @@ Control Device Control feature.
| Value | Description |
|:--|:--|
-| 1 | . |
-| 0 (Default) | . |
+| 1 | Device Control is enabled. |
+| 0 (Default) | Device Control is disabled. |
@@ -2186,6 +2188,46 @@ Allow managed devices to update through metered connections. Default is 0 - not
+
+### Configuration/NetworkProtectionReputationMode
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Defender/Configuration/NetworkProtectionReputationMode
+```
+
+
+
+
+This sets the reputation mode for Network Protection.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+
+
+
+
+
### Configuration/OobeEnableRtpAndSigUpdate
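Review bot: NetworkProtectionReputationMode is documented with Format `int` and Default `0` but no **Allowed values** table, and the one-sentence description "This sets the reputation mode for Network Protection." doesn't say what mode 0 is or which other values exist, so an admin can't set this safely from the page. The DDF hunk for the same node later in this PR has no enumerated values either, so the gap is in the source schema; at minimum document the default behaviour and the accepted range, and state whether a change takes effect without a service restart.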
@@ -2325,8 +2367,8 @@ This setting allows IT admins to configure performance mode in either enabled or
| Value | Description |
|:--|:--|
-| 0 (Default) | Performance mode is enabled (default). A service restart is required after changing this value. |
-| 1 | Performance mode is disabled. A service restart is required after changing this value. |
+| 0 (Default) | Performance mode is enabled (default). |
+| 1 | Performance mode is disabled. |
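Review bot: both `-` lines drop the sentence "A service restart is required after changing this value." for PerformanceModeStatus. If a restart is genuinely no longer needed, that is a behaviour change worth a line in the commit message; if it is still needed, admins toggling performance mode will expect immediate effect and see none. Confirm before merging; the matching DDF hunk below makes the same deletion.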
@@ -2388,6 +2430,55 @@ Enable this policy to specify when devices receive Microsoft Defender platform u
+
+### Configuration/QuickScanIncludeExclusions
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1607 [10.0.14393] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Defender/Configuration/QuickScanIncludeExclusions
+```
+
+
+
+
+This setting allows you to scan excluded files and directories during quick scans.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Default Value | 0 |
+
+
+
+**Allowed values**:
+
+| Value | Description |
+|:--|:--|
+| 0 (Default) | If you set this setting to 0 or don't configure it, exclusions aren't scanned during quick scans. |
+| 1 | If you set this setting to 1, all files and directories that are excluded from real-time protection using contextual exclusions are scanned during a quick scan. Exclusions that contain wildcards aren't supported and aren't scanned. |
+
+
+
+
+
+
+
+
### Configuration/RandomizeScheduleTaskTimes
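Review bot: the Allowed values rows for QuickScanIncludeExclusions repeat the value in prose ("If you set this setting to 1, ..."), which the Value column already gives; stating the outcome is enough, e.g. "Files and directories excluded from real-time protection through contextual exclusions are scanned during a quick scan; exclusions containing wildcards are not scanned." It would also help to state whether real-time protection exclusions remain in effect when this is enabled, since the current text leaves that to inference.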
diff --git a/windows/client-management/mdm/defender-ddf.md b/windows/client-management/mdm/defender-ddf.md
index 22e2b101f9..60fd484a13 100644
--- a/windows/client-management/mdm/defender-ddf.md
+++ b/windows/client-management/mdm/defender-ddf.md
@@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 08/29/2023
+ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -2098,11 +2098,50 @@ The following XML file contains the device description framework (DDF) for the D
0
- Performance mode is enabled (default). A service restart is required after changing this value.
+ Performance mode is enabled (default).1
- Performance mode is disabled. A service restart is required after changing this value.
+ Performance mode is disabled.
+
+
+
+
+
+ QuickScanIncludeExclusions
+
+
+
+
+
+
+
+ 0
+ This setting allows you to scan excluded files and directories during quick scans.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.14393
+ 1.3
+
+
+
+ 0
+ If you set this setting to 0 or do not configure it, exclusions are not scanned during quick scans.
+
+
+ 1
+ If you set this setting to 1, all files and directories that are excluded from real-time protection using contextual exclusions are scanned during a quick scan. Exclusions that contain wildcards are not supported and are not scanned.
@@ -2382,7 +2421,7 @@ The following XML file contains the device description framework (DDF) for the D
60Define the retention period in days of how much time the evidence data will be kept on the client machine should any transfer to the remote locations would occur.
-
+
@@ -2432,13 +2471,11 @@ The following XML file contains the device description framework (DDF) for the D
1
-
-
+ Device Control is enabled0
-
-
+ Device Control is disabled
@@ -2650,6 +2687,35 @@ The following XML file contains the device description framework (DDF) for the D
+
+ NetworkProtectionReputationMode
+
+
+
+
+
+
+
+ 0
+ This sets the reputation mode for Network Protection.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 10.0.14393
+ 1.3
+
+
+ AllowSwitchToAsyncInspection
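Review bot: the NetworkProtectionReputationMode entry gives only "This sets the reputation mode for Network Protection." and a default of 0, with no statement of what 0 means or which other values are accepted, unlike the QuickScanIncludeExclusions entry added in the same file, which enumerates 0 and 1 with descriptions. Add the value list (at minimum the meaning of the default) so the node is usable from the DDF alone. I also don't see a matching NetworkProtectionReputationMode section in the defender-csp.md part of this diff; please confirm the reference page is updated in step with the DDF.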
diff --git a/windows/client-management/mdm/devicepreparation-csp.md b/windows/client-management/mdm/devicepreparation-csp.md
index d8b4a5ca6e..1998989619 100644
--- a/windows/client-management/mdm/devicepreparation-csp.md
+++ b/windows/client-management/mdm/devicepreparation-csp.md
@@ -4,7 +4,7 @@ description: Learn more about the DevicePreparation CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 10/03/2023
+ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -27,12 +27,11 @@ The following list shows the DevicePreparation configuration service provider no
- ./Device/Vendor/MSFT/DevicePreparation
- [BootstrapperAgent](#bootstrapperagent)
- - [ClassID](#bootstrapperagentclassid)
- [ExecutionContext](#bootstrapperagentexecutioncontext)
- - [InstallationStatusUri](#bootstrapperagentinstallationstatusuri)
- - [MdmAgentInstalled](#mdmagentinstalled)
- [MDMProvider](#mdmprovider)
+ - [MdmAgentInstalled](#mdmprovidermdmagentinstalled)
- [Progress](#mdmproviderprogress)
+ - [RebootRequired](#mdmproviderrebootrequired)
- [PageEnabled](#pageenabled)
- [PageSettings](#pagesettings)
- [PageStatus](#pagestatus)
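Review bot: this node list silently retires `ClassID` and `InstallationStatusUri` and moves `MdmAgentInstalled` from `./Device/Vendor/MSFT/DevicePreparation/MdmAgentInstalled` to `./Device/Vendor/MSFT/DevicePreparation/MDMProvider/MdmAgentInstalled`, while `RebootRequired` appears under `MDMProvider`. Since this is the reference page an MDM vendor builds against, add a one-line note that the old top-level paths are no longer valid (the page already flags Windows Insider Preview), so an existing profile that still targets the old `MdmAgentInstalled` path doesn't fail without explanation.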
@@ -55,7 +54,7 @@ The following list shows the DevicePreparation configuration service provider no
-The subnodes configure settings for the Bootstrapper Agent.
+Parent node for configuring agent that orchestrates provisioning and communicate status to Device Preparation page.
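Review bot: grammar in the replacement line: "Parent node for configuring agent that orchestrates provisioning and communicate status to Device Preparation page." should read "Parent node for configuring the agent that orchestrates provisioning and communicates status to the Device Preparation page." (subject-verb agreement on "communicates", plus the missing articles).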
@@ -77,45 +76,6 @@ The subnodes configure settings for the Bootstrapper Agent.
-
-### BootstrapperAgent/ClassID
-
-
-| Scope | Editions | Applicable OS |
-|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
-
-
-
-```Device
-./Device/Vendor/MSFT/DevicePreparation/BootstrapperAgent/ClassID
-```
-
-
-
-
-This node stores the class ID for the Bootstrapper Agent WinRT object.
-
-
-
-
-
-
-
-**Description framework properties**:
-
-| Property name | Property value |
-|:--|:--|
-| Format | `chr` (string) |
-| Access Type | Get, Replace |
-
-
-
-
-
-
-
-
### BootstrapperAgent/ExecutionContext
@@ -155,85 +115,6 @@ This node holds opaque data that will be passed to the Bootstrapper Agent as a p
-
-### BootstrapperAgent/InstallationStatusUri
-
-
-| Scope | Editions | Applicable OS |
-|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
-
-
-
-```Device
-./Device/Vendor/MSFT/DevicePreparation/BootstrapperAgent/InstallationStatusUri
-```
-
-
-
-
-This node holds a URI that can be queried for the status of the Bootstrapper Agent installation.
-
-
-
-
-
-
-
-**Description framework properties**:
-
-| Property name | Property value |
-|:--|:--|
-| Format | `chr` (string) |
-| Access Type | Get, Replace |
-
-
-
-
-
-
-
-
-
-## MdmAgentInstalled
-
-
-| Scope | Editions | Applicable OS |
-|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
-
-
-
-```Device
-./Device/Vendor/MSFT/DevicePreparation/MdmAgentInstalled
-```
-
-
-
-
-This node indicates whether the MDM agent was installed or not. When set to true sets the AUTOPILOT_MDM_AGENT_REGISTERED WNF event.
-
-
-
-
-
-
-
-**Description framework properties**:
-
-| Property name | Property value |
-|:--|:--|
-| Format | `bool` |
-| Access Type | Get, Replace |
-| Default Value | false |
-
-
-
-
-
-
-
-
## MDMProvider
@@ -251,7 +132,7 @@ This node indicates whether the MDM agent was installed or not. When set to true
-The subnode configures the settings for the MDMProvider.
+Parent node for configuring the MDM provider that interacts with the BootstrapperAgent.
@@ -273,6 +154,46 @@ The subnode configures the settings for the MDMProvider.
+
+### MDMProvider/MdmAgentInstalled
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/DevicePreparation/MDMProvider/MdmAgentInstalled
+```
+
+
+
+
+This node indicates whether the MDM agent was installed or not. When set to true sets the AUTOPILOT_MDM_AGENT_REGISTERED WNF event.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `bool` |
+| Access Type | Get, Replace |
+| Default Value | False |
+
+
+
+
+
+
+
+
### MDMProvider/Progress
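Review bot: the Default Value for the relocated `MdmAgentInstalled` is written `False` here, whereas the removed top-level copy of the same node had `false` and the unchanged `PageEnabled` entry further down keeps `| Default Value | false |`. Pick one casing for bool defaults across the page (the existing convention is lowercase) so a reader comparing nodes doesn't wonder whether `False` signals a different type.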
@@ -290,7 +211,7 @@ The subnode configures the settings for the MDMProvider.
-Node for reporting progress status as opaque data.
+Node for reporting progress status as opaque data. Contract for data is between the server and EMM agent that reads the data.
@@ -303,7 +224,7 @@ Node for reporting progress status as opaque data.
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
-| Access Type | Get, Replace |
+| Access Type | Add, Delete, Get, Replace |
@@ -312,6 +233,46 @@ Node for reporting progress status as opaque data.
+
+### MDMProvider/RebootRequired
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/DevicePreparation/MDMProvider/RebootRequired
+```
+
+
+
+
+This node indicates whether an MDM policy was provisioned that requires a reboot.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `bool` |
+| Access Type | Get |
+| Default Value | False |
+
+
+
+
+
+
+
+
## PageEnabled
@@ -329,7 +290,7 @@ Node for reporting progress status as opaque data.
-This node determines whether to enable or show the Device Preparation page.
+This node determines whether to show the Device Preparation page during OOBE.
@@ -346,15 +307,6 @@ This node determines whether to enable or show the Device Preparation page.
| Default Value | false |
-
-**Allowed values**:
-
-| Value | Description |
-|:--|:--|
-| false (Default) | The page isn't enabled. |
-| true | The page is enabled. |
-
-
@@ -378,7 +330,7 @@ This node determines whether to enable or show the Device Preparation page.
-This node configures specific settings for the Device Preparation page.
+This node configures the Device Preparation page settings.
@@ -417,7 +369,7 @@ This node configures specific settings for the Device Preparation page.
-This node provides status of the Device Preparation page. Values are an enum: 0 = Disabled; 1 = Enabled; 2 = InProgress; 3 = ExitedOnSuccess; 4 = ExitedOnFailure.
+This node provides status of the Device Preparation page.
@@ -441,8 +393,8 @@ This node provides status of the Device Preparation page. Values are an enum: 0
| 0 | Disabled. |
| 1 | Enabled. |
| 2 | InProgress. |
-| 3 | Succeeded. |
-| 4 | Failed. |
+| 3 | ExitOnSuccess. |
+| 4 | ExitOnFailure. |
diff --git a/windows/client-management/mdm/devicepreparation-ddf-file.md b/windows/client-management/mdm/devicepreparation-ddf-file.md
index 4f948ac7b5..ed2c59bec4 100644
--- a/windows/client-management/mdm/devicepreparation-ddf-file.md
+++ b/windows/client-management/mdm/devicepreparation-ddf-file.md
@@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 10/03/2023
+ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -31,7 +31,7 @@ The following XML file contains the device description framework (DDF) for the D
- Parent node for the CSP.
+ Parent node for configuring the Device Preparation page in OOBE settings and configuring
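Review bot: the new root description "Parent node for configuring the Device Preparation page in OOBE settings and configuring" ends mid-sentence. Complete the second clause (what else the node configures) or cut "and configuring"; as committed, the DDF description is truncated text.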
@@ -42,7 +42,7 @@ The following XML file contains the device description framework (DDF) for the D
-
+ 99.9.99999
@@ -58,7 +58,7 @@ The following XML file contains the device description framework (DDF) for the D
false
- This node determines whether to enable or show the Device Preparation page.
+ This node determines whether to show the Device Preparation page during OOBE.
@@ -71,16 +71,6 @@ The following XML file contains the device description framework (DDF) for the D
-
-
- false
- The page is not enabled
-
-
- true
- The page is enabled
-
-
@@ -90,7 +80,7 @@ The following XML file contains the device description framework (DDF) for the D
- This node provides status of the Device Preparation page. Values are an enum: 0 = Disabled; 1 = Enabled; 2 = InProgress; 3 = ExitedOnSuccess; 4 = ExitedOnFailure.
+ This node provides status of the Device Preparation page.
@@ -118,11 +108,11 @@ The following XML file contains the device description framework (DDF) for the D
3
- Succeeded
+ ExitOnSuccess4
- Failed
+ ExitOnFailure
@@ -134,7 +124,7 @@ The following XML file contains the device description framework (DDF) for the D
- This node configures specific settings for the Device Preparation page.
+ This node configures the Device Preparation page settings.
@@ -147,7 +137,8 @@ The following XML file contains the device description framework (DDF) for the D
-
+
+ {"AgentDownloadTimeoutSeconds": 900, "PageTimeoutSeconds": 3600, "ErrorMessage": "This is an error message.", "AllowSkipOnFailure": true, "AllowDiagnostics": true }
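Review bot: the sample PageSettings value introduces `AgentDownloadTimeoutSeconds`, `PageTimeoutSeconds`, `ErrorMessage`, `AllowSkipOnFailure` and `AllowDiagnostics` with no explanation of any of them, and the corresponding devicepreparation-csp.md section in this same diff still says only "This node configures the Device Preparation page settings." The two that matter most are `AllowSkipOnFailure` and `AllowDiagnostics`: if `true` lets the user proceed past a failed agent install or expose diagnostics during OOBE, the reference page should say so and state the default, and the sample value copied by admins would be safer with `"AllowSkipOnFailure": false`. Suggest documenting each key (type, default, effect) next to the node description.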
@@ -157,7 +148,7 @@ The following XML file contains the device description framework (DDF) for the D
- The subnodes configure settings for the Bootstrapper Agent.
+ Parent node for configuring agent that orchestrage provioning and communicate status to Device Preparation page.
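Review bot: typos in the added line: "orchestrage provioning" should be "orchestrates provisioning", and "communicate" should be "communicates". The devicepreparation-csp.md line in this diff already has the spelling right, so the DDF and the reference page currently disagree on the same sentence; use the same corrected text in both.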
@@ -171,30 +162,6 @@ The following XML file contains the device description framework (DDF) for the D
-
- ClassID
-
-
-
-
-
- This node stores the class ID for the Bootstrapper Agent WinRT object.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- ExecutionContext
@@ -215,32 +182,6 @@ The following XML file contains the device description framework (DDF) for the D
-
-
-
-
-
- InstallationStatusUri
-
-
-
-
-
- This node holds a URI that can be queried for the status of the Bootstrapper Agent installation.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
@@ -250,7 +191,7 @@ The following XML file contains the device description framework (DDF) for the D
- The subnode configures the settings for the MDMProvider.
+ Parent node for configuring the MDM provider that interacts with the BootstrapperAgent.
@@ -268,10 +209,12 @@ The following XML file contains the device description framework (DDF) for the D
Progress
+
+
- Noode for reporting progress status as opaque data.
+ Node for reporting progress status as opaque data. Contract for data is between the server and EMM agent that reads the data.
@@ -286,29 +229,51 @@ The following XML file contains the device description framework (DDF) for the D
-
-
- MdmAgentInstalled
-
-
-
-
-
- false
- This node indicates whether the MDM agent was installed or not. When set to true sets the AUTOPILOT_MDM_AGENT_REGISTERED WNF event.
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+ MdmAgentInstalled
+
+
+
+
+
+ False
+ This node indicates whether the mdm agent was installed or not. When set to true sets the AUTOPILOT_MDM_AGENT_REGISTERED WNF event.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ RebootRequired
+
+
+
+
+ False
+ This node indicates whether an MDM policy was provisioned that requires a reboot.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/windows/client-management/mdm/diagnosticlog-csp.md b/windows/client-management/mdm/diagnosticlog-csp.md
index ae23d729eb..baa3ca8990 100644
--- a/windows/client-management/mdm/diagnosticlog-csp.md
+++ b/windows/client-management/mdm/diagnosticlog-csp.md
@@ -4,7 +4,7 @@ description: Learn more about the DiagnosticLog CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -182,7 +182,7 @@ This node is to trigger snapping of the Device Management state data with "SNAP"
-Root note for archive definition and collection.
+Root node for archive definition and collection.
diff --git a/windows/client-management/mdm/dmacc-csp.md b/windows/client-management/mdm/dmacc-csp.md
index 5a4154759f..91624a95d6 100644
--- a/windows/client-management/mdm/dmacc-csp.md
+++ b/windows/client-management/mdm/dmacc-csp.md
@@ -4,7 +4,7 @@ description: Learn more about the DMAcc CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -751,7 +751,7 @@ Specifies the authentication type. If AAuthLevel is CLCRED, the supported types
-Specifies the application identifier for the OMA DM account.. The only supported value is w7.
+Specifies the application identifier for the OMA DM account. The only supported value is w7.
diff --git a/windows/client-management/mdm/dmclient-csp.md b/windows/client-management/mdm/dmclient-csp.md
index 9a5f3cadbf..e1447e368b 100644
--- a/windows/client-management/mdm/dmclient-csp.md
+++ b/windows/client-management/mdm/dmclient-csp.md
@@ -4,7 +4,7 @@ description: Learn more about the DMClient CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 09/27/2023
+ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -351,7 +351,7 @@ For more information about Microsoft Entra enrollment, see [Microsoft Entra inte
-For Microsoft Entra backed enrollments, this will cause the client to send a Device Token if the User Token can't be obtained.
+For Microsoft Entra ID backed enrollments, this will cause the client to send a Device Token if the User Token can't be obtained.
@@ -1209,7 +1209,7 @@ The node contains the secondary certificate - the public key to use.
-This node specifies how the client will perform the app layer signing and encryption. 0: no op; 1: sign only; 2: encrypt only; 3: sign and encrypt. The default value is 0.
+This node specifies how the client will perform the app layer signing and encryption. 0: no op; 1: sign-only; 2: encrypt only; 3: sign and encrypt. The default value is 0.
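Review bot: the edit changes "sign only" to "sign-only" but leaves "encrypt only" unhyphenated in the same sentence ("0: no op; 1: sign-only; 2: encrypt only; 3: sign and encrypt"). Apply the same treatment to both (either "sign only" / "encrypt only" or hyphenate both) so the enumeration reads consistently.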
@@ -1568,7 +1568,7 @@ This node decides whether or not the MDM progress page displays the Collect Logs
-Device Only. This node determines whether or not the MDM progress page is blocking in the AADJ or DJ++ case, as well as which remediation options are available.
+Device Only. This node determines whether or not the MDM progress page is blocking in the Microsoft Entra joined or DJ++ case, as well as which remediation options are available.
@@ -1994,7 +1994,7 @@ This node is set by the server to inform the UX that the server has finished pro
-Device only. This node decides whether or not the MDM device progress page skips after AADJ or Hybrid AADJ in OOBE.
+Device only. This node decides whether or not the MDM device progress page skips after Microsoft Entra joined or Microsoft Entra hybrid joined in OOBE.
@@ -2043,7 +2043,7 @@ Device only. This node decides whether or not the MDM device progress page skips
-Device only. This node decides whether or not the MDM user progress page skips after AADJ or DJ++ after user login.
+Device only. This node decides whether or not the MDM user progress page skips after Microsoft Entra joined or DJ++ after user login.
@@ -2206,7 +2206,7 @@ Force device to send device Microsoft Entra token during check-in as a separate
| 0 | ForceAadTokenNotDefined: the value isn't defined(default). |
| 1 | AlwaysSendAadDeviceTokenCheckIn: always send Microsoft Entra device token during check-in as a separate header section(not as Bearer token). |
| 2 | Reserved for future. AlwaysSendAadUserTokenCheckin: always send Microsoft Entra user token during check-in as a separate header section(not as Bearer token). |
-| 4 | SendAadDeviceTokenForAuth: to replace AADSendDeviceToken, send Microsoft Entra Device token for auth as Bearer token. |
+| 4 | SendAadDeviceTokenForAuth: to replace AADSendDeviceToken, send Microsoft Entra device token for auth as Bearer token. |
| 8 | Reserved for future. ForceAadTokenMaxAllowed: max value allowed. |
@@ -2428,7 +2428,7 @@ The interior node for linked enrollment.
-Endpoint Discovery is the process where a specific URL (the "discovery endpoint") is accessed, which returns a directory of endpoints for using the system including enrollment. On Get, if the endpoint isn't set, client will return an rmpty string with S_OK.
+Endpoint Discovery is the process where a specific URL (the "discovery endpoint") is accessed, which returns a directory of endpoints for using the system including enrollment. On Get, if the endpoint isn't set, client will return an empty string with S_OK.
@@ -4576,7 +4576,7 @@ This node, when doing a get, tells the server if the "First Syncs" are done and
| Value | Description |
|:--|:--|
-| false | The user isn't finished provisioning. |
+| false | The user hasn't finished provisioning. |
| true | The user has finished provisioning. |
diff --git a/windows/client-management/mdm/dmclient-ddf-file.md b/windows/client-management/mdm/dmclient-ddf-file.md
index f47fafa391..8ab416c84b 100644
--- a/windows/client-management/mdm/dmclient-ddf-file.md
+++ b/windows/client-management/mdm/dmclient-ddf-file.md
@@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 09/27/2023
+ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -341,11 +341,11 @@ The following XML file contains the device description framework (DDF) for the D
false
- The user is not finished provisioning
+ The user has not finished provisioningtrue
- The user has finished provisoining.
+ The user has finished provisioning.
@@ -381,7 +381,7 @@ The following XML file contains the device description framework (DDF) for the D
2
- Provisoining is in progress.
+ Provisioning is in progress.
@@ -1264,7 +1264,7 @@ The following XML file contains the device description framework (DDF) for the D
2
- Reserved for future. AlwaysSendAadUserTokenCheckin: always send AAD user token during checkin as a separate header section(not as Bearer toekn).
+ Reserved for future. AlwaysSendAadUserTokenCheckin: always send AAD user token during checkin as a separate header section(not as Bearer token).4
@@ -2020,7 +2020,7 @@ The following XML file contains the device description framework (DDF) for the D
true
- The device has finished provisoining.
+ The device has finished provisioning.
@@ -2056,7 +2056,7 @@ The following XML file contains the device description framework (DDF) for the D
2
- Provisoining is in progress.
+ Provisioning is in progress.
@@ -2679,7 +2679,7 @@ The following XML file contains the device description framework (DDF) for the D
- Endpoint Discovery is the process where a specific URL (the "discovery endpoint") is accessed, which returns a directory of endpoints for using the system including enrollment. On Get, if the endpoint is not set, client will return an rmpty string with S_OK.
+ Endpoint Discovery is the process where a specific URL (the "discovery endpoint") is accessed, which returns a directory of endpoints for using the system including enrollment. On Get, if the endpoint is not set, client will return an empty string with S_OK.
diff --git a/windows/client-management/mdm/firewall-csp.md b/windows/client-management/mdm/firewall-csp.md
index 6bfcf539e2..9fb784e982 100644
--- a/windows/client-management/mdm/firewall-csp.md
+++ b/windows/client-management/mdm/firewall-csp.md
@@ -4,7 +4,7 @@ description: Learn more about the Firewall CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 10/03/2023
+ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -2151,7 +2151,7 @@ When setting this field in a firewall rule, the protocol field must also be set,
Specifies the list of authorized local users for the app container.
-This is a string in Security Descriptor Definition Language (SDDL) format\.
+This is a string in Security Descriptor Definition Language (SDDL) format.
diff --git a/windows/client-management/mdm/index.yml b/windows/client-management/mdm/index.yml
index c05832ef83..7944d29d03 100644
--- a/windows/client-management/mdm/index.yml
+++ b/windows/client-management/mdm/index.yml
@@ -1,21 +1,20 @@
### YamlMime:Landing
title: Configuration Service Provider # < 60 chars
-summary: Learn more about the configuration service provider (CSP) policies available on Windows 10 and Windows 11. # < 160 chars
+summary: Learn more about the configuration service provider (CSP) policies available on Windows devices. # < 160 chars
metadata:
title: Configuration Service Provider # Required; page title displayed in search results. Include the brand. < 60 chars.
- description: Learn more about the configuration service provider (CSP) policies available on Windows 10 and Windows 11. # Required; article description that is displayed in search results. < 160 chars.
+ description: Learn more about the configuration service provider (CSP) policies available on Windows devices. # Required; article description that is displayed in search results. < 160 chars.
ms.topic: landing-page
ms.technology: itpro-manage
ms.prod: windows-client
ms.collection:
- - highpri
- tier1
author: vinaypamnani-msft
ms.author: vinpa
manager: aaroncz
- ms.date: 08/04/2022
+ ms.date: 10/25/2023
localization_priority: medium
# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new
@@ -35,8 +34,8 @@ landingContent:
url: configuration-service-provider-ddf.md
- text: BitLocker CSP
url: bitlocker-csp.md
- - text: DynamicManagement CSP
- url: dynamicmanagement-csp.md
+ - text: Declared Configuration protocol
+ url: ../declared-configuration.md
# Card (optional)
diff --git a/windows/client-management/mdm/laps-csp.md b/windows/client-management/mdm/laps-csp.md
index d77060ac98..a010675895 100644
--- a/windows/client-management/mdm/laps-csp.md
+++ b/windows/client-management/mdm/laps-csp.md
@@ -4,7 +4,7 @@ description: Learn more about the LAPS CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/24/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -449,7 +449,7 @@ Use this setting to configure which directory the local admin account password i
The allowable settings are:
0=Disabled (password won't be backed up)
-1=Backup the password to Microsoft Entra-only
+1=Backup the password to Microsoft Entra ID only
2=Backup the password to Active Directory only.
If not specified, this setting will default to 0.
@@ -475,7 +475,7 @@ If not specified, this setting will default to 0.
| Value | Description |
|:--|:--|
| 0 (Default) | Disabled (password won't be backed up). |
-| 1 | Backup the password to Microsoft Entra-only. |
+| 1 | Backup the password to Microsoft Entra ID only. |
| 2 | Backup the password to Active Directory only. |
@@ -745,7 +745,7 @@ If not specified, this setting will default to 3 (Reset the password and logoff
| Value | Description |
|:--|:--|
| 1 | Reset password: upon expiry of the grace period, the managed account password will be reset. |
-| 3 (Default) | Reset the password and logoff the managed account: upon expiry of the grace period, the managed account password will be reset and any interactive logon sessions using the managed account will terminated. |
+| 3 (Default) | Reset the password and logoff the managed account: upon expiry of the grace period, the managed account password will be reset and any interactive logon sessions using the managed account will be terminated. |
| 5 | Reset the password and reboot: upon expiry of the grace period, the managed account password will be reset and the managed device will be immediately rebooted. |
diff --git a/windows/client-management/mdm/passportforwork-csp.md b/windows/client-management/mdm/passportforwork-csp.md
index 29e995b12d..14c84143e8 100644
--- a/windows/client-management/mdm/passportforwork-csp.md
+++ b/windows/client-management/mdm/passportforwork-csp.md
@@ -4,7 +4,7 @@ description: Learn more about the PassportForWork CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 10/03/2023
+ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -253,8 +253,8 @@ Don't start Windows Hello provisioning after sign-in.
| Value | Description |
|:--|:--|
-| false (Default) | Disabled. |
-| true | Enabled. |
+| false (Default) | Post Logon Provisioning Enabled. |
+| true | Post Logon Provisioning Disabled. |
diff --git a/windows/client-management/mdm/passportforwork-ddf.md b/windows/client-management/mdm/passportforwork-ddf.md
index 6cfc4fabfc..fa9e278d82 100644
--- a/windows/client-management/mdm/passportforwork-ddf.md
+++ b/windows/client-management/mdm/passportforwork-ddf.md
@@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 10/03/2023
+ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -883,11 +883,11 @@ If you disable or do not configure this policy setting, the PIN recovery secret
false
- Disabled
+ Post Logon Provisioning Enabledtrue
- Enabled
+ Post Logon Provisioning Disabled
diff --git a/windows/client-management/mdm/personalization-csp.md b/windows/client-management/mdm/personalization-csp.md
index 5e4eb9b6d2..6625fb8a84 100644
--- a/windows/client-management/mdm/personalization-csp.md
+++ b/windows/client-management/mdm/personalization-csp.md
@@ -4,7 +4,7 @@ description: Learn more about the Personalization CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/26/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -16,24 +16,147 @@ ms.topic: reference
# Personalization CSP
+[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
+
-The Personalization CSP can set the lock screen and desktop background images. Setting these policies also prevents the user from changing the image. You can also use the Personalization settings in a provisioning package.
+The Personalization CSP can set the lock screen, desktop background images and company branding on sign-in screen ([BootToCloud mode](policy-csp-clouddesktop.md#boottocloudmode) only). Setting these policies also prevents the user from changing the image. You can also use the Personalization settings in a provisioning package.
> [!IMPORTANT]
-> Personalization CSP is supported in Windows Enterprise and Education SKUs. It works in Windows Professional only when SetEduPolicies in [SharedPC CSP](sharedpc-csp.md) is set.
+> Personalization CSP is supported in Windows Enterprise and Education SKUs. It works in Windows Professional only when SetEduPolicies in [SharedPC CSP](sharedpc-csp.md) is set, or when the device is configured in [Shared PC mode with BootToCloudPCEnhanced policy](clouddesktop-csp.md#boottocloudpcenhanced).
The following list shows the Personalization configuration service provider nodes:
- ./Vendor/MSFT/Personalization
+ - [CompanyLogoStatus](#companylogostatus)
+ - [CompanyLogoUrl](#companylogourl)
+ - [CompanyName](#companyname)
- [DesktopImageStatus](#desktopimagestatus)
- [DesktopImageUrl](#desktopimageurl)
- [LockScreenImageStatus](#lockscreenimagestatus)
- [LockScreenImageUrl](#lockscreenimageurl)
+
+## CompanyLogoStatus
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Vendor/MSFT/Personalization/CompanyLogoStatus
+```
+
+
+
+
+This represents the status of the Company Logo. 1 - Successfully downloaded or copied. 2 - Download/Copy in progress. 3 - Download/Copy failed. 4 - Unknown file type. 5 - Unsupported Url scheme. 6 - Max retry failed. This setting is currently available for boot to cloud shared pc mode only.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Get |
+
+
+
+
+
+
+
+
+
+## CompanyLogoUrl
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Vendor/MSFT/Personalization/CompanyLogoUrl
+```
+
+
+
+
+An http or https Url to a jpg, jpeg or png image that needs to be downloaded and used as the Company Logo or a file Url to a local image on the file system that needs to be used as the Company Logo. This setting is currently available for boot to cloud shared pc mode only.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+
+
+
+
+
+## CompanyName
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Vendor/MSFT/Personalization/CompanyName
+```
+
+
+
+
+The name of the company to be displayed on the sign-in screen. This setting is currently available for boot to cloud shared pc mode only.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Regular Expression: `^.{1,30}$` |
+
+
+
+
+
+
+
+
## DesktopImageStatus
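Review bot: `CompanyLogoUrl` accepts a plain `http` URL as well as `https` and `file` for an image that is rendered on the sign-in screen, and `CompanyLogoStatus` only reports file type (4) and scheme (5) problems, not whether the download was authenticated or its contents checked. That mirrors the existing `DesktopImageUrl` text, but since this is a new pre-sign-in surface, one sentence stating the recommended scheme (https or a local file path) and what validation happens on the downloaded file would help. Two smaller points in the same hunk: the intro sentence "can set the lock screen, desktop background images and company branding on sign-in screen" needs its list fixed ("the lock screen and desktop background images, and company branding on the sign-in screen"), and the `CompanyName` regex `^.{1,30}$` should be described in words (1 to 30 characters) next to the table for readers who don't parse regex.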
@@ -90,7 +213,7 @@ This represents the status of the DesktopImage. 1 - Successfully downloaded or c
-A http or https Url to a jpg, jpeg or png image that needs to be downloaded and used as the Desktop Image or a file Url to a local image on the file system that needs to be used as the Desktop Image.
+An http or https Url to a jpg, jpeg or png image that needs to be downloaded and used as the Desktop Image or a file Url to a local image on the file system that needs to be used as the Desktop Image.
@@ -168,7 +291,7 @@ This represents the status of the LockScreenImage. 1 - Successfully downloaded o
-A http or https Url to a jpg, jpeg or png image that neeeds to be downloaded and used as the Lock Screen Image or a file Url to a local image on the file system that needs to be used as the Lock Screen Image.
+An http or https Url to a jpg, jpeg or png image that needs to be downloaded and used as the Lock Screen Image or a file Url to a local image on the file system that needs to be used as the Lock Screen Image.
diff --git a/windows/client-management/mdm/personalization-ddf.md b/windows/client-management/mdm/personalization-ddf.md
index a57ddb1e63..d9f8bf627c 100644
--- a/windows/client-management/mdm/personalization-ddf.md
+++ b/windows/client-management/mdm/personalization-ddf.md
@@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF)
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 06/02/2023
+ms.date: 10/25/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -49,7 +49,7 @@ The following XML file contains the device description framework (DDF) for the P
10.0.162991.0
- 0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD;
+ 0x4;0x1B;0x30;0x31;0x48;0x54;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBD;0xBF;0xCA;0xCB;
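Review bot: The new SKU list contains `0x88` twice, once as `0x88;` and once as `0x88*;`; the trailing asterisk looks like an editing artifact rather than a distinct SKU identifier, so please confirm the intended token and drop the duplicate. The removal of `0xCD` from the list is also not mentioned anywhere in the rendered page changes, so a short note in the PR description would help anyone tracking edition support.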
@@ -146,6 +146,92 @@ The following XML file contains the device description framework (DDF) for the P
+
+ CompanyLogoUrl
+
+
+
+
+
+
+
+ A http or https Url to a jpg, jpeg or png image that neeeds to be downloaded and used as the Company Logo or a file Url to a local image on the file system that needs to be used as the Company Logo. This setting is currently available for boot to cloud shared pc mode only.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 99.9.99999
+ 2.0
+
+
+
+
+
+
+ CompanyLogoStatus
+
+
+
+
+ This represents the status of the Company Logo. 1 - Successfully downloaded or copied. 2 - Download/Copy in progress. 3 - Download/Copy failed. 4 - Unknown file type. 5 - Unsupported Url scheme. 6 - Max retry failed. This setting is currently available for boot to cloud shared pc mode only.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 99.9.99999
+ 2.0
+
+
+
+
+ CompanyName
+
+
+
+
+
+
+
+ The name of the company to be displayed on the sign-in screen. This setting is currently available for boot to cloud shared pc mode only.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 99.9.99999
+ 2.0
+
+
+ ^.{1,30}$
+
+
+
```
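Review bot: The CompanyLogoUrl description in this DDF entry still reads "A http or https Url to a jpg, jpeg or png image that neeeds to be downloaded", while the same PR fixes exactly that typo and article ("An http", "needs") in the DesktopImage and LockScreenImage entries and in the rendered CompanyLogoUrl page; the generated DDF and the rendered page should match, so apply the same fix here. Separately, CompanyLogoStatus lists "5 - Unsupported Url scheme", which is the one place that implies only `http`, `https` and `file` are accepted; stating the accepted schemes explicitly in the CompanyLogoUrl description would make the status value self-explanatory.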
diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
index bc9ea26ab4..8ca51cb2f9 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
@@ -4,7 +4,7 @@ description: Learn about the ADMX-backed policies in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 10/03/2023
+ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -2145,6 +2145,7 @@ This article lists the ADMX-backed policies in Policy CSP.
- [EnableAllowedSources](policy-csp-desktopappinstaller.md)
- [EnableMSAppInstallerProtocol](policy-csp-desktopappinstaller.md)
- [EnableWindowsPackageManagerCommandLineInterfaces](policy-csp-desktopappinstaller.md)
+- [EnableWindowsPackageManagerConfiguration](policy-csp-desktopappinstaller.md)
## DeviceInstallation
@@ -2475,11 +2476,12 @@ This article lists the ADMX-backed policies in Policy CSP.
## MSSecurityGuide
- [ApplyUACRestrictionsToLocalAccountsOnNetworkLogon](policy-csp-mssecurityguide.md)
-- [ConfigureSMBV1Server](policy-csp-mssecurityguide.md)
- [ConfigureSMBV1ClientDriver](policy-csp-mssecurityguide.md)
+- [ConfigureSMBV1Server](policy-csp-mssecurityguide.md)
- [EnableStructuredExceptionHandlingOverwriteProtection](policy-csp-mssecurityguide.md)
-- [WDigestAuthentication](policy-csp-mssecurityguide.md)
+- [NetBTNodeTypeConfiguration](policy-csp-mssecurityguide.md)
- [TurnOnWindowsDefenderProtectionAgainstPotentiallyUnwantedApplications](policy-csp-mssecurityguide.md)
+- [WDigestAuthentication](policy-csp-mssecurityguide.md)
## MSSLegacy
@@ -2530,6 +2532,8 @@ This article lists the ADMX-backed policies in Policy CSP.
## RemoteDesktopServices
+- [LimitServerToClientClipboardRedirection](policy-csp-remotedesktopservices.md)
+- [LimitClientToServerClipboardRedirection](policy-csp-remotedesktopservices.md)
- [DoNotAllowPasswordSaving](policy-csp-remotedesktopservices.md)
- [AllowUsersToConnectRemotely](policy-csp-remotedesktopservices.md)
- [DoNotAllowDriveRedirection](policy-csp-remotedesktopservices.md)
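Review bot: The two new clipboard-redirection entries are prepended to the RemoteDesktopServices list rather than inserted in sorted order, whereas the MSSecurityGuide hunk in this same PR re-sorts its list alphabetically; for consistency, place `LimitClientToServerClipboardRedirection` and `LimitServerToClientClipboardRedirection` in alphabetical position (and in that order relative to each other).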
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md
index a1d5758c14..aec0cd363b 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md
@@ -4,7 +4,7 @@ description: Learn about the policies in Policy CSP supported by Group Policy.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 10/03/2023
+ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -691,8 +691,24 @@ This article lists the policies in Policy CSP that have a group policy mapping.
## SystemServices
+- [ConfigureComputerBrowserServiceStartupMode](policy-csp-systemservices.md)
- [ConfigureHomeGroupListenerServiceStartupMode](policy-csp-systemservices.md)
- [ConfigureHomeGroupProviderServiceStartupMode](policy-csp-systemservices.md)
+- [ConfigureIISAdminServiceStartupMode](policy-csp-systemservices.md)
+- [ConfigureInfraredMonitorServiceStartupMode](policy-csp-systemservices.md)
+- [ConfigureInternetConnectionSharingServiceStartupMode](policy-csp-systemservices.md)
+- [ConfigureLxssManagerServiceStartupMode](policy-csp-systemservices.md)
+- [ConfigureMicrosoftFTPServiceStartupMode](policy-csp-systemservices.md)
+- [ConfigureRemoteProcedureCallLocatorServiceStartupMode](policy-csp-systemservices.md)
+- [ConfigureRoutingAndRemoteAccessServiceStartupMode](policy-csp-systemservices.md)
+- [ConfigureSimpleTCPIPServicesStartupMode](policy-csp-systemservices.md)
+- [ConfigureSpecialAdministrationConsoleHelperServiceStartupMode](policy-csp-systemservices.md)
+- [ConfigureSSDPDiscoveryServiceStartupMode](policy-csp-systemservices.md)
+- [ConfigureUPnPDeviceHostServiceStartupMode](policy-csp-systemservices.md)
+- [ConfigureWebManagementServiceStartupMode](policy-csp-systemservices.md)
+- [ConfigureWindowsMediaPlayerNetworkSharingServiceStartupMode](policy-csp-systemservices.md)
+- [ConfigureWindowsMobileHotspotServiceStartupMode](policy-csp-systemservices.md)
+- [ConfigureWorldWideWebPublishingServiceStartupMode](policy-csp-systemservices.md)
- [ConfigureXboxAccessoryManagementServiceStartupMode](policy-csp-systemservices.md)
- [ConfigureXboxLiveAuthManagerServiceStartupMode](policy-csp-systemservices.md)
- [ConfigureXboxLiveGameSaveServiceStartupMode](policy-csp-systemservices.md)
@@ -829,6 +845,8 @@ This article lists the policies in Policy CSP that have a group policy mapping.
- [LogOnAsService](policy-csp-userrights.md)
- [IncreaseProcessWorkingSet](policy-csp-userrights.md)
- [DenyLogOnAsService](policy-csp-userrights.md)
+- [AdjustMemoryQuotasForProcess](policy-csp-userrights.md)
+- [AllowLogOnThroughRemoteDesktop](policy-csp-userrights.md)
## VirtualizationBasedTechnology
@@ -895,6 +913,8 @@ This article lists the policies in Policy CSP that have a group policy mapping.
- [AllowVideoInput](policy-csp-windowssandbox.md)
- [AllowPrinterRedirection](policy-csp-windowssandbox.md)
- [AllowClipboardRedirection](policy-csp-windowssandbox.md)
+- [AllowMappedFolders](policy-csp-windowssandbox.md)
+- [AllowWriteToMappedFolders](policy-csp-windowssandbox.md)
## WirelessDisplay
diff --git a/windows/client-management/mdm/policy-csp-admx-eventlog.md b/windows/client-management/mdm/policy-csp-admx-eventlog.md
index 16a23bf7bf..e7ea263655 100644
--- a/windows/client-management/mdm/policy-csp-admx-eventlog.md
+++ b/windows/client-management/mdm/policy-csp-admx-eventlog.md
@@ -4,7 +4,7 @@ description: Learn more about the ADMX_EventLog Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -955,9 +955,9 @@ This policy setting controls Event Log behavior when the log file reaches its ma
This policy setting turns on logging.
-If you enable or don't configure this policy setting, then events can be written to this log.
+- If you enable or don't configure this policy setting, then events can be written to this log.
-If the policy setting is disabled, then no new events can be logged. Events can always be read from the log, regardless of this policy setting.
+- If the policy setting is disabled, then no new events can be logged. Events can always be read from the log, regardless of this policy setting.
diff --git a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md
index f462eeaba0..2ed270ebf6 100644
--- a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md
+++ b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md
@@ -4,7 +4,7 @@ description: Learn more about the ADMX_MicrosoftDefenderAntivirus Area in Policy
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 08/30/2023
+ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -838,7 +838,7 @@ Microsoft Defender Antivirus automatically determines which applications should
Enabled:
-Specify additional allowed applications in the Options section..
+Specify additional allowed applications in the Options section.
Disabled:
@@ -1283,12 +1283,12 @@ This policy, if defined, will prevent antimalware from using the configured prox
This policy setting defines the URL of a proxy .pac file that should be used when the client attempts to connect the network for security intelligence updates and MAPS reporting. If the proxy auto-config fails or if there is no proxy auto-config specified, the client will fall back to the alternative options (in order):
1. Proxy server (if specified)
-2. Proxy .pac URL (if specified)
+1. Proxy .pac URL (if specified)
-3. None
-4. Internet Explorer proxy settings.
+1. None
+1. Internet Explorer proxy settings.
-5. Autodetect.
+1. Autodetect.
- If you enable this setting, the proxy setting will be set to use the specified proxy .pac according to the order specified above.
@@ -1349,12 +1349,12 @@ This policy setting defines the URL of a proxy .pac file that should be used whe
This policy setting allows you to configure the named proxy that should be used when the client attempts to connect to the network for security intelligence updates and MAPS reporting. If the named proxy fails or if there is no proxy specified, the client will fall back to the alternative options (in order):
1. Proxy server (if specified)
-2. Proxy .pac URL (if specified)
+1. Proxy .pac URL (if specified)
-3. None
-4. Internet Explorer proxy settings.
+1. None
+1. Internet Explorer proxy settings.
-5. Autodetect.
+1. Autodetect.
- If you enable this setting, the proxy will be set to the specified URL according to the order specified above. The URL should be proceeded with either https:// or https://.
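Review bot: The unchanged context line at the end of this hunk reads "The URL should be proceeded with either https:// or https://." Both alternatives are identical, so one of them was almost certainly `http://` before a blanket scheme rewrite, and "proceeded" should be "preceded". Since this hunk already touches the surrounding list, fix that sentence here as well.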
diff --git a/windows/client-management/mdm/policy-csp-admx-msi.md b/windows/client-management/mdm/policy-csp-admx-msi.md
index d4bedbcaf2..881922d5e8 100644
--- a/windows/client-management/mdm/policy-csp-admx-msi.md
+++ b/windows/client-management/mdm/policy-csp-admx-msi.md
@@ -4,7 +4,7 @@ description: Learn more about the ADMX_MSI Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -668,11 +668,13 @@ Also, see the "Enable user to patch elevated products" policy setting.
This policy setting prohibits Windows Installer from generating and saving the files it needs to reverse an interrupted or unsuccessful installation.
-If you enable this policy setting, Windows Installer is prevented from recording the original state of the system and sequence of changes it makes during installation. It also prevents Windows Installer from retaining files it intends to delete later. As a result, Windows Installer can't restore the computer to its original state if the installation doesn't complete.
+- If you enable this policy setting, Windows Installer is prevented from recording the original state of the system and sequence of changes it makes during installation. It also prevents Windows Installer from retaining files it intends to delete later. As a result, Windows Installer can't restore the computer to its original state if the installation doesn't complete.
This policy setting is designed to reduce the amount of temporary disk space required to install programs. Also, it prevents malicious users from interrupting an installation to gather data about the internal state of the computer or to search secure system files. However, because an incomplete installation can render the system or a program inoperable, don't use this policy setting unless it's essential.
-This policy setting appears in the Computer Configuration and User Configuration folders. If the policy setting is enabled in either folder, it's considered be enabled, even if it's explicitly disabled in the other folder.
+This policy setting appears in the Computer Configuration and User Configuration folders.
+
+- If the policy setting is enabled in either folder, it's considered be enabled, even if it's explicitly disabled in the other folder.
@@ -729,11 +731,13 @@ This policy setting appears in the Computer Configuration and User Configuration
This policy setting prohibits Windows Installer from generating and saving the files it needs to reverse an interrupted or unsuccessful installation.
-If you enable this policy setting, Windows Installer is prevented from recording the original state of the system and sequence of changes it makes during installation. It also prevents Windows Installer from retaining files it intends to delete later. As a result, Windows Installer can't restore the computer to its original state if the installation doesn't complete.
+- If you enable this policy setting, Windows Installer is prevented from recording the original state of the system and sequence of changes it makes during installation. It also prevents Windows Installer from retaining files it intends to delete later. As a result, Windows Installer can't restore the computer to its original state if the installation doesn't complete.
This policy setting is designed to reduce the amount of temporary disk space required to install programs. Also, it prevents malicious users from interrupting an installation to gather data about the internal state of the computer or to search secure system files. However, because an incomplete installation can render the system or a program inoperable, don't use this policy setting unless it's essential.
-This policy setting appears in the Computer Configuration and User Configuration folders. If the policy setting is enabled in either folder, it's considered be enabled, even if it's explicitly disabled in the other folder.
+This policy setting appears in the Computer Configuration and User Configuration folders.
+
+- If the policy setting is enabled in either folder, it's considered be enabled, even if it's explicitly disabled in the other folder.
diff --git a/windows/client-management/mdm/policy-csp-admx-nca.md b/windows/client-management/mdm/policy-csp-admx-nca.md
index 35907c1d3b..62d426d98e 100644
--- a/windows/client-management/mdm/policy-csp-admx-nca.md
+++ b/windows/client-management/mdm/policy-csp-admx-nca.md
@@ -4,7 +4,7 @@ description: Learn more about the ADMX_nca Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -53,9 +53,9 @@ Important.
At least one of the entries must be a PING: resource.
-- A Uniform Resource Locator (URL) that NCA queries with a Hypertext Transfer Protocol (HTTP) request. The contents of the web page don't matter. The syntax is "HTTP:" followed by a URL. The host portion of the URL must resolve to an IPv6 address of a Web server or contain an IPv6 address. Examples: HTTP:https://myserver.corp.contoso.com/ or HTTP:https://2002:836b:1::1/.
+- A Uniform Resource Locator (URL) that NCA queries with a Hypertext Transfer Protocol (HTTP) request. The contents of the web page don't matter. The syntax is "HTTP:" followed by a URL. The host portion of the URL must resolve to an IPv6 address of a Web server or contain an IPv6 address. Examples: HTTP:https://myserver.corp.contoso.com/ or HTTP:https://2002:836b:1::1/.
-- A Universal Naming Convention (UNC) path to a file that NCA checks for existence. The contents of the file don't matter. The syntax is "FILE:" followed by a UNC path. The ComputerName portion of the UNC path must resolve to an IPv6 address or contain an IPv6 address. Examples: FILE:\\myserver\myshare\test.txt or FILE:\\2002:836b:1::1\myshare\test.txt.
+- A Universal Naming Convention (UNC) path to a file that NCA checks for existence. The contents of the file don't matter. The syntax is "FILE:" followed by a UNC path. The ComputerName portion of the UNC path must resolve to an IPv6 address or contain an IPv6 address. Examples: FILE:\\myserver\myshare\test.txt or FILE:\\2002:836b:1::1\myshare\test.txt.
You must configure this setting to have complete NCA functionality.
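Review bot: The removed and added lines in this hunk are textually identical, so this appears to be a whitespace-only change; if that is intended, a note in the PR description would help reviewers. While touching these lines, note that the examples `HTTP:https://2002:836b:1::1/` and `FILE:\\2002:836b:1::1\myshare\test.txt` use a bare IPv6 literal; in URL syntax the host must be bracketed (`[2002:836b:1::1]`), so if the doc text may be edited independently of the ADMX source string, that is worth correcting.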
diff --git a/windows/client-management/mdm/policy-csp-admx-offlinefiles.md b/windows/client-management/mdm/policy-csp-admx-offlinefiles.md
index d1e099f8ba..6fe146e767 100644
--- a/windows/client-management/mdm/policy-csp-admx-offlinefiles.md
+++ b/windows/client-management/mdm/policy-csp-admx-offlinefiles.md
@@ -4,7 +4,7 @@ description: Learn more about the ADMX_OfflineFiles Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -1755,7 +1755,7 @@ This policy setting is triggered by the configured round trip network latency va
- If you enable this policy setting, transparent caching is enabled and configurable.
-- If you disable or don't configure this policy setting, remote files will be not be transparently cached on client computers.
+- If you disable or don't configure this policy setting, remote files won't be transparently cached on client computers.
@@ -1939,7 +1939,7 @@ Reminder balloons appear when the user's connection to a network file is lost or
This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration.
> [!TIP]
-> To set reminder balloon frequency without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, and then click the Offline Files tab. This setting corresponds to the "Display reminder balloons every ... minutes" option.
+> To set reminder balloon frequency without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, and then click the Offline Files tab. This setting corresponds to the "Display reminder balloons every .. minutes" option.
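Review bot: Replacing the ellipsis in "Display reminder balloons every ... minutes" with two dots changes a quoted UI string to something that does not match the dialog; keep the three-dot ellipsis (or the single ellipsis character) so that the quoted option text remains searchable.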
@@ -2002,7 +2002,7 @@ Reminder balloons appear when the user's connection to a network file is lost or
This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration.
> [!TIP]
-> To set reminder balloon frequency without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, and then click the Offline Files tab. This setting corresponds to the "Display reminder balloons every ... minutes" option.
+> To set reminder balloon frequency without establishing a setting, in Windows Explorer, on the Tools menu, click Folder Options, and then click the Offline Files tab. This setting corresponds to the "Display reminder balloons every .. minutes" option.
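Review bot: Same issue as in the previous hunk: the quoted UI option "Display reminder balloons every ... minutes" should keep its ellipsis rather than ".." so the quote matches the dialog text.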
diff --git a/windows/client-management/mdm/policy-csp-admx-power.md b/windows/client-management/mdm/policy-csp-admx-power.md
index ca002f8ab0..df3ab6fb49 100644
--- a/windows/client-management/mdm/policy-csp-admx-power.md
+++ b/windows/client-management/mdm/policy-csp-admx-power.md
@@ -4,7 +4,7 @@ description: Learn more about the ADMX_Power Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/23/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -102,7 +102,7 @@ This policy setting allows you to control the network connectivity state in stan
This policy setting allows you to turn on the ability for applications and services to prevent the system from sleeping.
-- If you enable this policy setting, an application or service may prevent the system from sleeping (Hybrid Sleep, Stand By, or Hibernate).
+- If you enable this policy setting, an application or service may prevent the system from sleeping (hybrid Sleep, Stand By, or Hibernate).
- If you disable or don't configure this policy setting, users control this setting.
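Review bot: Lowercasing only "Hybrid" leaves "hybrid Sleep, Stand By, or Hibernate" with mixed casing in a single list of power states; either keep "Hybrid Sleep" as a proper name alongside "Stand By" and "Hibernate", or lowercase all three consistently.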
@@ -885,7 +885,7 @@ This policy setting allows you to control the network connectivity state in stan
This policy setting allows you to turn on the ability for applications and services to prevent the system from sleeping.
-- If you enable this policy setting, an application or service may prevent the system from sleeping (Hybrid Sleep, Stand By, or Hibernate).
+- If you enable this policy setting, an application or service may prevent the system from sleeping (hybrid Sleep, Stand By, or Hibernate).
- If you disable or don't configure this policy setting, users control this setting.
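Review bot: Same casing inconsistency as in the previous hunk: "hybrid Sleep, Stand By, or Hibernate" mixes cases within one list; use the same form for all three power states.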
diff --git a/windows/client-management/mdm/policy-csp-admx-securitycenter.md b/windows/client-management/mdm/policy-csp-admx-securitycenter.md
index 7195e4fc98..b485aeaea3 100644
--- a/windows/client-management/mdm/policy-csp-admx-securitycenter.md
+++ b/windows/client-management/mdm/policy-csp-admx-securitycenter.md
@@ -4,7 +4,7 @@ description: Learn more about the ADMX_Securitycenter Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -48,14 +48,6 @@ Note that Security Center can only be turned off for computers that are joined t
- If you enable this policy setting, Security Center is turned on for all users.
- If you disable this policy setting, Security Center is turned off for domain members.
-
-Windows XP SP2
-----------------------
-In Windows XP SP2, the essential security settings that are monitored by Security Center include firewall, antivirus, and Automatic Updates. Note that Security Center might not be available following a change to this policy setting until after the computer is restarted for Windows XP SP2 computers.
-
-Windows Vista
----------------------
-In Windows Vista, this policy setting monitors essential security settings to include firewall, antivirus, antispyware, Internet security settings, User Account Control, and Automatic Updates. Windows Vista computers don't require a reboot for this policy setting to take effect.
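Review bot: Removing the Windows XP SP2 and Windows Vista blocks also removes the only sentence that lists what Security Center monitors (firewall, antivirus, antispyware, Internet security settings, User Account Control, and Automatic Updates), which is useful for anyone deciding whether to enable the policy. Consider keeping that list as a version-neutral sentence while dropping the obsolete OS headings.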
diff --git a/windows/client-management/mdm/policy-csp-admx-terminalserver.md b/windows/client-management/mdm/policy-csp-admx-terminalserver.md
index 690350461f..d7950d1ff0 100644
--- a/windows/client-management/mdm/policy-csp-admx-terminalserver.md
+++ b/windows/client-management/mdm/policy-csp-admx-terminalserver.md
@@ -4,7 +4,7 @@ description: Learn more about the ADMX_TerminalServer Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 08/30/2023
+ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -1362,13 +1362,13 @@ You can use this policy setting to set a limit on the color depth of any connect
Note:
-1. Setting the color depth to 24 bits is only supported on Windows Server 2003 and Windows XP Professional.
+1. Setting the color depth to 24 bits is only supported on Windows Server 2003 and Windows XP Professional.
-2. The value specified in this policy setting isn't applied to connections from client computers that are using at least Remote Desktop Protocol 8.0 (computers running at least Windows 8 or Windows Server 2012). The 32-bit color depth format is always used for these connections.
+1. The value specified in this policy setting isn't applied to connections from client computers that are using at least Remote Desktop Protocol 8.0 (computers running at least Windows 8 or Windows Server 2012). The 32-bit color depth format is always used for these connections.
-3. For connections from client computers that are using Remote Desktop Protocol 7.1 or earlier versions that are connecting to computers running at least Windows 8 or Windows Server 2012, the minimum of the following values is used as the color depth format:
+1. For connections from client computers that are using Remote Desktop Protocol 7.1 or earlier versions that are connecting to computers running at least Windows 8 or Windows Server 2012, the minimum of the following values is used as the color depth format:
-a. Value specified by this policy setting b. Maximum color depth supported by the client c. Value requested by the client.
+a. Value specified by this policy setting b. Maximum color depth supported by the client c. Value requested by the client.
If the client doesn't support at least 16 bits, the connection is terminated.
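Review bot: The sub-items "a. Value specified by this policy setting b. Maximum color depth supported by the client c. Value requested by the client." remain run together on one line, so the "minimum of the following values" reads as a single sentence; since this hunk already reformats the numbered list, split the three sub-items onto their own lines. Also, lines 1 and the a./b./c. line are byte-identical in the before and after, so please confirm those are intended whitespace changes.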
@@ -2130,19 +2130,19 @@ To allow users to overwrite the "Set RD Gateway server address" policy setting a
This policy setting allows you to specify whether the RD Session Host server should join a farm in RD Connection Broker. RD Connection Broker tracks user sessions and allows a user to reconnect to their existing session in a load-balanced RD Session Host server farm. To participate in RD Connection Broker, the Remote Desktop Session Host role service must be installed on the server.
-If the policy setting is enabled, the RD Session Host server joins the farm that's specified in the RD Connection Broker farm name policy setting. The farm exists on the RD Connection Broker server that's specified in the Configure RD Connection Broker server name policy setting.
+- If the policy setting is enabled, the RD Session Host server joins the farm that's specified in the RD Connection Broker farm name policy setting. The farm exists on the RD Connection Broker server that's specified in the Configure RD Connection Broker server name policy setting.
-- If you disable this policy setting, the server doesn't join a farm in RD Connection Broker, and user session tracking isn't performed. If the policy setting is disabled, you can't use either the Remote Desktop Session Host Configuration tool or the Remote Desktop Services WMI Provider to join the server to RD Connection Broker.
+- If you disable this policy setting, the server doesn't join a farm in RD Connection Broker, and user session tracking isn't performed.
+
+- If the policy setting is disabled, you can't use either the Remote Desktop Session Host Configuration tool or the Remote Desktop Services WMI Provider to join the server to RD Connection Broker.
If the policy setting isn't configured, the policy setting isn't specified at the Group Policy level.
Note:
-1.
+1. - If you enable this policy setting, you must also enable the Configure RD Connection Broker farm name and Configure RD Connection Broker server name policy settings.
-- If you enable this policy setting, you must also enable the Configure RD Connection Broker farm name and Configure RD Connection Broker server name policy settings.
-
-2. For Windows Server 2008, this policy setting is supported on at least Windows Server 2008 Standard.
+1. For Windows Server 2008, this policy setting is supported on at least Windows Server 2008 Standard.
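Review bot: The line "1. - If you enable this policy setting, you must also enable ..." puts a bullet marker inside a numbered item, which renders as an ordered item containing an unordered list; drop the "- " so it reads "1. If you enable this policy setting, ...". In the same hunk, the new bullets "If you disable this policy setting, the server doesn't join a farm ..." and "If the policy setting is disabled, you can't use either the Remote Desktop Session Host Configuration tool ..." describe the same condition and were one sentence before the change; keeping them as one bullet avoids implying two distinct states.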
@@ -2330,7 +2330,7 @@ This policy setting allows you to specify the order in which an RD Session Host
1. Remote Desktop license servers that are published in Active Directory Domain Services.
-2. Remote Desktop license servers that are installed on domain controllers in the same domain as the RD Session Host server.
+1. Remote Desktop license servers that are installed on domain controllers in the same domain as the RD Session Host server.
- If you disable or don't configure this policy setting, the RD Session Host server doesn't specify a license server at the Group Policy level.
@@ -2459,7 +2459,7 @@ Per Device licensing mode requires that each device connecting to this RD Sessio
- If you disable or don't configure this policy setting, the licensing mode isn't specified at the Group Policy level.
> [!NOTE]
-> AAD Per User mode is deprecated on Windows 11 and above.
+> Microsoft Entra ID Per User mode is deprecated on Windows 11 and above.
@@ -2515,7 +2515,7 @@ Per Device licensing mode requires that each device connecting to this RD Sessio
Specifies whether Remote Desktop Services limits the number of simultaneous connections to the server.
-You can use this setting to restrict the number of Remote Desktop Services sessions that can be active on a server. If this number is exceeded, addtional users who try to connect receive an error message telling them that the server is busy and to try again later. Restricting the number of sessions improves performance because fewer sessions are demanding system resources. By default, RD Session Host servers allow an unlimited number of Remote Desktop Services sessions, and Remote Desktop for Administration allows two Remote Desktop Services sessions.
+You can use this setting to restrict the number of Remote Desktop Services sessions that can be active on a server. If this number is exceeded, additional users who try to connect receive an error message telling them that the server is busy and to try again later. Restricting the number of sessions improves performance because fewer sessions are demanding system resources. By default, RD Session Host servers allow an unlimited number of Remote Desktop Services sessions, and Remote Desktop for Administration allows two Remote Desktop Services sessions.
To use this setting, enter the number of connections you want to specify as the maximum for the server. To specify an unlimited number of connections, type 999999.
@@ -3074,13 +3074,13 @@ By default, when a new user signs in to a computer, the Start screen is shown an
1. No remote control allowed: Disallows an administrator to use remote control or view a remote user session.
-2. Full Control with user's permission: Allows the administrator to interact with the session, with the user's consent.
+1. Full Control with user's permission: Allows the administrator to interact with the session, with the user's consent.
-3. Full Control without user's permission: Allows the administrator to interact with the session, without the user's consent.
+1. Full Control without user's permission: Allows the administrator to interact with the session, without the user's consent.
-4. View Session with user's permission: Allows the administrator to watch the session of a remote user with the user's consent.
+1. View Session with user's permission: Allows the administrator to watch the session of a remote user with the user's consent.
-5. View Session without user's permission: Allows the administrator to watch the session of a remote user without the user's consent.
+1. View Session without user's permission: Allows the administrator to watch the session of a remote user without the user's consent.
- If you disable this policy setting, administrators can interact with a user's Remote Desktop Services session, with the user's consent.
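Review bot: replacing the explicit `2.` to `5.` with `1.` keeps the five options distinguishable only if the list renders as one contiguous ordered list; the entries are positional (No remote control allowed, Full Control with/without user's permission, View Session with/without user's permission), so if a blank line or the `- If you disable...` bullet that follows is parsed as a break, every item renders as `1.` and the option order is lost. Check the rendered page, or keep explicit numbers where the ordinal maps to a policy value.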
@@ -3141,13 +3141,13 @@ By default, when a new user signs in to a computer, the Start screen is shown an
1. No remote control allowed: Disallows an administrator to use remote control or view a remote user session.
-2. Full Control with user's permission: Allows the administrator to interact with the session, with the user's consent.
+1. Full Control with user's permission: Allows the administrator to interact with the session, with the user's consent.
-3. Full Control without user's permission: Allows the administrator to interact with the session, without the user's consent.
+1. Full Control without user's permission: Allows the administrator to interact with the session, without the user's consent.
-4. View Session with user's permission: Allows the administrator to watch the session of a remote user with the user's consent.
+1. View Session with user's permission: Allows the administrator to watch the session of a remote user with the user's consent.
-5. View Session without user's permission: Allows the administrator to watch the session of a remote user without the user's consent.
+1. View Session without user's permission: Allows the administrator to watch the session of a remote user without the user's consent.
- If you disable this policy setting, administrators can interact with a user's Remote Desktop Services session, with the user's consent.
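Review bot: the same positional-list concern applies to this second copy of the remote-control option list: the `1.` auto-numbering has to render as 1 to 5 for the option names to line up with their values, so verify the rendered output rather than assuming it.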
@@ -3275,7 +3275,7 @@ Note:
1. This policy setting isn't effective unless both the Join RD Connection Broker and the Configure RD Connection Broker server name policy settings are enabled and configured by using Group Policy.
-2. For Windows Server 2008, this policy setting is supported on at least Windows Server 2008 Standard.
+1. For Windows Server 2008, this policy setting is supported on at least Windows Server 2008 Standard.
@@ -3404,9 +3404,9 @@ Note:
1. For Windows Server 2008, this policy setting is supported on at least Windows Server 2008 Standard.
-2. This policy setting isn't effective unless the Join RD Connection Broker policy setting is enabled.
+1. This policy setting isn't effective unless the Join RD Connection Broker policy setting is enabled.
-3. To be an active member of an RD Session Host server farm, the computer account for each RD Session Host server in the farm must be a member of one of the following local groups on the RD Connection Broker server: Session Directory Computers, Session Broker Computers, or RDS Endpoint Servers.
+1. To be an active member of an RD Session Host server farm, the computer account for each RD Session Host server in the farm must be a member of one of the following local groups on the RD Connection Broker server: Session Directory Computers, Session Broker Computers, or RDS Endpoint Servers.
@@ -4070,14 +4070,14 @@ This policy setting allows you to configure graphics encoding to use the RemoteF
-This policy setting allows the administrator to configure the RemoteFX experience for Remote Desktop Session Host or Remote Desktop Virtualization Host servers. By default, the system will choose the best experience based on available nework bandwidth.
+This policy setting allows the administrator to configure the RemoteFX experience for Remote Desktop Session Host or Remote Desktop Virtualization Host servers. By default, the system will choose the best experience based on available network bandwidth.
- If you enable this policy setting, the RemoteFX experience could be set to one of the following options:
1. Let the system choose the experience for the network condition
-2. Optimize for server scalability.
+1. Optimize for server scalability.
-3. Optimize for minimum bandwidth usage.
+1. Optimize for minimum bandwidth usage.
- If you disable or don't configure this policy setting, the RemoteFX experience will change dynamically based on the network condition".
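Review bot: the unchanged last line of this hunk ends with a stray closing quote after `network condition"`; drop it while this paragraph is being touched. The list is also inconsistently punctuated: `1. Let the system choose the experience for the network condition` has no terminal period while the two renumbered items do, so either add one or remove the others.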
@@ -5677,7 +5677,7 @@ Note:
1. The roaming user profiles enabled by the policy setting apply only to Remote Desktop Services connections. A user might also have a Windows roaming user profile configured. The Remote Desktop Services roaming user profile always takes precedence in a Remote Desktop Services session.
-2. To configure a mandatory Remote Desktop Services roaming user profile for all users connecting remotely to the RD Session Host server, use this policy setting together with the "Use mandatory profiles on the RD Session Host server" policy setting located in Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\RD Session Host\Profiles. The path set in the "Set path for Remote Desktop Services Roaming User Profile" policy setting should contain the mandatory profile.
+1. To configure a mandatory Remote Desktop Services roaming user profile for all users connecting remotely to the RD Session Host server, use this policy setting together with the "Use mandatory profiles on the RD Session Host server" policy setting located in Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\RD Session Host\Profiles. The path set in the "Set path for Remote Desktop Services Roaming User Profile" policy setting should contain the mandatory profile.
diff --git a/windows/client-management/mdm/policy-csp-applicationdefaults.md b/windows/client-management/mdm/policy-csp-applicationdefaults.md
index 7796c7da9d..f51f27e3ee 100644
--- a/windows/client-management/mdm/policy-csp-applicationdefaults.md
+++ b/windows/client-management/mdm/policy-csp-applicationdefaults.md
@@ -4,7 +4,7 @@ description: Learn more about the ApplicationDefaults Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 10/03/2023
+ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -158,7 +158,7 @@ To create the SyncML, follow these steps:
This policy setting determines whether Windows supports web-to-app linking with app URI handlers.
-Enabling this policy setting enables web-to-app linking so that apps can be launched with a http(s) URI.
+Enabling this policy setting enables web-to-app linking so that apps can be launched with an http(s) URI.
Disabling this policy disables web-to-app linking and http(s) URIs will be opened in the default browser instead of launching the associated app.
diff --git a/windows/client-management/mdm/policy-csp-appvirtualization.md b/windows/client-management/mdm/policy-csp-appvirtualization.md
index b571cedbad..7cfb9ef14a 100644
--- a/windows/client-management/mdm/policy-csp-appvirtualization.md
+++ b/windows/client-management/mdm/policy-csp-appvirtualization.md
@@ -4,7 +4,7 @@ description: Learn more about the AppVirtualization Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/24/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -149,7 +149,7 @@ Enables Dynamic Virtualization of supported shell extensions, browser helper obj
-Enables automatic cleanup of appv packages that were added after Windows10 anniversary release.
+Enables automatic cleanup of appv packages that were added after Windows 10 anniversary release.
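Review bot: `appv packages` should read `App-V packages`, the product's own spelling, and `Windows 10 anniversary release` is the Windows 10 Anniversary Update; since this line is already being edited for the `Windows10` spacing, fix both names in the same change.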
@@ -1443,7 +1443,7 @@ Specifies the number of times to retry a dropped session.
-Specifies that streamed package contents will be not be saved to the local hard disk.
+Specifies that streamed package contents won't be saved to the local hard disk.
diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md
index e94015c259..7d6b0d757b 100644
--- a/windows/client-management/mdm/policy-csp-authentication.md
+++ b/windows/client-management/mdm/policy-csp-authentication.md
@@ -4,7 +4,7 @@ description: Learn more about the Authentication Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/24/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -90,7 +90,7 @@ This policy allows the Microsoft Entra tenant administrator to enable the self-s
-Allows an EAP cert-based authentication for a single sign on (SSO) to access internal resources.
+Allows an EAP cert-based authentication for a single sign-on (SSO) to access internal resources.
@@ -188,7 +188,7 @@ Allows EAP Fast Reconnect from being attempted for EAP Method TLS. Most restrict
-This policy allows users to use a companion device, such as a phone, fitness band, or IoT device, to sign on to a desktop computer running Windows 10. The companion device provides a second factor of authentication with Windows Hello.
+This policy allows users to use a companion device, such as a phone, fitness band, or IoT device, to sign-on to a desktop computer running Windows 10. The companion device provides a second factor of authentication with Windows Hello.
- If you enable or don't configure this policy setting, users can authenticate to Windows Hello using a companion device.
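Review bot: the change from `sign on to a desktop computer` to `sign-on to a desktop computer` introduces an error rather than fixing one: as a verb, sign on stays two words, and the hyphenated form is the noun or modifier, as in `single sign-on (SSO)` that the earlier hunk in this file correctly adopts. Revert to the two-word verb.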
@@ -413,7 +413,7 @@ This policy is intended for use on Shared PCs to enable a quick first sign-in ex
-Specifies whether connected users on AADJ devices receive a Passwordless experience on Windows.
+Specifies whether connected users on Microsoft Entra joined devices receive a Passwordless experience on Windows.
diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md
index 16d4f87720..c6cf0c0b0b 100644
--- a/windows/client-management/mdm/policy-csp-browser.md
+++ b/windows/client-management/mdm/policy-csp-browser.md
@@ -4,7 +4,7 @@ description: Learn more about the Browser Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -1044,7 +1044,7 @@ To verify AllowPasswordManager is set to 0 (not allowed):
-This policy setting lets you decide whether to turn on Pop-up Blocker. By default, Pop-up Blocker is turned on..
+This policy setting lets you decide whether to turn on Pop-up Blocker. By default, Pop-up Blocker is turned on.
- If you enable this setting, Pop-up Blocker is turned on, stopping pop-up windows from appearing.
@@ -3530,7 +3530,7 @@ Don't enable both this setting and the Keep favorites in sync between Internet E
|:--|:--|
| Name | ConfiguredFavorites |
| Friendly Name | Provision Favorites |
-| Element Name | Specify the URL which points to the file that has all the data for provisioning favorites (in html format). You can export a set of favorites from Microsoft Edge and use that html file for provisioning user machines.
URL can be specified as.
1. HTTP location: https://localhost:8080/URLs.html 2. Local network: \\network\shares\URLs.html.
3. Local file: file:///c:\\Users\\``\\Documents\\URLs.html or C:\\Users\\``\\Documents\\URLs.html. |
+| Element Name | ConfiguredFavoritesPrompt |
| Location | Computer and User Configuration |
| Path | Windows Components > Microsoft Edge |
| Registry Key Name | Software\Policies\Microsoft\MicrosoftEdge\Favorites |
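Review bot: `Element Name` is set here to the ADMX presentation element id (`ConfiguredFavoritesPrompt`), whereas the VpnKeywords mapping added in this same changeset fills the same row with the element's display label (`VPN Keywords.`); the two conventions should agree across the Policy CSP pages. Dropping the old multi-line description is right in itself: it carried the user-name placeholder as an empty pair of backticks (``C:\\Users\\``\\Documents\\URLs.html``), so the placeholder rendered empty.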
diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md
index 325dcb5961..bca45399aa 100644
--- a/windows/client-management/mdm/policy-csp-defender.md
+++ b/windows/client-management/mdm/policy-csp-defender.md
@@ -4,7 +4,7 @@ description: Learn more about the Defender Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 10/03/2023
+ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -1074,7 +1074,6 @@ This policy setting allows you to configure the maximum percentage CPU utilizati
- If you enable this setting, CPU utilization won't exceed the percentage specified.
- If you disable or don't configure this setting, CPU utilization won't exceed the default value.
-
@@ -1085,7 +1084,6 @@ This policy setting allows you to configure the maximum percentage CPU utilizati
>
> - [ScanOnlyIfIdle](defender-csp.md#configurationscanonlyifidleenabled): Instructs the product to scan only when the computer isn't in use.
> - [DisableCpuThrottleOnIdleScans](defender-csp.md#configurationdisablecputhrottleonidlescans): Instructs the product to disable CPU throttling on idle scans.
-
@@ -1352,7 +1350,7 @@ Microsoft Defender Antivirus automatically determines which applications should
Enabled:
-Specify additional allowed applications in the Options section..
+Specify additional allowed applications in the Options section.
Disabled:
@@ -2920,4 +2918,3 @@ Valid remediation action values are:
## Related articles
[Policy configuration service provider](policy-configuration-service-provider.md)
-
diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md
index c8b37170cf..5e4f2838af 100644
--- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md
+++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md
@@ -4,7 +4,7 @@ description: Learn more about the DeliveryOptimization Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -1697,8 +1697,8 @@ This policy allows an IT Admin to define the following details:
-
-This policy allows you to set one or more keywords used to recognize VPN connections.
+
+This policy allows you to set one or more keywords used to recognize VPN connections. To add multiple keywords, separate them with commas.
@@ -1721,8 +1721,12 @@ This policy allows you to set one or more keywords used to recognize VPN connect
| Name | Value |
|:--|:--|
| Name | VpnKeywords |
-| Path | DeliveryOptimization > AT > WindowsComponents > DeliveryOptimizationCat |
-| Element Name | VpnKeywords |
+| Friendly Name | VPN Keywords |
+| Element Name | VPN Keywords. |
+| Location | Computer Configuration |
+| Path | Windows Components > Delivery Optimization |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization |
+| ADMX File Name | DeliveryOptimization.admx |
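Review bot: `| Element Name | VPN Keywords. |` carries a trailing period that the adjacent `| Friendly Name | VPN Keywords |` row doesn't; unless the ADMX label literally ends with a period, drop it. Also note this row now holds the display label while the ConfiguredFavorites mapping in this changeset puts the element id (`ConfiguredFavoritesPrompt`) in the same row; settle on one convention.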
diff --git a/windows/client-management/mdm/policy-csp-desktopappinstaller.md b/windows/client-management/mdm/policy-csp-desktopappinstaller.md
index 700a225113..e0c33829f6 100644
--- a/windows/client-management/mdm/policy-csp-desktopappinstaller.md
+++ b/windows/client-management/mdm/policy-csp-desktopappinstaller.md
@@ -4,7 +4,7 @@ description: Learn more about the DesktopAppInstaller Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 10/03/2023
+ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -775,6 +775,56 @@ The settings are stored inside of a .json file on the user’s system. It may be
+
+## EnableWindowsPackageManagerConfiguration
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/DesktopAppInstaller/EnableWindowsPackageManagerConfiguration
+```
+
+
+
+
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | EnableWindowsPackageManagerConfiguration |
+| ADMX File Name | DesktopAppInstaller.admx |
+
+
+
+
+
+
+
+
## SourceAutoUpdateInterval
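Review bot: the new EnableWindowsPackageManagerConfiguration section has no description at all: nothing between the OMA-URI block and the Description framework table says what the policy does or what the `chr` string is expected to contain, and the ADMX mapping table stops at Name and ADMX File Name without the Friendly Name, Location, Path and Registry Key Name rows that the VpnKeywords mapping in this same changeset provides. The Applicable OS column is `Windows Insider Preview` only, yet this file doesn't get the `[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]` that policy-csp-remotedesktopservices.md gains in this changeset for the same situation; add it here too.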
diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md
index dcf5e542ca..601453f34d 100644
--- a/windows/client-management/mdm/policy-csp-deviceinstallation.md
+++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md
@@ -4,7 +4,7 @@ description: Learn more about the DeviceInstallation Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -365,26 +365,26 @@ Device instance IDs > Device IDs > Device setup class > Removable devices.
Device instance IDs.
1. Prevent installation of devices using drivers that match these device instance IDs
-2. Allow installation of devices using drivers that match these device instance IDs.
+1. Allow installation of devices using drivers that match these device instance IDs.
Device IDs.
-3. Prevent installation of devices using drivers that match these device IDs
-4. Allow installation of devices using drivers that match these device IDs.
+1. Prevent installation of devices using drivers that match these device IDs
+1. Allow installation of devices using drivers that match these device IDs.
Device setup class.
-5. Prevent installation of devices using drivers that match these device setup classes
-6. Allow installation of devices using drivers that match these device setup classes.
+1. Prevent installation of devices using drivers that match these device setup classes
+1. Allow installation of devices using drivers that match these device setup classes.
Removable devices.
-7. Prevent installation of removable devices.
+1. Prevent installation of removable devices.
> [!NOTE]
> This policy setting provides more granular control than the "Prevent installation of devices not described by other policy settings" policy setting. If these conflicting policy settings are enabled at the same time, the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting will be enabled and the other policy setting will be ignored.
-If you disable or don't configure this policy setting, the default evaluation is used. By default, all "Prevent installation..". policy settings have precedence over any other policy setting that allows Windows to install a device.
+If you disable or don't configure this policy setting, the default evaluation is used. By default, all "Prevent installation.". policy settings have precedence over any other policy setting that allows Windows to install a device.
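Review bot: switching items 2 to 7 to `1.` changes the meaning here, not just the markup: the original 1 to 7 was one continuous sequence spanning the four category labels (Device instance IDs, Device IDs, Device setup class, Removable devices), matching the precedence order `Device instance IDs > Device IDs > Device setup class > Removable devices` stated just above the hunk. Because each category label sits between the items, markdown now renders four separate lists restarting at 1, so the reader loses the global ordinal that the layered evaluation is about; keep explicit numbers here. Separately, the last changed line turns the intended ellipsis into a mangled `"Prevent installation.".`; it should read `"Prevent installation..." policy settings`, with the ellipsis inside the quotes and no stray period after them.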
diff --git a/windows/client-management/mdm/policy-csp-federatedauthentication.md b/windows/client-management/mdm/policy-csp-federatedauthentication.md
index efda2740d9..18426abce1 100644
--- a/windows/client-management/mdm/policy-csp-federatedauthentication.md
+++ b/windows/client-management/mdm/policy-csp-federatedauthentication.md
@@ -4,7 +4,7 @@ description: Learn more about the FederatedAuthentication Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/23/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -63,7 +63,7 @@ Specifies whether web-based sign-in is enabled with the Primary User experience.
|:--|:--|
| 0 (Default) | Feature defaults as appropriate for edition and device capabilities. As of now, all editions/devices exhibit Disabled behavior by default. However, this may change for future editions/devices. |
| 1 | Enabled. Web Sign-in Credential Provider will be enabled for device sign-in. |
-| 2 | Disabled. Web Sign-in Credential Provider isn't be enabled for device sign-in. |
+| 2 | Disabled. Web Sign-in Credential Provider won't be enabled for device sign-in. |
diff --git a/windows/client-management/mdm/policy-csp-kerberos.md b/windows/client-management/mdm/policy-csp-kerberos.md
index 60a01c822e..ed58ffd639 100644
--- a/windows/client-management/mdm/policy-csp-kerberos.md
+++ b/windows/client-management/mdm/policy-csp-kerberos.md
@@ -4,7 +4,7 @@ description: Learn more about the Kerberos Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/23/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -134,7 +134,7 @@ This policy setting allows retrieving the Microsoft Entra Kerberos Ticket Granti
| Name | Value |
|:--|:--|
| Name | CloudKerberosTicketRetrievalEnabled |
-| Friendly Name | Allow retrieving the Microsoft Entra Kerberos Ticket Granting Ticket during logon |
+| Friendly Name | Allow retrieving the Azure AD Kerberos Ticket Granting Ticket during logon |
| Location | Computer Configuration |
| Path | System > Kerberos |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters |
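Review bot: this Friendly Name goes back from `Microsoft Entra Kerberos Ticket Granting Ticket` to `Azure AD Kerberos Ticket Granting Ticket`, the opposite direction from the `AADJ devices` to `Microsoft Entra joined devices` rewording in policy-csp-authentication.md in this same changeset. If the intent is that Friendly Name must match the string shown in the Group Policy editor (that is, the text in the shipped ADMX), say so in the PR description and confirm the ADMX still uses the old name; otherwise this reads as an unintentional revert of the rebrand.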
diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
index f3317c93af..3edee263b1 100644
--- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
+++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
@@ -4,7 +4,7 @@ description: Learn more about the LocalPoliciesSecurityOptions Area in Policy CS
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 10/03/2023
+ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -4132,7 +4132,7 @@ User Account Control: Only elevate executable files that are signed and validate
-User Account Control: Only elevate UIAccess applications that are installed in secure locations This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: - ...\Program Files\, including subfolders - ...\Windows\system32\ - ...\Program Files (x86)\, including subfolders for 64-bit versions of Windows Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. The options are: - Enabled: (Default) If an application resides in a secure location in the file system, it runs only with UIAccess integrity. - Disabled: An application runs with UIAccess integrity even if it doesn't reside in a secure location in the file system.
+User Account Control: Only elevate UIAccess applications that are installed in secure locations This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: - ..\Program Files\, including subfolders - ..\Windows\system32\ - ..\Program Files (x86)\, including subfolders for 64-bit versions of Windows Note: Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting. The options are: - Enabled: (Default) If an application resides in a secure location in the file system, it runs only with UIAccess integrity. - Disabled: An application runs with UIAccess integrity even if it doesn't reside in a secure location in the file system.
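Review bot: changing `...\Program Files\`, `...\Windows\system32\` and `...\Program Files (x86)\` to the two-dot `..\` form is a regression: the three dots are an ellipsis standing for the system drive root, whereas `..\` reads as a relative parent-directory path, which is exactly the ambiguity you don't want in a list of which locations count as secure for UIAccess elevation. Keep the ellipsis, or spell the locations out with their environment variables.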
diff --git a/windows/client-management/mdm/policy-csp-mssecurityguide.md b/windows/client-management/mdm/policy-csp-mssecurityguide.md
index eaf592f322..9d94c49836 100644
--- a/windows/client-management/mdm/policy-csp-mssecurityguide.md
+++ b/windows/client-management/mdm/policy-csp-mssecurityguide.md
@@ -4,7 +4,7 @@ description: Learn more about the MSSecurityGuide Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -222,6 +222,56 @@ ms.topic: reference
+
+## NetBTNodeTypeConfiguration
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/MSSecurityGuide/NetBTNodeTypeConfiguration
+```
+
+
+
+
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Pol_SecGuide_0050_NetbtNodeTypeConfig |
+| ADMX File Name | SecGuide.admx |
+
+
+
+
+
+
+
+
## TurnOnWindowsDefenderProtectionAgainstPotentiallyUnwantedApplications
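Review bot: NetBTNodeTypeConfiguration is added with no description text and no value table: the policy takes a `chr` string, but nothing says what the accepted node-type values are or how they map to the ADMX element, so an administrator reading this page can't set it. The ADMX mapping table is also missing the Friendly Name, Location, Path and Registry Key Name rows that the VpnKeywords mapping added in this same changeset includes; at minimum the registry key the SecGuide.admx policy writes should be listed, since that's what anyone verifying a baseline will check.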
diff --git a/windows/client-management/mdm/policy-csp-power.md b/windows/client-management/mdm/policy-csp-power.md
index a48e9dd24b..68c365431c 100644
--- a/windows/client-management/mdm/policy-csp-power.md
+++ b/windows/client-management/mdm/policy-csp-power.md
@@ -4,7 +4,7 @@ description: Learn more about the Power Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/24/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -450,7 +450,7 @@ This policy setting allows you to specify the period of inactivity before Window
- If you disable or don't configure this policy setting, users control this setting.
-If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature.
+If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occurring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature.
@@ -510,7 +510,7 @@ This policy setting allows you to specify the period of inactivity before Window
- If you disable or don't configure this policy setting, users control this setting.
-If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature.
+If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occurring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature.
@@ -1144,7 +1144,7 @@ This policy setting allows you to specify the period of inactivity before Window
- If you disable or don't configure this policy setting, users control this setting.
-If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature.
+If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occurring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature.
@@ -1204,7 +1204,7 @@ This policy setting allows you to specify the period of inactivity before Window
- If you disable or don't configure this policy setting, users control this setting.
-If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature.
+If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occurring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature.
@@ -1258,7 +1258,7 @@ If the user has configured a slide show to run on the lock screen when the machi
-This policy setting allows you to turn off hybrid sleep.
+This policy setting allows you to turn off Hybrid Sleep.
- If you enable this policy setting, a hiberfile isn't generated when the system transitions to sleep (Stand By).
@@ -1285,7 +1285,7 @@ This policy setting allows you to turn off hybrid sleep.
| Value | Description |
|:--|:--|
| 0 (Default) | . |
-| 1 | Hybrid sleep. |
+| 1 | Hybrid Sleep. |
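Review bot: the `0 (Default)` row's description is a lone `.`, and the `1` row now says only `Hybrid Sleep.`, which doesn't state whether 1 means Hybrid Sleep is turned off or left on; given the description above (`If you enable this policy setting, a hiberfile isn't generated`), spell out the effect of each value rather than only capitalising the name.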
@@ -1325,7 +1325,7 @@ This policy setting allows you to turn off hybrid sleep.
-This policy setting allows you to turn off hybrid sleep.
+This policy setting allows you to turn off Hybrid Sleep.
- If you enable this policy setting, a hiberfile isn't generated when the system transitions to sleep (Stand By).
@@ -1352,7 +1352,7 @@ This policy setting allows you to turn off hybrid sleep.
| Value | Description |
|:--|:--|
| 0 (Default) | . |
-| 1 | Hybrid sleep. |
+| 1 | Hybrid Sleep. |
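Review bot: as in the first Hybrid Sleep value table in this file, the `0 (Default)` row is a bare `.` and the `1` row doesn't state the effect of the value; both rows need real descriptions.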
@@ -1398,7 +1398,7 @@ This policy setting allows you to specify the period of inactivity before Window
- If you disable or don't configure this policy setting, users control this setting.
-If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature.
+If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occurring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature.
@@ -1459,7 +1459,7 @@ This policy setting allows you to specify the period of inactivity before Window
- If you disable or don't configure this policy setting, users control this setting.
-If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature.
+If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occurring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature.
diff --git a/windows/client-management/mdm/policy-csp-remotedesktopservices.md b/windows/client-management/mdm/policy-csp-remotedesktopservices.md
index dd8a3fc532..a2eceff277 100644
--- a/windows/client-management/mdm/policy-csp-remotedesktopservices.md
+++ b/windows/client-management/mdm/policy-csp-remotedesktopservices.md
@@ -4,7 +4,7 @@ description: Learn more about the RemoteDesktopServices Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -18,6 +18,8 @@ ms.topic: reference
[!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)]
+[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
+
@@ -338,6 +340,114 @@ By default, Remote Desktop allows redirection of WebAuthn requests.
+
+## LimitClientToServerClipboardRedirection
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/RemoteDesktopServices/LimitClientToServerClipboardRedirection
+```
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/LimitClientToServerClipboardRedirection
+```
+
+
+
+
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | TS_CLIENT_CLIPBOARDRESTRICTION_CS |
+| ADMX File Name | terminalserver.admx |
+
+
+
+
+
+
+
+
+
+## LimitServerToClientClipboardRedirection
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/RemoteDesktopServices/LimitServerToClientClipboardRedirection
+```
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/LimitServerToClientClipboardRedirection
+```
+
+
+
+
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+
+[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | TS_CLIENT_CLIPBOARDRESTRICTION_SC |
+| ADMX File Name | terminalserver.admx |
+
+
+
+
+
+
+
+
## PromptForPasswordUponConnection
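Review bot: The two new sections, LimitClientToServerClipboardRedirection and LimitServerToClientClipboardRedirection, have no description paragraph between the OMA-URI blocks and the "Description framework properties" table, unlike the neighbouring policies in this file (the hunk header's own context reads `By default, Remote Desktop allows redirection of WebAuthn requests.`). Since these are the controls that restrict which clipboard content may cross the client/server boundary, each section should state what the client-to-server and server-to-client directions limit and what the `chr` value is expected to carry; the ADMX-backed note covers the encoding, not the setting's meaning. The long runs of empty `+` lines also look like generator output and should be trimmed.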
diff --git a/windows/client-management/mdm/policy-csp-search.md b/windows/client-management/mdm/policy-csp-search.md
index 472bb62d54..624d6566b7 100644
--- a/windows/client-management/mdm/policy-csp-search.md
+++ b/windows/client-management/mdm/policy-csp-search.md
@@ -4,7 +4,7 @@ description: Learn more about the Search Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/24/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -102,7 +102,7 @@ Allow search and Cortana to search cloud sources like OneDrive and SharePoint.
-Allow the cortana opt-in page during windows setup out of the box experience.
+Allow the Cortana opt-in page during windows setup out of the box experience.
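Review bot: The line capitalizes "Cortana" but leaves "windows setup out of the box experience" lowercase; the product name is "Windows Setup", and the phrase is normally written "out-of-box experience (OOBE)", which is the abbreviation the value table in the next hunk of this file already uses.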
@@ -124,8 +124,8 @@ Allow the cortana opt-in page during windows setup out of the box experience.
| Value | Description |
|:--|:--|
-| 0 (Default) | Not allowed. The Cortana consent page won't appear in AAD OOBE during setup. |
-| 1 | Allowed. The Cortana consent page will appear in Azure AAD OOBE during setup. |
+| 0 (Default) | Not allowed. The Cortana consent page won't appear in Microsoft Entra ID OOBE during setup. |
+| 1 | Allowed. The Cortana consent page will appear in Azure Microsoft Entra ID OOBE during setup. |
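Review bot: The value 1 row now reads "Azure Microsoft Entra ID OOBE", stacking the old "Azure" prefix onto the new product name. Drop "Azure" so the row matches the value 0 row: `| 1 | Allowed. The Cortana consent page will appear in Microsoft Entra ID OOBE during setup. |`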
diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md
index 0d0a105c89..22ff8ce8ea 100644
--- a/windows/client-management/mdm/policy-csp-system.md
+++ b/windows/client-management/mdm/policy-csp-system.md
@@ -4,7 +4,7 @@ description: Learn more about the System Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 08/30/2023
+ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -118,7 +118,7 @@ AllowCommercialDataPipeline configures a Microsoft Entra joined device so that M
To enable this behavior:
1. Enable this policy setting
-2. Join a Microsoft Entra account to the device.
+1. Join a Microsoft Entra account to the device.
Windows diagnostic data is collected when the Allow Telemetry policy setting is set to value 1 - Required or above. Configuring this setting doesn't change the Windows diagnostic data collection level set for the device.
@@ -198,10 +198,10 @@ This policy setting, in combination with the Allow Telemetry and Configure the C
To enable this behavior:
1. Enable this policy setting
-2. Join a Microsoft Entra account to the device.
+1. Join a Microsoft Entra account to the device.
-3. Set Allow Telemetry to value 1 - Required, or higher
-4. Set the Configure the Commercial ID setting for your Desktop Analytics workspace.
+1. Set Allow Telemetry to value 1 - Required, or higher
+1. Set the Configure the Commercial ID setting for your Desktop Analytics workspace.
When these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments.
@@ -762,10 +762,10 @@ This policy setting, in combination with the Allow Telemetry and Configure the C
To enable this behavior:
1. Enable this policy setting
-2. Join a Microsoft Entra account to the device.
+1. Join a Microsoft Entra account to the device.
-3. Set Allow Telemetry to value 1 - Required, or higher
-4. Set the Configure the Commercial ID setting for your Update Compliance workspace.
+1. Set Allow Telemetry to value 1 - Required, or higher
+1. Set the Configure the Commercial ID setting for your Update Compliance workspace.
When these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments.
@@ -889,9 +889,9 @@ This policy setting configures a Microsoft Entra joined device so that Microsoft
To enable this behavior:
1. Enable this policy setting
-2. Join a Microsoft Entra account to the device.
+1. Join a Microsoft Entra account to the device.
-3. Set Allow Telemetry to value 1 - Required, or higher.
+1. Set Allow Telemetry to value 1 - Required, or higher.
When these policies are configured, Windows diagnostic data collected from the device will be subject to Microsoft processor commitments.
@@ -1999,10 +1999,10 @@ This policy setting, in combination with the "Allow Diagnostic Data" policy sett
To enable the behavior described above, complete the following steps:
1. Enable this policy setting
-2. Set the "Allow Diagnostic Data" policy to "Send optional diagnostic data".
+1. Set the "Allow Diagnostic Data" policy to "Send optional diagnostic data".
-3. Enable the "Limit Dump Collection" policy
-4. Enable the "Limit Diagnostic Log Collection" policy.
+1. Enable the "Limit Dump Collection" policy
+1. Enable the "Limit Diagnostic Log Collection" policy.
When these policies are configured, Microsoft will collect only required diagnostic data and the events required by Desktop Analytics, which can be viewed at< https://go.microsoft.com/fwlink/?linkid=2116020>.
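Review bot: The unchanged last line of this hunk has a malformed autolink, `at< https://go.microsoft.com/fwlink/?linkid=2116020>`: the space follows `<` instead of preceding it, so the URL will not render as a link. Since the list right above it is being edited, change it to `at <https://go.microsoft.com/fwlink/?linkid=2116020>` in the same commit.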
diff --git a/windows/client-management/mdm/policy-csp-systemservices.md b/windows/client-management/mdm/policy-csp-systemservices.md
index 1ba198008c..b0e97a7454 100644
--- a/windows/client-management/mdm/policy-csp-systemservices.md
+++ b/windows/client-management/mdm/policy-csp-systemservices.md
@@ -4,7 +4,7 @@ description: Learn more about the SystemServices Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -20,6 +20,56 @@ ms.topic: reference
+
+## ConfigureComputerBrowserServiceStartupMode
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureComputerBrowserServiceStartupMode
+```
+
+
+
+
+This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[2-4]` |
+| Default Value | 3 |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Computer Browser |
+| Path | Windows Settings > Security Settings > System Services |
+
+
+
+
+
+
+
+
## ConfigureHomeGroupListenerServiceStartupMode
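Review bot: Style point on the description line `This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual.`: the values need a space before each parenthesis and a conjunction, for example `Automatic (2), Manual (3), or Disabled (4)`. The same sentence is templated into all sixteen sections of the following hunk, so fix it in the generator template rather than per section.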
@@ -120,6 +170,756 @@ This setting determines whether the service's start type is Automatic(2), Manual
+
+## ConfigureIISAdminServiceStartupMode
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureIISAdminServiceStartupMode
+```
+
+
+
+
+This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[2-4]` |
+| Default Value | 3 |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | IIS Admin Service |
+| Path | Windows Settings > Security Settings > System Services |
+
+
+
+
+
+
+
+
+
+## ConfigureInfraredMonitorServiceStartupMode
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureInfraredMonitorServiceStartupMode
+```
+
+
+
+
+This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[2-4]` |
+| Default Value | 3 |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Infrared Monitor Service |
+| Path | Windows Settings > Security Settings > System Services |
+
+
+
+
+
+
+
+
+
+## ConfigureInternetConnectionSharingServiceStartupMode
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureInternetConnectionSharingServiceStartupMode
+```
+
+
+
+
+This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[2-4]` |
+| Default Value | 3 |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Internet Connection Sharing (ICS) |
+| Path | Windows Settings > Security Settings > System Services |
+
+
+
+
+
+
+
+
+
+## ConfigureLxssManagerServiceStartupMode
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureLxssManagerServiceStartupMode
+```
+
+
+
+
+This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[2-4]` |
+| Default Value | 3 |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | LxssManager |
+| Path | Windows Settings > Security Settings > System Services |
+
+
+
+
+
+
+
+
+
+## ConfigureMicrosoftFTPServiceStartupMode
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureMicrosoftFTPServiceStartupMode
+```
+
+
+
+
+This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[2-4]` |
+| Default Value | 3 |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Microsoft FTP Service |
+| Path | Windows Settings > Security Settings > System Services |
+
+
+
+
+
+
+
+
+
+## ConfigureRemoteProcedureCallLocatorServiceStartupMode
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureRemoteProcedureCallLocatorServiceStartupMode
+```
+
+
+
+
+This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[2-4]` |
+| Default Value | 3 |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Remote Procedure Call (RPC) Locator |
+| Path | Windows Settings > Security Settings > System Services |
+
+
+
+
+
+
+
+
+
+## ConfigureRoutingAndRemoteAccessServiceStartupMode
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureRoutingAndRemoteAccessServiceStartupMode
+```
+
+
+
+
+This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[2-4]` |
+| Default Value | 3 |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Routing and Remote Access |
+| Path | Windows Settings > Security Settings > System Services |
+
+
+
+
+
+
+
+
+
+## ConfigureSimpleTCPIPServicesStartupMode
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureSimpleTCPIPServicesStartupMode
+```
+
+
+
+
+This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[2-4]` |
+| Default Value | 3 |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Simple TCP/IP Services |
+| Path | Windows Settings > Security Settings > System Services |
+
+
+
+
+
+
+
+
+
+## ConfigureSpecialAdministrationConsoleHelperServiceStartupMode
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureSpecialAdministrationConsoleHelperServiceStartupMode
+```
+
+
+
+
+This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[2-4]` |
+| Default Value | 3 |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Special Administration Console Helper |
+| Path | Windows Settings > Security Settings > System Services |
+
+
+
+
+
+
+
+
+
+## ConfigureSSDPDiscoveryServiceStartupMode
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureSSDPDiscoveryServiceStartupMode
+```
+
+
+
+
+This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[2-4]` |
+| Default Value | 3 |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | SSDP Discovery |
+| Path | Windows Settings > Security Settings > System Services |
+
+
+
+
+
+
+
+
+
+## ConfigureUPnPDeviceHostServiceStartupMode
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureUPnPDeviceHostServiceStartupMode
+```
+
+
+
+
+This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[2-4]` |
+| Default Value | 3 |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | UPnP Device Host |
+| Path | Windows Settings > Security Settings > System Services |
+
+
+
+
+
+
+
+
+
+## ConfigureWebManagementServiceStartupMode
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureWebManagementServiceStartupMode
+```
+
+
+
+
+This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[2-4]` |
+| Default Value | 3 |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Web Management Service |
+| Path | Windows Settings > Security Settings > System Services |
+
+
+
+
+
+
+
+
+
+## ConfigureWindowsMediaPlayerNetworkSharingServiceStartupMode
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureWindowsMediaPlayerNetworkSharingServiceStartupMode
+```
+
+
+
+
+This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[2-4]` |
+| Default Value | 3 |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Windows Media Player Network Sharing Service |
+| Path | Windows Settings > Security Settings > System Services |
+
+
+
+
+
+
+
+
+
+## ConfigureWindowsMobileHotspotServiceStartupMode
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureWindowsMobileHotspotServiceStartupMode
+```
+
+
+
+
+This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[2-4]` |
+| Default Value | 3 |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Windows Mobile Hotspot Service |
+| Path | Windows Settings > Security Settings > System Services |
+
+
+
+
+
+
+
+
+
+## ConfigureWorldWideWebPublishingServiceStartupMode
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1803 [10.0.17134] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureWorldWideWebPublishingServiceStartupMode
+```
+
+
+
+
+This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4). Default: Manual.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[2-4]` |
+| Default Value | 3 |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | World Wide Web Publishing Service |
+| Path | Windows Settings > Security Settings > System Services |
+
+
+
+
+
+
+
+
## ConfigureXboxAccessoryManagementServiceStartupMode
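Review bot: All sixteen new sections carry the identical `Default Value | 3` / `Default: Manual` boilerplate and the same Applicable OS (Windows 10, version 1803 [10.0.17134] and later), which suggests the text was generated from one template. Please confirm per service that 3 (Manual) is the default the CSP applies, and add a sentence on what the policy does when the named service is not present on the device (the IIS Admin Service, Microsoft FTP Service, Web Management Service and World Wide Web Publishing Service entries are the obvious cases), since an admin setting 4 (Disabled) for hardening will want to know whether the write succeeds or is ignored there.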
diff --git a/windows/client-management/mdm/policy-csp-troubleshooting.md b/windows/client-management/mdm/policy-csp-troubleshooting.md
index 05a793d534..96e90c4433 100644
--- a/windows/client-management/mdm/policy-csp-troubleshooting.md
+++ b/windows/client-management/mdm/policy-csp-troubleshooting.md
@@ -4,7 +4,7 @@ description: Learn more about the Troubleshooting Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -61,15 +61,15 @@ After setting this policy, you can use the following instructions to check devic
rem The following batch script triggers Recommended Troubleshooting schtasks /run /TN "\Microsoft\Windows\Diagnosis\RecommendedTroubleshootingScanner".
-2. To create a new immediate task, navigate to the Group Policy Management Editor > Computer Configuration > Preferences and select Control Panel Settings.
+1. To create a new immediate task, navigate to the Group Policy Management Editor > Computer Configuration > Preferences and select Control Panel Settings.
-3. Under Control Panel settings, right-click on Scheduled Tasks and select New. Select Immediate Task (At least Windows 7).
+1. Under Control Panel settings, right-click on Scheduled Tasks and select New. Select Immediate Task (At least Windows 7).
-4. Provide name and description as appropriate, then under Security Options set the user account to System and select the Run with highest privileges checkbox.
+1. Provide name and description as appropriate, then under Security Options set the user account to System and select the Run with highest privileges checkbox.
-5. In the Actions tab, create a new action, select Start a Program as its type, then enter the file created in step 1.
+1. In the Actions tab, create a new action, select Start a Program as its type, then enter the file created in step 1.
-6. Configure the task to deploy to your domain.
+1. Configure the task to deploy to your domain.
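Review bot: The renumbered step 4 configures the immediate task to run as System with highest privileges and step 5 points it at the batch file from step 1, but the procedure never says where that file must live. Add a sentence that the file should be stored in a location only administrators can write to; otherwise anyone able to modify it controls what runs as SYSTEM on every domain machine the task is deployed to. The back-reference "the file created in step 1" still resolves correctly after the switch to all-`1.` numbering, since Markdown renders the items sequentially.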
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md
index 9c9630b5ac..5232cbd5a3 100644
--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@@ -4,7 +4,7 @@ description: Learn more about the Update Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 10/03/2023
+ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -292,8 +292,16 @@ Allows the IT admin to manage whether Automatic Updates accepts updates signed b
-
+
This policy enables devices to get optional updates (including gradual feature rollouts (CFRs) - learn more by visiting aka.ms/AllowOptionalContent)
+
+When the policy is configured.
+
+- If "Automatically receive optional updates (including CFRs)" is selected, the device will get the latest optional updates automatically in line with the configured quality update deferrals. This includes optional cumulative updates and gradual feature rollouts (CFRs).
+
+- If "Automatically receive optional updates" is selected, the device will only get optional cumulative updates automatically, in line with the quality update deferrals.
+
+- If "Users can select which optional updates to receive" is selected, users can select which optional updates to get by visiting Settings > Windows Update > Advanced options > Optional updates. Users can also enable the toggle "Get the latest updates as soon as they're available" to automatically receive optional updates and gradual feature rollouts.
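Review bot: `When the policy is configured.` introduces the bullet list and should end with a colon, not a period. The sentence above it nests parentheses and has no terminating period: `This policy enables devices to get optional updates (including gradual feature rollouts (CFRs) - learn more by visiting aka.ms/AllowOptionalContent)`; suggest splitting it into `This policy enables devices to get optional updates, including gradual feature rollouts (CFRs). Learn more at aka.ms/AllowOptionalContent.`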
@@ -327,7 +335,12 @@ This policy enables devices to get optional updates (including gradual feature r
| Name | Value |
|:--|:--|
| Name | AllowOptionalContent |
-| Path | WindowsUpdate > AT > WindowsComponents > WindowsUpdateCat |
+| Friendly Name | Enable optional updates |
+| Location | Computer Configuration |
+| Path | Windows Components > Windows Update > Manage updates offered from Windows Update |
+| Registry Key Name | Software\Policies\Microsoft\Windows\WindowsUpdate |
+| Registry Value Name | SetAllowOptionalContent |
+| ADMX File Name | WindowsUpdate.admx |
@@ -1958,7 +1971,7 @@ If any of the following two policies are enabled, this policy has no effect:
1. No auto-restart with logged-on users for scheduled automatic updates installations.
-2. Always automatically restart at scheduled time.
+1. Always automatically restart at scheduled time.
Note that the default max active hours range is 18 hours from the active hours start time unless otherwise configured via the Specify active hours range for auto-restarts policy.
@@ -2085,7 +2098,7 @@ If any of the following two policies are enabled, this policy has no effect:
1. No auto-restart with logged-on users for scheduled automatic updates installations.
-2. Always automatically restart at scheduled time.
+1. Always automatically restart at scheduled time.
Note that the default max active hours range is 18 hours from the active hours start time unless otherwise configured via the Specify active hours range for auto-restarts policy.
@@ -3599,7 +3612,7 @@ Enabling either of the following two policies will override the above policy:
1. No auto-restart with logged-on users for scheduled automatic updates installations.
-2. Always automatically restart at scheduled time.
+1. Always automatically restart at scheduled time.
@@ -3664,7 +3677,7 @@ Enabling either of the following two policies will override the above policy:
1. No auto-restart with logged-on users for scheduled automatic updates installations.
-2. Always automatically restart at scheduled time.
+1. Always automatically restart at scheduled time.
@@ -4083,9 +4096,9 @@ If you disable or don't configure this policy, the PC will restart following the
Enabling any of the following policies will override the above policy:
1. No auto-restart with logged-on users for scheduled automatic updates installations
-2. Always automatically restart at scheduled time.
+1. Always automatically restart at scheduled time.
-3. Specify deadline before auto-restart for update installation.
+1. Specify deadline before auto-restart for update installation.
@@ -4153,9 +4166,9 @@ If you disable or don't configure this policy, the PC will restart following the
Enabling any of the following policies will override the above policy:
1. No auto-restart with logged-on users for scheduled automatic updates installations
-2. Always automatically restart at scheduled time.
+1. Always automatically restart at scheduled time.
-3. Specify deadline before auto-restart for update installation.
+1. Specify deadline before auto-restart for update installation.
@@ -4223,9 +4236,9 @@ If you disable or don't configure this policy, the PC will restart following the
Enabling any of the following policies will override the above policy:
1. No auto-restart with logged-on users for scheduled automatic updates installations
-2. Always automatically restart at scheduled time.
+1. Always automatically restart at scheduled time.
-3. Specify deadline before auto-restart for update installation.
+1. Specify deadline before auto-restart for update installation.
@@ -4293,9 +4306,9 @@ If you disable or don't configure this policy, the PC will restart following the
Enabling any of the following policies will override the above policy:
1. No auto-restart with logged-on users for scheduled automatic updates installations
-2. Always automatically restart at scheduled time.
+1. Always automatically restart at scheduled time.
-3. Specify deadline before auto-restart for update installation.
+1. Specify deadline before auto-restart for update installation.
@@ -4363,9 +4376,9 @@ If you disable or don't configure this policy, the PC will restart following the
Enabling any of the following policies will override the above policy:
1. No auto-restart with logged-on users for scheduled automatic updates installations
-2. Always automatically restart at scheduled time.
+1. Always automatically restart at scheduled time.
-3. Specify deadline before auto-restart for update installation.
+1. Specify deadline before auto-restart for update installation.
@@ -4433,9 +4446,9 @@ If you disable or don't configure this policy, the PC will restart following the
Enabling any of the following policies will override the above policy:
1. No auto-restart with logged-on users for scheduled automatic updates installations
-2. Always automatically restart at scheduled time.
+1. Always automatically restart at scheduled time.
-3. Specify deadline before auto-restart for update installation.
+1. Specify deadline before auto-restart for update installation.
diff --git a/windows/client-management/mdm/policy-csp-userrights.md b/windows/client-management/mdm/policy-csp-userrights.md
index e323789f73..39a023b122 100644
--- a/windows/client-management/mdm/policy-csp-userrights.md
+++ b/windows/client-management/mdm/policy-csp-userrights.md
@@ -4,7 +4,7 @@ description: Learn more about the UserRights Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -259,6 +259,55 @@ This user right allows a process to impersonate any user without authentication.
+
+## AdjustMemoryQuotasForProcess
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/UserRights/AdjustMemoryQuotasForProcess
+```
+
+
+
+
+Adjust memory quotas for a process - This privilege determines who can change the maximum memory that can be consumed by a process. This privilege is useful for system tuning on a group or user basis.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: `0xF000`) |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Adjust memory quotas for a process |
+| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment |
+
+
+
+
+
+
+
+
## AllowLocalLogOn
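Review bot: the `Allowed Values` row for `AdjustMemoryQuotasForProcess` says only `List (Delimiter: 0xF000)` and the description never states what the list items are (account names or SIDs) or what an unset value means, so a reader cannot tell how to write the value; add a sample string showing two principals separated by the delimiter and a sentence on what happens when the list is empty. Separately, the `Applicable OS` cell reads `Windows Insider Preview`: confirm the Insider include note (`includes/mdm-insider-csp-note.md`) is present at the top of this page, as this same patch adds it to WindowsSandbox for the same reason and removes it from WebThreatDefense and WindowsAI as they move to a shipped release.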
@@ -311,6 +360,55 @@ This user right determines which users can log on to the computer.
+
+## AllowLogOnThroughRemoteDesktop
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/UserRights/AllowLogOnThroughRemoteDesktop
+```
+
+
+
+
+Allow log on through Remote Desktop Services - This policy setting determines which users or groups can access the sign-in screen of a remote device through a Remote Desktop Services connection.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `chr` (string) |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | List (Delimiter: `0xF000`) |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Allow log on through Remote Desktop Services |
+| Path | Windows Settings > Security Settings > Local Policies > User Rights Assignment |
+
+
+
+
+
+
+
+
## BackupFilesAndDirectories
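Review bot: the `AllowLogOnThroughRemoteDesktop` description says who can reach the sign-in screen over Remote Desktop Services, but not whether a list written through this node replaces or appends to the existing assignment; that matters here more than for most settings, because an incomplete list can lock administrators out of remote sign-in and an over-broad one widens remote access to the device. Add a sentence on the replace/append semantics and, as for the other new UserRights entry in this patch, an example value in the `Allowed Values` row.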
diff --git a/windows/client-management/mdm/policy-csp-webthreatdefense.md b/windows/client-management/mdm/policy-csp-webthreatdefense.md
index a5834287ac..e415fba8e2 100644
--- a/windows/client-management/mdm/policy-csp-webthreatdefense.md
+++ b/windows/client-management/mdm/policy-csp-webthreatdefense.md
@@ -4,7 +4,7 @@ description: Learn more about the WebThreatDefense Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 08/30/2023
+ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -16,8 +16,6 @@ ms.topic: reference
# Policy CSP - WebThreatDefense
-[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
-
> [!NOTE]
@@ -30,7 +28,7 @@ ms.topic: reference
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 23H2 [10.0.22631] and later |
diff --git a/windows/client-management/mdm/policy-csp-windowsai.md b/windows/client-management/mdm/policy-csp-windowsai.md
index 5d7b09569f..bf5ad5e22a 100644
--- a/windows/client-management/mdm/policy-csp-windowsai.md
+++ b/windows/client-management/mdm/policy-csp-windowsai.md
@@ -4,7 +4,7 @@ description: Learn more about the WindowsAI Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 08/30/2023
+ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -16,8 +16,6 @@ ms.topic: reference
# Policy CSP - WindowsAI
-[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
-
@@ -28,7 +26,7 @@ ms.topic: reference
| Scope | Editions | Applicable OS |
|:--|:--|:--|
-| ❌ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview [10.0.25929.1000] |
+| ❌ Device ✅ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 [10.0.22621.2360] and later ✅ Windows 11, version 23H2 [10.0.22631] and later |
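Review bot: build identifiers in the new `Applicable OS` cell differ in precision: 22H2 is given as `[10.0.22621.2360]`, the servicing build that introduced the policy, while 23H2 is the bare `[10.0.22631]`; the WebThreatDefense hunk above uses the same bare form. That is fine if the policy is present from the initial 23H2 build, but confirm that rather than letting the two columns imply different levels of certainty.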
diff --git a/windows/client-management/mdm/policy-csp-windowslogon.md b/windows/client-management/mdm/policy-csp-windowslogon.md
index 7e57b912b3..7f43647495 100644
--- a/windows/client-management/mdm/policy-csp-windowslogon.md
+++ b/windows/client-management/mdm/policy-csp-windowslogon.md
@@ -4,7 +4,7 @@ description: Learn more about the WindowsLogon Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 10/03/2023
+ms.date: 10/24/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -104,20 +104,20 @@ After enabling this policy, you can configure its settings through the ConfigAut
-This policy setting controls the configuration under which an automatic restart and sign on and lock occurs after a restart or cold boot. If you chose "Disabled" in the "Sign-in and lock last interactive user automatically after a restart" policy, then automatic sign on won't occur and this policy doesn't need to be configured.
+This policy setting controls the configuration under which an automatic restart and sign-on and lock occurs after a restart or cold boot. If you chose "Disabled" in the "Sign-in and lock last interactive user automatically after a restart" policy, then automatic sign-on won't occur and this policy doesn't need to be configured.
- If you enable this policy setting, you can choose one of the following two options:
-1. "Enabled if BitLocker is on and not suspended" specifies that automatic sign on and lock will only occur if BitLocker is active and not suspended during the reboot or shutdown. Personal data can be accessed on the device's hard drive at this time if BitLocker isn't on or suspended during an update. BitLocker suspension temporarily removes protection for system components and data but may be needed in certain circumstances to successfully update boot-critical components.
+1. "Enabled if BitLocker is on and not suspended" specifies that automatic sign-on and lock will only occur if BitLocker is active and not suspended during the reboot or shutdown. Personal data can be accessed on the device's hard drive at this time if BitLocker isn't on or suspended during an update. BitLocker suspension temporarily removes protection for system components and data but may be needed in certain circumstances to successfully update boot-critical components.
BitLocker is suspended during updates if:
- The device doesn't have TPM 2.0 and PCR7, or
- The device doesn't use a TPM-only protector.
-2. "Always Enabled" specifies that automatic sign on will happen even if BitLocker is off or suspended during reboot or shutdown. When BitLocker isn't enabled, personal data is accessible on the hard drive. Automatic restart and sign on should only be run under this condition if you are confident that the configured device is in a secure physical location.
+2. "Always Enabled" specifies that automatic sign-on will happen even if BitLocker is off or suspended during reboot or shutdown. When BitLocker isn't enabled, personal data is accessible on the hard drive. Automatic restart and sign-on should only be run under this condition if you are confident that the configured device is in a secure physical location.
-- If you disable or don't configure this setting, automatic sign on will default to the "Enabled if BitLocker is on and not suspended" behavior.
+- If you disable or don't configure this setting, automatic sign-on will default to the "Enabled if BitLocker is on and not suspended" behavior.
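Review bot: the line `- If you enable this policy setting, you can choose one of the following two options:` appears in this hunk as a bare deletion with no matching `+` line, so if it is a real removal rather than a context line whose leading space was lost, the two numbered options below it lose their introduction; confirm the sentence survives. The `sign on` to `sign-on` change is applied consistently, and the quoted policy name `Sign-in and lock last interactive user automatically after a restart` is correctly left alone since it is the setting's own display name.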
@@ -574,7 +574,7 @@ The locations that Switch User interface appear are in the Logon UI, the Start m
-OverrideShellProgram policy allows IT admin to configure the shell program for Windows OS on a device. This policy has the highest precedence over other ways of configuring the shell program. The policy currently supports below options: 1. Not Configured: Default shell will be launched. 2. Apply Lightweight Shell: Lightweight shell doesn't have a user interface and helps the device to achieve better performance as the shell consumes limited resources over default shell. Lightweight shell contains a limited set of features, which could be consumed by applications. This configuration can be useful if the device needs to have a continuous running user interface application that would consume features offered by Lightweight shell. If you disable or don't configure this policy setting, then the default shell will be launched.
+OverrideShellProgram policy allows IT admin to configure the shell program for Windows OS on a device. This policy has the highest precedence over other ways of configuring the shell program. The policy currently supports below options: 1. Not Configured: Default shell will be launched. 2. Apply Lightweight Shell: Lightweight shell doesn't have a user interface and helps the device to achieve better performance as the shell consumes limited resources over default shell. Lightweight shell contains a limited set of features which could be consumed by applications. This configuration can be useful if the device needs to have a continuous running user interface application which would consume features offered by Lightweight shell. If you disable or don't configure this policy setting, then the default shell will be launched.
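Review bot: removing the commas before `which` in the OverrideShellProgram paragraph turns two non-restrictive clauses into restrictive ones; if that is the intent, the house style uses `that` for restrictive clauses (`a limited set of features that could be consumed by applications`), so swap the word rather than only dropping the comma. The larger readability problem in this line is untouched: `1. Not Configured: ...` and `2. Apply Lightweight Shell: ...` are run together inside one paragraph, and breaking them into a numbered list would match how the BitLocker options are laid out in the hunk above.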
diff --git a/windows/client-management/mdm/policy-csp-windowssandbox.md b/windows/client-management/mdm/policy-csp-windowssandbox.md
index 49f808e7e0..be6709c49c 100644
--- a/windows/client-management/mdm/policy-csp-windowssandbox.md
+++ b/windows/client-management/mdm/policy-csp-windowssandbox.md
@@ -4,7 +4,7 @@ description: Learn more about the WindowsSandbox Area in Policy CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 11/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -16,6 +16,8 @@ ms.topic: reference
# Policy CSP - WindowsSandbox
+[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
+
@@ -148,6 +150,56 @@ This policy setting enables or disables clipboard sharing with the sandbox.
+
+## AllowMappedFolders
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/WindowsSandbox/AllowMappedFolders
+```
+
+
+
+
+Allow mapping folders into Windows Sandbox.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-1]` |
+| Default Value | 1 |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | AllowMappedFolders |
+| Path | WindowsSandbox > AT > WindowsComponents > WindowsSandboxCat |
+
+
+
+
+
+
+
+
## AllowNetworking
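Review bot: the one-line description `Allow mapping folders into Windows Sandbox.` does not say which of the two allowed values disables mapping, nor that the default `1` leaves it enabled; since this setting decides how much of the host file system a sandboxed process can see, spell out the meaning of `0` and `1` explicitly. The `Path` cell, `WindowsSandbox > AT > WindowsComponents > WindowsSandboxCat`, also looks like raw ADMX category identifiers rather than the Group Policy editor path, in contrast to the UserRights entries in this patch, which give `Windows Settings > Security Settings > Local Policies > User Rights Assignment`; the editor path is what an administrator will search for.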
@@ -406,6 +458,57 @@ Note that there may be security implications of exposing host video input to the
+
+## AllowWriteToMappedFolders
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| ✅ Device ❌ User | ✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/WindowsSandbox/AllowWriteToMappedFolders
+```
+
+
+
+
+Allow Sandbox to write to mapped folders.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | `int` |
+| Access Type | Add, Delete, Get, Replace |
+| Allowed Values | Range: `[0-1]` |
+| Default Value | 1 |
+| Dependency [WindowsSandbox_AllowWriteToMappedFolders_DependencyGroup] | Dependency Type: `DependsOn` Dependency URI: `Device/Vendor/MSFT/Policy/Config/WindowsSandbox/AllowMappedFolders` Dependency Allowed Value: `[1]` Dependency Allowed Value Type: `Range` |
+
+
+
+**Group policy mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | AllowWriteToMappedFolders |
+| Path | WindowsSandbox > AT > WindowsComponents > WindowsSandboxCat |
+
+
+
+
+
+
+
+
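Review bot: the `Dependency` row correctly records that `AllowWriteToMappedFolders` only applies when `AllowMappedFolders` is `1`, but the description `Allow Sandbox to write to mapped folders.` should state the consequence of the default `1`, namely that code running in the sandbox can modify host files in every mapped folder, and that the other value presumably makes mapped folders read-only from inside the sandbox; that is the hardening knob readers of this section are looking for. The dependency cell also runs four fields (`Dependency Type`, `Dependency URI`, `Dependency Allowed Value`, `Dependency Allowed Value Type`) together on one line; they need separators to be readable in the rendered table.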
diff --git a/windows/client-management/mdm/secureassessment-csp.md b/windows/client-management/mdm/secureassessment-csp.md
index ce0d74fe63..1ccd2b55b5 100644
--- a/windows/client-management/mdm/secureassessment-csp.md
+++ b/windows/client-management/mdm/secureassessment-csp.md
@@ -4,7 +4,7 @@ description: Learn more about the SecureAssessment CSP.
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 08/10/2023
+ms.date: 10/23/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -327,7 +327,7 @@ Indicates if printing is required by the app.
-The user name of the test taking account. To specify a domain account, use domain\user. To specify an AAD account, use username@tenant.com. To specify a local account, use the username.
+The user name of the test taking account. To specify a domain account, use domain\user. To specify a Microsoft Entra account, use username@tenant.com. To specify a local account, use the username.
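Review bot: `test taking account` should be hyphenated as `test-taking account` while this line is being edited; the AAD to Microsoft Entra rename itself is correct. Consider also replacing `username@tenant.com` with a reserved example domain, since `tenant.com` is a real registrable domain.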
diff --git a/windows/client-management/mdm/update-csp.md b/windows/client-management/mdm/update-csp.md
index 9a3988642d..e825289b3c 100644
--- a/windows/client-management/mdm/update-csp.md
+++ b/windows/client-management/mdm/update-csp.md
@@ -8,7 +8,7 @@ ms.topic: reference
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
-ms.date: 02/23/2018
+ms.date: 11/16/2023
---
# Update CSP
@@ -40,7 +40,7 @@ The following example shows the Update configuration service provider in tree fo
----FailedUpdates
--------Failed Update Guid
------------HResult
-------------Status
+------------State
------------RevisionNumber
----InstalledUpdates
--------Installed Update Guid
@@ -63,136 +63,152 @@ The following example shows the Update configuration service provider in tree fo
```
**./Vendor/MSFT/Update**
-
The root node.
+The root node.
-
Supported operation is Get.
+Supported operation is Get.
**ApprovedUpdates**
-
Node for update approvals and EULA acceptance on behalf of the end-user.
+Node for update approvals and EULA acceptance on behalf of the end-user.
> [!NOTE]
> When the RequireUpdateApproval policy is set, the MDM uses the ApprovedUpdates list to pass the approved GUIDs. These GUIDs should be a subset of the InstallableUpdates list.
-
The MDM must first present the EULA to IT and have them accept it before the update is approved. Failure to do this is a breach of legal or contractual obligations. The EULAs can be obtained from the update metadata and have their own EULA ID. It's possible for multiple updates to share the same EULA. It is only necessary to approve the EULA once per EULA ID, not one per update.
+The MDM must first present the EULA to IT and have them accept it before the update is approved. Failure to do this is a breach of legal or contractual obligations. The EULAs can be obtained from the update metadata and have their own EULA ID. It's possible for multiple updates to share the same EULA. It is only necessary to approve the EULA once per EULA ID, not one per update.
-
The update approval list enables IT to approve individual updates and update classifications. Auto-approval by update classifications allows IT to automatically approve Definition Updates (that is, updates to the virus and spyware definitions on devices) and Security Updates (that is, product-specific updates for security-related vulnerability). The update approval list doesn't support the uninstallation of updates by revoking approval of already installed updates. Updates are approved based on UpdateID, and an UpdateID only needs to be approved once. An update UpdateID and RevisionNumber are part of the UpdateIdentity type. An UpdateID can be associated to several UpdateIdentity GUIDs due to changes to the RevisionNumber setting. MDM services must synchronize the UpdateIdentity of an UpdateID based on the latest RevisionNumber to get the latest metadata for an update. However, update approval is based on UpdateID.
+The update approval list enables IT to approve individual updates and update classifications. Auto-approval by update classifications allows IT to automatically approve Definition Updates (that is, updates to the virus and spyware definitions on devices) and Security Updates (that is, product-specific updates for security-related vulnerability). The update approval list doesn't support the uninstallation of updates by revoking approval of already installed updates. Updates are approved based on UpdateID, and an UpdateID only needs to be approved once. An update UpdateID and RevisionNumber are part of the UpdateIdentity type. An UpdateID can be associated to several UpdateIdentity GUIDs due to changes to the RevisionNumber setting. MDM services must synchronize the UpdateIdentity of an UpdateID based on the latest RevisionNumber to get the latest metadata for an update. However, update approval is based on UpdateID.
> [!NOTE]
> For the Windows 10 build, the client may need to reboot after additional updates are added.
-
Supported operations are Get and Add.
+Supported operations are Get and Add.
**ApprovedUpdates/_Approved Update Guid_**
-
Specifies the update GUID.
+Specifies the update GUID.
-
To auto-approve a class of updates, you can specify the Update Classifications GUIDs. We strongly recommend to always specify the DefinitionsUpdates classification (E0789628-CE08-4437-BE74-2495B842F43B), which are used for anti-malware signatures. These GUIDs are released periodically (several times a day). Some businesses may also want to auto-approve security updates to get them deployed quickly.
+To auto-approve a class of updates, you can specify the Update Classifications GUIDs. We strongly recommend to always specify the DefinitionsUpdates classification (E0789628-CE08-4437-BE74-2495B842F43B), which are used for anti-malware signatures. These GUIDs are released periodically (several times a day). Some businesses may also want to auto-approve security updates to get them deployed quickly.
-
Supported operations are Get and Add.
+Supported operations are Get and Add.
-
Specifies the time the update gets approved.
+Specifies the time the update gets approved.
-
Supported operations are Get and Add.
+Supported operations are Get and Add.
**FailedUpdates**
-
Specifies the approved updates that failed to install on a device.
+Specifies the approved updates that failed to install on a device.
-
Supported operation is Get.
+Supported operation is Get.
**FailedUpdates/_Failed Update Guid_**
-
Update identifier field of the UpdateIdentity GUID that represents an update that failed to download or install.
+Update identifier field of the UpdateIdentity GUID that represents an update that failed to download or install.
-
Supported operation is Get.
+Supported operation is Get.
**FailedUpdates/*Failed Update Guid*/HResult**
-
Supported operation is Get.
+Supported operation is Get.
-**FailedUpdates/*Failed Update Guid*/Status**
-
Specifies the failed update status (for example, download, install).
+**FailedUpdates/*Failed Update Guid*/State**
+Specifies the failed update state.
-
Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update.
+Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update.
-
Supported operation is Get.
+Supported operation is Get.
**InstalledUpdates**
-
The updates that are installed on the device.
+The updates that are installed on the device.
-
Supported operation is Get.
+Supported operation is Get.
**InstalledUpdates/_Installed Update Guid_**
-
UpdateIDs that represent the updates installed on a device.
+UpdateIDs that represent the updates installed on a device.
-
Supported operation is Get.
+Supported operation is Get.
**InstalledUpdates/*Installed Update Guid*/RevisionNumber**
-
Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update.
+Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update.
-
Supported operation is Get.
+Supported operation is Get.
**InstallableUpdates**
-
The updates that are applicable and not yet installed on the device. These updates include updates that aren't yet approved.
+The updates that are applicable and not yet installed on the device. These updates include updates that aren't yet approved.
-
Supported operation is Get.
+Supported operation is Get.
**InstallableUpdates/_Installable Update Guid_**
-
Update identifiers that represent the updates applicable and not installed on a device.
+Update identifiers that represent the updates applicable and not installed on a device.
-
Supported operation is Get.
+Supported operation is Get.
**InstallableUpdates/*Installable Update Guid*/Type**
-
The UpdateClassification value of the update. Valid values are:
+The UpdateClassification value of the update. Valid values are:
- 0 - None
- 1 - Security
- 2 - Critical
-
Supported operation is Get.
+Supported operation is Get.
**InstallableUpdates/*Installable Update Guid*/RevisionNumber**
-
The revision number for the update that must be passed in server to server sync to get the metadata for the update.
+The revision number for the update that must be passed in server to server sync to get the metadata for the update.
-
Supported operation is Get.
+Supported operation is Get.
**PendingRebootUpdates**
-
The updates that require a reboot to complete the update session.
+The updates that require a reboot to complete the update session.
-
Supported operation is Get.
+Supported operation is Get.
**PendingRebootUpdates/_Pending Reboot Update Guid_**
-
Update identifiers for the pending reboot state.
+Update identifiers for the pending reboot state.
-
Supported operation is Get.
+Supported operation is Get.
**PendingRebootUpdates/*Pending Reboot Update Guid*/InstalledTime**
-
The time the update is installed.
+The time the update is installed.
-
Supported operation is Get.
+Supported operation is Get.
**PendingRebootUpdates/*Pending Reboot Update Guid*/RevisionNumber**
-
Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update.
+Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update.
-
Supported operation is Get.
+Supported operation is Get.
**LastSuccessfulScanTime**
-
The last successful scan time.
+The last successful scan time.
-
Supported operation is Get.
+Supported operation is Get.
**DeferUpgrade**
-
Upgrades deferred until the next period.
+Upgrades deferred until the next period.
-
Supported operation is Get.
+Supported operation is Get.
**Rollback**
Added in Windows 10, version 1803. Node for the rollback operations.
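Review bot: the `Status` to `State` rename also drops the example values, so `Specifies the failed update state.` no longer tells the reader what values to expect where the old text gave `download, install`; keep the examples or list the enumeration. Two nodes in this hunk also appear without a bold heading: `Specifies the time the update gets approved.` between the `ApprovedUpdates/_Approved Update Guid_` and `FailedUpdates` entries, and the `Added in Windows 10, version 1703. The revision number ...` paragraph directly after `State`, which per the tree at the top of the file should be headed `FailedUpdates/*Failed Update Guid*/RevisionNumber`; confirm these headings exist and were merely not shown. Italic markers are mixed as well (`_Approved Update Guid_` vs `*Failed Update Guid*`); pick one.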
diff --git a/windows/configuration/configure-windows-10-taskbar.md b/windows/configuration/configure-windows-10-taskbar.md
index e80c753918..65937f4400 100644
--- a/windows/configuration/configure-windows-10-taskbar.md
+++ b/windows/configuration/configure-windows-10-taskbar.md
@@ -1,18 +1,10 @@
---
title: Configure Windows 10 taskbar
description: Administrators can pin more apps to the taskbar and remove default pinned apps from the taskbar by adding a section to a layout modification XML file.
-ms.prod: windows-client
author: lizgt2000
ms.author: lizlong
ms.topic: how-to
-ms.localizationpriority: medium
ms.date: 08/18/2023
-ms.reviewer:
-manager: aaroncz
-ms.collection:
- - highpri
- - tier2
-ms.technology: itpro-configure
---
# Configure Windows 10 taskbar
diff --git a/windows/configuration/customize-and-export-start-layout.md b/windows/configuration/customize-and-export-start-layout.md
index c7298fc1d3..2173e2ee20 100644
--- a/windows/configuration/customize-and-export-start-layout.md
+++ b/windows/configuration/customize-and-export-start-layout.md
@@ -10,7 +10,6 @@ ms.topic: how-to
ms.localizationpriority: medium
ms.date: 08/18/2023
ms.collection:
- - highpri
- tier1
ms.technology: itpro-configure
---
diff --git a/windows/configuration/customize-start-menu-layout-windows-11.md b/windows/configuration/customize-start-menu-layout-windows-11.md
index 7ef410564c..2e959a035a 100644
--- a/windows/configuration/customize-start-menu-layout-windows-11.md
+++ b/windows/configuration/customize-start-menu-layout-windows-11.md
@@ -1,16 +1,9 @@
---
title: Add or remove pinned apps on the Start menu in Windows 11
description: Export Start layout to LayoutModification.json with pinned apps, and add or remove pinned apps. Use the JSON text in an MDM policy to deploy a custom Start menu layout to Windows 11 devices.
-manager: aaroncz
author: lizgt2000
ms.author: lizlong
ms.reviewer: ericpapa
-ms.prod: windows-client
-ms.localizationpriority: medium
-ms.collection:
- - highpri
- - tier1
-ms.technology: itpro-configure
ms.date: 01/10/2023
ms.topic: article
---
diff --git a/windows/configuration/customize-taskbar-windows-11.md b/windows/configuration/customize-taskbar-windows-11.md
index a38e34c05c..72a4298b7c 100644
--- a/windows/configuration/customize-taskbar-windows-11.md
+++ b/windows/configuration/customize-taskbar-windows-11.md
@@ -8,7 +8,6 @@ ms.prod: windows-client
author: lizgt2000
ms.localizationpriority: medium
ms.collection:
- - highpri
- tier1
ms.technology: itpro-configure
ms.date: 08/17/2023
diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md
index 40b7d5daac..94641458ae 100644
--- a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md
+++ b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md
@@ -3,15 +3,8 @@ title: Customize Windows 10 Start and taskbar with group policy
description: In Windows 10, you can use a Group Policy Object (GPO) to deploy a customized Start layout to users in a domain.
ms.reviewer:
manager: aaroncz
-ms.prod: windows-client
author: lizgt2000
-ms.localizationpriority: medium
ms.author: lizlong
-ms.topic: article
-ms.collection:
- - highpri
- - tier2
-ms.technology: itpro-configure
ms.date: 12/31/2017
---
diff --git a/windows/configuration/docfx.json b/windows/configuration/docfx.json
index 04fb8e95d9..36c6607860 100644
--- a/windows/configuration/docfx.json
+++ b/windows/configuration/docfx.json
@@ -42,6 +42,8 @@
"uhfHeaderId": "MSDocsHeader-Windows",
"ms.technology": "itpro-configure",
"ms.topic": "article",
+ "ms.prod": "windows-client",
+ "manager": "aaroncz",
"feedback_system": "GitHub",
"feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
"feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",
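Review bot: adding `ms.prod` and `manager` to the global metadata here is what justifies removing them from the per-file front matter throughout this patch, and `ms.technology` and `ms.topic` are already defaulted in this block, so those removals are safe too; `ms.localizationpriority: medium` is also removed from several files but has no default in the visible block, so confirm it is set elsewhere in docfx.json or that falling back to the platform default is intended.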
@@ -61,7 +63,7 @@
"tiburd",
"garycentric",
"beccarobins",
- "v-stchambers",
+ "Stacyrch140",
"v-stsavell",
"American-Dipper"
],
diff --git a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md
index ee9ad89242..5b78101494 100644
--- a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md
+++ b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md
@@ -1,17 +1,10 @@
---
title: Find the Application User Model ID of an installed app
ms.reviewer: sybruckm
-manager: aaroncz
description: To configure assigned access (kiosk mode), you need the Application User Model ID (AUMID) of apps installed on a device.
author: lizgt2000
ms.author: lizlong
ms.topic: article
-ms.localizationpriority: medium
-ms.prod: windows-client
-ms.collection:
- - highpri
- - tier2
-ms.technology: itpro-configure
ms.date: 12/31/2017
---
# Find the Application User Model ID of an installed app
diff --git a/windows/configuration/guidelines-for-assigned-access-app.md b/windows/configuration/guidelines-for-assigned-access-app.md
index f1159c1544..95bcd1a788 100644
--- a/windows/configuration/guidelines-for-assigned-access-app.md
+++ b/windows/configuration/guidelines-for-assigned-access-app.md
@@ -1,16 +1,10 @@
---
title: Guidelines for choosing an app for assigned access
description: The following guidelines may help you choose an appropriate Windows app for your assigned access experience.
-ms.prod: windows-client
author: lizgt2000
-ms.localizationpriority: medium
ms.author: lizlong
ms.topic: article
ms.reviewer: sybruckm
-manager: aaroncz
-ms.collection:
- - highpri
- - tier2
ms.technology: itpro-configure
ms.date: 12/31/2017
---
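Review bot: `ms.technology: itpro-configure` is kept in this file's front matter (context line) while the same patch removes it from sibling files such as `configure-windows-10-taskbar.md` and `find-the-application-user-model-id-of-an-installed-app.md` in favor of the docfx.json default; remove it here as well so the cleanup is consistent.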
diff --git a/windows/configuration/index.yml b/windows/configuration/index.yml
index 0eace6a656..6eff88270a 100644
--- a/windows/configuration/index.yml
+++ b/windows/configuration/index.yml
@@ -9,7 +9,6 @@ metadata:
ms.topic: landing-page # Required
ms.prod: windows-client
ms.collection:
- - highpri
- tier1
author: aczechowski
ms.author: aaroncz
diff --git a/windows/configuration/kiosk-single-app.md b/windows/configuration/kiosk-single-app.md
index e74ea773a1..0218a198e2 100644
--- a/windows/configuration/kiosk-single-app.md
+++ b/windows/configuration/kiosk-single-app.md
@@ -2,16 +2,11 @@
title: Set up a single-app kiosk on Windows
description: A single-use device is easy to set up in Windows Pro, Enterprise, and Education editions.
ms.reviewer: sybruckm
-manager: aaroncz
ms.author: lizlong
-ms.prod: windows-client
author: lizgt2000
-ms.localizationpriority: medium
ms.topic: article
ms.collection:
- - highpri
- tier1
-ms.technology: itpro-configure
ms.date: 07/12/2023
---
diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md
index 89f93fc919..a32e707e87 100644
--- a/windows/configuration/lock-down-windows-10-to-specific-apps.md
+++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md
@@ -1,26 +1,19 @@
---
title: Set up a multi-app kiosk on Windows 10
description: Learn how to configure a kiosk device running Windows 10 so that users can only run a few specific apps.
-ms.prod: windows-client
-ms.technology: itpro-configure
author: lizgt2000
ms.author: lizlong
-manager: aaroncz
ms.reviewer: sybruckm
-ms.localizationpriority: medium
ms.topic: how-to
-ms.collection:
- - highpri
- - tier2
-ms.date: 12/31/2017
+ms.date: 11/08/2023
+appliesto:
+ - ✅ Windows 10 Pro
+ - ✅ Windows 10 Enterprise
+ - ✅ Windows 10 Education
---
# Set up a multi-app kiosk on Windows 10 devices
-**Applies to**
-
-- Windows 10 Pro, Enterprise, and Education
-
> [!NOTE]
> The use of multiple monitors isn't supported for multi-app kiosk mode in Windows 10.
@@ -33,13 +26,13 @@ The following table lists changes to multi-app kiosk in recent updates.
| - Configure [a single-app kiosk profile](#profile) in your XML file
- Assign [group accounts to a config profile](#config-for-group-accounts)
- Configure [an account to sign in automatically](#config-for-autologon-account) | Windows 10, version 1803 |
| - Explicitly allow [some known folders when user opens file dialog box](#fileexplorernamespacerestrictions)
- [Automatically launch an app](#allowedapps) when the user signs in
- Configure a [display name for the autologon account](#config-for-autologon-account) | Windows 10, version 1809
**Important:** To use features released in Windows 10, version 1809, make sure that [your XML file](#create-xml-file) references `https://schemas.microsoft.com/AssignedAccess/201810/config`. |
->[!WARNING]
->The assigned access feature is intended for corporate-owned fixed-purpose devices, like kiosks. When the multi-app assigned access configuration is applied on the device, [certain policies](kiosk-policies.md) are enforced system-wide, and will impact other users on the device. Deleting the kiosk configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all the enforced policies (such as Start layout). A factory reset is needed to clear all the policies enforced via assigned access.
+> [!WARNING]
+> The assigned access feature is intended for corporate-owned fixed-purpose devices, like kiosks. When the multi-app assigned access configuration is applied on the device, [certain policies](kiosk-policies.md) are enforced system-wide, and will impact other users on the device. Deleting the kiosk configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all the enforced policies (such as Start layout). A factory reset is needed to clear all the policies enforced via assigned access.
You can configure multi-app kiosks using [Microsoft Intune](#intune) or a [provisioning package](#provision).
->[!TIP]
->Be sure to check the [configuration recommendations](kiosk-prepare.md) before you set up your kiosk.
+> [!TIP]
+> Be sure to check the [configuration recommendations](kiosk-prepare.md) before you set up your kiosk.
@@ -62,7 +55,7 @@ Process:
Watch how to use a provisioning package to configure a multi-app kiosk.
->[!VIDEO https://www.microsoft.com/videoplayer/embed/fa125d0f-77e4-4f64-b03e-d634a4926884?autoplay=false]
+> [!VIDEO https://www.microsoft.com/videoplayer/embed/fa125d0f-77e4-4f64-b03e-d634a4926884?autoplay=false]
If you don't want to use a provisioning package, you can deploy the configuration XML file using [mobile device management (MDM)](#use-mdm-to-deploy-the-multi-app-configuration), or you can configure assigned access using the [MDM Bridge WMI Provider](kiosk-mdm-bridge.md).
@@ -71,8 +64,8 @@ If you don't want to use a provisioning package, you can deploy the configuratio
- Windows Configuration Designer (Windows 10, version 1709 or later)
- The kiosk device must be running Windows 10 (S, Pro, Enterprise, or Education), version 1709 or later
->[!NOTE]
->For devices running versions of Windows 10 earlier than version 1709, you can [create AppLocker rules](lock-down-windows-10-applocker.md) to configure a multi-app kiosk.
+> [!NOTE]
+> For devices running versions of Windows 10 earlier than version 1709, you can [create AppLocker rules](lock-down-windows-10-applocker.md) to configure a multi-app kiosk.
### Create XML file
@@ -198,7 +191,7 @@ Starting in Windows 10 version 1809, you can explicitly allow some known folders
The following example shows how to allow user access to the Downloads folder in the common file dialog box.
->[!TIP]
+> [!TIP]
> To grant access to the Downloads folder through File Explorer, add "Explorer.exe" to the list of allowed apps, and pin a file explorer shortcut to the kiosk start menu.
```xml
@@ -278,8 +271,8 @@ The following example pins Groove Music, Movies & TV, Photos, Weather, Calculato
```
->[!NOTE]
->If an app isn't installed for the user, but is included in the Start layout XML, the app isn't shown on the Start screen.
+> [!NOTE]
+> If an app isn't installed for the user, but is included in the Start layout XML, the app isn't shown on the Start screen.

@@ -299,8 +292,8 @@ The following example hides the taskbar:
```
->[!NOTE]
->This is different from the **Automatically hide the taskbar** option in tablet mode, which shows the taskbar when swiping up from or moving the mouse pointer down to the bottom of the screen. Setting **ShowTaskbar** as **false** will always keep the taskbar hidden.
+> [!NOTE]
+> This is different from the **Automatically hide the taskbar** option in tablet mode, which shows the taskbar when swiping up from or moving the mouse pointer down to the bottom of the screen. Setting **ShowTaskbar** as **false** will always keep the taskbar hidden.
##### KioskModeApp
@@ -310,8 +303,8 @@ The following example hides the taskbar:
```
->[!IMPORTANT]
->The kiosk profile is designed for public-facing kiosk devices. We recommend that you use a local, non-administrator account. If the device is connected to your company network, using a domain or Microsoft Entra account could potentially compromise confidential information.
+> [!IMPORTANT]
+> The kiosk profile is designed for public-facing kiosk devices. We recommend that you use a local, non-administrator account. If the device is connected to your company network, using a domain or Microsoft Entra account could potentially compromise confidential information.
#### Configs
@@ -325,8 +318,8 @@ You can assign:
- [An individual account, which can be local, domain, or Microsoft Entra ID](#config-for-individual-accounts)
- [A group account, which can be local, Active Directory (domain), or Microsoft Entra ID](#config-for-group-accounts) (Applies to Windows 10, version 1803 only).
->[!NOTE]
->Configs that specify group accounts cannot use a kiosk profile, only a lockdown profile. If a group is configured to a kiosk profile, the CSP will reject the request.
+> [!NOTE]
+> Configs that specify group accounts cannot use a kiosk profile, only a lockdown profile. If a group is configured to a kiosk profile, the CSP will reject the request.
##### Config for AutoLogon Account
@@ -356,8 +349,8 @@ Starting with Windows 10 version 1809, you can configure the display name that w
On domain-joined devices, local user accounts aren't shown on the sign-in screen by default. To show the **AutoLogonAccount** on the sign-in screen, enable the following Group Policy setting: **Computer Configuration > Administrative Templates > System > Logon > Enumerate local users on domain-joined computers**. (The corresponding MDM policy setting is [WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers in the Policy CSP](/windows/client-management/mdm/policy-csp-windowslogon#windowslogon-enumeratelocalusersondomainjoinedcomputers).)
->[!IMPORTANT]
->When Exchange Active Sync (EAS) password restrictions are active on the device, the autologon feature does not work. This behavior is by design. For more informations, see [How to turn on automatic logon in Windows](/troubleshoot/windows-server/user-profiles-and-logon/turn-on-automatic-logon).
+> [!IMPORTANT]
+> When Exchange Active Sync (EAS) password restrictions are active on the device, the autologon feature does not work. This behavior is by design. For more informations, see [How to turn on automatic logon in Windows](/troubleshoot/windows-server/user-profiles-and-logon/turn-on-automatic-logon).
##### Config for individual accounts
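Review bot: "For more informations" in the IMPORTANT note is still misspelled on the + line; since the line is being rewritten anyway, change it to "For more information, see [How to turn on automatic logon in Windows](...)".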
@@ -367,13 +360,13 @@ Individual accounts are specified using ``.
- Domain account should be entered as `domain\account`.
- Microsoft Entra account must be specified in this format: `AzureAD\{email address}`. **AzureAD** must be provided _as is_, and consider it's a fixed domain name. Then follow with the Microsoft Entra ID email address. For example, `AzureAD\someone@contoso.onmicrosoft.com`
->[!WARNING]
->Assigned access can be configured via WMI or CSP to run its applications under a domain user or service account, rather than a local account. However, use of domain user or service accounts introduces risks that an attacker subverting the assigned access application might gain access to sensitive domain resources that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with assigned access, and consider the domain resources potentially exposed by the decision to do so.
+> [!WARNING]
+> Assigned access can be configured via WMI or CSP to run its applications under a domain user or service account, rather than a local account. However, use of domain user or service accounts introduces risks that an attacker subverting the assigned access application might gain access to sensitive domain resources that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with assigned access, and consider the domain resources potentially exposed by the decision to do so.
Before applying the multi-app configuration, make sure the specified user account is available on the device, otherwise it will fail.
->[!NOTE]
->For both domain and Microsoft Entra accounts, it's not required that target account is explicitly added to the device. As long as the device is AD-joined or Microsoft Entra joined, the account can be discovered in the domain forest or tenant that the device is joined to. For local accounts, it is required that the account exist before you configure the account for assigned access.
+> [!NOTE]
+> For both domain and Microsoft Entra accounts, it's not required that target account is explicitly added to the device. As long as the device is AD-joined or Microsoft Entra joined, the account can be discovered in the domain forest or tenant that the device is joined to. For local accounts, it is required that the account exist before you configure the account for assigned access.
```xml
@@ -415,8 +408,8 @@ Group accounts are specified using ``. Nested groups aren't supported
```
- >[!NOTE]
- >If a Microsoft Entra group is configured with a lockdown profile on a device, a user in the Microsoft Entra group must change their password (after the account has been created with default password on the portal) before they can sign in to this device. If the user uses the default password to sign in to the device, the user will be immediately signed out.
+ > [!NOTE]
+ > If a Microsoft Entra group is configured with a lockdown profile on a device, a user in the Microsoft Entra group must change their password (after the account has been created with default password on the portal) before they can sign in to this device. If the user uses the default password to sign in to the device, the user will be immediately signed out.
@@ -488,8 +481,8 @@ Before you add the XML file to a provisioning package, you can [validate your co
Use the Windows Configuration Designer tool to create a provisioning package. [Learn how to install Windows Configuration Designer.](provisioning-packages/provisioning-install-icd.md)
->[!IMPORTANT]
->When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
+> [!IMPORTANT]
+> When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
1. Open Windows Configuration Designer. By default: `%systemdrive%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe`.
@@ -619,8 +612,8 @@ Remove Sign Out option in Security Options UI | Enabled
Remove All Programs list from the Start Menu | Enabled - Remove and disable setting
Prevent access to drives from My Computer | Enabled - Restrict all drivers
->[!NOTE]
->When **Prevent access to drives from My Computer** is enabled, users can browse the directory structure in File Explorer, but they cannot open folders and access the contents. Also, they cannot use the **Run** dialog box or the **Map Network Drive** dialog box to view the directories on these drives. The icons representing the specified drives still appear in File Explorer, but if users double-click the icons, a message appears explaining that a setting prevents the action. This setting does not prevent users from using programs to access local and network drives. It does not prevent users from using the Disk Management snap-in to view and change drive characteristics.
+> [!NOTE]
+> When **Prevent access to drives from My Computer** is enabled, users can browse the directory structure in File Explorer, but they cannot open folders and access the contents. Also, they cannot use the **Run** dialog box or the **Map Network Drive** dialog box to view the directories on these drives. The icons representing the specified drives still appear in File Explorer, but if users double-click the icons, a message appears explaining that a setting prevents the action. This setting does not prevent users from using programs to access local and network drives. It does not prevent users from using the Disk Management snap-in to view and change drive characteristics.
### MDM policy
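Review bot: the unchanged context line just above this NOTE reads "Prevent access to drives from My Computer | Enabled - Restrict all drivers"; the Group Policy option is "Restrict all drives", not "drivers". Worth correcting while the surrounding block is being touched, since an admin copying the table value into the policy editor will not find it.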
@@ -663,8 +656,8 @@ In Windows Configuration Designer, under **ProvisioningCommands** > **DeviceCont
- Under **CommandFiles**, upload your batch file, your .lnk file, and your desktop app installation file.
- >[!IMPORTANT]
- >Paste the full file path to the .lnk file in the **CommandFiles** field. If you browse to and select the .lnk file, the file path will be changed to the path of the target of the .lnk.
+ > [!IMPORTANT]
+ > Paste the full file path to the .lnk file in the **CommandFiles** field. If you browse to and select the .lnk file, the file path will be changed to the path of the target of the .lnk.
- Under **CommandLine**, enter `cmd /c *FileName*.bat`.
diff --git a/windows/configuration/lock-down-windows-11-to-specific-apps.md b/windows/configuration/lock-down-windows-11-to-specific-apps.md
index b2c6c66985..e8f41d7572 100644
--- a/windows/configuration/lock-down-windows-11-to-specific-apps.md
+++ b/windows/configuration/lock-down-windows-11-to-specific-apps.md
@@ -15,7 +15,7 @@ ms.topic: how-to
**Applies to**
-- Windows 11 Pro, Enterprise, and Education
+- Windows 11 Pro, Enterprise, IoT Enterprise and Education
> [!NOTE]
> The use of multiple monitors is supported for multi-app kiosk mode in Windows 11.
@@ -35,8 +35,12 @@ See the table below for the different methods to configure a multi-app kiosk in
|Configuration Method|Availability|
|--------------------|------------|
|[MDM WMI Bridge Provider](#configure-a-kiosk-using-wmi-bridge) | Available May 2023|
+
+
> [!NOTE]
> For WMI Bridge/PowerShell and Provisioning package methods, you will need to create your own multi-app kiosk XML file as specified below.
@@ -319,42 +323,69 @@ Environments that use [Windows Management Instrumentation (WMI)](/windows/win32/
Here's an example of how to set AssignedAccess configuration:
1. Download the [psexec tool](/sysinternals/downloads/psexec).
-2. Run `psexec.exe -i -s cmd.exe`.
-3. In the command prompt launched by psexec.exe, enter `powershell.exe` to open PowerShell.
-4. Run the following script replacing the placeholder "your XML here, with the [XML](#create-the-xml-file) you created above.
+1. Using an elevated command prompt, run `psexec.exe -i -s cmd.exe`.
+1. In the command prompt launched by psexec.exe, enter `powershell.exe` to open PowerShell.
+1. Save the following Powershell excerpt as a PowerShell script (.ps1), replacing the placeholder "your XML here" with the [Sample Assigned Access XML](#sample-assigned-access-xml) then run the script at the Powershell prompt from the previous step.
-```xml
-$nameSpaceName="root\cimv2\mdm\dmmap"
+```powershell
+$eventLogFilterHashTable = @{
+ ProviderName = "Microsoft-Windows-AssignedAccess";
+ StartTime = Get-Date -Millisecond 0
+}
+
+$namespaceName="root\cimv2\mdm\dmmap"
$className="MDM_AssignedAccess"
$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
-Add-Type -AssemblyName System.Web
-$obj.Configuration = [System.Web.HttpUtility]::HtmlEncode(@"
+$obj.Configuration = [System.Net.WebUtility]::HtmlEncode(@"
"@)
-Set-CimInstance -CimInstance $obj
+$obj = Set-CimInstance -CimInstance $obj -ErrorVariable cimSetError -ErrorAction SilentlyContinue
+if($cimSetError) {
+ Write-Output "An ERROR occurred. Displaying error record and attempting to retrieve error logs...`n"
+ Write-Error -ErrorRecord $cimSetError[0]
+
+ $timeout = New-TimeSpan -Seconds 30
+ $stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
+ do{
+ $events = Get-WinEvent -FilterHashtable $eventLogFilterHashTable -ErrorAction Ignore
+ } until ($events.Count -or $stopwatch.Elapsed -gt $timeout) # wait for the log to be available
+
+ if($events.Count) {
+ $events | ForEach-Object {
+ Write-Output "$($_.TimeCreated) [$($_.LevelDisplayName.ToUpper())] $($_.Message -replace "`n|`r")"
+ }
+ } else {
+ Write-Warning "Timed-out attempting to retrieve event logs..."
+ }
+
+ Exit 1
+}
+
+Write-Output "Successfully applied Assigned Access configuration"
```
+
## Sample Assigned Access XML
-Compare the below to your XML file to check for correct formatting.
+This section contains a predefined XML file which can be used as a quickstart to get familiar with the Assigned Access multi-app kiosk feature on Windows 11.
```xml
+ xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
+ xmlns:win11="http://schemas.microsoft.com/AssignedAccess/2022/config">
-
-
-
-
-
+
+
+
+
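Review bot: `$obj = Set-CimInstance -CimInstance $obj -ErrorVariable cimSetError -ErrorAction SilentlyContinue` assigns the cmdlet's output, but Set-CimInstance returns nothing unless `-PassThru` is given, so `$obj` is `$null` after the call; either drop the assignment or add `-PassThru`. The `do { ... } until ($events.Count -or $stopwatch.Elapsed -gt $timeout)` loop also polls Get-WinEvent with no pause for up to 30 seconds; a `Start-Sleep -Milliseconds 500` inside the loop avoids the busy-wait. Switching from `System.Web.HttpUtility` to `System.Net.WebUtility` is a good change, as it removes the `Add-Type -AssemblyName System.Web` dependency. In the step text, "Powershell" (twice) should be "PowerShell".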
@@ -362,11 +393,10 @@ Compare the below to your XML file to check for correct formatting.
{ "pinnedList":[
{"packagedAppId":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"},
{"packagedAppId":"Microsoft.Windows.Photos_8wekyb3d8bbwe!App"},
- {"packagedAppId":"Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic"},
- {"packagedAppId":"Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo"},
{"packagedAppId":"Microsoft.BingWeather_8wekyb3d8bbwe!App"},
- {"desktopAppLink":"%ALLUSERSPROFILE%\\Microsoft\\Windows\\StartMenu\\Programs\\Accessories\\Paint.lnk"},
- {"desktopAppLink":"%APPDATA%\\Microsoft\\Windows\\StartMenu\\Programs\\Accessories\\Notepad.lnk"}
+ {"desktopAppLink":"C:\\Users\\MultiAppKioskUser\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\File Explorer.lnk"},
+ {"desktopAppLink":"C:\\Users\\MultiAppKioskUser\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools\\Command Prompt.lnk"},
+ {"desktopAppLink":"C:\\Users\\MultiAppKioskUser\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Windows PowerShell\\Windows PowerShell.lnk"}
] }
]]>
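Review bot: the quickstart pinnedList now pins Command Prompt and Windows PowerShell shortcuts to the kiosk Start menu, which is the opposite of what a lockdown sample should demonstrate; if they are included only so the sample is easy to test, say so in the sentence that introduces the sample, otherwise drop them. The replaced `%ALLUSERSPROFILE%` / `%APPDATA%` paths are also swapped for hard-coded `C:\\Users\\MultiAppKioskUser\\AppData\\Roaming\\...`, so the layout silently depends on the kiosk account being named `MultiAppKioskUser`; keeping `%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\...` (with the corrected "Start Menu" spelling, which is the actual fix here) keeps the sample account-independent.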
@@ -379,5 +409,5 @@ Compare the below to your XML file to check for correct formatting.
-
+
```
diff --git a/windows/configuration/provisioning-packages/diagnose-provisioning-packages.md b/windows/configuration/provisioning-packages/diagnose-provisioning-packages.md
index 5a71baac61..e5fbf3eb4f 100644
--- a/windows/configuration/provisioning-packages/diagnose-provisioning-packages.md
+++ b/windows/configuration/provisioning-packages/diagnose-provisioning-packages.md
@@ -1,7 +1,6 @@
---
title: Diagnose Provisioning Packages
description: Diagnose general failures in provisioning.
-ms.reviewer:
manager: aaroncz
ms.author: lizlong
ms.topic: article
@@ -9,7 +8,6 @@ ms.prod: windows-client
ms.technology: itpro-manage
author: lizgt2000
ms.date: 01/18/2023
-ms.collection: highpri
---
# Diagnose Provisioning Packages
@@ -26,16 +24,16 @@ To apply the power settings successfully with the [correct security context](/wi
## Unable to perform bulk enrollment in Microsoft Entra ID
-When [enrolling devices into Microsoft Entra ID using provisioning packages](https://techcommunity.microsoft.com/t5/intune-customer-success/bulk-join-a-windows-device-to-azure-ad-and-microsoft-endpoint/ba-p/2381400), the bulk token request will be rejected, if the user requesting a bulk token is not authorized to grant application consent. For more information, see [Configure how users consent to applications](/azure/active-directory/manage-apps/configure-user-consent).
+When [enrolling devices into Microsoft Entra ID using provisioning packages](https://techcommunity.microsoft.com/t5/intune-customer-success/bulk-join-a-windows-device-to-azure-ad-and-microsoft-endpoint/ba-p/2381400), the bulk token request is rejected, if the user requesting a bulk token isn't authorized to grant application consent. For more information, see [Configure how users consent to applications](/azure/active-directory/manage-apps/configure-user-consent).
> [!NOTE]
-> When obtaining the bulk token, you should select "No, sign in to this app only" when prompted for authentication. If you select "OK" instead without also selecting "Allow my organization to manage my device", the bulk token request may be rejected.
+> When obtaining the bulk token, you should select "No, sign in to this app only" when prompted for authentication. If you select "OK" instead without also selecting "Allow my organization to manage my device", the bulk token request might be rejected.
## Unable to apply a multivariant provisioning package
-When applying a [multivariant package](/windows/configuration/provisioning-packages/provisioning-multivariant), it may be difficult to diagnose why a certain target did not get applied. There may have been improperly authored conditions that did not evaluate as expected.
+When applying a [multivariant package](/windows/configuration/provisioning-packages/provisioning-multivariant), it might be difficult to diagnose why a certain target didn't get applied. There may have been improperly authored conditions that didn't evaluate as expected.
-Starting in Windows 11, version 22H2, [MdmDiagnosticsTool](/windows/client-management/diagnose-mdm-failures-in-windows-10) includes multivariant condition values to diagnose problems with multivariant packages to determine why the package was not applied.
+Starting in Windows 11, version 22H2, [MdmDiagnosticsTool](/windows/client-management/diagnose-mdm-failures-in-windows-10) includes multivariant condition values to diagnose problems with multivariant packages to determine why the package wasn't applied.
You can use the following PowerShell example to review the multivariant conditions in the `MDMDiagReport.xml` report:
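Review bot: in "the bulk token request is rejected, if the user requesting a bulk token isn't authorized" the comma before "if" is spurious and is carried over onto the + line; drop it.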
diff --git a/windows/configuration/provisioning-packages/provisioning-install-icd.md b/windows/configuration/provisioning-packages/provisioning-install-icd.md
index 22b8f9ad65..2f6782646c 100644
--- a/windows/configuration/provisioning-packages/provisioning-install-icd.md
+++ b/windows/configuration/provisioning-packages/provisioning-install-icd.md
@@ -1,17 +1,10 @@
---
title: Install Windows Configuration Designer
description: Learn how to install and use Windows Configuration Designer so you can easily configure devices running Windows 10/11.
-ms.prod: windows-client
author: lizgt2000
ms.author: lizlong
ms.topic: article
-ms.localizationpriority: medium
ms.reviewer: kevinsheehan
-manager: aaroncz
-ms.collection:
- - highpri
- - tier2
-ms.technology: itpro-configure
ms.date: 12/31/2017
---
diff --git a/windows/configuration/provisioning-packages/provisioning-packages.md b/windows/configuration/provisioning-packages/provisioning-packages.md
index 96dce6d256..aed5ec0d4a 100644
--- a/windows/configuration/provisioning-packages/provisioning-packages.md
+++ b/windows/configuration/provisioning-packages/provisioning-packages.md
@@ -2,16 +2,9 @@
title: Provisioning packages overview
description: With Windows 10 and Windows 11, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. Learn about what provisioning packages, are and what they do.
ms.reviewer: kevinsheehan
-manager: aaroncz
-ms.prod: windows-client
author: lizgt2000
ms.author: lizlong
ms.topic: article
-ms.localizationpriority: medium
-ms.collection:
- - highpri
- - tier2
-ms.technology: itpro-configure
ms.date: 12/31/2017
---
diff --git a/windows/configuration/set-up-shared-or-guest-pc.md b/windows/configuration/set-up-shared-or-guest-pc.md
index c8ef487740..37d205a15f 100644
--- a/windows/configuration/set-up-shared-or-guest-pc.md
+++ b/windows/configuration/set-up-shared-or-guest-pc.md
@@ -1,16 +1,12 @@
---
title: Set up a shared or guest Windows device
description: Description of how to configured Shared PC mode, which is a Windows feature that optimizes devices for shared use scenarios.
-ms.date: 10/15/2022
+ms.date: 11/08/2023
ms.prod: windows-client
ms.technology: itpro-configure
-ms.topic: reference
-ms.localizationpriority: medium
+ms.topic: how-to
author: paolomatarazzo
ms.author: paoloma
-ms.reviewer:
-manager: aaroncz
-ms.collection: tier2
appliesto:
- ✅ Windows 10
- ✅ Windows 11
diff --git a/windows/configuration/shared-devices-concepts.md b/windows/configuration/shared-devices-concepts.md
index 0138bae2ca..2fdab61b30 100644
--- a/windows/configuration/shared-devices-concepts.md
+++ b/windows/configuration/shared-devices-concepts.md
@@ -1,14 +1,10 @@
---
title: Manage multi-user and guest Windows devices
description: options to optimize Windows devices used in shared scenarios, such touchdown spaces in an enterprise, temporary customer use in retail or shared devices in a school.
-ms.date: 08/18/2023
-ms.prod: windows-client
-ms.technology: itpro-configure
+ms.date: 11/08/2023
ms.topic: concept-article
author: paolomatarazzo
ms.author: paoloma
-manager: aaroncz
-ms.collection: tier2
appliesto:
- ✅ Windows 10
- ✅ Windows 11
@@ -61,12 +57,10 @@ Shared devices require special considerations regarding power settings. Shared P
- To learn how to configure Shared PC, see [Set up a shared or guest Windows device](set-up-shared-or-guest-pc.md).
- For a list of settings configured by the different options offered by Shared PC, see the [Shared PC technical reference](shared-pc-technical.md).
-- For a list of settings exposed by the SharedPC configuration service provider, see [SharedPC CSP][WIN-3].
-- For a list of settings exposed by Windows Configuration Designer, see [SharedPC CSP][WIN-4].
+- For a list of settings exposed by the SharedPC configuration service provider, see [SharedPC CSP][WIN-1].
+- For a list of settings exposed by Windows Configuration Designer, see [SharedPC CSP][WIN-2].
------------
+
-[WIN-1]: /windows/configuration/provisioning-packages/provisioning-create-package
-[WIN-2]: /windows/configuration/provisioning-packages/provisioning-apply-package
-[WIN-3]: /windows/client-management/mdm/sharedpc-csp
-[WIN-4]: /windows/configuration/wcd/wcd-sharedpc
\ No newline at end of file
+[WIN-1]: /windows/client-management/mdm/sharedpc-csp
+[WIN-2]: /windows/configuration/wcd/wcd-sharedpc
\ No newline at end of file
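Review bot: renumbering `[WIN-3]`/`[WIN-4]` to `[WIN-1]`/`[WIN-2]` retargets any other `[WIN-1]` or `[WIN-2]` reference in this file that is outside the hunk (those keys previously pointed at provisioning-create-package and provisioning-apply-package); confirm no such references remain, or keep the original keys and just delete the two unused definitions.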
diff --git a/windows/configuration/shared-pc-technical.md b/windows/configuration/shared-pc-technical.md
index b0d626cff0..652336403e 100644
--- a/windows/configuration/shared-pc-technical.md
+++ b/windows/configuration/shared-pc-technical.md
@@ -1,16 +1,10 @@
---
title: Shared PC technical reference
description: List of policies and settings applied by the Shared PC options.
-ms.date: 10/15/2022
-ms.prod: windows-client
-ms.technology: itpro-configure
+ms.date: 11/08/2023
ms.topic: reference
-ms.localizationpriority: medium
author: paolomatarazzo
ms.author: paoloma
-ms.reviewer:
-manager: aaroncz
-ms.collection: tier2
appliesto:
- ✅ Windows 10
- ✅ Windows 11
diff --git a/windows/configuration/stop-employees-from-using-microsoft-store.md b/windows/configuration/stop-employees-from-using-microsoft-store.md
index 9d33ff603e..416187989e 100644
--- a/windows/configuration/stop-employees-from-using-microsoft-store.md
+++ b/windows/configuration/stop-employees-from-using-microsoft-store.md
@@ -1,18 +1,10 @@
---
title: Configure access to Microsoft Store
description: Learn how to configure access to Microsoft Store for client computers and mobile devices in your organization.
-ms.reviewer:
-manager: aaroncz
-ms.prod: windows-client
author: lizgt2000
ms.author: lizlong
ms.topic: conceptual
-ms.localizationpriority: medium
ms.date: 11/29/2022
-ms.collection:
- - highpri
- - tier2
-ms.technology: itpro-configure
---
# Configure access to Microsoft Store
diff --git a/windows/configuration/windows-10-start-layout-options-and-policies.md b/windows/configuration/windows-10-start-layout-options-and-policies.md
index a3d8dd29c1..2603aa56ac 100644
--- a/windows/configuration/windows-10-start-layout-options-and-policies.md
+++ b/windows/configuration/windows-10-start-layout-options-and-policies.md
@@ -1,18 +1,10 @@
---
title: Customize and manage the Windows 10 Start and taskbar layout
description: On Windows devices, customize the start menu layout and taskbar using XML, group policy, provisioning package, or MDM policy. You can add pinned folders, add a start menu size, pin apps to the taskbar, and more.
-ms.reviewer:
-manager: aaroncz
-ms.prod: windows-client
author: lizgt2000
ms.author: lizlong
ms.topic: article
-ms.localizationpriority: medium
ms.date: 08/05/2021
-ms.collection:
- - highpri
- - tier2
-ms.technology: itpro-configure
---
# Customize the Start menu and taskbar layout on Windows 10 and later devices
diff --git a/windows/configuration/windows-spotlight.md b/windows/configuration/windows-spotlight.md
index 33bd24bcc8..b80b7b3a66 100644
--- a/windows/configuration/windows-spotlight.md
+++ b/windows/configuration/windows-spotlight.md
@@ -1,17 +1,10 @@
---
title: Configure Windows Spotlight on the lock screen
description: Windows Spotlight is an option for the lock screen background that displays different background images on the lock screen.
-ms.reviewer:
-manager: aaroncz
-ms.prod: windows-client
author: lizgt2000
ms.author: lizlong
ms.topic: article
-ms.localizationpriority: medium
ms.date: 04/30/2018
-ms.collection:
- - highpri
- - tier2
ms.technology: itpro-configure
---
diff --git a/windows/deployment/customize-boot-image.md b/windows/deployment/customize-boot-image.md
index 1e160b35dd..3b52b209f3 100644
--- a/windows/deployment/customize-boot-image.md
+++ b/windows/deployment/customize-boot-image.md
@@ -56,9 +56,9 @@ This walkthrough describes how to customize a Windows PE boot image including up
For this walk-through, when the Windows ADK is installed, it's only necessary to install the **Deployment Tools**. Other products, such as Microsoft Configuration Manager and Microsoft Deployment Toolkit (MDT), may require additional features installed, such as the **User State Migration Tool (USMT)**.
- One of the tools installed when installing the the **Deployment Tools** feature is the **Deployment and Imaging Tools Environment** command prompt. When using the **Command Line** option to run the commands in this walk-through, make sure to run the commands from an elevated **Deployment and Imaging Tools Environment** command prompt. The **Deployment and Imaging Tools Environment** command prompt can be found in the Start Menu under **Windows Kits** > **Deployment and Imaging Tools Environment**.
+ One of the tools installed when installing the **Deployment Tools** feature is the **Deployment and Imaging Tools Environment** command prompt. When using the **Command Line** option to run the commands in this walk-through, make sure to run the commands from an elevated **Deployment and Imaging Tools Environment** command prompt. The **Deployment and Imaging Tools Environment** command prompt can be found in the Start Menu under **Windows Kits** > **Deployment and Imaging Tools Environment**.
- The paths in this article assume the Windows ADK was installed at the default location of `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit`. If the Windows ADK was installed to a different location, then adjust the paths during the walk-through accordingly.
+ The paths in this article assume the Windows ADK was installed at the default location of `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit`. If the Windows ADK was installed in a different location, then adjust the paths during the walk-through accordingly.
1. Download and install the **Windows PE add-on for the Windows ADK** from [Download and install the Windows ADK](/windows-hardware/get-started/adk-install). The **Windows PE add-on for the Windows ADK** is a separate download and install from the **Windows Assessment and Deployment Kit (Windows ADK)**. Make sure to individually download and install both.
@@ -70,13 +70,13 @@ This walkthrough describes how to customize a Windows PE boot image including up
>
> - Microsoft Deployment Toolkit (MDT) doesn't support versions of Windows or the Windows ADK beyond Windows 10. If using MDT, the recommendation is to instead use the [ADK for Windows 10, version 2004](/windows-hardware/get-started/adk-install#other-adk-downloads). This version was the last version of the Windows ADK supported by MDT.
>
-> - The latest versions of the **Windows PE add-on for the Windows ADK** only includes 64-bit boot images. If a 32-bit boot image is required, then the recommendation in this scenario is to also use the [ADK for Windows 10, version 2004](/windows-hardware/get-started/adk-install#other-adk-downloads). This version of the Windows ADK was the last version to include both 32-bit and 64-bit boot images.
+> - The latest versions of the **Windows PE add-on for the Windows ADK** only includes a 64-bit boot image. If a 32-bit boot image is required, then the recommendation in this scenario is to also use the [ADK for Windows 10, version 2004](/windows-hardware/get-started/adk-install#other-adk-downloads). This version of the Windows ADK was the last version to include both 32-bit and 64-bit boot images.
## Step 2: Download cumulative update (CU)
1. Go to the [Microsoft Update Catalog](https://catalog.update.microsoft.com/) site and search for the latest cumulative update. The Windows version of the cumulative update should match the version of the Windows PE boot image that is being updated.
-1. When searching the [Microsoft Update Catalog](https://catalog.update.microsoft.com/) site, use the search term `"- cumulative update for windows "` where `year` is the four digit current year, `` is the two digit current month, and `` is the version of Windows that Windows PE is based on. Make sure to include the quotes (`"`). For example, to search for the latest cumulative update for Windows 11 in August 2023, use the search term `"2023-08 cumulative update for windows 11"`, again making sure to include the quotes. If the cumulative update hasn't been released yet for the current month, then search on the previous month.
+1. When searching the [Microsoft Update Catalog](https://catalog.update.microsoft.com/) site, use the search term `"- cumulative update for windows "` where `year` is the four-digit current year, `` is the two-digit current month, and `` is the version of Windows that Windows PE is based on. Make sure to include the quotes (`"`). For example, to search for the latest cumulative update for Windows 11 in August 2023, use the search term `"2023-08 cumulative update for Windows 11"`, again making sure to include the quotes. If the cumulative update hasn't been released yet for the current month, then search for the previous month.
1. Once the cumulative update has been found, download the appropriate version for the version and architecture of Windows that matches the Windows PE boot image. For example, if the version of the Windows PE boot image is Windows 11 22H2 64-bit, then download the **Cumulative Update for Windows 11 Version 22H2 for x64-based Systems** version of the update.
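Review bot: "The latest versions of the **Windows PE add-on for the Windows ADK** only includes a 64-bit boot image" in the first changed line keeps a number-agreement error; the subject is plural, so it should read "only include a 64-bit boot image". In the search-term step, the template `"- cumulative update for windows "` shows the month and Windows-version placeholders as empty backticks, so only `year` is named in the explanation that follows; restore all three placeholders so the template visibly corresponds to the `"2023-08 cumulative update for Windows 11"` example given after it.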
@@ -249,7 +249,7 @@ The cumulative update installed later in this walkthrough doesn't affect drivers
> [!TIP]
>
-> A full set of drivers is not needed in Windows PE boot images. Only a small subset of drivers is needed that provide basic functionality while in WinPE. In most cases, no drivers need to be added to an out of box Windows ADK boot image since it already has many drivers built in. Don't add drivers to a boot image until it is verified that they are needed. When drivers do need to be added, generally only network (NIC) drivers are needed. Occasionally, mass storage (disk) may also be needed. Some Surface devices may also need keyboard and mouse drivers.
+> A full set of drivers is not needed in Windows PE boot images. Only a small subset of drivers is needed that provides basic functionality while in WinPE. In most cases, no drivers need to be added to an out-of-box Windows ADK boot image since it already has many drivers built in. Don't add drivers to a boot image until it is verified that they are needed. When drivers do need to be added, generally only network (NIC) drivers are needed. Occasionally, mass storage (disk) may also be needed. Some Surface devices may also need keyboard and mouse drivers.
> [!IMPORTANT]
>
@@ -304,9 +304,9 @@ The cumulative update installed later in this walkthrough doesn't affect drivers
---
-1. After adding an optional component to the boot image, make sure to also add the language specific component for that optional component.
+1. After adding an optional component to the boot image, make sure to also add the language-specific component for that optional component.
- Not all optional components have the language specific component. However, for optional components that do have a language specific component, make sure that the language specific component is installed.
+ Not all optional components have the language-specific component. However, for optional components that do have a language-specific component, make sure that the language-specific component is installed.
To check if an optional component has a language component, check the `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\WinPE_OCs\\` directory to see if there's a matching language component for that optional component.
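Review bot: the path in the last context line ends in `WinPE_OCs\\` with nothing between the two backslashes, which reads like a dropped placeholder for the language subfolder (for example `en-us`); since the whole point of this step is to look for the matching language component, name that placeholder explicitly so the reader knows which subdirectory of `WinPE_OCs` to check.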
@@ -507,7 +507,7 @@ DISM Package Manager: PID= TID= Failed while processing command add-pa
---
-The problem occurs when the WinPE boot image that is being serviced requires installation of a servicing stack update (SSU) before installation of the cumulative update (CU) can occur. The problem usually occurs when using older Windows ADKs and older versions of Windows PE. The suggested fix is to upgrade to the latest version of the Windows ADK and Windows PE. The latest versions of the Windows ADK and Windows PE most likely don't need a servicing stack update (SSU) installed before installing the cumulative update (CU).
+The problem occurs when the WinPE boot image that is being serviced requires the installation of a servicing stack update (SSU) before installation of the cumulative update (CU) can occur. The problem usually occurs when using older Windows ADKs and older versions of Windows PE. The suggested fix is to upgrade to the latest version of the Windows ADK and Windows PE. The latest versions of the Windows ADK and Windows PE most likely don't need a servicing stack update (SSU) installed before installing the cumulative update (CU).
For scenarios where older versions of the Windows ADK and Windows PE need to be used, for example when using Microsoft Deployment Toolkit (MDT), the servicing stack update needs to be installed before installing the cumulative update. The servicing stack update (SSU) is contained within the cumulative update (CU). To obtain the servicing stack update (SSU) so that it can be applied, it can be extracted from the cumulative update (CU).
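Review bot: "The latest versions of the Windows ADK and Windows PE most likely don't need a servicing stack update (SSU)" is a hedge in a troubleshooting paragraph, and the rewrite only adds "the installation of"; either name the versions for which the SSU step is known to be required (the text already singles out the older ADK used with MDT) or tell the reader how to decide (the `0x800f0823` error when applying the CU, which the next note uses as the trigger) rather than leaving it to probability.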
@@ -515,7 +515,7 @@ The following steps outline how to extract and then install the servicing stack
> [!IMPORTANT]
>
-> These steps are only necessary if error `0x800f0823` occurs when installing the cumulative update (CU) to the boot image. If error `0x800f0823` didn't occur when installing the cumulative update (CU) to the boot image, then skip to the next step [Step 8: Copy boot files from mounted boot image to ADK installation path](#step-8-copy-boot-files-from-mounted-boot-image-to-adk-installation-path)
+> These steps are only necessary if the error `0x800f0823` occurs when installing the cumulative update (CU) to the boot image. If error `0x800f0823` didn't occur when installing the cumulative update (CU) to the boot image, then skip to the next step [Step 8: Copy boot files from mounted boot image to ADK installation path](#step-8-copy-boot-files-from-mounted-boot-image-to-adk-installation-path)
1. Create a folder to extract the servicing stack update (SSU) into. For example, `C:\Updates\Extract`:
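Review bot: the IMPORTANT note at the changed line has no terminal period after the Step 8 link, and its two sentences refer to the same condition as "the error `0x800f0823`" and then "error `0x800f0823`"; pick one form and close the sentence.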
@@ -627,7 +627,7 @@ For more information, see [Copy-Item](/powershell/module/microsoft.powershell.ma
### [:::image type="icon" source="images/icons/command-line-18.svg"::: **Command Line**](#tab/command-line)
-From an elevated command prompt, run the following command to copy the updated bootmgr boot files from the mounted boot image to the ADK installation path. These commands also back up any existing bootmgr boot files its finds. When applicable, the commands need confirmation to overwrite any existing files:
+From an elevated command prompt, run the following command to copy the updated bootmgr boot files from the mounted boot image to the ADK installation path. These commands also back up any existing bootmgr boot files it finds. When applicable, the commands need confirmation to overwrite any existing files:
```cmd
copy "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\bootmgr.efi" "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Windows Preinstallation Environment\amd64\Media\bootmgr.bak.efi"
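Review bot: the changed line opens with "run the following command" but continues with "These commands also back up", and the block is clearly a sequence of `copy` lines; make the number agree ("run the following commands"). Because the backup is written to the fixed name `bootmgr.bak.efi`, a second run of these commands overwrites the previous backup, so the sentence about confirmation prompts should say that the original boot files survive only one update cycle unless the `.bak` copies are moved aside first.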
@@ -934,15 +934,15 @@ This process has the following advantages:
1. Helps manage components in the boot image. The process doesn't need to know what components may need to be removed from the boot image each time the boot image is rebuilt. Instead, it just needs to know what components need to be added to the boot image.
-1. It reduces the size of the boot image that can occur when components are repeatedly added to and removed from the boot image.
+1. It reduces the size of the boot image which can occur when components are repeatedly added to and removed from the boot image.
Configuration Manager updates the `boot.wim` boot image in two scenarios:
-1. When Configuration Manager is upgraded between version or a hotfix roll ups (HFRUs) is applied, `boot.wim` may be updated as part of the upgrade process.
+1. When Configuration Manager is upgraded between versions or a hotfix roll-up (HFRU) is applied, `boot.wim` may be updated as part of the upgrade process.
1. When selecting the option **Reload this boot image with the current Windows PE version from the Windows ADK** in the **Update Distribution Points Wizard**.
-In theses scenarios, the `boot.wim` boot image is updated using the `winpe.wim` boot image from the Windows ADK as described earlier in this section. This process creates a new pristine copy of the `boot.wim` boot image using the current version of the `winpe.wim` boot image that is part of the Windows ADK.
+In these scenarios, the `boot.wim` boot image is updated using the `winpe.wim` boot image from the Windows ADK as described earlier in this section. This process creates a new pristine copy of the `boot.wim` boot image using the current version of the `winpe.wim` boot image that is part of the Windows ADK.
### Which boot image should be updated with the cumulative update?
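Review bot: "It reduces the size of the boot image which can occur when components are repeatedly added to and removed from the boot image" still doesn't parse, since a size doesn't occur; the intended point is the growth that repeated add/remove cycles leave behind, so something like "It avoids the growth in boot image size that can occur when components are repeatedly added to and removed from the boot image" states it. The previous list item is a fragment ("Helps manage components in the boot image") while this one is a full sentence; keep both items in the same form.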
@@ -954,7 +954,7 @@ The `winpe.wim` boot image from the Windows ADK should be updated because if `bo
>
> Never manually update the `boot..wim` boot image. In addition to facing the same issues when manually updating the `boot.wim` boot image, the `boot..wim` boot image will also face additional issues such as:
>
-> - Any time any changes are done to the boot image, such as adding drivers, enabling the command prompt. etc, any manual changes done to the boot image, including the cumulative update, will be lost.
+> - Any time any changes are done to the boot image (adding drivers, enabling the command prompt, etc.), any manual changes done to the boot image, including the cumulative update, will be lost.
>
> - Manually changing the `boot..wim` boot image changes the hash value of the boot image. A change in the hash value of the boot image can lead to download failures when downloading the boot image from a distribution point.
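Review bot: `boot..wim` in the context lines shows a doubled dot with nothing between, which reads like a dropped placeholder for the Configuration Manager package ID; the hunk only fixes punctuation in the first bullet, so the surrounding text should name that placeholder so readers don't search for a literal `boot..wim`. The second bullet is also the stronger warning (a hash mismatch produces download failures at distribution points, which is what admins actually observe), so it deserves to lead the list.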
@@ -993,9 +993,9 @@ For a list of all available WinPE optional components including descriptions for
After updating the `winpe.wim` boot image from the Windows ADK, generate a new `boot.wim` boot image for Configuration Manager so that it contains the cumulative update. A new `boot.wim` boot image can be generated by using the following steps:
-1. Open the Microsoft Configuration manager console.
+1. Open the Microsoft Configuration Manager console.
-1. In the Microsoft Configuration manager console, navigate to **Software Library** > **Overview** > **Operating Systems** > **Boot Images**.
+1. In the Microsoft Configuration Manager console, navigate to **Software Library** > **Overview** > **Operating Systems** > **Boot Images**.
1. In the **Boot Images** pane, select the desired boot image.
@@ -1011,11 +1011,11 @@ After updating the `winpe.wim` boot image from the Windows ADK, generate a new `
1. Once the boot image finishes building, the **The task "Update Distribution Points Wizard" completed successfully**/**Completion** page appears. Select the **Close** button.
-This process updates the boot image used by Configuration Manager. It also updates the boot image and the bootmgr boot files used by any PXE enabled distribution points.
+This process updates the boot image used by Configuration Manager. It also updates the boot image and the bootmgr boot files used by any PXE-enabled distribution points.
> [!IMPORTANT]
>
-> If there are multiple boot images used in the environment for PXE enabled distribution points, make sure to update all of the PXE enabled boot images with the same cumulative update. This will ensure that the PXE enabled distribution points all use the version of the bootmgr boot files extracted from the boot images (if applicable).
+> If there are multiple boot images used in the environment for PXE-enabled distribution points, make sure to update all of the PXE-enabled boot images with the same cumulative update. This will ensure that the PXE-enabled distribution points all use the version of the bootmgr boot files extracted from the boot images (if applicable).
### Updating Configuration Manager boot media
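Review bot: "all use the version of the bootmgr boot files extracted from the boot images" in the changed IMPORTANT note is ambiguous about which version; the whole point of the note is to avoid a mix of boot files extracted from images at different update levels, so write "the same version of the bootmgr boot files". Since the note already requires applying the same cumulative update to every PXE-enabled image, saying that a mismatch leaves distribution points serving whichever bootmgr was last extracted makes the consequence concrete.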
diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md
index 8ad4658ea1..f94f31723e 100644
--- a/windows/deployment/deploy-enterprise-licenses.md
+++ b/windows/deployment/deploy-enterprise-licenses.md
@@ -14,7 +14,7 @@ ms.collection:
appliesto:
- ✅ Windows 10
- ✅ Windows 11
-ms.date: 11/23/2022
+ms.date: 11/14/2023
---
# Deploy Windows Enterprise licenses
@@ -306,6 +306,6 @@ If a device isn't able to connect to Windows Update, it can lose activation stat
## Virtual Desktop Access (VDA)
-Subscriptions to Windows Enterprise are also available for virtualized clients. Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Azure or in another [qualified multitenant hoster](https://download.microsoft.com/download/3/D/4/3D445779-2870-4E3D-AFCB-D35D2E1BC095/QMTH%20Authorized%20Partner%20List.pdf) (PDF download).
+Subscriptions to Windows Enterprise are also available for virtualized clients. Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Azure or in another qualified multitenant hoster.
Virtual machines (VMs) must be configured to enable Windows Enterprise subscriptions for VDA. Active Directory-joined and Microsoft Entra joined clients are supported. For more information, see [Enable VDA for Enterprise subscription activation](vda-subscription-activation.md).
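Review bot: removing the link to the QMTH Authorized Partner List leaves "qualified multitenant hoster" with no definition or pointer; if the PDF has been retired, replace it with the current location of the partner list or a short explanation of what qualifies a hoster, otherwise readers can't tell whether their provider is eligible for VDA licensing.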
diff --git a/windows/deployment/do/images/assigning-ip-2.png b/windows/deployment/do/images/assigning-ip-2.png
new file mode 100644
index 0000000000..4403b7e68b
Binary files /dev/null and b/windows/deployment/do/images/assigning-ip-2.png differ
diff --git a/windows/deployment/do/images/external-switch-1.jpg b/windows/deployment/do/images/external-switch-1.jpg
new file mode 100644
index 0000000000..7248d30ebe
Binary files /dev/null and b/windows/deployment/do/images/external-switch-1.jpg differ
diff --git a/windows/deployment/do/images/installation-complete-7.png b/windows/deployment/do/images/installation-complete-7.png
new file mode 100644
index 0000000000..8b1517348a
Binary files /dev/null and b/windows/deployment/do/images/installation-complete-7.png differ
diff --git a/windows/deployment/do/images/installation-info-4.png b/windows/deployment/do/images/installation-info-4.png
new file mode 100644
index 0000000000..41c2121e72
Binary files /dev/null and b/windows/deployment/do/images/installation-info-4.png differ
diff --git a/windows/deployment/do/images/memory-storage-5.png b/windows/deployment/do/images/memory-storage-5.png
new file mode 100644
index 0000000000..8e5b56f5c2
Binary files /dev/null and b/windows/deployment/do/images/memory-storage-5.png differ
diff --git a/windows/deployment/do/images/portal-installation-instructions-6.png b/windows/deployment/do/images/portal-installation-instructions-6.png
new file mode 100644
index 0000000000..201a1aa1d6
Binary files /dev/null and b/windows/deployment/do/images/portal-installation-instructions-6.png differ
diff --git a/windows/deployment/do/images/use-custom-dns-3.png b/windows/deployment/do/images/use-custom-dns-3.png
new file mode 100644
index 0000000000..90ef151c05
Binary files /dev/null and b/windows/deployment/do/images/use-custom-dns-3.png differ
diff --git a/windows/deployment/do/mcc-enterprise-deploy.md b/windows/deployment/do/mcc-enterprise-deploy.md
index 10f5b9cddf..65d63be915 100644
--- a/windows/deployment/do/mcc-enterprise-deploy.md
+++ b/windows/deployment/do/mcc-enterprise-deploy.md
@@ -13,7 +13,7 @@ appliesto:
- ✅ Windows 11
- ✅ Windows 10
- ✅ Microsoft Connected Cache for Enterprise and Education
-ms.date: 03/10/2023
+ms.date: 11/09/2023
---
# Deploy your cache node
@@ -29,7 +29,7 @@ To deploy MCC to your server:
1. [Create an MCC Node](#create-an-mcc-node-in-azure)
1. [Edit Cache Node Information](#edit-cache-node-information)
1. [Install MCC on a physical server or VM](#install-mcc-on-windows)
-1. [Verify proper functioning MCC server](#verify-proper-functioning-mcc-server)
+1. [Verify MCC functionality](#verify-mcc-server-functionality)
1. [Review common Issues](#common-issues) if needed.
For questions regarding these instructions contact [msconnectedcache@microsoft.com](mailto:msconnectedcache@microsoft.com)
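Review bot: the new link text "Verify MCC functionality" doesn't match the heading it points to, "Verify MCC server functionality" (the anchor `#verify-mcc-server-functionality` itself is correct); use the heading text as the link text for consistency with the other steps in this list. The trailing context line also lacks a comma after "instructions" and a closing period.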
@@ -194,12 +194,15 @@ Installing MCC on your Windows device is a simple process. A PowerShell script p
>
> [D] Do not run **[R] Run once** [S] Suspend [?] Help (default is "D"):
-1. Choose whether you would like to create a new virtual switch or select an existing one. Name your switch and select the Net Adapter to use for the switch. A computer restart will be required if you're creating a new switch.
+1. Choose whether you would like to create a new external virtual switch or select an existing external virtual switch.
+ If creating a new external virtual switch, name your switch and be sure to choose a Local Area Connection (USB adapters work as well however, we do not recommend using Wi-Fi). A computer restart will be required if you're creating a new switch.
> [!NOTE]
> Restarting your computer after creating a switch is recommended. You'll notice network delays during installation if the computer has not been restarted.
- If you restarted your computer after creating a switch, start from Step 2 above and skip step 5.
+ If you restarted your computer after creating a switch, start from step 2 above and skip to step 5.
+
+ If you opt to use an existing external switch, select the switch from the presented options. Local Area Connection (or USB) is preferable to Wi-Fi.
:::image type="content" source="./images/ent-mcc-script-new-switch.png" alt-text="Screenshot of the installer script running in PowerShell when a new switch is created." lightbox="./images/ent-mcc-script-new-switch.png":::
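Review bot: "start from step 2 above and skip to step 5" changes the meaning of the old "skip step 5"; skipping step 5 and jumping to step 5 are different procedures, so confirm against the script's actual flow which one is intended, since a reader following the wrong one will either repeat or miss the switch selection. Also, "USB adapters work as well however, we do not recommend using Wi-Fi" needs a break before "however" ("USB adapters work as well; however, we don't recommend Wi-Fi"), and the restart requirement is stated in the step and again in the NOTE, so one of the two can go.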
@@ -207,34 +210,46 @@ Installing MCC on your Windows device is a simple process. A PowerShell script p
:::image type="content" source="./images/ent-mcc-script-existing-switch.png" alt-text="Screenshot of the installer script running in PowerShell when using an existing switch." lightbox="./images/ent-mcc-script-existing-switch.png":::
-1. Decide whether you would like to use dynamic or static address for the Eflow VM
+1. Decide whether you would like to use dynamic or static address for the Eflow VM. If you choose to use a static IP, do not use the IP address of the server. It is a VM, and it will have its own IP.
:::image type="content" source="./images/ent-mcc-script-dynamic-address.png" alt-text="Screenshot of the installer script running in PowerShell asking if you'd like to use a dynamic address." lightbox="./images/ent-mcc-script-dynamic-address.png":::
> [!NOTE]
> Choosing a dynamic IP address might assign a different IP address when the MCC restarts. A static IP address is recommended so you don't have to change this value in your management solution when MCC restarts.
-1. Choose where you would like to download, install, and store the virtual hard disk for EFLOW. You'll also be asked how much memory, storage, and how many cores you would like to allocate for the VM. For this example, we chose the default values for all prompts.
-
-1. Follow the Azure Device Login link and sign into the Azure portal.
-
- :::image type="content" source="./images/ent-mcc-script-device-code.png" alt-text="Screenshot of the installer script running in PowerShell displaying the code and URL to use for the Azure portal." lightbox="./images/ent-mcc-script-device-code.png":::
-
-1. If this is your first MCC deployment, select **n** so that a new IoT Hub can be created. If you have already configured MCC before, choose **y** so that your MCCs are grouped in the same IoT Hub.
+ The IP address you assign to the EFLOW VM should be within the same subnet as the host server (based on the subnet mask) and not used by any other machine on the network.
+ For example, for host configuration where the server IP Address is 192.168.1.202 and the subnet mask is 255.255.255.0, the static IP can be anything 192.168.1.* except 192.168.1.202.
+
+ :::image type="content" source="./images/external-switch-1.jpg" alt-text="Screenshot of a sample output of ipconfig command showing example of subnet mask." lightbox="./images/external-switch-1.jpg":::
+ :::image type="content" source="./images/assigning-ip-2.png" alt-text="Screenshot of multiple installer questions about ipv4 address for Eflow." lightbox="./images/assigning-ip-2.png":::
+
+ If you would like to use your own DNS server instead of Google DNS 8.8.8.8, select **n** and set your own DNS server IP.
+ :::image type="content" source="./images/use-custom-dns-3.png" alt-text="Screenshot of multiple installer questions about setting an alternate DNS server." lightbox="./images/use-custom-dns-3.png":::
+ If you use a dynamic IP address, the DHCP server will automatically configure the IP address and DNS settings.
+
+1. Choose where you would like to download, install, and store the virtual hard disk for EFLOW. You'll also be asked how much memory, storage, and how many cores you would like to allocate for the VM. For this example, we chose the default values for download path, install path, and virtual hard disk path.
+
+ :::image type="content" source="./images/installation-info-4.png" alt-text="Screenshot of multiple installer questions about memory and storage for EFLOW." lightbox="./images/installation-info-4.png":::
+ For more information, see [Sizing Recommendations](mcc-enterprise-prerequisites.md#sizing-recommendations) for memory, virtual storage, and CPU cores. For this example we chose the recommend values for a Branch Office/Small Enterprise deployment.
+
+ :::image type="content" source="./images/memory-storage-5.png" alt-text="Screenshot of multiple installer questions about memory and storage." lightbox="./images/memory-storage-5.png":::
+
+1. When the installation is complete, you should see the following output (the values below will be your own)
:::image type="content" source="./images/ent-mcc-script-complete.png" alt-text="Screenshot of the installer script displaying the completion summary in PowerShell." lightbox="./images/ent-mcc-script-complete.png":::
-
+
+ :::image type="content" source="./images/installation-complete-7.png" alt-text="Screenshot of expected output when installation is complete." lightbox="./images/installation-complete-7.png":::
1. Your MCC deployment is now complete.
+ If you don't see any errors, continue to the next section to validate your MCC deployment. Your VM will not appear in Hyper-V Manager as it is an EFLOW VM.
+ - After validating your MCC is properly functional, review your management solution documentation, such as [Intune](/mem/intune/configuration/delivery-optimization-windows), to set the cache host policy to the IP address of your MCC.
+ - If you had errors during your deployment, see the [Common Issues](#common-issues) section in this article.
- 1. If you don't see any errors, continue to the next section to validate your MCC deployment. Your VM will not appear in Hyper-V Manager as it is an EFLOW VM.
- 1. After validating your MCC is properly functional, review your management solution documentation, such as [Intune](/mem/intune/configuration/delivery-optimization-windows), to set the cache host policy to the IP address of your MCC.
- 1. If you had errors during your deployment, see the [Common Issues](#common-issues) section in this article.
-
-## Verify proper functioning MCC server
+## Verify MCC server functionality
#### Verify client side
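Review bot: the two steps removed at the top of this hunk (follow the Azure Device Login link and sign in, then answer `n`/`y` to create or reuse an IoT Hub) have no replacement in the added text, so if the installer still prompts for device sign-in and IoT Hub selection the walkthrough now jumps from VM sizing straight to "installation is complete"; either restore them in the new order or say explicitly that they no longer occur. In the static IP guidance, "can be anything 192.168.1.* except 192.168.1.202" overstates it: the network and broadcast addresses (.0 and .255 for that mask), the default gateway, and any address the DHCP server may hand out later are also off limits, so make the preceding "not used by any other machine" concrete by recommending an address outside the DHCP scope or a DHCP reservation. The Google DNS 8.8.8.8 default also deserves a sentence: on networks that filter outbound DNS to external resolvers, keeping the default breaks name resolution inside the VM and produces exactly the DNS failures the troubleshooting steps on this page deal with, so selecting the internal DNS server here is the safer choice for enterprise deployments. Finally, "(the values below will be your own)" needs a closing period.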
@@ -251,14 +266,20 @@ Connect to the EFLOW VM and check if MCC is properly running:
:::image type="content" source="./images/ent-mcc-connect-eflowvm.png" alt-text="Screenshot of running connect-EflowVm, sudo -s, and iotedge list from PowerShell." lightbox="./images/ent-mcc-connect-eflowvm.png":::
-You should see MCC, edgeAgent, and edgeHub running. If you see edgeAgent or edgeHub but not MCC, try this command in a few minutes. The MCC container can take a few minutes to deploy.
+You should see MCC, edgeAgent, and edgeHub running. If you see edgeAgent or edgeHub but not MCC, try this command in a few minutes. The MCC container can take a few minutes to deploy. If iotedge list times out, you can run docker ps -a to list the running containers.
+If the 3 containers are still not running, run the following commands to check if DNS resolution is working correctly:
+```bash
+ping www.microsoft.com
+resolvectl query microsoft.com
+```
+See the [common issues](#common-issues) section for more information.
#### Verify server side
-For a validation of properly functioning MCC, execute the following command in the EFLOW VM or any device in the network. Replace with the IP address of the cache server.
+To validate that MCC is properly functioning, execute the following command in the EFLOW VM or any device in the network. Replace with the IP address of the cache server.
```powershell
-wget [http:///mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com]
+wget http:///mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com
```
A successful test result will display a status code of 200 along with additional information.
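Review bot: "you can run docker ps -a to list the running containers" is inaccurate, since `docker ps -a` lists all containers including exited ones; that is actually the useful behaviour here (a crashed MCC container shows with an `Exited` status), so say "to list all containers and their status", and put the command in code formatting like the `ping` and `resolvectl` lines. The "Verify server side" paragraph and the `wget` line still read "Replace with the IP address" and `http:///mscomtest/...` with no host between the slashes, so the cache-server IP placeholder is missing from both; and because the block is fenced as `powershell`, it is worth noting that `wget` there is an alias of `Invoke-WebRequest`, so the 200 appears as the `StatusCode` property of the returned object rather than as plain text.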
@@ -319,3 +340,69 @@ This command will provide the current status of the starting, stopping of a cont
> [!NOTE]
> You should consult the IoT Edge troubleshooting guide ([Common issues and resolutions for Azure IoT Edge](/azure/iot-edge/troubleshoot)) for any issues you may encounter configuring IoT Edge, but we've listed a few issues that we encountered during our internal validation.
+>
+
+### DNS needs to be configured
+
+Run the following IoT Edge install state check:
+
+```bash
+sudo iotedge check --verbose
+```
+
+If you see issues with ports 5671, 443, and 8883, your IoT Edge device needs to update the DNS for Docker.
+
+To configure the device to work with your DNS, use the following steps:
+
+1. Use `ifconfig` to find the appropriate NIC adapter name.
+
+ ```bash
+ ifconfig
+ ```
+
+1. Run `nmcli device show ` to show the DNS name for the ethernet adapter. For example, to show DNS information for **eno1**:
+
+ ```bash
+ nmcli device show eno1
+ ```
+
+ :::image type="content" source="images/mcc-isp-nmcli.png" alt-text="Screenshot of a sample output of nmcli command to show network adapter information." lightbox="./images/mcc-isp-nmcli.png":::
+
+1. Open or create the Docker configuration file used to configure the DNS server.
+
+ ```bash
+ sudo nano /etc/docker/daemon.json
+ ```
+
+1. Paste the following string into the **daemon.json** file, and include the appropriate DNS server address. For example, in the previous screenshot, `IP4.DNS[1]` is `10.50.10.50`.
+
+ ```bash
+ { "dns": ["x.x.x.x"]}
+ ```
+
+1. Save the changes to daemon.json. If you need to change permissions on this file, use the following command:
+
+ ```bash
+ sudo chmod 555 /etc/docker/daemon.json
+ ```
+
+1. Restart Docker to pick up the new DNS setting. Then restart IoT Edge.
+
+ ```bash
+ sudo systemctl restart docker
+ sudo systemctl daemon-reload
+ sudo restart IoTEdge
+ ```
+
+### Resolve DNS issues
+Follow these steps if you see a DNS error when trying to resolve hostnames during the provisioning or download of container:
+Run ``` Get-EflowVmEndpoint ``` to get interface name
+
+Once you get the name
+```bash
+Set-EflowVmDNSServers -vendpointName "interface name from above" -dnsServers @("DNS_IP_ADDRESS")
+Stop-EflowVm
+Start-EflowVm
+```
+
+
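Review bot: `sudo chmod 555 /etc/docker/daemon.json` sets execute bits on a JSON configuration file and clears the owner's write bit, which is neither needed nor what a permission problem on this file calls for; the conventional mode is `sudo chmod 644 /etc/docker/daemon.json` with `root:root` ownership, so the daemon can read it and only root can change it. In the restart step, `sudo restart IoTEdge` is not a systemd invocation and will fail; use `sudo systemctl restart iotedge` (the service is `aziot-edged` on IoT Edge 1.2 and later), and `systemctl daemon-reload` only applies after unit-file changes, not after editing `daemon.json`, so it can be dropped. The `{ "dns": ["x.x.x.x"]}` snippet should be fenced as `json` rather than `bash`, `ip addr` should be offered alongside `ifconfig` where the latter isn't present, and the "Resolve DNS issues" block calls the EFLOW cmdlets `Get-EflowVmEndpoint` and `Set-EflowVmDNSServers`, which run in PowerShell on the Windows host rather than inside the VM, so it should be fenced as `powershell` and say where it runs; that section also needs sentence punctuation ("download of container" should be "download of containers", "Once you get the name" needs a colon).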
diff --git a/windows/deployment/do/mcc-enterprise-update-uninstall.md b/windows/deployment/do/mcc-enterprise-update-uninstall.md
index 207c2cf5fb..a0a00f73f7 100644
--- a/windows/deployment/do/mcc-enterprise-update-uninstall.md
+++ b/windows/deployment/do/mcc-enterprise-update-uninstall.md
@@ -1,6 +1,6 @@
---
-title: Update or uninstall MCC for Enterprise and Education
-description: Details on how to update or uninstall Microsoft Connected Cache (MCC) for Enterprise and Education for your environment.
+title: Uninstall MCC for Enterprise and Education
+description: Details on how to uninstall Microsoft Connected Cache (MCC) for Enterprise and Education for your environment.
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: how-to
@@ -18,6 +18,7 @@ appliesto:
ms.date: 10/12/2022
---
+
+# Uninstall MCC
Please contact the MCC Team before uninstalling to let us know if you're facing issues.
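Review bot: the title and description drop "Update", but `ms.date: 10/12/2022` in the context line is left as is while every other page touched in this change bumps its date; update it so the freshness date reflects the change. If the update instructions were moved elsewhere rather than removed, the description or the intro line should link to their new location so readers arriving from the old title aren't stranded.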
diff --git a/windows/deployment/mbr-to-gpt.md b/windows/deployment/mbr-to-gpt.md
index 2ab8313425..1b24406aee 100644
--- a/windows/deployment/mbr-to-gpt.md
+++ b/windows/deployment/mbr-to-gpt.md
@@ -4,7 +4,7 @@ description: Use MBR2GPT.EXE to convert a disk from the Master Boot Record (MBR)
ms.prod: windows-client
author: frankroj
ms.author: frankroj
-ms.date: 11/23/2022
+ms.date: 10/17/2023
manager: aaroncz
ms.localizationpriority: high
ms.topic: how-to
@@ -12,19 +12,18 @@ ms.collection:
- highpri
- tier2
ms.technology: itpro-deploy
+appliesto:
+ - ✅ Windows 11
+ - ✅ Windows 10
---
# MBR2GPT.EXE
-*Applies to:*
-
-- Windows 10
-
**MBR2GPT.EXE** converts a disk from the Master Boot Record (MBR) to the GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool runs from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS) by using the **`/allowFullOS`** option.
-MBR2GPT.EXE is located in the **`Windows\System32`** directory on a computer running Windows 10 version 1703 or later.
+**MBR2GPT.EXE** is located in the **`Windows\System32`** directory on a computer running Windows.
-The tool is available in both the full OS environment and Windows PE. To use this tool in a deployment task sequence with Configuration Manager or Microsoft Deployment Toolkit (MDT), you must first update the Windows PE image (winpe.wim, boot.wim) with the [Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) 1703, or a later version.
+The tool is available in both the full OS environment and Windows PE.
See the following video for a detailed description and demonstration of MBR2GPT.
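Review bot: the hunk adds Windows 11 to `appliesto` and strips "version 1703 or later" from the text, but the first body paragraph still says the tool "can also be run from the full Windows 10 operating system (OS)", so the page now contradicts its own applies-to list; say "from the full Windows operating system (OS)". Deleting the minimum version outright also loses the one compatibility fact a deployer needs: the `winpe.wim`/`boot.wim` used in a task sequence must come from an ADK that contains the tool. If the 1703 floor is considered obsolete, keep a single sentence saying the tool is present in all currently supported Windows and Windows PE versions rather than removing the task-sequence requirement without a replacement.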
@@ -34,12 +33,12 @@ You can use MBR2GPT to:
- Convert any attached MBR-formatted system disk to the GPT partition format. You can't use the tool to convert non-system disks from MBR to GPT.
- Convert an MBR disk with BitLocker-encrypted volumes as long as protection has been suspended. To resume BitLocker after conversion, you'll need to delete the existing protectors and recreate them.
-- Convert operating system disks that have earlier versions of Windows 10 installed, such as versions 1507, 1511, and 1607. However, you must run the tool while booted into Windows 10 version 1703 or later, and perform an offline conversion.
-- Convert an operating system disk from MBR to GPT using Configuration Manager or MDT if your task sequence uses Windows PE version 1703 or later.
+- Convert an operating system disk from MBR to GPT using Microsoft Configuration Manager or Microsoft Deployment Toolkit (MDT).
-Offline conversion of system disks with earlier versions of Windows installed, such as Windows 7, 8, or 8.1 aren't officially supported. The recommended method to convert these disks is to upgrade the operating system to Windows 10 first, then perform the MBR to GPT conversion.
+Offline conversion of system disks with earlier versions of Windows installed, such as Windows 7, 8, or 8.1 aren't officially supported. The recommended method to convert these disks is to upgrade the operating system to a currently supported version of Windows, then perform the MBR to GPT conversion.
> [!IMPORTANT]
+>
> After the disk has been converted to GPT partition style, the firmware must be reconfigured to boot in UEFI mode.
>
> Make sure that your device supports UEFI before attempting to convert the disk.
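Review bot: removing the two bullets about earlier Windows 10 versions and the WinPE 1703 requirement leaves `+- Convert an operating system disk from MBR to GPT using Microsoft Configuration Manager or Microsoft Deployment Toolkit (MDT).` with no minimum boot-image version at all, so the reader can no longer tell why a task sequence built on an older WinPE lacks the tool; either keep a minimum version or link to where it's defined. The retained BitLocker bullet says protection must be suspended and the protectors deleted and recreated afterwards, which means the recovery password changes; the doc would serve practitioners better if it also told them to back up the recovery key before starting. Grammar in `+Offline conversion of system disks ... aren't officially supported`: the subject is "conversion", so "isn't officially supported".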
@@ -57,9 +56,9 @@ Before any change to the disk is made, MBR2GPT validates the layout and geometry
- The disk doesn't have any extended/logical partition
- The BCD store on the system partition contains a default OS entry pointing to an OS partition
- The volume IDs can be retrieved for each volume that has a drive letter assigned
-- All partitions on the disk are of MBR types recognized by Windows or has a mapping specified using the /map command-line option
+- All partitions on the disk are of MBR types recognized by Windows or has a mapping specified using the `/map` command-line option
-If any of these checks fails, the conversion won't proceed, and an error will be returned.
+If any of these checks fails, the conversion doesn't proceed, and an error is returned.
## Syntax
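Review bot: subject-verb agreement in `+- All partitions on the disk are of MBR types recognized by Windows or has a mapping specified using the `/map` command-line option` should be "have a mapping" since the subject is "All partitions"; the line was touched for the backticks anyway, so fix it in the same change. The backtick treatment of `/map` is good; the "Syntax" table below still bolds the options (`**/validate**`, `**/convert**`), so pick one convention for option names across the page.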
@@ -72,9 +71,9 @@ If any of these checks fails, the conversion won't proceed, and an error will be
|**/validate**| Instructs `MBR2GPT.exe` to perform only the disk validation steps and report whether the disk is eligible for conversion. |
|**/convert**| Instructs `MBR2GPT.exe` to perform the disk validation and to proceed with the conversion if all validation tests pass. |
|**/disk:*\***| Specifies the disk number of the disk to be converted to GPT. If not specified, the system disk is used. The mechanism used is the same as used by the diskpart.exe tool **SELECT DISK SYSTEM** command.|
-|**/logs:*\***| Specifies the directory where `MBR2GPT.exe` logs should be written. If not specified, **%windir%** is used. If specified, the directory must already exist, it will not be automatically created or overwritten.|
+|**/logs:*\***| Specifies the directory where `MBR2GPT.exe` logs should be written. If not specified, **%windir%** is used. If specified, the directory must already exist, it isn't automatically created or overwritten.|
|**/map:*\*=*\***| Specifies other partition type mappings between MBR and GPT. The MBR partition number is specified in decimal notation, not hexadecimal. The GPT GUID can contain brackets, for example: **/map:42={af9b60a0-1431-4f62-bc68-3311714a69ad}**. Multiple /map options can be specified if multiple mappings are required. |
-|**/allowFullOS**| By default, `MBR2GPT.exe` is blocked unless it's run from Windows PE. This option overrides this block and enables disk conversion while running in the full Windows environment. **Note**: Since the existing MBR system partition is in use while running the full Windows environment, it can't be reused. In this case, a new ESP is created by shrinking the OS partition.|
+|**/allowFullOS**| By default, `MBR2GPT.exe` is blocked unless it's run from Windows PE. This option overrides this block and enables disk conversion while running in the full Windows environment. **Note**: Since the existing MBR system partition is in use while running the full Windows environment, it can't be reused. In this case, a new EFI system partition is created by shrinking the OS partition.|
## Examples
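Review bot: comma splice in the `/logs` row, `+... the directory must already exist, it isn't automatically created or overwritten.`; use "must already exist; it isn't automatically created or overwritten". In the unchanged `/map` row, "The MBR partition number is specified in decimal notation" is misleading because the argument is the MBR partition *type* (the row's own example `42`, and the "Partition type mapping" rules later in the page, confirm this); "MBR partition type" avoids confusion with disk and partition numbers. Replacing "ESP" with "EFI system partition" in the `/allowFullOS` row is fine, but the abbreviation is still defined and used in the conversion-process section below, so do it consistently or define it once here.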
@@ -83,7 +82,7 @@ If any of these checks fails, the conversion won't proceed, and an error will be
In the following example, disk 0 is validated for conversion. Errors and warnings are logged to the default location of **`%windir%`**.
```cmd
-X:\>mbr2gpt.exe /validate /disk:0
+X:\> mbr2gpt.exe /validate /disk:0
MBR2GPT: Attempting to validate disk 0
MBR2GPT: Retrieving layout of disk
MBR2GPT: Validating layout, disk sector size is: 512
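Review bot: the prompt spacing introduced by `+X:\> mbr2gpt.exe /validate /disk:0` is inconsistent with the later DiskPart example in this same file, which keeps `X:\>DiskPart.exe` with no space; since the PowerShell example uses `PS C:\> Get-Disk`, settle on the spaced form and apply it to the DiskPart block too, otherwise a reader copying the prompt line gets two styles on one page.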
@@ -94,19 +93,24 @@ MBR2GPT: Validation completed successfully
In the following example:
-1. Using DiskPart, the current disk partition layout is displayed prior to conversion - three partitions are present on the MBR disk (disk 0): a system reserved partition, a Windows partition, and a recovery partition. A DVD-ROM is also present as volume 0.
+1. The current disk partition layout is displayed prior to conversion using DiskPart - three partitions are present on the MBR disk (disk 0):
-2. The OS volume is selected, partitions are listed, and partition details are displayed for the OS partition. The [MBR partition type](/windows/win32/fileio/disk-partition-types) is **07** corresponding to the installable file system (IFS) type.
+ - A system reserved partition.
+ - A Windows partition.
+ - A recovery partition.
+ - A DVD-ROM is also present as volume 0.
-3. The MBR2GPT tool is used to convert disk 0.
+1. The OS volume is selected, partitions are listed, and partition details are displayed for the OS partition. The [MBR partition type](/windows/win32/fileio/disk-partition-types) is **07** corresponding to the installable file system (IFS) type.
-4. The DiskPart tool displays that disk 0 is now using the GPT format.
+1. The MBR2GPT tool is used to convert disk 0.
-5. The new disk layout is displayed - four partitions are present on the GPT disk: three are identical to the previous partitions and one is the new EFI system partition (volume 3).
+1. The DiskPart tool displays that disk 0 is now using the GPT format.
-6. The OS volume is selected again, and detail displays that it has been converted to the [GPT partition type](/windows/win32/api/winioctl/ns-winioctl-partition_information_gpt) of **ebd0a0a2-b9e5-4433-87c0-68b6b72699c7** corresponding to the **PARTITION_BASIC_DATA_GUID** type.
+1. The new disk layout is displayed - four partitions are present on the GPT disk: three are identical to the previous partitions and one is the new EFI system partition (volume 3).
-As noted in the output from the MBR2GPT tool, you must make changes to the computer firmware so that the new EFI system partition will boot properly.
+1. The OS volume is selected again, and detail displays that it has been converted to the [GPT partition type](/windows/win32/api/winioctl/ns-winioctl-partition_information_gpt) of **ebd0a0a2-b9e5-4433-87c0-68b6b72699c7** corresponding to the **PARTITION_BASIC_DATA_GUID** type.
+
+As noted in the output from the MBR2GPT tool, you must make changes to the computer firmware so that the new EFI system partition boots properly.
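Review bot: the rewritten first step says "three partitions are present on the MBR disk (disk 0):" and then lists four sub-bullets, the last being `+   - A DVD-ROM is also present as volume 0.`; a DVD-ROM is a volume, not a partition on disk 0, so the list now reads as four partitions. Keep the DVD-ROM as a separate sentence after the three partition bullets, as the original single-line version did. Switching every item to `1.` is consistent with the rest of the repo's numbered-list style, so no objection there.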
@@ -240,42 +244,44 @@ Offset in Bytes: 524288000
The following steps illustrate high-level phases of the MBR-to-GPT conversion process:
1. Disk validation is performed.
-2. The disk is repartitioned to create an EFI system partition (ESP) if one doesn't already exist.
-3. UEFI boot files are installed to the ESP.
+2. The disk is repartitioned to create an EFI system partition if one doesn't already exist.
+3. UEFI boot files are installed to the EFI system partition.
4. GPT metadata and layout information are applied.
5. The boot configuration data (BCD) store is updated.
6. Drive letter assignments are restored.
### Creating an EFI system partition
-For Windows to remain bootable after the conversion, an EFI system partition (ESP) must be in place. MBR2GPT creates the ESP using the following rules:
+For Windows to remain bootable after the conversion, an EFI system partition must be in place. MBR2GPT creates the EFI system partition using the following rules:
1. The existing MBR system partition is reused if it meets these requirements:
- 1. It isn't also the OS or Windows Recovery Environment partition.
- 1. It is at least 100 MB (or 260 MB for 4K sector size disks) in size.
- 1. It's less than or equal to 1 GB in size. This size is a safety precaution to ensure it isn't a data partition.
- 1. The conversion isn't being performed from the full OS. In this case, the existing MBR system partition is in use and can't be repurposed.
-2. If the existing MBR system partition can't be reused, a new ESP is created by shrinking the OS partition. This new partition has a size of 100 MB (or 260 MB for 4K sector size disks) and is formatted FAT32.
+ - It isn't also the OS or Windows Recovery Environment partition.
+ - It is at least 100 MB (or 260 MB for 4K sector size disks) in size.
+ - It's less than or equal to 1 GB in size. This size is a safety precaution to ensure it isn't a data partition.
+ - The conversion isn't being performed from the full OS. In this case, the existing MBR system partition is in use and can't be repurposed.
-If the existing MBR system partition isn't reused for the ESP, it's no longer used by the boot process after the conversion. Other partitions aren't modified.
+2. If the existing MBR system partition can't be reused, a new EFI system partition is created by shrinking the OS partition. This new partition has a size of 100 MB (or 260 MB for 4K sector size disks) and is formatted FAT32.
->[!IMPORTANT]
->If the existing MBR system partition is not reused for the ESP, it might be assigned a drive letter. If you do not wish to use this small partition, you must manually hide the drive letter.
+If the existing MBR system partition isn't reused for the EFI system partition, it's no longer used by the boot process after the conversion. Other partitions aren't modified.
+
+> [!IMPORTANT]
+>
+> If the existing MBR system partition is not reused for the EFI system partition, it might be assigned a drive letter. If you do not wish to use this small partition, you must manually hide the drive letter.
### Partition type mapping and partition attributes
Since GPT partitions use a different set of type IDs than MBR partitions, each partition on the converted disk must be assigned a new type ID. The partition type mapping follows these rules:
-1. The ESP is always set to partition type PARTITION_SYSTEM_GUID (c12a7328-f81f-11d2-ba4b-00a0c93ec93b).
-2. If an MBR partition is of a type that matches one of the entries specified in the /map switch, the specified GPT partition type ID is used.
-3. If the MBR partition is of type 0x27, the partition is converted to a GPT partition of type PARTITION_MSFT_RECOVERY_GUID (de94bba4-06d1-4d40-a16a-bfd50179d6ac).
-4. All other MBR partitions recognized by Windows are converted to GPT partitions of type PARTITION_BASIC_DATA_GUID (ebd0a0a2-b9e5-4433-87c0-68b6b72699c7).
+1. The EFI system partition is always set to partition type **PARTITION_SYSTEM_GUID** (**c12a7328-f81f-11d2-ba4b-00a0c93ec93b**).
+2. If an MBR partition is of a type that matches one of the entries specified in the `/map` switch, the specified GPT partition type ID is used.
+3. If the MBR partition is of type **0x27**, the partition is converted to a GPT partition of type **PARTITION_MSFT_RECOVERY_GUID** (**de94bba4-06d1-4d40-a16a-bfd50179d6ac**).
+4. All other MBR partitions recognized by Windows are converted to GPT partitions of type **PARTITION_BASIC_DATA_GUID** (**ebd0a0a2-b9e5-4433-87c0-68b6b72699c7**).
In addition to applying the correct partition types, partitions of type PARTITION_MSFT_RECOVERY_GUID also have the following GPT attributes set:
-- GPT_ATTRIBUTE_PLATFORM_REQUIRED (0x0000000000000001)
-- GPT_BASIC_DATA_ATTRIBUTE_NO_DRIVE_LETTER (0x8000000000000000)
+- **GPT_ATTRIBUTE_PLATFORM_REQUIRED** (**0x0000000000000001**)
+- **GPT_BASIC_DATA_ATTRIBUTE_NO_DRIVE_LETTER** (**0x8000000000000000**)
For more information about partition types, see:
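Review bot: `+3. If the MBR partition is of type **0x27**, the partition is converted ...` gives the type in hex, but the `/map` row earlier on this page says the MBR type must be given in decimal; adding "(39 decimal)" would save a reader from passing `/map:27=...`. The unchanged line "In addition to applying the correct partition types, partitions of type PARTITION_MSFT_RECOVERY_GUID also have ..." is now the only mention of that GUID name without the bold applied in the four lines above it; bold it for consistency. In the IMPORTANT block, `+> ... you must manually hide the drive letter.` would be clearer as "remove the drive letter"; since the preceding paragraph says other partitions aren't modified, the old MBR system partition still holds its boot files, and "hide" isn't a DiskPart or Disk Management operation.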
@@ -284,20 +290,21 @@ For more information about partition types, see:
### Persisting drive letter assignments
-The conversion tool will attempt to remap all drive letter assignment information contained in the registry that corresponds to the volumes of the converted disk. If a drive letter assignment can't be restored, an error will be displayed at the console and in the log, so that you can manually perform the correct assignment of the drive letter.
+The conversion tool attempts to remap all drive letter assignment information contained in the registry that corresponds to the volumes of the converted disk. If a drive letter assignment can't be restored, an error is displayed at the console and in the log, so that you can manually perform the correct assignment of the drive letter.
> [!IMPORTANT]
+>
> This code runs after the layout conversion has taken place, so the operation cannot be undone at this stage.
-The conversion tool will obtain volume unique ID data before and after the layout conversion, organizing this information into a lookup table. It will then iterate through all the entries in **HKLM\SYSTEM\MountedDevices**, and for each entry do the following:
+The conversion tool will obtain volume unique ID data before and after the layout conversion, organizing this information into a lookup table. It then iterates through all the entries in **HKLM\SYSTEM\MountedDevices**, and for each entry it does the following:
1. Check if the unique ID corresponds to any of the unique IDs for any of the volumes that are part of the converted disk.
2. If found, set the value to be the new unique ID, obtained after the layout conversion.
-3. If the new unique ID can't be set and the value name starts with \DosDevices, issue a console and log warning about the need for manual intervention in properly restoring the drive letter assignment.
+3. If the new unique ID can't be set and the value name starts with **\DosDevices**, issue a console and log warning about the need for manual intervention in properly restoring the drive letter assignment.
## Troubleshooting
-The tool will display status information in its output. Both validation and conversion are clear if any errors are encountered. For example, if one or more partitions don't translate properly, this is displayed and the conversion not performed. To view more detail about any errors that are encountered, see the associated [log files](#logs).
+The tool displays status information in its output. Both validation and conversion are clear if any errors are encountered. For example, if one or more partitions don't translate properly, this information is displayed and the conversion not performed. To view more detail about any errors that are encountered, see the associated [log files](#logs).
### Logs
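Review bot: the sentence kept in `+The tool displays status information in its output. Both validation and conversion are clear if any errors are encountered.` is still unclear after the edit; "are clear" presumably means the output states errors plainly, so something like "Both validation and conversion report any errors they encounter" reads correctly, and "this information is displayed and the conversion not performed" should be "and the conversion isn't performed". Tense is also mixed within the hunk: `+The conversion tool will obtain volume unique ID data ...` keeps "will obtain" while the same line switches the following clauses to present tense ("It then iterates"); use "obtains".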
@@ -308,16 +315,21 @@ Four log files are created by the MBR2GPT tool:
- setupact.log
- setuperr.log
-These files contain errors and warnings encountered during disk validation and conversion. Information in these files can be helpful in diagnosing problems with the tool. The setupact.log and setuperr.log files will have the most detailed information about disk layouts, processes, and other information pertaining to disk validation and conversion.
+These files contain errors and warnings encountered during disk validation and conversion. Information in these files can be helpful in diagnosing problems with the tool. The `setupact.log` and `setuperr.log` files have the most detailed information about disk layouts, processes, and other information pertaining to disk validation and conversion.
> [!NOTE]
-> The setupact*.log files are different than the Windows Setup files that are found in the %Windir%\Panther directory.
+>
+> The **setupact*.log** files are different than the Windows Setup files that are found in the `%Windir%\Panther` directory.
The default location for all these log files in Windows PE is **%windir%**.
### Interactive help
-To view a list of options available when using the tool, enter **`mbr2gpt.exe /?`**
+To view a list of options available when using the tool, enter the following command in an elevated command prompt:
+
+```cmd
+mbr2gpt.exe /?
+```
The following text is displayed:
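Review bot: `+> The **setupact*.log** files are different than the Windows Setup files that are found in the `%Windir%\Panther` directory.` wraps a literal asterisk inside bold markup, which Markdown renderers can treat as an emphasis delimiter and mangle the file name; the same line already uses backticks for `%Windir%\Panther`, so `setupact*.log` in backticks is the safer form. "different than" should be "different from". The new "elevated command prompt" wording for `mbr2gpt.exe /?` is a good addition, since the tool refuses to run without elevation in the full OS.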
@@ -378,7 +390,21 @@ MBR2GPT has the following associated return codes:
### Determining the partition type
-You can type the following command at a Windows PowerShell prompt to display the disk number and partition type. Example output is also shown:
+The partition type can be determined in one of three ways:
+
+- Using Windows PowerShell
+- Using the Disk Management tool
+- Using the DiskPart tool
+
+#### Windows PowerShell
+
+You can enter the following command at a Windows PowerShell prompt to display the disk number and partition type:
+
+```powershell
+Get-Disk | ft -Auto
+``````
+
+Example output:
```powershell
PS C:\> Get-Disk | ft -Auto
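Review bot: the closing fence at `+`````` ` is six backticks where the opening fence is three; it almost certainly is a typo and should be three backticks so linters and renderers treat the block the same way as every other fence on the page. The new intro says the command displays "the disk number and partition type", but the example output column is "Partition Style", and the Disk Management steps later in this file also say "Partition style"; use the same term here. For a docs example, spelling out `Get-Disk | Format-Table -AutoSize` is preferable to the `ft -Auto` alias and abbreviated parameter, which some readers won't recognise.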
@@ -389,11 +415,43 @@ Number Friendly Name Serial Number HealthStatus OperationalStatus To
1 ST1000DM003-1ER162 Z4Y3GD8F Healthy Online 931.51 GB GPT
```
-You can also view the partition type of a disk by opening the Disk Management tool, right-clicking the disk number, clicking **Properties**, and then clicking the **Volumes** tab. See the following example:
+#### Disk Management tool
-:::image type="content" alt-text="Volumes." source="images/mbr2gpt-volume.png":::
+You can view the partition type of a disk by using the Disk Management tool:
-If Windows PowerShell and Disk Management aren't available, such as when you're using Windows PE, you can determine the partition type at a command prompt with the DiskPart tool. To determine the partition style from a command line, type **diskpart** and then type **list disk**. See the following example:
+1. Right-click on the Start Menu and select **Disk Management**. Alternatively, right-click on the Start Menu and select **Run**. In the **Run** dialog box that appears, enter `diskmgmt.msc` and then select **OK**.
+
+1. In the **Disk Management** window that appears:
+
+ 1. On the bottom pane, select the disk number of interest.
+
+ 1. Select the **Action** menu and then select **All Tasks > Properties**. Alternatively, right-click on the disk number of interest and select **Properties**.
+
+ 1. In the **Properties** dialog box that appears for the disk, select the **Volumes** tab.
+
+ 1. Under the **Volumes** tab, the partition type is displayed next to **Partition style:**.
+
+#### DiskPart tool
+
+The partition type can be determined with the DiskPart tool. The DiskPart tool is useful in scenarios where the Disk Management tool and PowerShell aren't available, such as in WinPE when the PowerShell optional component in WinPE isn't loaded. To use the DiskPart tool to determine the partition type:
+
+1. Open an elevated command prompt.
+
+1. In the elevated command prompt that opens enter the following command:
+
+ ```cmd
+ DiskPart.exe
+ ```
+
+1. The **DISKPART>** prompt is displayed in the command prompt windows. At the **DISKPART>** prompt, enter the following command:
+
+ ```cmd
+ list disk
+ ```
+
+1. The partition type is displayed in the **Gpt** column. If the partition is GPT, an asterisk (**\***) is displayed in the column. If the partition is MBR, the column will be blank.
+
+The following shows an example output of the DiskPart tool showing the partition type for two disks:
```cmd
X:\>DiskPart.exe
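Review bot: `+1. The partition type is displayed in the **Gpt** column. If the partition is GPT, an asterisk (**\***) is displayed in the column. If the partition is MBR, the column will be blank.` talks about "the partition", but `list disk` lists disks and the Gpt column marks each disk's partition style; say "If the disk is GPT" / "If the disk is MBR", and use "partition style" as the Disk Management step in this same hunk does ("next to **Partition style:**"). Typo in `+1. The **DISKPART>** prompt is displayed in the command prompt windows.`: "window". The hunk also deletes the `:::image ... source="images/mbr2gpt-volume.png":::` reference; make sure the now-unreferenced asset is removed from the repo as well, or keep the screenshot alongside the new steps.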
@@ -472,6 +530,5 @@ To fix this issue, mount the Windows PE image (WIM), copy the missing file from
## Related articles
-[Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx)
- [Windows 10 Specifications](https://www.microsoft.com/windows/Windows-10-specifications)
- [Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro)
+- [Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx)
+- [Windows 10 Specifications](https://www.microsoft.com/windows/Windows-10-specifications)
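Review bot: with `appliesto` now listing Windows 11, a "Related articles" section that links only "Windows 10 Enterprise system requirements" and "Windows 10 Specifications" is incomplete; add the Windows 11 equivalents or generalise the entries. Removing the `social.technet.microsoft.com` forums link is right since that site is retired, and the `technet.microsoft.com/windows/dn798752.aspx` URL kept in `+- [Windows 10 Enterprise system requirements]...` is on the same legacy domain, so verify it still resolves before merging.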
diff --git a/windows/deployment/update/create-deployment-plan.md b/windows/deployment/update/create-deployment-plan.md
index 89a981ff58..f5f57bd6c5 100644
--- a/windows/deployment/update/create-deployment-plan.md
+++ b/windows/deployment/update/create-deployment-plan.md
@@ -18,9 +18,9 @@ ms.date: 12/31/2017
# Create a deployment plan
-A "service management" mindset means that the devices in your organization fall into a continuum, with the software update process being constantly planned, deployed, monitored, and optimized. And once you use this process for feature updates, quality updates become a lightweight procedure that is simple and fast to execute, ultimately increasing velocity.
+A "service management" mindset means that the devices in your organization fall into a continuum, with the software update process being constantly planned, deployed, monitored, and optimized. Once you use this process for feature updates, quality updates become a lightweight procedure that is simple and fast to execute, ultimately increasing velocity.
-When you move to a service management model, you need effective ways of rolling out updates to representative groups of devices. We've found that a ring-based deployment works well for us at Microsoft and many other organizations across the globe. Deployment rings in Windows client are similar to the deployment groups most organizations constructed for previous major revision upgrades. They're simply a method to separate devices into a deployment timeline.
+When you move to a service management model, you need effective ways of rolling out updates to representative groups of devices. We've found that a ring-based deployment works well for us at Microsoft and many other organizations across the globe. Deployment rings in Windows clients are similar to the deployment groups most organizations constructed for previous major revision upgrades. They're simply a method to separate devices into a deployment timeline.
At the highest level, each ring comprises a group of users or devices that receive a particular update concurrently. For each ring, IT administrators set criteria to control deferral time or adoption (completion) that should be met before deployment to the next broader ring of devices or users can occur.
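Review bot: `+... Deployment rings in Windows clients are similar to the deployment groups ...` pluralises "Windows client", but the rest of this file and the sibling eval-infra-tools.md use "Windows client" as the singular product-family name ("Windows client feature updates"); keep the singular to match.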
@@ -43,10 +43,10 @@ There are no definite rules for exactly how many rings to have for your deployme
## Advancing between rings
-There are basically two strategies for moving deployments from one ring to the next. One is service-based, the other project based.
+There are basically two strategies for moving deployments from one ring to the next. One is service-based, the other project-based.
-- "Red button" (service based): Assumes that content is good until proven bad. Content flows until an issue is discovered, at which point the IT administrator presses the "red button" to stop further distribution.
-- Green button (project based): Assumes that content is bad until proven good. Once all validation has passed, the IT administrator presses the "green button" to push the content to the next ring.
+- "Red button" (service-based): Assumes that content is good until proven bad. Content flows until an issue is discovered, at which point the IT administrator presses the "red button" to stop further distribution.
+- "Green button" (project-based): Assumes that content is bad until proven good. Once all validation has passed, the IT administrator presses the "green button" to push the content to the next ring.
When it comes to deployments, having manual steps in the process usually impedes update velocity. A "red button" strategy is better when that is your goal.
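Review bot: the hyphenation fixes ("service-based", "project-based") and the matching quotes around "Green button" are fine; while touching `+There are basically two strategies for moving deployments from one ring to the next.`, drop "basically", which adds nothing, and consider making the two bullets' labels parallel ("Red button (service-based)" / "Green button (project-based)").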
@@ -60,9 +60,9 @@ The purpose of the Preview ring is to evaluate the new features of the update. I
### Who goes in the Preview ring?
-The Preview ring users are the most tech savvy and resilient people, who won't lose productivity if something goes wrong. In general, these users are IT pros, and perhaps a few people in the business organization.
+The Preview ring users are the most tech-savvy and resilient people, who won't lose productivity if something goes wrong. In general, these users are IT pros, and perhaps a few people in the business organization.
-During your plan and prepare phases, you should focus on the following activities:
+During your plan and preparation phases, you should focus on the following activities:
- Work with Windows Insider Preview builds.
- Identify the features and functionality your organization can or wants to use.
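Review bot: `+During your plan and preparation phases, you should focus on the following activities:` mixes a verb ("plan") with a noun ("preparation"); if these are meant as phase names keep the original "plan and prepare phases", otherwise use "planning and preparation phases" for parallel nouns. The same applies to "pilot and validation phases" later in this file.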
@@ -87,7 +87,7 @@ Analytics can help with defining a good Limited ring of representative devices a
The most important part of this phase is finding a representative sample of devices and applications across your network. If possible, all hardware and all applications should be represented. It's important that the people selected for this ring are using their devices regularly to generate the data you'll need to make a decision for broader deployment across your organization. The IT department, lab devices, and users with the most cutting-edge hardware usually don't have the applications or device drivers that are truly a representative sample of your network.
-During your pilot and validate phases, you should focus on the following activities:
+During your pilot and validation phases, you should focus on the following activities:
- Deploy new innovations.
- Assess and act if issues are encountered.
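Review bot: same parallelism issue as the earlier phase sentence: `+During your pilot and validation phases, you should focus on the following activities:` pairs a verb with a noun; use "piloting and validation phases" or keep the original "pilot and validate phases" so the two sentences follow one pattern.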
@@ -104,7 +104,7 @@ Once the devices in the Limited ring have had a sufficient stabilization period,
In most businesses, the Broad ring includes the rest of your organization. Because of the work in the previous ring to vet stability and minimize disruption (with diagnostic data to support your decision), a broad deployment can occur relatively quickly.
> [!NOTE]
-> In some instances, you might hold back on mission-critical devices (such as medical devices) until deployment in the Broad ring is complete. Get best practices and recommendations for deploying Windows client feature updates to mission critical-devices.
+> In some instances, you might hold back on mission-critical devices (such as medical devices) until deployment in the Broad ring is complete. Get best practices and recommendations for deploying Windows client feature updates to mission-critical devices.
During the broad deployment phase, you should focus on the following activities:
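Review bot: the hyphenation fix in `+> ... Get best practices and recommendations for deploying Windows client feature updates to mission-critical devices.` is correct, but the sentence itself is an imperative with no link target, so the reader has nowhere to "get" those recommendations; either link the article it refers to or remove the sentence from the note.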
diff --git a/windows/deployment/update/deployment-service-overview.md b/windows/deployment/update/deployment-service-overview.md
index 58d36aae43..b3fa2680c5 100644
--- a/windows/deployment/update/deployment-service-overview.md
+++ b/windows/deployment/update/deployment-service-overview.md
@@ -27,7 +27,7 @@ Windows Update for Business product family has three elements:
- [Windows Update for Business reports](wufb-reports-overview.md) to monitor update deployment
- Deployment service APIs to approve and schedule specific updates for deployment, which are available through the Microsoft Graph and associated SDKs (including PowerShell)
-The deployment service complements existing Windows Update for Business capabilities, including existing device policies and the[Windows Update for Business reports workbook](wufb-reports-workbook.md).
+The deployment service complements existing Windows Update for Business capabilities, including existing device policies and the [Windows Update for Business reports workbook](wufb-reports-workbook.md).
:::image type="content" source="media/7512398-deployment-service-overview.png" alt-text="Diagram displaying the three elements that are parts of the Windows Update for Business family.":::
diff --git a/windows/deployment/update/eval-infra-tools.md b/windows/deployment/update/eval-infra-tools.md
index 6a83bab027..9352455d20 100644
--- a/windows/deployment/update/eval-infra-tools.md
+++ b/windows/deployment/update/eval-infra-tools.md
@@ -11,22 +11,22 @@ ms.localizationpriority: medium
appliesto:
- ✅ Windows 11
- ✅ Windows 10
-ms.date: 12/31/2017
+ms.date: 10/31/2023
---
# Evaluate infrastructure and tools
-Before you deploy an update, it's best to assess your deployment infrastructure (that is, tools such as Configuration Manager, Microsoft Intune, or similar) and current configurations (such as security baselines, administrative templates, and policies that affect updates). Then, set some criteria to define your operational readiness.
+Before you deploy an update, assess your deployment infrastructure. For example, management systems like Configuration Manager, Microsoft Intune, or similar. Also assess current configurations such as security baselines, administrative templates, and policies that affect updates. Then set some criteria to define your operational readiness.
## Infrastructure
Do your deployment tools need updates?
-- If you use Configuration Manager, is it on the Current Branch with the latest release installed.? Being on this branch ensures that it supports the next Windows client feature update. Configuration Manager releases are supported for 18 months.
+- If you use Configuration Manager, is it on the current branch with the latest release installed? Being on this branch ensures that it supports the next Windows client feature update. Configuration Manager releases are supported for 18 months.
- Using a cloud-based management tool like Microsoft Intune reduces support challenges, since no related products need to be updated.
- If you use a non-Microsoft tool, check with its product support to make sure you're using the current version and that it supports the next Windows client feature update.
-Rely on your experiences and data from previous deployments to help you judge how long infrastructure changes take and identify any problems you've encountered while doing so.
+Rely on your experiences and data from previous deployments to help you judge how long infrastructure changes take and identify any problems you've encountered.
## Device settings
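Review bot: `+... assess your deployment infrastructure. For example, management systems like Configuration Manager, Microsoft Intune, or similar.` turns a parenthetical into a standalone fragment; fold it back into the sentence ("assess your deployment infrastructure, for example management systems such as Configuration Manager or Microsoft Intune"). In `+- If you use Configuration Manager, is it on the current branch with the latest release installed?`, "Current Branch" is the name of Configuration Manager's servicing branch and the removed line capitalised it; lowercasing makes it read as a generic phrase, so restore the capitals. The `ms.date` bump from 12/31/2017 is welcome given the content changes below.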
@@ -36,35 +36,35 @@ Make sure your security baseline, administrative templates, and policies have th
Keep security baselines current to help ensure that your environment is secure and that new security feature in the coming Windows client update are set properly.
-- **Microsoft security baselines**: You should implement security baselines from Microsoft. They are included in the [Security Compliance Toolkit](https://www.microsoft.com/download/details.aspx?id=55319), along with tools for managing them.
-- **Industry- or region-specific baselines**: Your specific industry or region might have particular baselines that you must follow per regulations. Ensure that any new baselines support the version of Windows client you are about to deploy.
+- **Microsoft security baselines**: You should implement security baselines from Microsoft. They're included in the [Security Compliance Toolkit](https://www.microsoft.com/download/details.aspx?id=55319), along with tools for managing them.
+- **Industry- or region-specific baselines**: Your specific industry or region might have particular baselines that you must follow per regulations. Ensure that any new baselines support the version of Windows client you're about to deploy.
### Configuration updates
-There are a number of Windows policies (set by Group Policy, Intune, or other methods) that affect when Windows updates are installed, deferral, end-user experience, and many other aspects. Check these policies to make sure they are set appropriately.
+There are several Windows policies that affect when Windows updates are installed, deferral, end-user experience, and many other aspects. For example, policies set by group policy, Intune, or other methods. Check these policies to make sure they're set appropriately.
-- **Windows Administrative templates**: Each Windows client feature update has a supporting Administrative template (.admx) file. Group Policy tools use Administrative template files to populate policy settings in the user interface. The templates are available in the Download Center, for example, this one for [Windows 11, version 22H2](https://www.microsoft.com/download/details.aspx?id=104593).
-- **Policies for update compliance and end-user experience**: A number of settings affect when a device installs updates, whether and for how long a user can defer an update, restart behavior after installation, and many other aspects of update behavior. It's especially important to look for existing policies that are out of date or could conflict with new ones.
+- **Windows Administrative templates**: Each Windows client feature update has a supporting Administrative template (.admx) file. Group Policy tools use Administrative template files to populate policy settings in the user interface. The templates are available in the Download Center, for example, this one for [Windows 11, version 23H2](https://www.microsoft.com/download/details.aspx?id=105667).
+- **Policies for update compliance and end-user experience**: Several settings affect when a device installs updates, whether and for how long a user can defer an update, restart behavior after installation, and many other aspects of update behavior. It's especially important to look for existing policies that are out of date or could conflict with new ones.
## Define operational readiness criteria
-When you’ve deployed an update, you’ll need to make sure the update isn’t introducing new operational issues. And you’ll also ensure that if incidents arise, the needed documentation and processes are available. Work with your operations and support team to define acceptable trends and what documents or processes require updating:
+When you deploy an update, you need to make sure the update isn't introducing new operational issues. If incidents arise, make sure the needed documentation and processes are available. Work with your operations and support team to define acceptable trends and what documents or processes require updating:
- **Call trend**: Define what percentage increase in calls relating to Windows client feature updates are acceptable or can be supported.
- **Incident trend**: Define what percentage of increase in calls asking for support relating to Windows client feature updates are acceptable or can be supported.
- **Support documentation**: Review supporting documentation that requires an update to support new infrastructure tooling or configuration as part of the Windows client feature update.
-- **Process changes:** Define and update any processes that will change as a result of the Windows 10 feature update.
+- **Process changes:** Define and update any processes that will change as a result of the Windows feature update.
-Your operations and support staff can help you determine if the appropriate information is being tracked at the moment. If it isn't, work out how to get this information so you can gain the right insight.
+Your operations and support staff can help you determine if the appropriate information is being tracked at the moment. If it isn't, work out how to get this information so you can gain the right insight.
## Tasks
Finally, you can begin to carry out the work needed to ensure your infrastructure and configuration can support the update. To help you keep track, you can classify the work into the following overarching tasks:
-- **Review infrastructure requirements**: Go over the details of requirements to support the update, and ensure they’ve all been defined.
-- **Validate infrastructure against requirements**: Compare your infrastructure against the requirements that have been identified for the update.
+- **Review infrastructure requirements**: Go over the details of requirements to support the update, and ensure they've all been defined.
+- **Validate infrastructure against requirements**: Compare your infrastructure against the requirements that you identified for the update.
- **Define infrastructure update plan**: Detail how your infrastructure must change to support the update.
-- **Review current support volume**: Understand the current support volume to understand how much of an effect the update has when it’s been deployed.
-- **Identify gaps that require attention**: Identify issues that will need to be addressed to successfully deploy the update. For example, will your infrastructure engineer have to research how a new feature that comes with the update might affect the infrastructure?
+- **Review current support volume**: Understand the current support volume to understand how much of an effect the update has when you deploy it.
+- **Identify gaps that require attention**: Identify issues that you'll need to address to successfully deploy the update. For example, will your infrastructure engineer have to research how a new feature that comes with the update might affect the infrastructure?
- **Define operational update plan**: Detail how your operational services and processes must change to support the update.
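Review bot: the rewritten line `+There are several Windows policies that affect ...` leaves a sentence fragment: `For example, policies set by group policy, Intune, or other methods.` has no verb. Fold it back into the preceding sentence, e.g. `There are several Windows policies (set by Group Policy, Intune, or other methods) that affect when Windows updates are installed ...`, which also keeps the `Group Policy` capitalization used elsewhere in this file. Two untouched lines in this hunk are worth fixing while here: `Keep security baselines current ... new security feature in the coming Windows client update are set properly` needs `features` and `updates`, and the **Incident trend** bullet repeats the **Call trend** definition almost word for word (`percentage of increase in calls`); it should define an acceptable increase in incidents, not calls.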
diff --git a/windows/deployment/update/waas-manage-updates-wufb.md b/windows/deployment/update/waas-manage-updates-wufb.md
index 58343cf36e..070ded3d1e 100644
--- a/windows/deployment/update/waas-manage-updates-wufb.md
+++ b/windows/deployment/update/waas-manage-updates-wufb.md
@@ -13,66 +13,70 @@ ms.localizationpriority: medium
appliesto:
- ✅ Windows 11
- ✅ Windows 10
-ms.date: 12/31/2017
+ms.date: 11/07/2023
---
# What is Windows Update for Business?
-> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
+> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
Windows Update for Business is a free service that is available for the following editions of Windows 10 and Windows 11:
+
- Pro, including Pro for Workstations
- Education
- Enterprise, including Enterprise LTSC, IoT Enterprise, and IoT Enterprise LTSC
-Windows Update for Business enables IT administrators to keep the Windows client devices in their organization always up to date with the latest security defenses and Windows features by directly connecting these systems to Windows Update service. You can use Group Policy or Mobile Device Management (MDM) solutions such as Microsoft Intune to configure the Windows Update for Business settings that control how and when devices are updated.
+Windows Update for Business enables IT administrators to keep their organization's Windows client devices always up to date with the latest security updates and Windows features by directly connecting these systems to the Windows Update service. You can use Group Policy or Mobile Device Management (MDM) solutions, such as Microsoft Intune, to configure the Windows Update for Business settings that control how and when devices are updated.
Specifically, Windows Update for Business lets you control update offerings and experiences to allow for reliability and performance testing on a subset of devices before deploying updates across the organization. It also provides a positive update experience for people in your organization.
## What can I do with Windows Update for Business?
-Windows Update for Business enables commercial customers to manage which Windows Updates are received when as well as the experience a device has when it receives them.
+Windows Update for Business enables commercial customers to manage which Windows Updates are received along with the experience a device has when it receives them.
-You can control Windows Update for Business policies by using either Mobile Device Management (MDM) tools such as Microsoft Intune or Group Policy management tools such as local group policy or the Group Policy Management Console (GPMC), as well as various other non-Microsoft management tools. MDMs use Configuration Service Provider (CSP) policies instead of Group Policy. Intune additionally uses Cloud Policies. Not all policies are available in all formats (CSP, Group Policy, or Cloud policy).
+You can control Windows Update for Business policies by using either MDM tools or Group Policy management, such as local group policy or the Group Policy Management Console (GPMC), and various other non-Microsoft management tools. MDMs use Configuration Service Provider (CSP) policies instead of Group Policy. Intune additionally uses Cloud Policies. Not all policies are available in all formats (CSP, Group Policy, or Cloud Policy).
+### Manage deployment of Windows Updates
-### Manage deployment of Windows Updates
-By using Windows Update for Business, you can control which types of Windows Updates are offered to devices in your ecosystem, when updates are applied, and deployment to devices in your organization in waves.
+By using Windows Update for Business, you can:
+- Control the types of Windows Updates are offered to devices in your organization
+- Control when updates are applied to the devices
+- Deploy updates to devices in your organization in waves
-### Manage which updates are offered
-Windows Update for Business enables an IT administrator to receive and manage a variety of different types of Windows Updates.
+### Manage which updates are offered
+
+Windows Update for Business enables an IT administrator to receive and manage various types of Windows Updates.
## Types of updates managed by Windows Update for Business
Windows Update for Business provides management policies for several types of updates to Windows 10 devices:
-- **Feature updates:** Previously referred to as "upgrades," feature updates contain not only security and quality revisions, but also significant feature additions and changes. Feature updates are released as soon as they become available. Feature updates aren't available for LTSC devices.
-- **Quality updates:** Quality updates are traditional operating system updates, typically released on the second Tuesday of each month (though they can be released at any time). These include security, critical, and driver updates.
-- **Driver updates:** Updates for non-Microsoft drivers that are relevant to your devices. Driver updates are on by default, but you can use Windows Update for Business policies to turn them off if you prefer.
+- **Feature updates:** Previously referred to as upgrades, feature updates contain not only security and quality revisions, but also significant feature additions and changes. Feature updates are released as soon as they become available. Feature updates aren't available for LTSC devices.
+- **Quality updates:** Quality updates are traditional operating system updates. Typically quality updates are released on the second Tuesday of each month, though they can be released at any time. These include security, critical, and driver updates.
+- **Driver updates:** Updates for non-Microsoft drivers that are relevant to your devices. Driver updates are on by default, but you can use Windows Update for Business policies to turn them off if you prefer.
- **Microsoft product updates**: Updates for other Microsoft products, such as versions of Office that are installed by using Windows Installer (MSI). Versions of Office that are installed by using Click-to-Run can't be updated by using Windows Update for Business. Product updates are off by default. You can turn them on by using Windows Update for Business policies.
-
## Offering
-You can control when updates are applied, for example by deferring when an update is installed on a device or by pausing updates for a certain period.
+
+You can control when updates are applied. For example, you can defer when an update is installed on a device or by pausing updates for a certain period.
### Manage when updates are offered
+
You can defer or pause the installation of updates for a set period of time.
#### Enroll in prerelease updates
The branch readiness level enables administrators to specify which channel of feature updates they want to receive. Today there are branch readiness level options for both prerelease and released updates:
-- Windows Insider Canary
-- Windows Insider Dev
-- Windows Insider Beta
-- Windows Insider Preview
-- General Availability Channel
+- Windows Insider Canary channel
+- Windows Insider Dev channel
+- Windows Insider Beta channel
+- Windows Insider Release Preview channel
#### Defer an update
-A Windows Update for Business administrator can defer the installation of both feature and quality updates from deploying to devices within a bounded range of time from when those updates are first made available on the Windows Update service. You can use this deferral to allow time to validate deployments as they're pushed to devices. Deferrals work by allowing you to specify the number of days after an update is released before it's offered to a device. That is, if you set a feature update deferral period of 365 days, the device won't install a feature update that has been released for less than 365 days. To defer feature updates, use the **Select when Preview Builds and feature updates are Received** policy.
-
+An administrator can defer the installation of both feature and quality updates from deploying to devices within a range of time based on when those updates are first made available on the Windows Update service. You can use this deferral to allow time to validate deployments as they're pushed to devices. Deferrals work by allowing you to specify the number of days after an update is released before it's offered to a device. That is, if you set a feature update deferral period of 365 days, the device won't install a feature update that has been released for less than 365 days. To defer feature updates, use the **Select when Preview Builds and feature updates are Received** policy.
|Category |Maximum deferral period |
|---------|---------|
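Review bot: `+- Control the types of Windows Updates are offered to devices in your organization` is missing `that` (`Control the types of Windows Updates that are offered ...`), and `+You can control when updates are applied. For example, you can defer when an update is installed on a device or by pausing updates for a certain period.` is not parallel; `or pause updates for a certain period` reads correctly. Separately, the channel list now drops `General Availability Channel` and keeps only the four Insider channels, but the unchanged lead-in still says the options cover `both prerelease and released updates`; either keep a released-channel entry or adjust the lead-in so the heading `Enroll in prerelease updates`, the sentence and the list agree.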
@@ -85,13 +89,12 @@ A Windows Update for Business administrator can defer the installation of both f
#### Pause an update
-If you discover a problem while deploying a feature or quality update, the IT administrator can pause the update for 35 days from a specified start date to prevent other devices from installing it until the issue is mitigated.
-If you pause a feature update, quality updates are still offered to devices to ensure they stay secure. The pause period for both feature and quality updates is calculated from a start date that you set.
+If you discover a problem while deploying a feature or quality update, you can pause the update for 35 days from a specified start date to prevent other devices from installing it until the issue is mitigated. If you pause a feature update, quality updates are still offered to devices to ensure they stay secure. The pause period for both feature and quality updates is calculated from a start date that you set.
To pause feature updates, use the **Select when Preview Builds and feature updates are Received** policy and to pause quality updates use the **Select when Quality Updates are Received** policy. For more information, see [Pause feature updates](waas-configure-wufb.md#pause-feature-updates) and [Pause quality updates](waas-configure-wufb.md#pause-quality-updates).
Built-in benefits:
-When updating from Windows Update, you get the added benefits of built-in compatibility checks to prevent against a poor update experience for your device as well as a check to prevent repeated rollbacks.
+When updating from Windows Update, you get the added benefits of built-in compatibility checks to prevent against a poor update experience for your device and a check to prevent repeated rollbacks.
### Recommendations
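Review bot: `prevent against a poor update experience` in the rewritten `+When updating from Windows Update, you get the added benefits ...` line is still unidiomatic; `protect against a poor update experience` or `prevent a poor update experience` fits. The bare `Built-in benefits:` label above it is the only unbolded, colon-terminated heading-like line in this section; either make it part of that sentence or format it like the other bolded lead-ins in this file.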
@@ -104,28 +107,38 @@ For the best experience with Windows Update, follow these guidelines:
### Manage the end-user experience when receiving Windows Updates
-Windows Update for Business provides controls to help meet your organization's security standards as well as provide a great end-user experience. We do this by enabling you to set automatic updates at times that work well for people in your organization and set deadlines for quality and feature updates. Because Windows Update includes built-in intelligence, it's better to use fewer controls to manage the user experience.
+Windows Update for Business provides controls to help meet your organization's security standards and provide a great end-user experience. We do this by enabling you to set automatic updates at times that work well for people in your organization and set deadlines for quality and feature updates. Because Windows Update includes built-in intelligence, it's better to use fewer controls to manage the user experience.
#### Recommended experience settings
Features like the smart busy check (which ensure updates don't happen when a user is signed in) and active hours help provide the best experience for end users while keeping devices more secure and up to date. Follow these steps to take advantage of these features:
1. Automatically download, install, and restart (default if no restart policies are set up or enabled).
-2. Use the default notifications.
-3. Set update deadlines.
+1. Use the default notifications.
+1. Set update deadlines.
-##### Setting deadlines
+##### Setting deadlines
-A compliance deadline policy (released in June 2019) enables you to set separate deadlines and grace periods for feature and quality updates.
+A compliance deadline policy enables you to set separate deadlines and grace periods for feature and quality updates.
This policy enables you to specify the number of days from an update's publication date that it must be installed on the device. The policy also includes a configurable grace period that specifies the number of days from when the update is installed on the device until the device is forced to restart. This approach is useful in a vacation scenario as it allows, for example, users who have been away to have a bit of time before being forced to restart their devices when they return from vacation.
#### Update Baseline
+> [!NOTE]
+> The Update Baseline toolkit is available only for Group Policy. Update Baseline does not affect your offering policies, whether you're using deferrals or target version to manage which updates are offered to your devices when. Update Baseline is not currently supported for Windows 11.
+
The large number of different policies offered can be overwhelming. Update Baseline provides a clear list of recommended Windows update policy settings for IT administrators who want the best user experience while also meeting their update compliance goals. The Update Baseline for Windows 10 includes policy settings recommendations covering deadline configuration, restart behavior, power policies, and more.
The Update Baseline toolkit makes it easy by providing a single command for IT Admins to apply the Update Baseline to devices. You can get the Update Baseline toolkit from the [Download Center](https://www.microsoft.com/download/details.aspx?id=101056).
->[!NOTE]
->The Update Baseline toolkit is available only for Group Policy. Update Baseline does not affect your offering policies, whether you’re using deferrals or target version to manage which updates are offered to your devices when. Update Baseline is not currently supported for Windows 11.
+## Other Windows Update for Business services
+The following services are part of the Windows Update for Business product family:
+
+- [Windows Update for Business reports](wufb-reports-overview.md) is a cloud-based solution that provides information about your Microsoft Entra joined devices' compliance with Windows updates. Windows Update for Business reports is offered through the Azure portal. Windows Update for Business reports helps you:
+ - Monitor security, quality, driver, and feature updates for Windows 11 and Windows 10 devices
+ - Report on devices with update compliance issues
+ - Analyze and display your data in multiple ways
+
+- The [Windows Update for Business deployment service](deployment-service-overview.md) is a cloud service designed to work with your existing Windows Update for Business policies and Windows Update for Business reports. The deployment service provides additional control over the approval, scheduling, and safeguarding of updates delivered from Windows Update to managed devices.
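Review bot: the relocated note `+> The Update Baseline toolkit is available only for Group Policy. Update Baseline does not affect ...` keeps `does not` and `is not` while the rest of this change converts to contractions (`they're`, `isn't`), and `manage which updates are offered to your devices when` is awkward; suggest `doesn't affect your offering policies (deferrals or target version), which control which updates are offered to your devices and when`. Moving the caveat above the paragraph that first explains what Update Baseline is also means readers hit the limitations before the definition; placing it after that first paragraph keeps the section readable. Untouched but adjacent: `Features like the smart busy check (which ensure updates don't happen ...)` should be `which ensures`.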
diff --git a/windows/deployment/update/waas-restart.md b/windows/deployment/update/waas-restart.md
index 007852b8af..18b0aa011f 100644
--- a/windows/deployment/update/waas-restart.md
+++ b/windows/deployment/update/waas-restart.md
@@ -14,7 +14,7 @@ ms.localizationpriority: medium
appliesto:
- ✅ Windows 11
- ✅ Windows 10
-ms.date: 12/31/2017
+ms.date: 10/10/2023
---
# Manage device restarts after updates
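Review bot: this file changes only `ms.date` (12/31/2017 to 10/10/2023) with no content edits in the diff; if the article was not actually re-reviewed, leave the date alone, since readers use it as a signal that the content itself was revised.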
diff --git a/windows/deployment/update/waas-wufb-csp-mdm.md b/windows/deployment/update/waas-wufb-csp-mdm.md
index 3d79d66cd5..e65bab8900 100644
--- a/windows/deployment/update/waas-wufb-csp-mdm.md
+++ b/windows/deployment/update/waas-wufb-csp-mdm.md
@@ -11,7 +11,7 @@ ms.localizationpriority: medium
appliesto:
- ✅ Windows 11
- ✅ Windows 10
-ms.date: 02/28/2023
+ms.date: 10/10/2023
---
# Walkthrough: Use CSPs and MDMs to configure Windows Update for Business
@@ -39,7 +39,7 @@ You can control when updates are applied, for example by deferring when an updat
Both feature and quality updates are automatically offered to devices that are connected to Windows Update using Windows Update for Business policies. However, you can choose whether you want the devices to additionally receive other Microsoft Updates or drivers that are applicable to that device.
-To enable Microsoft Updates, use [Update/AllwMUUpdateService](/windows/client-management/mdm/policy-csp-update#update-allowmuupdateservice).
+To enable Microsoft Updates, use [Update/AllowMUUpdateService](/windows/client-management/mdm/policy-csp-update#update-allowmuupdateservice).
Drivers are automatically enabled because they're beneficial to device systems. We recommend that you allow the driver policy to allow drivers to be updated on devices (the default), but you can turn off this setting if you prefer to manage drivers manually. If you want to disable driver updates for some reason, use Update/[ExcludeWUDriversInQualityUpdate](/windows/client-management/mdm/policy-csp-update#update-excludewudriversinqualityupdate).
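Review bot: the `AllwMUUpdateService` to `AllowMUUpdateService` fix is correct, but the sibling link on the unchanged line below is formatted inconsistently: `Update/[ExcludeWUDriversInQualityUpdate](...)` puts `Update/` outside the link text while the corrected line uses `[Update/AllowMUUpdateService](...)`; make both the same form while you are in this paragraph.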
@@ -136,7 +136,8 @@ We recommend that you use set specific deadlines for feature and quality updates
- [Update/ConfigureDeadlineForFeatureUpdates](/windows/client-management/mdm/policy-csp-update#update-configuredeadlineforfeatureupdates)
- [Update/ConfigureDeadlineForQualityUpdates ](/windows/client-management/mdm/policy-csp-update#update-configuredeadlineforqualityupdates)
-- [Update/ConfigureDeadlineGracePeriod](/windows/client-management/mdm/policy-csp-update#update-configuredeadlinegraceperiod)
+- [Update/ConfigureDeadlineGracePeriod](/windows/client-management/mdm/policy-csp-update#update-configuredeadlinegraceperiod)
+- [Update/ConfigureDeadlineGracePeriodForFeatureUpdates](/windows/client-management/mdm/policy-csp-update#configuredeadlinegraceperiodforfeatureupdates)
- [Update/ConfigureDeadlineNoAutoReboot](/windows/client-management/mdm/policy-csp-update#update-configuredeadlinenoautoreboot)
These policies also offer an option to opt out of automatic restarts until a deadline is reached by presenting an "engaged restart experience" until the deadline has actually expired. At that point the device will automatically schedule a restart regardless of active hours.
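Review bot: the new `+- [Update/ConfigureDeadlineGracePeriodForFeatureUpdates](/windows/client-management/mdm/policy-csp-update#configuredeadlinegraceperiodforfeatureupdates)` link uses an anchor without the `update-` prefix that every other entry in this list uses (`#update-configuredeadlinegraceperiod`, `#update-configuredeadlinenoautoreboot`); verify the fragment resolves. The same entry added to wufb-compliancedeadlines.md in this change carries a `(Windows 11, version 22H2 or later)` qualifier; add it here too, otherwise this list implies the policy applies to every OS in the applies-to block. The unchanged `[Update/ConfigureDeadlineForQualityUpdates ]` entry has a stray space before `]`.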
diff --git a/windows/deployment/update/waas-wufb-group-policy.md b/windows/deployment/update/waas-wufb-group-policy.md
index 7c431a1818..372a36d6df 100644
--- a/windows/deployment/update/waas-wufb-group-policy.md
+++ b/windows/deployment/update/waas-wufb-group-policy.md
@@ -17,7 +17,7 @@ appliesto:
- ✅ Windows Server 2022
- ✅ Windows Server 2019
- ✅ Windows Server 2016
-ms.date: 08/22/2023
+ms.date: 10/10/2023
---
# Walkthrough: Use Group Policy to configure Windows Update for Business
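Review bot: as with waas-restart.md, this file changes only `ms.date` (08/22/2023 to 10/10/2023) with no content edits in the diff; confirm the article was re-reviewed, otherwise leave the date unchanged.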
diff --git a/windows/deployment/update/wufb-compliancedeadlines.md b/windows/deployment/update/wufb-compliancedeadlines.md
index e29c2d0a8e..714ea509f5 100644
--- a/windows/deployment/update/wufb-compliancedeadlines.md
+++ b/windows/deployment/update/wufb-compliancedeadlines.md
@@ -12,36 +12,60 @@ manager: aaroncz
appliesto:
- ✅ Windows 11
- ✅ Windows 10
-ms.date: 05/12/2023
+ms.date: 10/10/2023
---
# Enforcing compliance deadlines for updates
Deploying feature or quality updates for many organizations is only part of the equation for managing their device ecosystem. The ability to enforce update compliance is the next important part. Windows Update for Business provides controls to manage deadlines for when devices should migrate to newer versions.
-With a current version, it's best to use the new policy introduced in June 2019 to Windows 10, version 1709 and later: **Specify deadlines for automatic updates and restarts**. In MDM, this policy is available as four separate settings:
+With a current version, it's best to use the new policy introduced in June 2019 to Windows 10, version 1709 and later: **Specify deadlines for automatic updates and restarts**. In MDM, this policy is available as separate settings:
-- Update/ConfigureDeadlineForFeatureUpdates
-- Update/ConfigureDeadlineForQualityUpdates
-- Update/ConfigureDeadlineGracePeriod
-- Update/ConfigureDeadlineNoAutoReboot
+- [Update/ConfigureDeadlineForFeatureUpdates](/windows/client-management/mdm/policy-csp-update#update-configuredeadlineforfeatureupdates)
+- [Update/ConfigureDeadlineForQualityUpdates](/windows/client-management/mdm/policy-csp-update#update-configuredeadlineforqualityupdates)
+- [Update/ConfigureDeadlineGracePeriod](/windows/client-management/mdm/policy-csp-update#update-configuredeadlinegraceperiod)
+- [Update/ConfigureDeadlineGracePeriodForFeatureUpdates](/windows/client-management/mdm/policy-csp-update#configuredeadlinegraceperiodforfeatureupdates) (Windows 11, version 22H2 or later)
+- [Update/ConfigureDeadlineNoAutoReboot](/windows/client-management/mdm/policy-csp-update#update-configuredeadlinenoautoreboot)
-## Policy setting overview
+
+## Policy setting overview for clients running Windows 11, version 22H2 and later
+
+|Policy| Description |
+|-|-|
+| Specify deadlines for automatic updates and restarts | This policy lets you specify the number of days before quality and feature updates are installed on devices automatically, and a grace period, after which required restarts occur automatically. This policy includes an option to opt out of automatic restarts until the end of the grace period is reached. |
+
+### Suggested configurations for clients running Windows 11, version 22H2 and later
+
+| Policy | Location | Quality updates deadline in days | Quality updates grace period in days | Feature updates deadline in days | Feature updates grace period in days |
+|-|-|-|-|-|-|
+| Specify deadlines for automatic updates and restarts | GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify deadlines for automatic updates and restarts | 7 | 2 | 2 | 7 |
+
+When **Specify deadlines for automatic updates and restarts** is set:
+
+The deadline calculation for both quality and feature updates is based off the time the client's update scan initially discovered the update. Previously, the deadline was based off the release date of the update for quality updates and the reboot pending date for feature updates. The change for deadline calculation was made to improve the predictability of restart.
+
+The grace period for both quality and feature updates starts its countdown from the time of a pending restart after the installation is complete. As soon as installation is complete and the device reaches pending restart, users are able to schedule restarts during the grace period and Windows can still automatically restart outside of active hours if users choose not to schedule restarts. Once the *effective deadline* is reached, the device tries to restart during active hours. (The effective deadline is whichever is the later of the restart pending date plus the specified deadline or the restart pending date plus the grace period.) Grace periods are useful for users who may be coming back from vacation, or other extended time away from their device, to ensure a forced reboot doesn't occur immediately after they return.
+
+> [!NOTE]
+> When **Specify deadlines for automatic updates and restarts** is used, download, installation, and reboot settings stemming from the [Configure Automatic Updates](waas-restart.md#schedule-update-installation) are ignored.
+
+## Policy setting overview for clients running Windows 11, version 21H2 and earlier
|Policy|Description |
|-|-|
| (Windows 10, version 1709 and later) Specify deadlines for automatic updates and restarts | This policy includes a deadline and a configurable grace period with the option to opt out of automatic restarts until the deadline is reached. This is the recommended policy for Windows 10, version 1709 and later.|
-## Suggested configurations
+### Suggested configurations for clients running Windows 11, version 21H2 and earlier
|Policy|Location|Quality update deadline in days|Feature update deadline in days|Grace period in days|
|-|-|-|-|-|
-|(Windows 10, version 1709 and later) Specify deadlines for automatic updates and restarts | GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify deadlines for automatic updates and restarts | 2 | 2 | 5 |
+|(Windows 10, version 1709 and later) Specify deadlines for automatic updates and restarts | GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify deadlines for automatic updates and restarts | 2 | 7 | 2 |
When **Specify deadlines for automatic updates and restarts** is set (Windows 10, version 1709 and later):
-For feature updates, the deadline and grace period start their countdown from the time of a pending restart after the installation is complete. As soon as installation is complete and the device reaches pending restart, the device will try to update outside of active hours. Once the *effective deadline* is reached, the device will try to restart during active hours. (The effective deadline is whichever is the later of the restart pending date plus the specified deadline or the restart pending date plus the grace period.)
+For feature updates, the deadline and grace period start their countdown from the time of a pending restart after the installation is complete. As soon as installation is complete and the device reaches pending restart, the device tries to update outside of active hours. Once the *effective deadline* is reached, the device tries to restart during active hours. (The effective deadline is whichever is the later of the restart pending date plus the specified deadline or the restart pending date plus the grace period.)
-For quality updates, the deadline countdown starts from the time the update is *offered* (not downloaded or installed). The grace period countdown starts from the time of the pending restart. The device will try to download and install the update at a time based on your other download and installation policies (the default is to automatically download and install in in the background). When the pending restart time is reached, the device will notify the user and try to update outside of active hours. Once the effective deadline is reached, the device will try to restart during active hours.
+For quality updates, the deadline countdown starts from the time the update is *offered* (not downloaded or installed). The grace period countdown starts from the time of the pending restart. The device tries to download and install the update at a time based on your other download and installation policies (the default is to automatically download and install in the background). When the pending restart time is reached, the device notifies the user and tries to update outside of active hours. Once the effective deadline is reached, the device tries to restart during active hours.
> [!NOTE]
-> When **Specify deadlines for automatic updates and restarts** is used, download, installation, and reboot settings stemming from the [Configure Automatic Updates](waas-restart.md#schedule-update-installation) are ignored.
+> - When using the newer policy that contains **Feature updates grace period in days**, this setting is ignored by clients that are running Windows 11 version 21H2 and earlier. The grace period for quality updates is used for both quality updates and feature updates for these clients.
+> - When **Specify deadlines for automatic updates and restarts** is used, download, installation, and reboot settings stemming from the [Configure Automatic Updates](waas-restart.md#schedule-update-installation) are ignored.
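Review bot: In the first new bullet, "this setting is ignored" has no clear antecedent (the bullet opens by naming the policy, not the setting), so say explicitly that it is the **Feature updates grace period in days** value that clients on Windows 11 version 21H2 and earlier ignore; the second sentence then follows naturally. The "in in" fix in the quality-updates paragraph and the "will try"/"tries" tense changes are fine.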
diff --git a/windows/deployment/vda-subscription-activation.md b/windows/deployment/vda-subscription-activation.md
index df89fc602d..aefcd10aa4 100644
--- a/windows/deployment/vda-subscription-activation.md
+++ b/windows/deployment/vda-subscription-activation.md
@@ -9,7 +9,7 @@ ms.prod: windows-client
ms.technology: itpro-fundamentals
ms.localizationpriority: medium
ms.topic: how-to
-ms.date: 11/23/2022
+ms.date: 11/14/2023
---
# Configure VDA for Windows subscription activation
@@ -31,7 +31,7 @@ Deployment instructions are provided for the following scenarios:
- VMs must be running a supported version of Windows Pro edition.
- VMs must be joined to Active Directory or Microsoft Entra ID.
-- VMs must be hosted by a Qualified Multitenant Hoster (QMTH). For more information, download the PDF that describes the [Qualified Multitenant Hoster Program](https://download.microsoft.com/download/3/D/4/3D445779-2870-4E3D-AFCB-D35D2E1BC095/QMTH%20Authorized%20Partner%20List.pdf).
+- VMs must be hosted by a Qualified Multitenant Hoster (QMTH).
## Activation
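Review bot: Removing the QMTH PDF link leaves the "must be hosted by a Qualified Multitenant Hoster" requirement with no pointer to how a reader verifies that a hoster qualifies; if the download.microsoft.com PDF is dead, replace it with the current partner list or program page rather than dropping the reference. The same link is removed from windows-10-subscription-activation.md in this change, so both should get the same replacement.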
diff --git a/windows/deployment/volume-activation/plan-for-volume-activation-client.md b/windows/deployment/volume-activation/plan-for-volume-activation-client.md
index 1cc96ae7ed..71a14f511f 100644
--- a/windows/deployment/volume-activation/plan-for-volume-activation-client.md
+++ b/windows/deployment/volume-activation/plan-for-volume-activation-client.md
@@ -16,6 +16,7 @@ ms.date: 11/07/2022
**Applies to:**
+- Windows 11
- Windows 10
- Windows 8.1
- Windows 8
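Review bot: The hunk header shows `ms.date: 11/07/2022` and this change updates the **Applies to** list without bumping it, unlike the other articles in this change whose metadata moves to November 2023; refresh `ms.date` so the page is not presented as a year old after a content edit.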
@@ -87,8 +88,7 @@ Telephone activation is primarily used in situations where a computer is isolate
- Active Directory-based activation
> [!NOTE]
-> Token-based activation is available for specific situations when approved customers rely on a public key infrastructure in an isolated and high-security environment. For more information, contact your Microsoft Account Team or your service representative.
-Token-based Activation option is available for Windows 10 Enterprise LTSB editions (Version 1507 and 1607).
+> Token-based activation for Windows Enterprise (including LTSC) and Windows Server is available for specific situations when approved customers rely on a public key infrastructure in an isolated and high-security environment. For more information, contact your Microsoft Account Team or your service representative.
### Multiple activation key
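Review bot: The removed second line ("Token-based Activation option is available for Windows 10 Enterprise LTSB editions (Version 1507 and 1607)") sat outside the `>` blockquote and rendered as a stray paragraph, so folding it into the note fixes a layout bug; confirm that widening the scope from those two LTSB versions to "Windows Enterprise (including LTSC) and Windows Server" is intended, since the specific version qualifier is no longer stated anywhere.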
diff --git a/windows/deployment/windows-10-poc.md b/windows/deployment/windows-10-poc.md
index 40769fc671..11b304e822 100644
--- a/windows/deployment/windows-10-poc.md
+++ b/windows/deployment/windows-10-poc.md
@@ -225,26 +225,7 @@ When you have completed installation of Hyper-V on the host computer, begin conf
> [!IMPORTANT]
> Don't attempt to use the VM resulting from the following procedure as a reference image. Also, to avoid conflicts with existing clients, don't start the VM outside the PoC network.
-If you don't have a PC available to convert to VM, do the following steps to download an evaluation VM:
-
-1. Open the [Download virtual machines](https://developer.microsoft.com/microsoft-edge/tools/vms/) page.
-
- > [!NOTE]
- > The above link may not be available in all locales.
-
-2. Under **Virtual machine**, choose **IE11 on Win7**.
-
-3. Under **Select platform**, choose **HyperV (Windows)**.
-
-4. Select **Download .zip**. The download is 3.31 GB.
-
-5. Extract the zip file. Three directories are created.
-
-6. Open the **Virtual Hard Disks** directory and then copy **IE11 - Win7.vhd** to the **C:\VHD** directory.
-
-7. Rename **IE11 - Win7.vhd** to **w7.vhd** (don't rename the file to w7.vhdx).
-
-8. In step 5 of the [Configure Hyper-V](#configure-hyper-v) section, replace the VHD file name **w7.vhdx** with **w7.vhd**.
+
If you have a PC available to convert to VM (computer 2):
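Review bot: The removed step 8 told the reader to substitute **w7.vhd** for **w7.vhdx** in step 5 of the [Configure Hyper-V](#configure-hyper-v) section, so that section and any later text that still allows a `.vhd` file name should be checked and adjusted, otherwise the page references an alternative path that no longer exists. Also, the single `+` blank line left where the list was produces two consecutive empty lines before "If you have a PC available to convert to VM (computer 2):" and should be dropped.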
diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md
index 6b8718bf68..b5fc8eb923 100644
--- a/windows/deployment/windows-10-subscription-activation.md
+++ b/windows/deployment/windows-10-subscription-activation.md
@@ -11,7 +11,7 @@ ms.collection:
- highpri
- tier2
ms.topic: conceptual
-ms.date: 11/23/2022
+ms.date: 11/14/2023
appliesto:
- ✅ Windows 10
- ✅ Windows 11
@@ -39,7 +39,15 @@ This article covers the following information:
For more information on how to deploy Enterprise licenses, see [Deploy Windows Enterprise licenses](deploy-enterprise-licenses.md).
> [!NOTE]
-> Organizations that use the Subscription Activation feature to enable users to upgrade from one version of Windows to another and use Conditional Access policies to control access need to exclude the [Universal Store Service APIs and Web Application, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications), from their Conditional Access policies using **Select Excluded Cloud Apps**. For more information about configuring exclusions in Conditional Access policies, see [Application exclusions](/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa#application-exclusions).
+>
+> Organizations that use the Subscription Activation feature to enable users to upgrade from one version of Windows to another and use Conditional Access policies to control access need to exclude one of the following cloud apps from their Conditional Access policies using **Select Excluded Cloud Apps**:
+>
+> - [Universal Store Service APIs and Web Application, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications).
+> - [Windows Store for Business, AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f](/troubleshoot/azure/active-directory/verify-first-party-apps-sign-in#application-ids-of-commonly-used-microsoft-applications).
+>
+> Although the app ID is the same in both instances, the name of the cloud app will depend on the tenant.
+>
+> For more information about configuring exclusions in Conditional Access policies, see [Application exclusions](/azure/active-directory/conditional-access/howto-conditional-access-policy-all-users-mfa#application-exclusions).
## Subscription activation for Enterprise
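Review bot: "exclude one of the following cloud apps" is misleading when both bullets carry the same AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f; phrase it as a single application whose display name varies by tenant, for example "exclude the cloud app with AppID 45a330b1-b1ec-4cc1-9161-9f03992aa49f, which appears as either **Universal Store Service APIs and Web Application** or **Windows Store for Business** depending on the tenant". Since this is a Conditional Access exclusion, it is also worth stating that the exclusion should be limited to the policies that actually block the activation flow rather than applied to every policy, and "will depend" should be "depends" to match the present-tense edits made elsewhere in this change.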
@@ -239,7 +247,7 @@ For more information, see [Deploy Windows Enterprise licenses](deploy-enterprise
## Virtual Desktop Access (VDA)
-Subscriptions to Windows Enterprise are also available for virtualized clients. Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Microsoft Azure or in another [qualified multitenant hoster (QMTH)](https://download.microsoft.com/download/3/D/4/3D445779-2870-4E3D-AFCB-D35D2E1BC095/QMTH%20Authorized%20Partner%20List.pdf).
+Subscriptions to Windows Enterprise are also available for virtualized clients. Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Microsoft Azure or in another qualified multitenant hoster (QMTH).
Virtual machines (VMs) must be configured to enable Windows 10 Enterprise subscriptions for VDA. Active Directory-joined and Microsoft Entra joined clients are supported. See [Enable VDA for Subscription Activation](vda-subscription-activation.md).
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-overview.md
index 34a3b93fab..6082093e6d 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-overview.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-quality-update-overview.md
@@ -95,7 +95,7 @@ For the deployment rings that have passed quality updates deferral date, the OOB
2. Under the **Release Announcements** tab, you can view the knowledge base (KB) articles corresponding to deployed OOB and regular Windows quality updates. You can also view the schedules for OOB update releases in the Release Schedule tab.
> [!NOTE]
-> Announcements abd OOB update schedules will be **removed** from the Release announcements tab when the next quality update is released. Further, if quality updates are paused for a deployment ring, the OOB updates will also be paused.
+> Announcements and OOB update schedules will be **removed** from the Release announcements tab when the next quality update is released. Further, if quality updates are paused for a deployment ring, the OOB updates will also be paused.
### Pause and resume a release
diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md
index 06e2e12c09..3120c809f3 100644
--- a/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md
+++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md
@@ -1,7 +1,7 @@
---
title: Microsoft 365 Apps for enterprise
description: This article explains how Windows Autopatch manages Microsoft 365 Apps for enterprise updates
-ms.date: 06/23/2023
+ms.date: 10/27/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: how-to
@@ -81,7 +81,15 @@ Windows Autopatch doesn't allow you to pause or roll back an update in the Micro
## Allow or block Microsoft 365 App updates
-For organizations seeking greater control, you can allow or block Microsoft 365 App updates for Windows Autopatch-enrolled devices. When the Microsoft 365 App update setting is set to **Block**, Windows Autopatch doesn't provide Microsoft 365 App updates on your behalf, and your organizations have full control over these updates. For example, you can continue to receive updates from [channels](/deployoffice/overview-update-channels) other than the default [Monthly Enterprise Channel](/deployoffice/overview-update-channels#monthly-enterprise-channel-overview).
+> [!IMPORTANT]
+> You must be an Intune Administrator to make changes to the setting.
+
+For organizations seeking greater control, you can allow or block Microsoft 365 App updates for Windows Autopatch-enrolled devices.
+
+| Microsoft 365 App setting | Description |
+| ----- | ----- |
+| **Allow** | When set to **Allow**, Windows Autopatch moves all Autopatch managed devices to the [Monthly Enterprise Channel](/deployoffice/overview-update-channels#monthly-enterprise-channel-overview) and manages updates automatically. To manage updates manually, set the Microsoft 365 App update setting to **Block**. |
+| **Block** | When set to **Block**, Windows Autopatch doesn't provide Microsoft 365 App updates on your behalf, and your organizations have full control over these updates. You can continue to receive updates from [channels](/deployoffice/overview-update-channels) other than the default [Monthly Enterprise Channel](/deployoffice/overview-update-channels#monthly-enterprise-channel-overview). |
**To allow or block Microsoft 365 App updates:**
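Review bot: In the **Block** row, "your organizations have full control" should be "your organization has full control" (carried over from the removed paragraph). The new IMPORTANT note says an Intune Administrator is required to change the setting; if that is a specific Intune RBAC role rather than a general description, link it so readers know which role to assign.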
diff --git a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
index e800c3533c..24650e3a33 100644
--- a/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
+++ b/windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
@@ -1,7 +1,7 @@
---
title: What's new 2023
description: This article lists the 2023 feature releases and any corresponding Message center post numbers.
-ms.date: 10/19/2023
+ms.date: 10/27/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: whats-new
@@ -23,6 +23,12 @@ Minor corrections such as typos, style, or formatting issues aren't listed.
## October 2023
+### October feature releases or updates
+
+| Article | Description |
+| ----- | ----- |
+| [Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md#microsoft-365-apps-for-enterprise-update-controls) | Added more information about the Allow setting in the [Microsoft 365 Apps for enterprise update controls](../operate/windows-autopatch-microsoft-365-apps-enterprise.md#microsoft-365-apps-for-enterprise-update-controls) section |
+
## October service release
| Message center post number | Description |
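Review bot: Heading levels are now inconsistent under `## October 2023`: the new "October feature releases or updates" is an H3, while the adjacent "October service release" stays at H2 and therefore falls outside the October section in the rendered outline; make it `### October service release` to match.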
diff --git a/windows/hub/docfx.json b/windows/hub/docfx.json
index 404d7adbfb..321c0452a5 100644
--- a/windows/hub/docfx.json
+++ b/windows/hub/docfx.json
@@ -61,7 +61,10 @@
"jborsecnik",
"tiburd",
"garycentric",
- "beccarobins"
+ "beccarobins",
+ "Stacyrch140",
+ "v-stsavell",
+ "American-Dipper"
]
},
"fileMetadata": {},
diff --git a/windows/hub/index.yml b/windows/hub/index.yml
index 83dda7c0fe..e651c1901d 100644
--- a/windows/hub/index.yml
+++ b/windows/hub/index.yml
@@ -10,24 +10,23 @@ metadata:
ms.topic: hub-page
ms.prod: windows-client
ms.collection:
- - highpri
- tier1
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
- ms.date: 09/26/2023
+ ms.date: 10/31/2023
highlightedContent:
items:
- title: Get started with Windows 11
itemType: get-started
url: /windows/whats-new/windows-11-overview
- - title: Windows 11, version 22H2
+ - title: Windows 11, version 23H2
itemType: whats-new
- url: /windows/whats-new/whats-new-windows-11-version-22H2
- - title: Windows 11, version 22H2 group policy settings reference
+ url: /windows/whats-new/whats-new-windows-11-version-23h2
+ - title: Windows 11, version 23H2 group policy settings reference
itemType: download
- url: https://www.microsoft.com/en-us/download/details.aspx?id=104594
+ url: https://www.microsoft.com/download/details.aspx?id=105668
- title: Windows release health
itemType: whats-new
url: /windows/release-health
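Review bot: The new `whats-new-windows-11-version-23h2` URL is a new link target, so confirm the page exists before merging (the old 22H2 entry used a mixed-case slug, `22H2`, and the new one is lowercase, which is fine as long as the target matches). Dropping `highpri` from `ms.collection` changes the hub page's priority metadata and is not explained; call it out in the PR description if it is intentional.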
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md
index 4efbc4d3f5..c574ccb678 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md
@@ -27,7 +27,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th
You can learn more about Windows functional and diagnostic data through these articles:
-- [Required diagnostic events and fields for Windows 11, version 22H2](required-diagnostic-events-fields-windows-11-22H2.md)
+- [Required diagnostic events and fields for Windows 11, versions 23H2 and 22H2](required-diagnostic-events-fields-windows-11-22H2.md)
- [Required diagnostic events and fields for Windows 11, version 21H2](required-windows-11-diagnostic-events-and-fields.md)
- [Required diagnostic events and fields for Windows 10: versions 22H2, 21H2, 21H1, 20H2, and 2004](required-windows-diagnostic-data-events-and-fields-2004.md)
- [Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md)
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md
index eea8e6ddd5..f4ff30a23c 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md
@@ -27,7 +27,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th
You can learn more about Windows functional and diagnostic data through these articles:
-- [Required diagnostic events and fields for Windows 11, version 22H2](required-diagnostic-events-fields-windows-11-22H2.md)
+- [Required diagnostic events and fields for Windows 11, versions 23H2 and 22H2](required-diagnostic-events-fields-windows-11-22H2.md)
- [Required diagnostic events and fields for Windows 11, version 21H2](required-windows-11-diagnostic-events-and-fields.md)
- [Required diagnostic events and fields for Windows 10: versions 22H2, 21H2, 21H1, 20H2, and 2004](required-windows-diagnostic-data-events-and-fields-2004.md)
- [Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md)
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
index a8356f8456..f5bdec7600 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
@@ -27,7 +27,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th
You can learn more about Windows functional and diagnostic data through these articles:
-- [Required diagnostic events and fields for Windows 11, version 22H2](required-diagnostic-events-fields-windows-11-22H2.md)
+- [Required diagnostic events and fields for Windows 11, versions 23H2 and 22H2](required-diagnostic-events-fields-windows-11-22H2.md)
- [Required diagnostic events and fields for Windows 11, version 21H2](required-windows-11-diagnostic-events-and-fields.md)
- [Required diagnostic events and fields for Windows 10: versions 22H2, 21H2, 21H1, 20H2, and 2004](required-windows-diagnostic-data-events-and-fields-2004.md)
- [Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md)
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
index 3d03e6bc7b..56be393273 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
@@ -26,7 +26,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th
You can learn more about Windows functional and diagnostic data through these articles:
-- [Required diagnostic events and fields for Windows 11, version 22H2](required-diagnostic-events-fields-windows-11-22H2.md)
+- [Required diagnostic events and fields for Windows 11, versions 23H2 and 22H2](required-diagnostic-events-fields-windows-11-22H2.md)
- [Required diagnostic events and fields for Windows 11, version 21H2](required-windows-11-diagnostic-events-and-fields.md)
- [Required diagnostic events and fields for Windows 10: versions 22H2, 21H2, 21H1, 20H2, and 2004](required-windows-diagnostic-data-events-and-fields-2004.md)
- [Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md)
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md
index 9ae71c39f5..875429c841 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md
@@ -28,7 +28,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th
You can learn more about Windows functional and diagnostic data through these articles:
-- [Required diagnostic events and fields for Windows 11, version 22H2](required-diagnostic-events-fields-windows-11-22H2.md)
+- [Required diagnostic events and fields for Windows 11, versions 23H2 and 22H2](required-diagnostic-events-fields-windows-11-22H2.md)
- [Required diagnostic events and fields for Windows 11, version 21H2](required-windows-11-diagnostic-events-and-fields.md)
- [Required diagnostic events and fields for Windows 10: versions 22H2, 21H2, 21H1, 20H2, and 2004](required-windows-diagnostic-data-events-and-fields-2004.md)
- [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md)
diff --git a/windows/privacy/changes-to-windows-diagnostic-data-collection.md b/windows/privacy/changes-to-windows-diagnostic-data-collection.md
index 945499c4b7..0eb6b38dc9 100644
--- a/windows/privacy/changes-to-windows-diagnostic-data-collection.md
+++ b/windows/privacy/changes-to-windows-diagnostic-data-collection.md
@@ -75,7 +75,7 @@ Customers who use services that depend on Windows diagnostic data, such as [Micr
> [!NOTE]
> The information in this section applies to the following versions of Windows:
> - Windows 10, versions 20H2, 21H2, 22H2, and newer
-> - Windows 11, versions 21H2, 22H2, and newer
+> - Windows 11, versions 21H2, 22H2, 23H2, and newer
Previously, IT admins could use policies (for example, the “Allow commercial data pipeline” policy) at the individual device level to enroll devices in the Windows diagnostic data processor configuration.
diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
index 3c8c0f57d5..c47bf6303c 100644
--- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
+++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
@@ -336,7 +336,7 @@ Tenants with billing addresses in countries or regions in the Middle East and Af
> [!NOTE]
> The information in this section applies to the following versions of Windows:
> - Windows 10, versions 20H2, 21H2, 22H2, and newer
-> - Windows 11, versions 21H2, 22H2, and newer
+> - Windows 11, versions 21H2, 22H2, 23H2, and newer
Starting with the January 2023 preview cumulative update, how you enable the processor configuration option depends on the billing address of the Azure AD tenant to which your devices are joined.
diff --git a/windows/privacy/copilot-supplemental-terms.md b/windows/privacy/copilot-supplemental-terms.md
index 55b0a3386a..caf816b1d7 100644
--- a/windows/privacy/copilot-supplemental-terms.md
+++ b/windows/privacy/copilot-supplemental-terms.md
@@ -35,9 +35,9 @@ Copilot in Windows is your AI companion that brings productivity to your fingert
3. Bing Chat
- a. Your Copilot in Windows experiences powered by Bing Chat are subject to [Bing Chat’s terms of use](https://go.microsoft.com/fwlink/p/?linkid=2247757).
+ a. Your Copilot in Windows experiences powered by Bing Chat are subject to [Bing Chat’s terms of use](https://www.bing.com/new/termsofuse).
- b. If your organization is allowing you to use Bing Chat Enterprise, your Copilot in Windows experiences will be powered by Bing Chat Enterprise and will be subject to [Bing Chat Enterprise’s terms of use](https://go.microsoft.com/fwlink/p/?linkid=2247908).
+ b. If your organization is allowing you to use Bing Chat Enterprise, your Copilot in Windows experiences will be powered by Bing Chat Enterprise and will be subject to [Bing Chat Enterprise’s terms of use](/bing-chat-enterprise/terms-of-use).
4. Using Copilot in Windows
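Review bot: Replacing the `go.microsoft.com/fwlink` redirects with direct URLs removes the indirection that let the terms-of-use target change without a doc edit, and the second link becomes a site-relative path (`/bing-chat-enterprise/terms-of-use`) that only resolves when the page is served from learn.microsoft.com; for a legal-terms page that may be reproduced elsewhere, an absolute URL is safer.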
diff --git a/windows/privacy/docfx.json b/windows/privacy/docfx.json
index 35522da4b4..f4854fbb05 100644
--- a/windows/privacy/docfx.json
+++ b/windows/privacy/docfx.json
@@ -57,7 +57,7 @@
"jborsecnik",
"tiburd",
"garycentric",
- "beccarobins",
+ "beccarobins",
"Stacyrch140",
"v-stsavell",
"American-Dipper"
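Review bot: The `-`/`+` pair for `"beccarobins",` is identical apart from whitespace, so this is a trailing-whitespace cleanup rather than a content change; fine, but worth confirming it was not an accidental edit.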
diff --git a/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md b/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md
index 6ec3eb3ad7..4ac93439c6 100644
--- a/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md
+++ b/windows/privacy/required-diagnostic-events-fields-windows-11-22H2.md
@@ -1,6 +1,6 @@
---
-description: Learn more about the Windows 11, version 22H2 diagnostic data gathered.
-title: Required diagnostic events and fields for Windows 11, version 22H2
+description: Learn more about the diagnostic data gathered for Windows 11, versions 23H2 and 22H2.
+title: Required diagnostic events and fields for Windows 11, versions 23H3 and 22H2
keywords: privacy, telemetry
ms.prod: windows-client
ms.technology: itpro-privacy
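Review bot: The new `title` reads "versions 23H3 and 22H2"; that should be "23H2", matching the `description` line above it and the H1 added further down in this file.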
@@ -8,15 +8,15 @@ localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
manager: laurawi
-ms.date: 09/26/2023
+ms.date: 10/31/2023
ms.topic: reference
---
+# Required diagnostic events and fields for Windows 11, versions 23H2 and 22H2
-# Required diagnostic events and fields for Windows 11, version 22H2
-
- **Applies to**
+**Applies to**
+- Windows 11, version 23H2
- Windows 11, version 22H2
Required diagnostic data gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Microsoft Store.
@@ -199,13 +199,14 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockAdd
-This event sends blocking data about any compatibility blocking entries on the system that are not directly related to specific applications or devices, to help keep Windows up to date.
+This event sends blocking data about any compatibility blocking entries on the system that aren't directly related to specific applications or devices, to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
The following fields are available:
- **AppraiserVersion** The version of the appraiser file generating the events.
+- **SdbEntries** Deprecated in RS3.
### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockRemove
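Review bot: Adding `**SdbEntries** Deprecated in RS3.` to a Windows 11 22H2/23H2 required-events reference says nothing about whether the field is still emitted (for example, always empty) or why a field deprecated in Windows 10 version 1709 belongs on this page; either state that the field is present but unused, or omit it. The same entry is added to the DataSourceMatchingInfoPostUpgradeAdd and DatasourceSystemBiosAdd events in this change.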
@@ -221,13 +222,14 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeAdd
-This event sends compatibility database information about entries requiring reinstallation after an upgrade on the system that are not keyed by either applications or devices, to help keep Windows up to date.
+This event sends compatibility database information about entries requiring reinstallation after an upgrade on the system that aren't keyed by either applications or devices, to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
The following fields are available:
- **AppraiserVersion** The version of the appraiser file generating the events.
+- **SdbEntries** Deprecated in RS3.
### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosAdd
@@ -239,6 +241,7 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic
The following fields are available:
- **AppraiserVersion** The version of the Appraiser file generating the events.
+- **SdbEntries** Deprecated in RS3.
### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosStartSync
@@ -273,14 +276,14 @@ The following fields are available:
- **AssociatedDriverWillNotMigrate** Will the driver associated with this plug-and-play device migrate?
- **BlockAssociatedDriver** Should the driver associated with this PNP device be blocked?
- **BlockingDevice** Is this PNP device blocking upgrade?
-- **BlockUpgradeIfDriverBlocked** Is the PNP device both boot critical and does not have a driver included with the OS?
+- **BlockUpgradeIfDriverBlocked** Is the PNP device both boot critical and doesn't have a driver included with the OS?
- **BlockUpgradeIfDriverBlockedAndOnlyActiveNetwork** Is this PNP device the only active network device?
- **DisplayGenericMessage** Will a generic message be shown during Setup for this PNP device?
- **DisplayGenericMessageGated** Indicates whether a generic message will be shown during Setup for this PNP device.
- **DriverAvailableInbox** Is a driver included with the operating system for this PNP device?
- **DriverAvailableOnline** Is there a driver for this PNP device on Windows Update?
- **DriverAvailableUplevel** Is there a driver on Windows Update or included with the operating system for this PNP device?
-- **DriverBlockOverridden** Is there is a driver block on the device that has been overridden?
+- **DriverBlockOverridden** Is there a driver block on the device that has been overridden?
- **NeedsDismissAction** Will the user would need to dismiss a warning during Setup for this device?
- **NotRegressed** Does the device have a problem code on the source OS that is no better than the one it would have on the target OS?
- **SdbDeviceBlockUpgrade** Is there an SDB block on the PNP device that blocks upgrade?
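Review bot: While applying contractions in this list, the unchanged context line "**NeedsDismissAction** Will the user would need to dismiss a warning during Setup for this device?" still has the double auxiliary; change it to "Will the user need to dismiss a warning during Setup for this device?".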
@@ -311,7 +314,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockAdd
-This event sends compatibility decision data about blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up to date.
+This event sends compatibility decision data about blocking entries on the system that aren't keyed by either applications or devices, to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -350,7 +353,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveAdd
-This event sends compatibility decision data about non-blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up to date.
+This event sends compatibility decision data about non-blocking entries on the system that aren't keyed by either applications or devices, to help keep Windows up to date.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -396,7 +399,7 @@ The following fields are available:
- **NeedsInstallPostUpgradeData** Will the file have a notification after upgrade to install a replacement for the app?
- **NeedsNotifyPostUpgradeData** Should a notification be shown for this file after upgrade?
- **NeedsReinstallPostUpgradeData** Will the file have a notification after upgrade to reinstall the app?
-- **SdbReinstallUpgrade** The file is tagged as needing to be reinstalled after upgrade in the compatibility database (but is not blocking upgrade).
+- **SdbReinstallUpgrade** The file is tagged as needing to be reinstalled after upgrade in the compatibility database (but isn't blocking upgrade).
### Microsoft.Windows.Appraiser.General.DecisionSModeStateAdd
@@ -498,7 +501,7 @@ The following fields are available:
- **BinaryType** A binary type. Example: UNINITIALIZED, ZERO_BYTE, DATA_ONLY, DOS_MODULE, NE16_MODULE, PE32_UNKNOWN, PE32_I386, PE32_ARM, PE64_UNKNOWN, PE64_AMD64, PE64_ARM64, PE64_IA64, PE32_CLR_32, PE32_CLR_IL, PE32_CLR_IL_PREFER32, PE64_CLR_64.
- **BinFileVersion** An attempt to clean up FileVersion at the client that tries to place the version into 4 octets.
- **BinProductVersion** An attempt to clean up ProductVersion at the client that tries to place the version into 4 octets.
-- **BoeProgramId** If there is no entry in Add/Remove Programs, this is the ProgramID that is generated from the file metadata.
+- **BoeProgramId** If there's no entry in Add/Remove Programs, this is the ProgramID that is generated from the file metadata.
- **CompanyName** The company name of the vendor who developed this file.
- **FileId** A hash that uniquely identifies a file.
- **FileVersion** The File version field from the file metadata under Properties -> Details.
@@ -939,10 +942,10 @@ The following fields are available:
- **PCFP** An ID for the system calculated by hashing hardware identifiers.
- **PerfBackoff** Indicates if the run was invoked with logic to stop running when a user is present. Helps to understand why a run may have a longer elapsed time than normal.
- **PerfBackoffInsurance** Indicates if appraiser is running without performance backoff because it has run with perf backoff and failed to complete several times in a row.
-- **RunAppraiser** Indicates if Appraiser was set to run at all. If this if false, it is understood that data events will not be received from this device.
+- **RunAppraiser** Indicates if Appraiser was set to run at all. If this if false, it's understood that data events won't be received from this device.
- **RunDate** The date that the diagnostic data run was stated, expressed as a filetime.
- **RunGeneralTel** Indicates if the generaltel.dll component was run. Generaltel collects additional diagnostic data on an infrequent schedule and only from machines at diagnostic data levels higher than Basic.
-- **RunOnline** Indicates if appraiser was able to connect to Windows Update and theefore is making decisions using up-to-date driver coverage information.
+- **RunOnline** Indicates if appraiser was able to connect to Windows Update and therefore is making decisions using up-to-date driver coverage information.
- **RunResult** The hresult of the Appraiser diagnostic data run.
- **ScheduledUploadDay** The day scheduled for the upload.
- **SendingUtc** Indicates whether the Appraiser client is sending events during the current diagnostic data run.
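Review bot: the `RunAppraiser` line still reads "If this if false" after the contraction edit; since the line is being rewritten anyway, fix the typo to "If this is false". In the same hunk, `RunDate` says the run "was stated", which should be "was started".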
@@ -956,7 +959,7 @@ The following fields are available:
### Microsoft.Windows.Appraiser.General.WmdrmAdd
-This event sends data about the usage of older digital rights management on the system, to help keep Windows up to date. This data does not indicate the details of the media using the digital rights management, only whether any such files exist. Collecting this data was critical to ensuring the correct mitigation for customers, and should be able to be removed once all mitigations are in place.
+This event sends data about the usage of older digital rights management on the system, to help keep Windows up to date. This data doesn't indicate the details of the media using the digital rights management, only whether any such files exist. Collecting this data was critical to ensuring the correct mitigation for customers, and should be able to be removed once all mitigations are in place.
This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
@@ -968,7 +971,7 @@ The following fields are available:
- **WmdrmApiResult** Raw value of the API used to gather DRM state.
- **WmdrmCdRipped** Indicates if the system has any files encrypted with personal DRM, which was used for ripped CDs.
- **WmdrmIndicators** WmdrmCdRipped OR WmdrmPurchased.
-- **WmdrmInUse** WmdrmIndicators AND dismissible block in setup was not dismissed.
+- **WmdrmInUse** WmdrmIndicators AND dismissible block in setup wasn't dismissed.
- **WmdrmNonPermanent** Indicates if the system has any files with non-permanent licenses.
- **WmdrmPurchased** Indicates if the system has any files with permanent licenses.
@@ -995,7 +998,7 @@ The following fields are available:
- **AzureOSIDPresent** Represents the field used to identify an Azure machine.
- **AzureVMType** Represents whether the instance is Azure VM PAAS, Azure VM IAAS or any other VMs.
- **CDJType** Represents the type of cloud domain joined for the machine.
-- **CommercialId** Represents the GUID for the commercial entity which the device is a member of. Will be used to reflect insights back to customers.
+- **CommercialId** Represents the GUID for the commercial entity that the device is a member of. Will be used to reflect insights back to customers.
- **ContainerType** The type of container, such as process or virtual machine hosted.
- **EnrollmentType** Defines the type of MDM enrollment on the device.
- **HashedDomain** The hashed representation of the user domain used for login.
@@ -1007,7 +1010,7 @@ The following fields are available:
- **MDMServiceProvider** A hash of the specific MDM authority, such as Microsoft Intune, that is managing the device.
- **MPNId** Returns the Partner ID/MPN ID from Regkey. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID
- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an enterprise Configuration Manager environment.
-- **ServerFeatures** Represents the features installed on a Windows Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers.
+- **ServerFeatures** Represents the features installed on a Windows Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers.
- **SystemCenterID** The Configuration Manager ID is an anonymized one-way hash of the Active Directory Organization identifier
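Review bot: the `-`/`+` pair for `ServerFeatures` is identical in visible text, so this is a whitespace-only change (most likely a doubled space or trailing whitespace); confirm that is intended rather than an editor artifact. While here, `SCCMClientId` reads "This ID correlate systems", which should be "This ID correlates systems".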
@@ -1018,7 +1021,7 @@ This event sends data about the memory on the device, including ROM and RAM. The
The following fields are available:
- **TotalPhysicalRAM** Represents the physical memory (in MB).
-- **TotalVisibleMemory** Represents the memory that is not reserved by the system.
+- **TotalVisibleMemory** Represents the memory that isn't reserved by the system.
### Census.Network
@@ -1028,8 +1031,8 @@ This event sends data about the mobile and cellular network used by the device (
The following fields are available:
- **CellularModemHWInstanceId0** HardwareInstanceId of the embedded Mobile broadband modem, as reported and used by PnP system to identify the WWAN modem device in Windows system. Empty string (null string) indicates that this property is unknown for telemetry.
-- **IMEI0** Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. The two fields represent phone with dual sim coverage.
-- **IMEI1** Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. The two fields represent phone with dual sim coverage.
+- **IMEI0** Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft doesn't have access to mobile operator billing data so collecting this data doesn't expose or identify the user. The two fields represent phone with dual sim coverage.
+- **IMEI1** Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft doesn't have access to mobile operator billing data so collecting this data doesn't expose or identify the user. The two fields represent phone with dual sim coverage.
- **MCC0** Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage.
- **MCC1** Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage.
- **MNC0** Retrieves the Mobile Network Code (MNC). It used with the Mobile Country Code (MCC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage.
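Review bot: the reworded `IMEI0`/`IMEI1` lines keep the grammar slips around them: "The two fields represent phone with dual sim coverage" needs an article ("a phone with dual-SIM coverage"), and the `MCC`/`MNC` entries say "It used with", which should be "It's used with". Also, the same sentence describes the IMEI as a usually unique identifier used to distinguish phone hardware, so the claim that collecting it "doesn't expose or identify the user" should be worded more carefully: the value does identify the device even if Microsoft cannot map it to a subscriber, and readers assessing diagnostic data exposure will want that distinction stated rather than a blanket "does not identify".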
@@ -1046,7 +1049,7 @@ The following fields are available:
### Census.OS
-This event sends data about the operating system such as the version, locale, update service configuration, when and how it was originally installed, and whether it is a virtual device. The data collected with this event is used to help keep Windows secure and up to date.
+This event sends data about the operating system such as the version, locale, update service configuration, when and how it was originally installed, and whether it's a virtual device. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -1063,7 +1066,7 @@ The following fields are available:
- **IsPortableOperatingSystem** Retrieves whether OS is running Windows-To-Go
- **IsSecureBootEnabled** Retrieves whether Boot chain is signed under UEFI.
- **LanguagePacks** The list of language packages installed on the device.
-- **LicenseStateReason** Retrieves why (or how) a system is licensed or unlicensed. The HRESULT may indicate an error code that indicates a key blocked error, or it may indicate that we are running an OS License granted by the MS store.
+- **LicenseStateReason** Retrieves why (or how) a system is licensed or unlicensed. The HRESULT may indicate an error code that indicates a key blocked error, or it may indicate that we're running an OS License granted by the MS store.
- **OA3xOriginalProductKey** Retrieves the License key stamped by the OEM to the machine.
- **OSEdition** Retrieves the version of the current OS.
- **OSInstallType** Retrieves a numeric description of what install was used on the device i.e. clean, upgrade, refresh, reset, etc
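Review bot: `OSEdition` is described as "Retrieves the version of the current OS", which looks like a copy of another field's text; the name suggests the edition (Pro, Enterprise, and so on), so the description should say that. `OSInstallType` ends with "etc" and no period.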
@@ -1080,7 +1083,7 @@ The following fields are available:
- **ServiceMachinePort** Retrieves the port of the KMS host used for anti-piracy.
- **ServiceProductKeyID** Retrieves the License key of the KMS
- **SharedPCMode** Returns Boolean for devices that have enabled the configuration EnableSharedPCMode.
-- **Signature** Retrieves if it is a signature machine sold by Microsoft store.
+- **Signature** Retrieves if it's a signature machine sold by Microsoft store.
- **SLICStatus** Whether a SLIC table exists on the device.
- **SLICVersion** Returns OS type/version from SLIC table.
@@ -1148,12 +1151,6 @@ The following fields are available:
- **Language** String containing the incompatible language pack detected.
-### MicrosoftWindowsCodeIntegrityTraceLoggingProvider.CodeIntegrityHvciSysprepHvciAlreadyEnabled
-
-This event fires when HVCI is already enabled so no need to continue auto-enablement.
-
-
-
## Common data extensions
### Common Data Extensions.app
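Review bot: this hunk deletes the `MicrosoftWindowsCodeIntegrityTraceLoggingProvider.CodeIntegrityHvciSysprepHvciAlreadyEnabled` entry without a replacement. Because this page is the reference customers use to audit what diagnostic data a device emits, and HVCI auto-enablement is a security-relevant signal, the PR description should state whether the event was removed from Windows or only moved to another page; if it is still emitted, it should stay documented. Also check that the blank-line count left between `- **Language**` and `## Common data extensions` matches the rest of the file.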
@@ -1192,7 +1189,7 @@ Describes the device-related fields.
The following fields are available:
- **deviceClass** The device classification. For example, Desktop, Server, or Mobile.
-- **localId** A locally-defined unique ID for the device. This is not the human-readable device name. Most likely equal to the value stored at HKLM\Software\Microsoft\SQMClient\MachineId
+- **localId** A locally-defined unique ID for the device. This isn't the human-readable device name. Most likely equal to the value stored at HKLM\Software\Microsoft\SQMClient\MachineId
- **make** Device manufacturer.
- **model** Device model.
@@ -1262,7 +1259,7 @@ The following fields are available:
- **authId** This is an ID of the user associated with this event that is deduced from a token such as a Microsoft Account ticket or an XBOX token.
- **locale** The language and region.
-- **localId** Represents a unique user identity that is created locally and added by the client. This is not the user's account ID.
+- **localId** Represents a unique user identity that is created locally and added by the client. This isn't the user's account ID.
### Common Data Extensions.utc
@@ -1285,7 +1282,7 @@ The following fields are available:
- **popSample** Represents the effective sample rate for this event at the time it was generated by a client.
- **providerGuid** The ETW provider ID associated with the provider name.
- **raId** Represents the ETW Related ActivityId. Logged via TraceLogging or directly via ETW.
-- **seq** Represents the sequence field used to track absolute order of uploaded events. It is an incrementing identifier for each event added to the upload queue. The Sequence helps track how many events were fired and how many events were uploaded and enables identification of data lost during upload and de-duplication of events on the ingress server.
+- **seq** Represents the sequence field used to track absolute order of uploaded events. It's an incrementing identifier for each event added to the upload queue. The Sequence helps track how many events were fired and how many events were uploaded and enables identification of data lost during upload and de-duplication of events on the ingress server.
- **sqmId** The Windows SQM (Software Quality Metrics—a precursor of Windows 10 Diagnostic Data collection) device identifier.
- **stId** Represents the Scenario Entry Point ID. This is a unique GUID for each event in a diagnostic scenario. This used to be Scenario Trigger ID.
- **wcmp** The Windows Shell Composer ID.
@@ -1316,6 +1313,7 @@ The following fields are available:
- **uts** A bit field, with 2 bits being assigned to each user ID listed in xid. This field is omitted if all users are retail accounts.
- **xid** A list of base10-encoded XBOX User IDs.
+
## Common data fields
### Ms.Device.DeviceInventoryChange
@@ -1330,7 +1328,6 @@ The following fields are available:
- **objectType** Indicates the object type that the event applies to.
- **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object.
-
## Component-based servicing events
### CbsServicingProvider.CbsCapabilitySessionFinalize
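Review bot: this hunk removes the blank line before `## Component-based servicing events` while the previous hunk adds one before `## Common data fields`; the two changes pull in opposite directions. Pick one spacing convention for the level-2 headings in this file and apply it to both.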
@@ -1357,11 +1354,11 @@ The following fields are available:
### CbsServicingProvider.CbsLateAcquisition
-This event sends data to indicate if some Operating System packages could not be updated as part of an upgrade, to help keep Windows up to date.
+This event sends data to indicate if some Operating System packages couldn't be updated as part of an upgrade, to help keep Windows up to date.
The following fields are available:
-- **Features** The list of feature packages that could not be updated.
+- **Features** The list of feature packages that couldn't be updated.
- **RetryID** The ID identifying the retry attempt to update the listed packages.
@@ -1440,12 +1437,12 @@ The following fields are available:
### TelClientSynthetic.AbnormalShutdown_0
-This event sends data about boot IDs for which a normal clean shutdown was not observed. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
+This event sends data about boot IDs for which a normal clean shutdown wasn't observed. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
The following fields are available:
- **AbnormalShutdownBootId** BootId of the abnormal shutdown being reported by this event.
-- **AbsCausedbyAutoChk** This flag is set when AutoCheck forces a device restart to indicate that the shutdown was not an abnormal shutdown.
+- **AbsCausedbyAutoChk** This flag is set when AutoCheck forces a device restart to indicate that the shutdown wasn't an abnormal shutdown.
- **AcDcStateAtLastShutdown** Identifies if the device was on battery or plugged in.
- **BatteryLevelAtLastShutdown** The last recorded battery level.
- **BatteryPercentageAtLastShutdown** The battery percentage at the last shutdown.
@@ -1486,7 +1483,7 @@ The following fields are available:
- **PowerButtonPressLastPowerWatchdogStage** Progress while the monitor is being turned on.
- **PowerButtonPressPowerWatchdogArmed** Indicates whether or not the watchdog for the monitor was active at the time of the last power button press.
- **ShutdownDeviceType** Identifies who triggered a shutdown. Is it because of battery, thermal zones, or through a Kernel API.
-- **SleepCheckpoint** Provides the last checkpoint when there is a failure during a sleep transition.
+- **SleepCheckpoint** Provides the last checkpoint when there's a failure during a sleep transition.
- **SleepCheckpointSource** Indicates whether the source is the EFI variable or bootstat file.
- **SleepCheckpointStatus** Indicates whether the checkpoint information is valid.
- **StaleBootStatData** Identifies if the data from bootstat is stale.
@@ -1514,26 +1511,26 @@ The following fields are available:
### TelClientSynthetic.AuthorizationInfo_Startup
-This event is fired by UTC at startup to signal what data we are allowed to collect. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
+This event is fired by UTC at startup to signal what data we're allowed to collect. The data collected with this event is used to help keep Windows up to date, secure, and performing properly.
The following fields are available:
- **CanAddMsaToMsTelemetry** True if we can add MSA PUID and CID to telemetry, false otherwise.
-- **CanCollectAnyTelemetry** True if we are allowed to collect partner telemetry, false otherwise.
-- **CanCollectClearUserIds** True if we are allowed to collect clear user IDs, false if we can only collect omitted IDs.
+- **CanCollectAnyTelemetry** True if we're allowed to collect partner telemetry, false otherwise.
+- **CanCollectClearUserIds** True if we're allowed to collect clear user IDs, false if we can only collect omitted IDs.
- **CanCollectCoreTelemetry** True if we can collect CORE/Basic telemetry, false otherwise.
- **CanCollectHeartbeats** True if we can collect heartbeat telemetry, false otherwise.
- **CanCollectOsTelemetry** True if we can collect diagnostic data telemetry, false otherwise.
- **CanCollectWindowsAnalyticsEvents** True if we can collect Windows Analytics data, false otherwise.
-- **CanIncludeDeviceNameInDiagnosticData** True if we are allowed to add the device name to diagnostic data, false otherwise.
+- **CanIncludeDeviceNameInDiagnosticData** True if we're allowed to add the device name to diagnostic data, false otherwise.
- **CanPerformDiagnosticEscalations** True if we can perform diagnostic escalation collection, false otherwise.
- **CanPerformSiufEscalations** True if we can perform System Initiated User Feedback escalation collection, false otherwise.
- **CanReportScenarios** True if we can report scenario completions, false otherwise.
- **CanReportUifEscalations** True if we can perform User Initiated Feedback escalation collection, false otherwise.
- **CanUseAuthenticatedProxy** True if we can use an authenticated proxy to send data, false otherwise.
-- **IsProcessorMode** True if it is Processor Mode, false otherwise.
+- **IsProcessorMode** True if it's Processor Mode, false otherwise.
- **PreviousPermissions** Bitmask of previous telemetry state.
-- **TransitionFromEverythingOff** True if we are transitioning from all telemetry being disabled, false otherwise.
+- **TransitionFromEverythingOff** True if we're transitioning from all telemetry being disabled, false otherwise.
### TelClientSynthetic.ConnectivityHeartBeat_0
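Review bot: `CanCollectClearUserIds` says "false if we can only collect omitted IDs", which is contradictory as written: an omitted ID is not collected at all. If the intent is that IDs are sent in a masked or hashed form when clear IDs are not permitted, say that; this field is exactly what a privacy reviewer reads to understand what `TelClientSynthetic.AuthorizationInfo_Startup` reveals about the consent state.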
@@ -1601,7 +1598,7 @@ The following fields are available:
- **VortexHttpAttempts** Number of attempts to contact Vortex.
- **VortexHttpFailures4xx** Number of 400-499 error codes received from Vortex.
- **VortexHttpFailures5xx** Number of 500-599 error codes received from Vortex.
-- **VortexHttpResponseFailures** Number of Vortex responses that are not 2XX or 400.
+- **VortexHttpResponseFailures** Number of Vortex responses that aren't 2XX or 400.
- **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event.
@@ -1625,7 +1622,7 @@ The following fields are available:
### Microsoft.Windows.DriverInstall.NewDevInstallDeviceEnd
-This event sends data about the driver installation once it is completed. The data collected with this event is used to help keep Windows up to date and performing properly.
+This event sends data about the driver installation once it's completed. The data collected with this event is used to help keep Windows up to date and performing properly.
The following fields are available:
@@ -1667,7 +1664,7 @@ The following fields are available:
### Microsoft.Windows.FaultReporting.AppCrashEvent
-This event sends data about crashes for both native and managed applications, to help keep Windows up to date. The data includes information about the crashing process and a summary of its exception record. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the crash to the Watson service, and the WER event will contain the same ReportID (see field 14 of crash event, field 19 of WER event) as the crash event for the crash being reported. AppCrash is emitted once for each crash handled by WER (e.g. from an unhandled exception or FailFast or ReportException). Note that Generic Watson event types (e.g. from PLM) that may be considered crashes\" by a user DO NOT emit this event.
+This event sends data about crashes for both native and managed applications, to help keep Windows up to date. The data includes information about the crashing process and a summary of its exception record. It doesn't contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the crash to the Watson service, and the WER event will contain the same ReportID (see field 14 of crash event, field 19 of WER event) as the crash event for the crash being reported. AppCrash is emitted once for each crash handled by WER (e.g. from an unhandled exception or FailFast or ReportException). Note that Generic Watson event types (e.g. from PLM) that may be considered crashes\" by a user DO NOT emit this event.
The following fields are available:
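Review bot: the `+` line keeps the stray escaped quote in `considered crashes\" by a user`; the backslash is an artifact and the opening quote is missing, so it should read `considered "crashes" by a user`. Since this line is being rewritten for contractions anyway, fix it here.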
@@ -1677,7 +1674,7 @@ The following fields are available:
- **AppVersion** The version of the app that has crashed.
- **ExceptionCode** The exception code returned by the process that has crashed.
- **ExceptionOffset** The address where the exception had occurred.
-- **Flags** Flags indicating how reporting is done. For example, queue the report, do not offer JIT debugging, or do not terminate the process after reporting.
+- **Flags** Flags indicating how reporting is done. For example, queue the report, don't offer JIT debugging, or don't terminate the process after reporting.
- **FriendlyAppName** The description of the app that has crashed, if different from the AppName. Otherwise, the process name.
- **IsFatal** True/False to indicate whether the crash resulted in process termination.
- **ModName** Exception module name (e.g. bar.dll).
@@ -1731,7 +1728,7 @@ The following fields are available:
### Microsoft.Windows.HangReporting.AppHangEvent
-This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on PC devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events.
+This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It doesn't contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on PC devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events.
The following fields are available:
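Review bot: the `+` line for `AppHangEvent` changes "does not" to "doesn't" but leaves "will not produce AppHang events" at the end of the same sentence, which is inconsistent with the contraction sweep this PR applies everywhere else; change it to "won't produce AppHang events" or leave the whole line alone.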
@@ -1750,13 +1747,38 @@ The following fields are available:
- **TargetAsId** The sequence number for the hanging process.
- **TypeCode** Bitmap describing the hang type.
- **WaitingOnAppName** If this is a cross process hang waiting for an application, this has the name of the application.
-- **WaitingOnAppVersion** If this is a cross process hang, this has the version of the application for which it is waiting.
-- **WaitingOnPackageFullName** If this is a cross process hang waiting for a package, this has the full name of the package for which it is waiting.
+- **WaitingOnAppVersion** If this is a cross process hang, this has the version of the application for which it's waiting.
+- **WaitingOnPackageFullName** If this is a cross process hang waiting for a package, this has the full name of the package for which it's waiting.
- **WaitingOnPackageRelativeAppId** If this is a cross process hang waiting for a package, this has the relative application id of the package.
## Holographic events
+### Microsoft.Windows.Analog.HydrogenCompositor.ExclusiveMode_Entered
+
+This event sends data indicating the start of augmented reality application experience. The data collected with this event is used to keep Windows performing properly.
+
+The following fields are available:
+
+- **SessionID** Unique value for each attempt.
+- **TargetAsId** The sequence number for the process.
+- **windowInstanceId** Unique value for each window instance.
+
+
+### Microsoft.Windows.Analog.HydrogenCompositor.ExclusiveMode_Leave
+
+This event sends data indicating the end of augmented reality application experience. The data collected with this event is used to keep Windows performing properly.
+
+The following fields are available:
+
+- **EventHistory** Unique number of event history.
+- **ExternalComponentState** State of external component.
+- **LastEvent** Unique number of last event.
+- **SessionID** Unique value for each attempt.
+- **TargetAsId** The sequence number for the process.
+- **windowInstanceId** Unique value for each window instance.
+
+
### Microsoft.Windows.Analog.Spectrum.TelemetryHolographicSpaceCreated
This event indicates the state of Windows holographic scene. The data collected with this event is used to keep Windows performing properly.
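Review bot: the new `ExclusiveMode_Entered` and `ExclusiveMode_Leave` sections have field descriptions that say almost nothing: `EventHistory` "Unique number of event history" and `LastEvent` "Unique number of last event" do not tell the reader what is recorded, and `TargetAsId` "The sequence number for the process" is copied from the hang event above. Expand these to say what each value is (an event ID from a known set, a counter, a timestamp). The field list also mixes `SessionID` and `windowInstanceId` casing; confirm these match the names the event actually emits, since readers grep event payloads against this page.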
@@ -1821,7 +1843,7 @@ The following fields are available:
### Microsoft.Windows.Inventory.Core.AmiTelCacheChecksum
-This event captures basic checksum data about the device inventory items stored in the cache for use in validating data completeness for Microsoft.Windows.Inventory.Core events. The fields in this event may change over time, but they will always represent a count of a given object. The data collected with this event is used to keep Windows performing properly.
+This event captures basic checksum data about the device inventory items stored in the cache for use in validating data completeness for Microsoft.Windows.Inventory.Core events. The fields in this event may change over time, but they'll always represent a count of a given object. The data collected with this event is used to keep Windows performing properly.
The following fields are available:
@@ -2124,6 +2146,23 @@ The following fields are available:
- **ServiceName** The name of the driver or service attached to the device.
+### Microsoft.Windows.Kernel.Power.AbnormalShutdown
+
+This event provides diagnostic information of the most recent abnormal shutdown.
+
+The following fields are available:
+
+- **BootEnvironment** Errors from boot environment.
+- **BootStatValid** Status of bootstat file.
+- **Bugcheck** Bugcheck information.
+- **CrashDump** Crash dump information.
+- **CurrentBootId** ID of this boot.
+- **FirmwareReset** System reset by firmware.
+- **LastShutdownBootId** BootID of last shutdown.
+- **LongPowerButtonHold** Long power button hold information.
+- **SystemStateTransition** State transition information.
+- **Watchdog** Watchdog information.
+
## Microsoft Edge events
### Aria.af397ef28e484961ba48646a5d38cf54.Microsoft.WebBrowser.Installer.EdgeUpdate.Ping
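Review bot: the new `Microsoft.Windows.Kernel.Power.AbnormalShutdown` section is missing the standard purpose sentence ("The data collected with this event is used to help keep Windows ...") that every other event on this page carries, including `TelClientSynthetic.AbnormalShutdown_0` above, which covers overlapping ground; add it and consider a cross-reference between the two. The one-word field descriptions also need more: `Bugcheck` and `CrashDump` should say whether only the stop code and dump status are sent or whether dump contents are, because that is the difference between a bugcheck code and potentially sensitive memory for anyone assessing what leaves the device.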
@@ -2133,7 +2172,7 @@ This Ping event sends a detailed inventory of software and hardware information
The following fields are available:
- **appAp** Any additional parameters for the specified application. Default: ''.
-- **appAppId** The GUID that identifies the product. Compatible clients must transmit this attribute. Please see the wiki for additional information. Default: undefined.
+- **appAppId** The GUID that identifies the product. Compatible clients must transmit this attribute. Default: undefined.
- **appBrandCode** The brand code under which the product was installed, if any. A brand code is a short (4-character) string used to identify installations that took place as a result of partner deals or website promotions. Default: ''.
- **appChannel** An integer indicating the channel of the installation (i.e. Canary or Dev).
- **appClientId** A generalized form of the brand code that can accept a wider range of values and is used for similar purposes. Default: ''.
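Review bot: dropping the dangling "Please see the wiki for additional information" from `appAppId` is the right call, since the page links no wiki; apply the same removal consistently to the other Edge ping fields. In the same hunk, `appChannel` uses "i.e. Canary or Dev" to give examples, which should be "e.g.".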
@@ -2141,15 +2180,15 @@ The following fields are available:
- **appCohortHint** A machine-readable enum indicating that the client has a desire to switch to a different release cohort. The exact legal values are app-specific and should be shared between the server and app implementations. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''.
- **appCohortName** A stable non-localized human-readable enum indicating which (if any) set of messages the app should display to the user. For example, an app with a cohort Name of 'beta' might display beta-specific branding to the user. Limited to ASCII characters 32 to 127 (inclusive) and a maximum length of 1024 characters. Default: ''.
- **appConsentState** Bit flags describing the diagnostic data disclosure and response flow where 1 indicates the affirmative and 0 indicates the negative or unspecified data. Bit 1 indicates consent was given, bit 2 indicates data originated from the download page, bit 18 indicates choice for sending data about how the browser is used, and bit 19 indicates choice for sending data about websites visited.
-- **appDayOfInstall** The date-based counting equivalent of appInstallTimeDiffSec (the numeric calendar day that the app was installed on). This value is provided by the server in the response to the first request in the installation flow. The client MAY fuzz this value to the week granularity (e.g. send '0' for 0 through 6, '7' for 7 through 13, etc.). The first communication to the server should use a special value of '-1'. A value of '-2' indicates that this value is not known. Please see the wiki for additional information. Default: '-2'.
-- **appExperiments** A key/value list of experiment identifiers. Experiment labels are used to track membership in different experimental groups, and may be set at install or update time. The experiments string is formatted as a semicolon-delimited concatenation of experiment label strings. An experiment label string is an experiment Name, followed by the '=' character, followed by an experimental label value. For example: 'crdiff=got_bsdiff;optimized=O3'. The client should not transmit the expiration date of any experiments it has, even if the server previously specified a specific expiration date. Default: ''.
+- **appDayOfInstall** The date-based counting equivalent of appInstallTimeDiffSec (the numeric calendar day that the app was installed on). This value is provided by the server in the response to the first request in the installation flow. The client MAY fuzz this value to the week granularity (e.g. send '0' for 0 through 6, '7' for 7 through 13, etc.). The first communication to the server should use a special value of '-1'. A value of '-2' indicates that this value isn't known. Default: '-2'.
+- **appExperiments** A key/value list of experiment identifiers. Experiment labels are used to track membership in different experimental groups, and may be set at install or update time. The experiments string is formatted as a semicolon-delimited concatenation of experiment label strings. An experiment label string is an experiment Name, followed by the '=' character, followed by an experimental label value. For example: 'crdiff=got_bsdiff;optimized=O3'. The client shouldn't transmit the expiration date of any experiments it has, even if the server previously specified a specific expiration date. Default: ''.
- **appInstallTime** The product install time in seconds. '0' if unknown. Default: '-1'.
- **appInstallTimeDiffSec** The difference between the current time and the install date in seconds. '0' if unknown. Default: '-1'.
- **appLang** The language of the product install, in IETF BCP 47 representation. Default: ''.
- **appLastLaunchTime** The time when browser was last launched.
-- **appNextVersion** The version of the app that the update flow to which this event belongs attempted to reach, regardless of the success or failure of the update operation. Please see the wiki for additional information. Default: '0.0.0.0'.
+- **appNextVersion** The version of the app that the update flow to which this event belongs attempted to reach, regardless of the success or failure of the update operation. Default: '0.0.0.0'.
- **appPingEventAppSize** The total number of bytes of all downloaded packages. Default: '0'.
-- **appPingEventDoneBeforeOOBEComplete** Indicates whether the install or update was completed before Windows Out of the Box Experience ends. 1 means event completed before OOBE finishes; 0 means event was not completed before OOBE finishes; -1 means the field does not apply.
+- **appPingEventDoneBeforeOOBEComplete** Indicates whether the install or update was completed before Windows Out of the Box Experience ends. 1 means event completed before OOBE finishes; 0 means event wasn't completed before OOBE finishes; -1 means the field doesn't apply.
- **appPingEventDownloadMetricsCdnCCC** ISO 2 character country or region code that matches to the country or region updated binaries are delivered from. E.g.: US.
- **appPingEventDownloadMetricsCdnCID** Numeric value used to internally track the origins of the updated binaries. For example, 2.
- **appPingEventDownloadMetricsDownloadedBytes** For events representing a download, the number of bytes expected to be downloaded. For events representing an entire update flow, the sum of all such expected bytes over the course of the update flow. Default: '0'.
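Review bot: while this hunk is revising the app* descriptions, the appInstallTime and appInstallTimeDiffSec entries just below the changed lines contradict themselves: each says "'0' if unknown" and then "Default: '-1'". One of the two sentinel values is wrong, or the text should explain when '0' versus '-1' is sent; the hwHas* entries in the next hunk use the clearer "'-1' if unknown. Default: '-1'" pattern.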
@@ -2161,31 +2200,31 @@ The following fields are available:
- **appPingEventDownloadMetricsUrl** For events representing a download, the CDN URL provided by the update server for the client to download the update, the URL is controlled by Microsoft servers and always maps back to either *.delivery.mp.microsoft.com or msedgesetup.azureedge.net. Default: ''.
- **appPingEventDownloadTimeMs** For events representing a download, the time elapsed between the start of the download and the end of the download, in milliseconds. For events representing an entire update flow, the sum of all such download times over the course of the update flow. Sent in events that have an event type of '1', '2', '3', and '14' only. Default: '0'.
- **appPingEventErrorCode** The error code (if any) of the operation, encoded as a signed, base-10 integer. Default: '0'.
-- **appPingEventEventResult** An enum indicating the result of the event. Please see the wiki for additional information. Default: '0'.
-- **appPingEventEventType** An enum indicating the type of the event. Compatible clients MUST transmit this attribute. Please see the wiki for additional information.
+- **appPingEventEventResult** An enum indicating the result of the event. Default: '0'.
+- **appPingEventEventType** An enum indicating the type of the event. Compatible clients MUST transmit this attribute.
- **appPingEventExtraCode1** Additional numeric information about the operation's result, encoded as a signed, base-10 integer. Default: '0'.
- **appPingEventInstallTimeMs** For events representing an install, the time elapsed between the start of the install and the end of the install, in milliseconds. For events representing an entire update flow, the sum of all such durations. Sent in events that have an event type of '2' and '3' only. Default: '0'.
- **appPingEventNumBytesDownloaded** The number of bytes downloaded for the specified application. Default: '0'.
-- **appPingEventPackageCacheResult** Whether there is an existing package cached in the system to update or install. 1 means that there's a cache hit under the expected key, 2 means there's a cache hit under a different key, 0 means that there's a cache miss. -1 means the field does not apply.
+- **appPingEventPackageCacheResult** Whether there's an existing package cached in the system to update or install. 1 means that there's a cache hit under the expected key, 2 means there's a cache hit under a different key, 0 means that there's a cache miss. -1 means the field doesn't apply.
- **appPingEventSequenceId** An id that uniquely identifies particular events within one requestId. Since a request can contain multiple ping events, this field is necessary to uniquely identify each possible event.
- **appPingEventSourceUrlIndex** For events representing a download, the position of the download URL in the list of URLs supplied by the server in a "urls" tag.
- **appPingEventUpdateCheckTimeMs** For events representing an entire update flow, the time elapsed between the start of the update check and the end of the update check, in milliseconds. Sent in events that have an event type of '2' and '3' only. Default: '0'.
- **appReferralHash** The hash of the referral code used to install the product. '0' if unknown. Default: '0'.
-- **appUpdateCheckIsUpdateDisabled** The state of whether app updates are restricted by group policy. True if updates have been restricted by group policy or false if they have not.
-- **appUpdateCheckTargetVersionPrefix** A component-wise prefix of a version number, or a complete version number suffixed with the $ character. The server should not return an update instruction to a version number that does not match the prefix or complete version number. The prefix is interpreted a dotted-tuple that specifies the exactly-matching elements; it is not a lexical prefix (for example, '1.2.3' must match '1.2.3.4' but must not match '1.2.34'). Default: ''.
+- **appUpdateCheckIsUpdateDisabled** The state of whether app updates are restricted by group policy. True if updates have been restricted by group policy or false if they haven't.
+- **appUpdateCheckTargetVersionPrefix** A component-wise prefix of a version number, or a complete version number suffixed with the $ character. The server shouldn't return an update instruction to a version number that doesn't match the prefix or complete version number. The prefix is interpreted a dotted-tuple that specifies the exactly-matching elements; it isn't a lexical prefix (for example, '1.2.3' must match '1.2.3.4' but must not match '1.2.34'). Default: ''.
- **appUpdateCheckTtToken** An opaque access token that can be used to identify the requesting client as a member of a trusted-tester group. If non-empty, the request should be sent over SSL or another secure protocol. Default: ''.
-- **appVersion** The version of the product install. Please see the wiki for additional information. Default: '0.0.0.0'.
+- **appVersion** The version of the product install. Default: '0.0.0.0'.
- **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full.
-- **eventType** A string indicating the type of the event. Please see the wiki for additional information.
+- **eventType** A string indicating the type of the event.
- **expETag** An identifier representing all service applied configurations and experiments when current update happens. Used for testing only.
- **hwDiskType** Device’s hardware disk type.
-- **hwHasAvx** '1' if the client's hardware supports the AVX instruction set. '0' if the client's hardware does not support the AVX instruction set. '-1' if unknown. Default: '-1'.
-- **hwHasSse** '1' if the client's hardware supports the SSE instruction set. '0' if the client's hardware does not support the SSE instruction set. '-1' if unknown. Default: '-1'.
-- **hwHasSse2** '1' if the client's hardware supports the SSE2 instruction set. '0' if the client's hardware does not support the SSE2 instruction set. '-1' if unknown. Default: '-1'.
-- **hwHasSse3** '1' if the client's hardware supports the SSE3 instruction set. '0' if the client's hardware does not support the SSE3 instruction set. '-1' if unknown. Default: '-1'.
-- **hwHasSse41** '1' if the client's hardware supports the SSE4.1 instruction set. '0' if the client's hardware does not support the SSE4.1 instruction set. '-1' if unknown. Default: '-1'.
-- **hwHasSse42** '1' if the client's hardware supports the SSE4.2 instruction set. '0' if the client's hardware does not support the SSE4.2 instruction set. '-1' if unknown. Default: '-1'.
-- **hwHasSsse3** '1' if the client's hardware supports the SSSE3 instruction set. '0' if the client's hardware does not support the SSSE3 instruction set. '-1' if unknown. Default: '-1'.
+- **hwHasAvx** '1' if the client's hardware supports the AVX instruction set. '0' if the client's hardware doesn't support the AVX instruction set. '-1' if unknown. Default: '-1'.
+- **hwHasSse** '1' if the client's hardware supports the SSE instruction set. '0' if the client's hardware doesn't support the SSE instruction set. '-1' if unknown. Default: '-1'.
+- **hwHasSse2** '1' if the client's hardware supports the SSE2 instruction set. '0' if the client's hardware doesn't support the SSE2 instruction set. '-1' if unknown. Default: '-1'.
+- **hwHasSse3** '1' if the client's hardware supports the SSE3 instruction set. '0' if the client's hardware doesn't support the SSE3 instruction set. '-1' if unknown. Default: '-1'.
+- **hwHasSse41** '1' if the client's hardware supports the SSE4.1 instruction set. '0' if the client's hardware doesn't support the SSE4.1 instruction set. '-1' if unknown. Default: '-1'.
+- **hwHasSse42** '1' if the client's hardware supports the SSE4.2 instruction set. '0' if the client's hardware doesn't support the SSE4.2 instruction set. '-1' if unknown. Default: '-1'.
+- **hwHasSsse3** '1' if the client's hardware supports the SSSE3 instruction set. '0' if the client's hardware doesn't support the SSSE3 instruction set. '-1' if unknown. Default: '-1'.
- **hwLogicalCpus** Number of logical CPUs of the device.
- **hwPhysmemory** The physical memory available to the client, truncated down to the nearest gibibyte. '-1' if unknown. This value is intended to reflect the maximum theoretical storage capacity of the client, not including any hard drive or paging to a hard drive or peripheral. Default: '-1'.
- **isMsftDomainJoined** '1' if the client is a member of a Microsoft domain. '0' otherwise. Default: '0'.
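Review bot: the rewritten appUpdateCheckTargetVersionPrefix line still carries the original's missing word, "The prefix is interpreted a dotted-tuple"; since the line is being edited anyway, make it "The prefix is interpreted as a dotted-tuple". The worked example on that line ('1.2.3' matches '1.2.3.4' but not '1.2.34') is the useful part of the entry and should stay.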
@@ -2206,26 +2245,10 @@ The following fields are available:
- **requestRequestId** A randomly-generated (uniformly distributed) GUID, corresponding to the Omaha request. Each request attempt should have (with high probability) a unique request id. Default: ''.
- **requestSessionCorrelationVectorBase** A client generated random MS Correlation Vector base code used to correlate the update session with update and CDN servers. Default: ''.
- **requestSessionId** A randomly-generated (uniformly distributed) GUID. Each single update flow (e.g. update check, update application, event ping sequence) should have (with high probability) a single unique session ID. Default: ''.
-- **requestTestSource** Either '', 'dev', 'qa', 'prober', 'auto', or 'ossdev'. Any value except '' indicates that the request is a test and should not be counted toward normal metrics. Default: ''.
+- **requestTestSource** Either '', 'dev', 'qa', 'prober', 'auto', or 'ossdev'. Any value except '' indicates that the request is a test and shouldn't be counted toward normal metrics. Default: ''.
- **requestUid** A randomly-generated (uniformly distributed) GUID, corresponding to the Omaha user. Each request attempt SHOULD have (with high probability) a unique request id. Default: ''.
-### Microsoft.Edge.Crashpad.HangEvent
-
-This event sends simple Product and Service Performance data on a hanging/frozen Microsoft Edge browser process to help mitigate future instances of the hang.
-
-The following fields are available:
-
-- **app_name** The name of the hanging process.
-- **app_session_guid** Encodes the boot session, process, and process start time.
-- **app_version** The version of the hanging process.
-- **client_id_hash** Hash of the browser client id to help identify the installation.
-- **etag** Identifier to help identify running browser experiments.
-- **hang_source** Identifies how the hang was detected.
-- **process_type** The type of the hanging browser process, for example, gpu-process, renderer, etc.
-- **stack_hash** A hash of the hanging stack. Currently not used or set to zero.
-
-
## OneSettings events
### Microsoft.Windows.OneSettingsClient.Status
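Review bot: this hunk deletes Microsoft.Edge.Crashpad.HangEvent from the Microsoft Edge section, and a later hunk re-adds it verbatim under "Other events". The event name prefix says it belongs with the other Microsoft.Edge.* events, so the relocation reads like an accident rather than a correction; if it is deliberate, the PR description should say why. Separately, the unchanged requestUid line describes the value as "corresponding to the Omaha user" but then repeats the requestRequestId wording ("a unique request id"), which looks like a copy-paste error worth fixing while this list is open.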
@@ -2242,7 +2265,7 @@ The following fields are available:
### Microsoft.Windows.Shell.Oobe.ZDP.ZdpTaskCancelled
-This event is the result of an attempt to cancel ZDP task.
+This event is the result of an attempt to cancel ZDP task
The following fields are available:
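Review bot: the only change in this hunk removes the full stop from "This event is the result of an attempt to cancel ZDP task", which is a regression; every other event description on the page ends with a period. Suggest "This event is the result of an attempt to cancel a ZDP task." (keeping the period and adding the missing article).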
@@ -2252,30 +2275,20 @@ The following fields are available:
## Other events
-### Microsoft.Windows.Analog.HydrogenCompositor.ExclusiveMode_Entered
+### Microsoft.Edge.Crashpad.HangEvent
-This event sends data indicating the start of augmented reality application experience. The data collected with this event is used to keep Windows performing properly.
+This event sends simple Product and Service Performance data on a hanging/frozen Microsoft Edge browser process to help mitigate future instances of the hang.
The following fields are available:
-- **SessionID** Unique value for each attempt.
-- **TargetAsId** The sequence number for the process.
-- **windowInstanceId** Unique value for each window instance.
-
-
-### Microsoft.Windows.Analog.HydrogenCompositor.ExclusiveMode_Leave
-
-This event sends data indicating the end of augmented reality application experience. The data collected with this event is used to keep Windows performing properly.
-
-The following fields are available:
-
-- **EventHistory** Unique number of event history.
-- **ExternalComponentState** State of external component.
-- **LastEvent** Unique number of last event.
-- **SessionID** Unique value for each attempt.
-- **TargetAsId** The sequence number for the process.
-- **windowInstanceId** Unique value for each window instance.
-
+- **app_name** The name of the hanging process.
+- **app_session_guid** Encodes the boot session, process, and process start time.
+- **app_version** The version of the hanging process.
+- **client_id_hash** Hash of the browser client id to help identify the installation.
+- **etag** Identifier to help identify running browser experiments.
+- **hang_source** Identifies how the hang was detected.
+- **process_type** The type of the hanging browser process, for example, gpu-process, renderer, etc.
+- **stack_hash** A hash of the hanging stack. Currently not used or set to zero.
### Microsoft.Windows.Defender.Engine.Maps.Heartbeat
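Review bot: this hunk does more than move Microsoft.Edge.Crashpad.HangEvent into "Other events": it deletes Microsoft.Windows.Analog.HydrogenCompositor.ExclusiveMode_Entered and ExclusiveMode_Leave outright, with all of their fields, and nothing in the diff re-adds them. Removing documented events from a "required diagnostic data" page is a substantive change that needs to be called out (for example, that the events are no longer emitted); if the deletion is a side effect of the move, the two events should be restored.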
@@ -2302,6 +2315,77 @@ The following fields are available:
- **SignatureRing** Signature ring used for deployments
- **SigVersion** Version of signature VDMs
+### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantStartState
+
+This event marks the start of an Update Assistant State. The data collected with this event is used to help keep Windows up to date.
+
+The following fields are available:
+
+- **CV** The correlation vector.
+- **GlobalEventCounter** The global event counter for all telemetry on the device.
+- **UpdateAssistantStateDownloading** True at the start Downloading.
+- **UpdateAssistantStateInitializingApplication** True at the start of the state InitializingApplication.
+- **UpdateAssistantStateInitializingStates** True at the start of InitializingStates.
+- **UpdateAssistantStateInstalling** True at the start of Installing.
+- **UpdateAssistantStatePostInstall** True at the start of PostInstall.
+- **UpdateAssistantVersion** Current package version of UpdateAssistant.
+
+
+### MicrosoftWindowsCodeIntegrityTraceLoggingProvider.CodeIntegrityHvciSysprepHvciAlreadyEnabled
+
+This event fires when HVCI is already enabled so no need to continue auto-enablement.
+
+
+
+### ShellWNSRegistration.SLSChannelRegistrationFailed
+
+This event is logged when the upload of a channel URI to the SLS service fails.
+
+The following fields are available:
+
+- **baseData** JSON blob.
+- **baseType** PartB schema type.
+- **RetryAttempt** The retry attempt number for attempting to open and register the channel.
+- **RetryTimeInMilliseconds** The amount of time taken to retry the channel request in milliseconds.
+
+
+### ShellWNSRegistration.SLSChannelRegistrationSuccess
+
+This event is logged when a channel URI is successfully uploaded to the SLS service.
+
+The following fields are available:
+
+- **RegistrationPayload** JSON payload containing Channel Uri and other data uploaded to SLS.
+- **RetryAttempts** The retry attempt number for attempting to open and register the channel.
+- **RetryTimeInMilliseconds** The amount of time taken to retry the channel request in milliseconds.
+- **TitleId** TitleId for which channel is uploaded.
+
+
+### ShellWNSRegistration.WNSChannelRequestFailed
+
+This event is logged when a Channel Request fails. Contains error code and AppUserModelId for which channel was requested.
+
+The following fields are available:
+
+- **baseData** JSON blob.
+- **baseType** PartB schema type.
+- **RetryAttempt** The retry attempt number for attempting to open and register the channel.
+- **RetryTimeInMilliseconds** The amount of time taken to retry the channel request in milliseconds.
+
+
+### ShellWNSRegistration.WNSChannelRequestSuccess
+
+This event is triggered immediately following the completion of a Channel Request API call. Contains channel URI and AppUserModelId for which channel was requested.
+
+The following fields are available:
+
+- **AppUserModelId** Unique identifier for app requesting a channel.
+- **ChannelUri** Channel URI returned by WNS.
+- **RetryAttempt** The retry attempt number for attempting to open and register the channel.
+- **RetryTimeInMilliseconds** The amount of time taken to retry the channel request in milliseconds.
+
+
+
## Privacy consent logging events
### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted
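Review bot: several of the newly added entries are internally inconsistent. ShellWNSRegistration.WNSChannelRequestFailed says it "Contains error code and AppUserModelId for which channel was requested", but the field list below it has neither (only baseData, baseType, RetryAttempt, RetryTimeInMilliseconds); either list the fields or drop the claim. The retry counter is named RetryAttempt in three events and RetryAttempts in SLSChannelRegistrationSuccess; confirm which name the event actually emits. "baseData JSON blob." is not a description of what is collected. The HVCI event has no "The following fields are available" line or field list; if it carries no fields, say so explicitly as other field-less events on the page do. Finally, the relocated UpdateAssistantStateDownloading line still reads "True at the start Downloading" and should be "True at the start of Downloading".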
@@ -2320,13 +2404,13 @@ The following fields are available:
### Microsoft.Windows.Setup.WinSetupMon.ProtectionViolation
-This event provides information about move or deletion of a file or a directory which is being monitored for data safety during feature updates. The data collected with this event is used to help keep Windows up to date.
+This event provides information about move or deletion of a file or a directory that is being monitored for data safety during feature updates. The data collected with this event is used to help keep Windows up to date.
The following fields are available:
-- **Path** Path to the file or the directory which is being moved or deleted.
-- **Process** Path to the process which is requesting the move or the deletion.
-- **SessionId** Identifier to correlate this component's telemetry with that of others.
+- **Path** Path to the file or the directory that is being moved or deleted.
+- **Process** Path to the process that is requesting the move or the deletion.
+- **SessionId** Identifier to correlate this component's telemetry with that of others.
- **TargetPath** (Optional) If the operation is a move, the target path to which the file or directory is being moved.
@@ -2337,7 +2421,7 @@ Provides details about error in the functioning of upgrade data safety monitorin
The following fields are available:
- **Message** Text string describing the error condition.
-- **SessionId** Identifier to correlate this component's telemetry with that of others.
+- **SessionId** Identifier to correlate this component's telemetry with that of others.
- **Status** NTSTATUS code related to the error.
@@ -2526,24 +2610,6 @@ The following fields are available:
- **UpdateAttempted** Indicates if installation of the current update has been attempted before.
-## Update Assistant events
-
-### Microsoft.Windows.UpdateAssistantApp.UpdateAssistantStartState
-
-This event marks the start of an Update Assistant State. The data collected with this event is used to help keep Windows up to date.
-
-The following fields are available:
-
-- **CV** The correlation vector.
-- **GlobalEventCounter** The global event counter for all telemetry on the device.
-- **UpdateAssistantStateDownloading** True at the start Downloading.
-- **UpdateAssistantStateInitializingApplication** True at the start of the state InitializingApplication.
-- **UpdateAssistantStateInitializingStates** True at the start of InitializingStates.
-- **UpdateAssistantStateInstalling** True at the start of Installing.
-- **UpdateAssistantStatePostInstall** True at the start of PostInstall.
-- **UpdateAssistantVersion** Current package version of UpdateAssistant.
-
-
## Update events
### Update360Telemetry.FellBackToDownloadingAllPackageFiles
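Review bot: removing the "## Update Assistant events" heading changes the page's anchors, so any table-of-contents entry or cross-reference that links to that section will break; the event itself now lives under "Other events" (earlier hunk), so such links should be retargeted rather than just dropped.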
@@ -2695,7 +2761,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentMitigationSummary
-This event sends a summary of all the update agent mitigations available for an this update. The data collected with this event is used to help keep Windows secure and up to date.
+This event sends a summary of all the update agent mitigations available for an update. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
@@ -2755,7 +2821,7 @@ The following fields are available:
- **FlightId** Unique ID for the flight (test instance version).
- **IsSuspendable** Indicates whether the update has the ability to be suspended and resumed at the time of reboot. When the machine is rebooted and the update is in middle of Predownload or Install and Setup.exe is running, this field is TRUE, if not its FALSE.
- **ObjectId** The unique value for each Update Agent mode.
-- **Reason** Indicates the HResult why the machine could not be suspended. If it is successfully suspended, the result is 0.
+- **Reason** Indicates the HResult why the machine couldn't be suspended. If it's successfully suspended, the result is 0.
- **RelatedCV** The correlation vector value generated from the latest USO (Update Service Orchestrator) scan.
- **ScenarioId** The ID of the update scenario.
- **SessionId** The ID of the update attempt.
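Review bot: the contraction edit on the Reason line is fine, but the IsSuspendable entry two lines above it still ends with "if not its FALSE", which should read "if not, it's FALSE" (or "otherwise FALSE"); worth fixing in the same pass since the hunk is already touching this field list.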
@@ -2804,7 +2870,7 @@ The following fields are available:
- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT.
- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
-- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled.
- **TestId** ID that uniquely identifies a group of events.
- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
@@ -2826,7 +2892,7 @@ The following fields are available:
- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT
- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
-- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled.
- **TestId** ID that uniquely identifies a group of events.
- **WuId** Windows Update client ID.
@@ -2848,7 +2914,7 @@ The following fields are available:
- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
- **Setup360Scenario** The Setup360 flow type, Example: Boot, Media, Update, MCT.
- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
-- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled.
- **TestId** A string to uniquely identify a group of events.
- **WuId** Windows Update client ID.
@@ -2930,7 +2996,7 @@ The following fields are available:
- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors.
- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT.
- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
-- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled.
- **TestId** A string to uniquely identify a group of events.
- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
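Review bot: the Setup360Result context line at the top of this hunk reads "an HRESULT error code that can be used used to diagnose errors" (doubled word); the three preceding hunks carry the same spelling-only change to the State line, so the duplicate "used" here is the one real defect in the block and should be fixed alongside it.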
@@ -2977,8 +3043,8 @@ The following fields are available:
- **remediationSummary** Result of each operation performed on a device to fix an invalid state or configuration that's preventing the device from getting updates. For example, if Windows Update service is turned off, the fix is to turn the it back on.
- **usingBackupFeatureAssessment** Relying on backup feature assessment.
- **usingBackupQualityAssessment** Relying on backup quality assessment.
-- **usingCachedFeatureAssessment** WaaS Medic run did not get OS build age from the network on the previous run.
-- **usingCachedQualityAssessment** WaaS Medic run did not get OS revision age from the network on the previous run.
+- **usingCachedFeatureAssessment** WaaS Medic run didn't get OS build age from the network on the previous run.
+- **usingCachedQualityAssessment** WaaS Medic run didn't get OS revision age from the network on the previous run.
- **uusVersion** The version of the UUS package.
- **versionString** Version of the WaaSMedic engine.
- **waasMedicRunMode** Indicates whether this was a background regular run of the medic or whether it was triggered by a user launching Windows Update Troubleshooter.
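Review bot: the remediationSummary line immediately above the changed usingCached* lines ends with "the fix is to turn the it back on"; suggest "the fix is to turn it back on" while this list is being edited.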
@@ -3120,7 +3186,7 @@ The following fields are available:
### Microsoft.Windows.StoreAgent.Telemetry.EndSearchUpdatePackages
-This event is sent after searching for update packages to install. It is used to help keep Windows up-to-date and secure.
+This event is sent after searching for update packages to install. It's used to help keep Windows up-to-date and secure.
The following fields are available:
@@ -3225,7 +3291,7 @@ The following fields are available:
### Microsoft.Windows.StoreAgent.Telemetry.StateTransition
-Products in the process of being fulfilled (installed or updated) are maintained in a list. This event is sent any time there is a change in a product's fulfillment status (pending, working, paused, cancelled, or complete), to help keep Windows up to date and secure.
+Products in the process of being fulfilled (installed or updated) are maintained in a list. This event is sent any time there's a change in a product's fulfillment status (pending, working, paused, canceled, or complete), to help keep Windows up to date and secure.
The following fields are available:
@@ -3348,12 +3414,12 @@ The following fields are available:
### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentAnalysisSummary
-This event collects information regarding the state of devices and drivers on the system following a reboot after the install phase of the new device manifest UUP (Unified Update Platform) update scenario which is used to install a device manifest describing a set of driver packages. The data collected with this event is used to help keep Windows secure and up to date.
+This event collects information regarding the state of devices and drivers on the system following a reboot after the install phase of the new device manifest UUP (Unified Update Platform) update scenario that is used to install a device manifest describing a set of driver packages. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available:
- **activated** Whether the entire device manifest update is considered activated and in use.
-- **analysisErrorCount** The number of driver packages that could not be analyzed because errors occurred during analysis.
+- **analysisErrorCount** The number of driver packages that couldn't be analyzed because errors occurred during analysis.
- **flightId** Unique ID for each flight.
- **missingDriverCount** The number of driver packages delivered by the device manifest that are missing from the system.
- **missingUpdateCount** The number of updates in the device manifest that are missing from the system.
@@ -3364,8 +3430,8 @@ The following fields are available:
- **sessionId** Unique value for each update session.
- **summary** A summary string that contains basic information about driver packages that are part of the device manifest and any devices on the system that those driver packages match.
- **summaryAppendError** A Boolean indicating if there was an error appending more information to the summary string.
-- **truncatedDeviceCount** The number of devices missing from the summary string because there is not enough room in the string.
-- **truncatedDriverCount** The number of driver packages missing from the summary string because there is not enough room in the string.
+- **truncatedDeviceCount** The number of devices missing from the summary string because there isn't enough room in the string.
+- **truncatedDriverCount** The number of driver packages missing from the summary string because there isn't enough room in the string.
- **unpublishedCount** How many drivers packages that were delivered by the device manifest that are still unpublished and unavailable to be used on devices.
- **updateId** The unique ID for each update.
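Review bot: the unpublishedCount line just after the rewritten truncatedDriverCount entry reads "How many drivers packages that were delivered by the device manifest that are still unpublished"; suggest "The number of driver packages delivered by the device manifest that are still unpublished and unavailable for use on devices", matching the wording of the other count fields in this event.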
@@ -3506,12 +3572,12 @@ This event is fired when the Download stage is paused.
The following fields are available:
-- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found.
+- **BundleId** Identifier associated with the specific content bundle; shouldn't be all zeros if the bundleID was found.
- **CallerName** Name of application making the Windows Update request. Used to identify context of request.
- **ClassificationId** Classification identifier of the update content.
- **DownloadPriority** Indicates the priority of the download activity.
- **EventType** Indicates the purpose of the event - whether because scan started, succeeded, failed, etc.
-- **FlightId** Secondary status code for certain scenarios where StatusCode was not specific enough.
+- **FlightId** Secondary status code for certain scenarios where StatusCode wasn't specific enough.
- **HandlerInfo** Blob of Handler related information.
- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.).
- **Props** Commit Props {MergedUpdate}
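Review bot: the rewritten FlightId line keeps a description that does not belong to it: "Secondary status code for certain scenarios where StatusCode wasn't specific enough" is the ExtendedStatusCode description (see the UpdateMetadataIntegrityGeneral hunk below), whereas FlightId everywhere else on this page is "Unique ID for the flight (test instance version)". Correcting the contraction on a wrong description preserves the error; the description itself should be replaced.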
@@ -3524,13 +3590,11 @@ The following fields are available:
### Microsoft.Windows.Update.WUClientExt.UpdateMetadataIntegrityGeneral
-Ensures Windows Updates are secure and complete. Event helps to identify whether update content has been tampered with and protects against man-in-the-middle attack
-
-The following fields are available:
+Ensures Windows Updates are secure and complete. Event helps to identify whether update content has been tampered with and protects against man-in-the-middle attack.
- **CallerName** Name of the application making the Windows Update Request. Used to identify context of the request.
- **EndpointUrl** Ensures Windows Updates are secure and complete. Event helps to identify whether update content has been tampered with and protects against man-in-the-middle attack.
-- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough.
+- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode wasn't specific enough.
- **MetadataIntegrityMode** Mode of update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce
- **RawMode** Raw unparsed mode string from the SLS response. May be null if not applicable.
- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc)
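Review bot: this hunk drops the "The following fields are available:" lead-in (and the blank line before the list) for UpdateMetadataIntegrityGeneral, while every other event in this file keeps it (see the hunk above at line 3572); keep the lead-in for consistency. Two defects on the unchanged lines are worth fixing while here: **EndpointUrl** carries the event description pasted in place of a field description (it should describe the endpoint URL whose metadata is being checked), and **MetadataIntegrityMode** has the typo "1-Ignoe" for "1-Ignore".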
diff --git a/windows/privacy/required-windows-11-diagnostic-events-and-fields.md b/windows/privacy/required-windows-11-diagnostic-events-and-fields.md
index 5a65ea94c0..9b5cb9c9db 100644
--- a/windows/privacy/required-windows-11-diagnostic-events-and-fields.md
+++ b/windows/privacy/required-windows-11-diagnostic-events-and-fields.md
@@ -28,7 +28,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th
You can learn more about Windows functional and diagnostic data through these articles:
-- [Required diagnostic events and fields for Windows 11, version 22H2](required-diagnostic-events-fields-windows-11-22H2.md)
+- [Required diagnostic events and fields for Windows 11, versions 23H2 and 22H2](required-diagnostic-events-fields-windows-11-22H2.md)
- [Required diagnostic events and fields for Windows 10: versions 22H2, 21H2, 21H1, 20H2, and 2004](required-windows-diagnostic-data-events-and-fields-2004.md)
- [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md)
- [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md)
diff --git a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
index 1d88770967..dd99685ad0 100644
--- a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
+++ b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md
@@ -32,7 +32,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th
You can learn more about Windows functional and diagnostic data through these articles:
-- [Required diagnostic events and fields for Windows 11, version 22H2](required-diagnostic-events-fields-windows-11-22H2.md)
+- [Required diagnostic events and fields for Windows 11, versions 23H2 and 22H2](required-diagnostic-events-fields-windows-11-22H2.md)
- [Required diagnostic events and fields for Windows 11, version 21H2](required-windows-11-diagnostic-events-and-fields.md)
- [Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md)
- [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md)
diff --git a/windows/privacy/toc.yml b/windows/privacy/toc.yml
index 295d4bf26f..b6ad626c23 100644
--- a/windows/privacy/toc.yml
+++ b/windows/privacy/toc.yml
@@ -15,7 +15,7 @@
href: Microsoft-DiagnosticDataViewer.md
- name: Required Windows diagnostic data events and fields
items:
- - name: Windows 11, version 22H2
+ - name: Windows 11, versions 23H2 and 22H2
href: required-diagnostic-events-fields-windows-11-22H2.md
- name: Windows 11, version 21H2
href: required-windows-11-diagnostic-events-and-fields.md
diff --git a/windows/privacy/windows-diagnostic-data.md b/windows/privacy/windows-diagnostic-data.md
index 07b2b5073b..8f05003e77 100644
--- a/windows/privacy/windows-diagnostic-data.md
+++ b/windows/privacy/windows-diagnostic-data.md
@@ -15,6 +15,7 @@ ms.topic: reference
# Windows 10, version 1709 and later and Windows 11 optional diagnostic data
Applies to:
+- Windows 11, version 23H2
- Windows 11, version 22H2
- Windows 11, version 21H2
- Windows 10, version 22H2
diff --git a/windows/security/application-security/application-control/user-account-control/how-it-works.md b/windows/security/application-security/application-control/user-account-control/how-it-works.md
index 2e4ec8b5e5..fa5d96ef91 100644
--- a/windows/security/application-security/application-control/user-account-control/how-it-works.md
+++ b/windows/security/application-security/application-control/user-account-control/how-it-works.md
@@ -1,9 +1,6 @@
---
title: How User Account Control works
description: Learn about User Account Control (UAC) components and how it interacts with the end users.
-ms.collection:
- - highpri
- - tier2
ms.topic: concept-article
ms.date: 05/24/2023
---
diff --git a/windows/security/application-security/application-control/user-account-control/index.md b/windows/security/application-security/application-control/user-account-control/index.md
index aad3fb9eab..3b5e6e8561 100644
--- a/windows/security/application-security/application-control/user-account-control/index.md
+++ b/windows/security/application-security/application-control/user-account-control/index.md
@@ -1,9 +1,6 @@
---
title: User Account Control
description: Learn how User Account Control (UAC) helps to prevent unauthorized changes to Windows devices.
-ms.collection:
- - highpri
- - tier2
ms.topic: overview
ms.date: 05/24/2023
---
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview.md b/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview.md
index 7c130ac1f2..8bc7a51202 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview.md
@@ -2,7 +2,6 @@
title: AppLocker
description: This article provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies.
ms.collection:
-- highpri
- tier3
- must-keep
ms.topic: conceptual
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules.md b/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules.md
index 3eac346b20..615226657c 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules.md
@@ -3,7 +3,6 @@ title: Microsoft recommended driver block rules
description: View a list of recommended block rules to block vulnerable third-party drivers discovered by Microsoft and the security research community.
ms.localizationpriority: medium
ms.collection:
-- highpri
- tier3
- must-keep
ms.date: 06/06/2023
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/design/select-types-of-rules-to-create.md b/windows/security/application-security/application-control/windows-defender-application-control/design/select-types-of-rules-to-create.md
index a5798f2f02..68d101d832 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/design/select-types-of-rules-to-create.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/design/select-types-of-rules-to-create.md
@@ -47,6 +47,7 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru
| **18 Disabled:Runtime FilePath Rule Protection** | This option disables the default runtime check that only allows FilePath rules for paths that are only writable by an administrator. NOTE: This option is only supported on Windows 10, version 1903 and later, or Windows Server 2022 and later. | Yes |
| **19 Enabled:Dynamic Code Security** | Enables policy enforcement for .NET applications and dynamically loaded libraries. NOTE: This option is only supported on Windows 10, version 1803 and later, or Windows Server 2019 and later. | No |
| **20 Enabled:Revoked Expired As Unsigned** | Use this option to treat binaries signed with revoked certificates, or expired certificates with the Lifetime Signing EKU on the signature, as "Unsigned binaries" for user-mode process/components, under enterprise signing scenarios. | No |
+| **Enabled:Developer Mode Dynamic Code Trust** | Use this option to trust UWP apps that are [debugged in Visual Studio](/visualstudio/debugger/run-windows-store-apps-on-a-remote-machine) or deployed through device portal when Developer Mode is enabled on the system. | No |
## Windows Defender Application Control file rule levels
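Review bot: the new **Enabled:Developer Mode Dynamic Code Trust** row has no option number, while every other row in this table is numbered (18, 19, 20 in the context lines); give it the next index so readers can map it to the value passed to Set-RuleOption. The row should also state which Windows versions support the option, as rows 18 and 19 do with their NOTE, and "device portal" should be "Device Portal". Since this option widens what the policy trusts, the description should make explicit that it only takes effect when Developer Mode is enabled on the device, so an administrator understands the exposure before adding it to an enforced policy.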
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/wdac.md b/windows/security/application-security/application-control/windows-defender-application-control/wdac.md
index 22e5196913..500f4c397b 100644
--- a/windows/security/application-security/application-control/windows-defender-application-control/wdac.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/wdac.md
@@ -3,7 +3,6 @@ title: Application Control for Windows
description: Application Control restricts which applications users are allowed to run and the code that runs in the system core.
ms.localizationpriority: medium
ms.collection:
-- highpri
- tier3
- must-keep
ms.date: 08/30/2023
diff --git a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/install-md-app-guard.md b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/install-md-app-guard.md
index ac710efb7a..5deab8192a 100644
--- a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/install-md-app-guard.md
+++ b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/install-md-app-guard.md
@@ -3,9 +3,6 @@ title: Enable hardware-based isolation for Microsoft Edge
description: Learn about the Microsoft Defender Application Guard modes (Standalone or Enterprise-managed), and how to install Application Guard in your enterprise.
ms.date: 07/11/2023
ms.topic: how-to
-ms.collection:
- - highpri
- - tier2
---
# Prepare to install Microsoft Defender Application Guard
diff --git a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md
index d1547ce21e..8b2235111a 100644
--- a/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md
+++ b/windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md
@@ -1,11 +1,7 @@
---
title: Microsoft Defender Application Guard
description: Learn about Microsoft Defender Application Guard and how it helps combat malicious content and malware out on the Internet.
-ms.localizationpriority: medium
ms.date: 07/11/2023
-ms.collection:
- - highpri
- - tier2
ms.topic: conceptual
---
diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
index 888bca39ce..b33a5b9f67 100644
--- a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
+++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
@@ -1,9 +1,6 @@
---
title: Windows Sandbox configuration
description: Windows Sandbox configuration
-ms.collection:
- - highpri
- - tier2
ms.topic: article
ms.date: 05/25/2023
---
diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md
index 928d31e27b..676b2a8179 100644
--- a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md
+++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md
@@ -1,9 +1,6 @@
---
title: Windows Sandbox
description: Windows Sandbox overview
-ms.collection:
- - highpri
- - tier2
ms.topic: article
ms.date: 05/25/2023
---
diff --git a/windows/security/docfx.json b/windows/security/docfx.json
index 040348819b..4dffa28451 100644
--- a/windows/security/docfx.json
+++ b/windows/security/docfx.json
@@ -91,9 +91,7 @@
"operating-system-security/data-protection/**/*.md": "paolomatarazzo",
"operating-system-security/data-protection/**/*.yml": "paolomatarazzo",
"operating-system-security/network-security/**/*.md": "paolomatarazzo",
- "operating-system-security/network-security/**/*.yml": "paolomatarazzo",
- "operating-system-security/network-security/windows-firewall/**/*.md": "ngangulyms",
- "operating-system-security/network-security/windows-firewall/**/*.yml": "ngangulyms"
+ "operating-system-security/network-security/**/*.yml": "paolomatarazzo"
},
"ms.author":{
"application-security//**/*.md": "vinpa",
@@ -111,9 +109,7 @@
"operating-system-security/data-protection/**/*.md": "paoloma",
"operating-system-security/data-protection/**/*.yml": "paoloma",
"operating-system-security/network-security/**/*.md": "paoloma",
- "operating-system-security/network-security/**/*.yml": "paoloma",
- "operating-system-security/network-security/windows-firewall/*.md": "nganguly",
- "operating-system-security/network-security/windows-firewall/*.yml": "nganguly"
+ "operating-system-security/network-security/**/*.yml": "paoloma"
},
"appliesto": {
"application-security//**/*.md": [
@@ -218,20 +214,20 @@
"identity-protection/hello-for-business/*.md": "erikdau",
"identity-protection/credential-guard/*.md": "zwhittington",
"identity-protection/access-control/*.md": "sulahiri",
- "operating-system-security/network-security/windows-firewall/*.md": "paoloma",
+ "identity-protection/smart-cards/*.md": "ardenw",
+ "identity-protection/virtual-smart-cards/*.md": "ardenw",
+ "operating-system-security/network-security/windows-firewall/*.md": "nganguly",
"operating-system-security/network-security/vpn/*.md": "pesmith",
"operating-system-security/data-protection/personal-data-encryption/*.md":"rhonnegowda",
"operating-system-security/device-management/windows-security-configuration-framework/*.md": "jmunck"
},
"ms.collection": {
- "application-security/application-control/windows-defender-application-control/**/*.md": [ "tier3", "must-keep" ],
"identity-protection/hello-for-business/*.md": "tier1",
"information-protection/pluton/*.md": "tier1",
"information-protection/tpm/*.md": "tier1",
"threat-protection/auditing/*.md": "tier3",
"operating-system-security/data-protection/bitlocker/*.md": "tier1",
- "operating-system-security/data-protection/personal-data-encryption/*.md": "tier1",
- "operating-system-security/network-security/windows-firewall/*.md": [ "tier3", "must-keep" ]
+ "operating-system-security/data-protection/personal-data-encryption/*.md": "tier1"
}
},
"template": [],
diff --git a/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md
index 17cc685415..2748c9c816 100644
--- a/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md
@@ -1,10 +1,6 @@
---
title: Enable memory integrity
description: This article explains the steps to opt in to using memory integrity on Windows devices.
-ms.localizationpriority: medium
-ms.collection:
- - highpri
- - tier2
ms.topic: conceptual
ms.date: 03/16/2023
appliesto:
@@ -49,8 +45,6 @@ To enable memory integrity on Windows devices with supporting hardware throughou
Beginning with Windows 11 22H2, **Windows Security** shows a warning if memory integrity is turned off. The warning indicator also appears on the Windows Security icon in the Windows Taskbar and in the Windows Notification Center. The user can dismiss the warning from within **Windows Security**.
-To proactively dismiss the memory integrity warning, you can set the **Hardware_HVCI_Off** (DWORD) registry value under `HKLM\SOFTWARE\Microsoft\Windows Security Health\State` to 0. After you change the registry value, you must restart the device for the change to take effect.
-
### Enable memory integrity using Intune
Enabling in Intune requires using the Code Integrity node in the [VirtualizationBasedTechnology CSP](/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology). You can configure these settings by using the [settings catalog](/mem/intune/configuration/settings-catalog).
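Review bot: this hunk removes the Hardware_HVCI_Off registry guidance without saying whether the value is deprecated or where the guidance moved; if the value still works, readers lose the only documented way to clear the warning, and if it is no longer supported, a one-line statement to that effect is better than silent removal. From a hardening standpoint the removal is defensible, since the page no longer documents how to silence a warning that memory integrity is turned off.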
diff --git a/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows.md b/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows.md
index 077e6473de..d5451404d1 100644
--- a/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows.md
+++ b/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows.md
@@ -1,8 +1,8 @@
---
-title: How a Windows Defender System Guard helps protect Windows
-description: Windows Defender System Guard reorganizes the existing Windows system integrity features under one roof. Learn how it works.
+title: How Windows Defender System Guard helps protect Windows
+description: Learn how Windows Defender System Guard reorganizes the existing Windows system integrity features under one roof.
ms.localizationpriority: medium
-ms.date: 03/01/2019
+ms.date: 10/25/2023
ms.topic: conceptual
---
@@ -19,15 +19,11 @@ Windows Defender System Guard reorganizes the existing Windows system integrity
### Static Root of Trust for Measurement (SRTM)
-With Windows 7, one of the means attackers would use to persist and evade detection was to install what is often referred to as a bootkit or rootkit on the system.
-This malicious software would start before Windows started, or during the boot process itself, enabling it to start with the highest level of privilege.
+With Windows 7, one of the means attackers would use to persist and evade detection was to install what is often referred to as a bootkit or rootkit on the system. This malicious software would start before Windows started, or during the boot process itself, enabling it to start with the highest level of privilege.
-With Windows 10 running on modern hardware (that is, Windows 8-certified or greater) a hardware-based root of trust helps ensure that no unauthorized firmware or software (such as a bootkit) can start before the Windows bootloader.
-This hardware-based root of trust comes from the device's Secure Boot feature, which is part of the Unified Extensible Firmware Interface (UEFI).
-This technique of measuring the static early boot UEFI components is called the Static Root of Trust for Measurement (SRTM).
+With Windows 10 running on modern hardware, a hardware-based root of trust helps ensure that no unauthorized firmware or software (such as a bootkit) can start before the Windows bootloader. This hardware-based root of trust comes from the device's Secure Boot feature, which is part of the Unified Extensible Firmware Interface (UEFI). This technique of measuring the static early boot UEFI components is called the Static Root of Trust for Measurement (SRTM).
-As there are thousands of PC vendors that produce many models with different UEFI BIOS versions, there becomes an incredibly large number of SRTM measurements upon bootup.
-Two techniques exist to establish trust here—either maintain a list of known 'bad' SRTM measurements (also known as a blocklist), or a list of known 'good' SRTM measurements (also known as an allowlist).
+As there are thousands of PC vendors that produce many models with different UEFI BIOS versions, there becomes an incredibly large number of SRTM measurements upon bootup. Two techniques exist to establish trust here—either maintain a list of known 'bad' SRTM measurements (also known as a blocklist), or a list of known 'good' SRTM measurements (also known as an allowlist).
Each option has a drawback:
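Review bot: the rewritten paragraph drops the qualifier "(that is, Windows 8-certified or greater)" that defined "modern hardware", leaving the term undefined; keep the qualifier or state the actual requirement (UEFI firmware with Secure Boot) explicitly. Also, "there becomes an incredibly large number of SRTM measurements upon bootup" on the joined line reads awkwardly; "the number of possible SRTM measurements at boot becomes very large" is clearer.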
@@ -37,9 +33,7 @@ Also, a bug fix for UEFI code can take a long time to design, build, retest, val
### Secure Launch—the Dynamic Root of Trust for Measurement (DRTM)
-[Windows Defender System Guard Secure Launch](system-guard-secure-launch-and-smm-protection.md), first introduced in Windows 10 version 1809, aims to alleviate these issues by leveraging a technology known as the Dynamic Root of Trust for Measurement (DRTM).
-DRTM lets the system freely boot into untrusted code initially, but shortly after launches the system into a trusted state by taking control of all CPUs and forcing them down a well-known and measured code path.
-This has the benefit of allowing untrusted early UEFI code to boot the system, but then being able to securely transition into a trusted and measured state.
+[Windows Defender System Guard Secure Launch](system-guard-secure-launch-and-smm-protection.md), first introduced in Windows 10 version 1809, aims to alleviate these issues by leveraging a technology known as the Dynamic Root of Trust for Measurement (DRTM). DRTM lets the system freely boot into untrusted code initially, but shortly after launches the system into a trusted state by taking control of all CPUs and forcing them down a well-known and measured code path. This has the benefit of allowing untrusted early UEFI code to boot the system, but then being able to securely transition into a trusted and measured state.

@@ -47,9 +41,7 @@ Secure Launch simplifies management of SRTM measurements because the launch code
### System Management Mode (SMM) protection
-System Management Mode (SMM) is a special-purpose CPU mode in x86 microcontrollers that handles power management, hardware configuration, thermal monitoring, and anything else the manufacturer deems useful.
-Whenever one of these system operations is requested, a non-maskable interrupt (SMI) is invoked at runtime, which executes SMM code installed by the BIOS.
-SMM code executes in the highest privilege level and is invisible to the OS, which makes it an attractive target for malicious activity. Even if System Guard Secure Launch is used to late launch, SMM code can potentially access hypervisor memory and change the hypervisor.
+System Management Mode (SMM) is a special-purpose CPU mode in x86 microcontrollers that handles power management, hardware configuration, thermal monitoring, and anything else the manufacturer deems useful. Whenever one of these system operations is requested, a non-maskable interrupt (SMI) is invoked at runtime, which executes SMM code installed by the BIOS. SMM code executes in the highest privilege level and is invisible to the OS, which makes it an attractive target for malicious activity. Even if System Guard Secure Launch is used to late launch, SMM code can potentially access hypervisor memory and change the hypervisor.
To defend against this, two techniques are used:
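Review bot: the joined line keeps "a non-maskable interrupt (SMI)", but SMI stands for System Management Interrupt; the NMI is a different interrupt. Since the line is being rewritten, change it to "a System Management Interrupt (SMI) is raised", and "x86 microcontrollers" should be "x86 processors", because SMM is an operating mode of the main CPU, not of a microcontroller.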
@@ -60,14 +52,13 @@ Paging protection can be implemented to lock certain code tables to be read-only
A hardware-enforced processor feature known as a supervisor SMI handler can monitor the SMM and make sure it doesn't access any part of the address space that it isn't supposed to.
-SMM protection is built on top of the Secure Launch technology and requires it to function.
-In the future, Windows 10 will also measure this SMI Handler's behavior and attest that no OS-owned memory has been tampered with.
+SMM protection is built on top of the Secure Launch technology and requires it to function. In the future, Windows 10 will also measure this SMI Handler's behavior and attest that no OS-owned memory has been tampered with.
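Review bot: the joined line still says "In the future, Windows 10 will also measure this SMI Handler's behavior", which is stale now that ms.date is bumped to 10/25/2023 and the later hunk generalizes "As Windows 10 boots" to "As Windows boots"; either describe the current behaviour or drop the forward-looking sentence.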
## Validating platform integrity after Windows is running (run time)
While Windows Defender System Guard provides advanced protection that will help protect and maintain the integrity of the platform during boot and at run time, the reality is that we must apply an "assume breach" mentality to even our most sophisticated security technologies. We can trust that the technologies are successfully doing their jobs, but we also need the ability to verify that they were successful in achieving their goals. For platform integrity, we can't just trust the platform, which potentially could be compromised, to self-attest to its security state. So Windows Defender System Guard includes a series of technologies that enable remote analysis of the device's integrity.
-As Windows 10 boots, a series of integrity measurements are taken by Windows Defender System Guard using the device's Trusted Platform Module 2.0 (TPM 2.0). System Guard Secure Launch won't support earlier TPM versions, such as TPM 1.2. This process and data are hardware-isolated away from Windows to help ensure that the measurement data isn't subject to the type of tampering that could happen if the platform was compromised. From here, the measurements can be used to determine the integrity of the device's firmware, hardware configuration state, and Windows boot-related components, just to name a few.
+As Windows boots, a series of integrity measurements are taken by Windows Defender System Guard using the device's Trusted Platform Module 2.0 (TPM 2.0). System Guard Secure Launch doesn't support earlier TPM versions, such as TPM 1.2. This process and data are hardware-isolated away from Windows to help ensure that the measurement data isn't subject to the type of tampering that could happen if the platform was compromised. From here, the measurements can be used to determine the integrity of the device's firmware, hardware configuration state, and Windows boot-related components, to name a few.

diff --git a/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt.md b/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt.md
index f7fd8927c1..f4092a1bc3 100644
--- a/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt.md
+++ b/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt.md
@@ -2,7 +2,6 @@
title: Kernel DMA Protection
description: Learn how Kernel DMA Protection protects Windows devices against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices.
ms.collection:
- - highpri
- tier1
ms.topic: conceptual
ms.date: 07/31/2023
@@ -54,27 +53,27 @@ You can use the Windows Security settings to check if Kernel DMA Protection is e
1. Open **Windows Security**.
1. Select **Device security > Core isolation details > Memory access protection**
-:::image type="content" source="images/kernel-dma-protection-security-center.png" alt-text="Screenshot of Kernel DMA protection in Windows Security." lightbox="images/kernel-dma-protection-security-center.png" border="true":::
+ :::image type="content" source="images/kernel-dma-protection-security-center.png" alt-text="Screenshot of Kernel DMA protection in Windows Security." lightbox="images/kernel-dma-protection-security-center.png" border="true":::
-Alternatively, you can use the System Information desktop app (`msinfo32.exe`). If the system supports Kernel DMA Protection, the **Kernel DMA Protection** value will be set to **ON**.
+ Alternatively, you can use the System Information desktop app (`msinfo32.exe`). If the system supports Kernel DMA Protection, the **Kernel DMA Protection** value will be set to **ON**.
-:::image type="content" source="images/kernel-dma-protection.png" alt-text="Screenshot of Kernel DMA protection in System Information." lightbox="images/kernel-dma-protection.png" border="true":::
+ :::image type="content" source="images/kernel-dma-protection.png" alt-text="Screenshot of Kernel DMA protection in System Information." lightbox="images/kernel-dma-protection.png" border="true":::
-If the current state of **Kernel DMA Protection** is **OFF** and **Hyper-V - Virtualization Enabled in Firmware** is **NO**:
+ If the current state of **Kernel DMA Protection** is **OFF** and **Hyper-V - Virtualization Enabled in Firmware** is **NO**:
-- Reboot into UEFI settings
-- Turn on Intel Virtualization Technology
-- Turn on Intel Virtualization Technology for I/O (VT-d)
-- Reboot system into Windows
+ - Reboot into UEFI settings
+ - Turn on Intel Virtualization Technology
+ - Turn on Intel Virtualization Technology for I/O (VT-d)
+ - Reboot system into Windows
-> [!NOTE]
-> If the **Hyper-V** Windows feature is enabled, all the Hyper-V-related features will be hidden, and **A hypervisor has been detected. Features required for Hyper-V will not be displayed** entity will be shown at the bottom of the list. It means that **Hyper-V - Virtualization Enabled in Firmware** is set to **YES**.
->
-> Enabling Hyper-V virtualization in Firmware (IOMMU) is required to enable **Kernel DMA Protection**, even when the firmware has the flag of *ACPI Kernel DMA Protection Indicators* described in [Kernel DMA Protection (Memory Access Protection) for OEMs][LINK-3].
+ > [!NOTE]
+ > If the **Hyper-V** Windows feature is enabled, all the Hyper-V-related features will be hidden, and **A hypervisor has been detected. Features required for Hyper-V will not be displayed** entity will be shown at the bottom of the list. It means that **Hyper-V - Virtualization Enabled in Firmware** is set to **YES**.
+ >
+ > Enabling Hyper-V virtualization in Firmware (IOMMU) is required to enable **Kernel DMA Protection**, even when the firmware has the flag of *ACPI Kernel DMA Protection Indicators* described in [Kernel DMA Protection (Memory Access Protection) for OEMs][LINK-3].
-If the state of **Kernel DMA Protection** remains Off, then the system doesn't support Kernel DMA Protection.
+ If the state of **Kernel DMA Protection** remains Off, then the system doesn't support Kernel DMA Protection.
-For systems that don't support Kernel DMA Protection, refer to the [BitLocker countermeasures](../operating-system-security/data-protection/bitlocker/bitlocker-countermeasures.md) or [Thunderbolt 3 and Security on Microsoft Windows Operating system][EXT-1] for other means of DMA protection.
+For systems that don't support Kernel DMA Protection, refer to the [BitLocker countermeasures](../operating-system-security/data-protection/bitlocker/countermeasures.md) or [Thunderbolt 3 and Security on Microsoft Windows Operating system][EXT-1] for other means of DMA protection.
## Frequently asked questions
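Review bot: the re-indentation under step 2 is correct, but the UEFI sub-steps in this hunk are Intel-only (Intel Virtualization Technology, VT-d); as the lines are being touched, add the AMD equivalents (AMD-V/SVM and the IOMMU) or say that the setting names vary by vendor. Also confirm that the renamed link target bitlocker/countermeasures.md exists in this PR, since the rename itself is not visible here.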
diff --git a/windows/security/hardware-security/tpm/initialize-and-configure-ownership-of-the-tpm.md b/windows/security/hardware-security/tpm/initialize-and-configure-ownership-of-the-tpm.md
index e9374612fe..6eab697f4d 100644
--- a/windows/security/hardware-security/tpm/initialize-and-configure-ownership-of-the-tpm.md
+++ b/windows/security/hardware-security/tpm/initialize-and-configure-ownership-of-the-tpm.md
@@ -4,7 +4,6 @@ description: Learn how to view and troubleshoot the Trusted Platform Module (TPM
ms.topic: conceptual
ms.date: 02/02/2023
ms.collection:
-- highpri
- tier1
---
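Review bot: `ms.date` stays at `02/02/2023` while `ms.collection` changes. That is acceptable for a metadata-only edit, but the `access-control.md` and `local-accounts.md` hunks in this same patch bump `ms.date` to `11/07/2023`, so the patch applies two conventions; pick one and apply it to all the `highpri` removals below.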
diff --git a/windows/security/hardware-security/tpm/tpm-recommendations.md b/windows/security/hardware-security/tpm/tpm-recommendations.md
index afea335006..d9a7ce1a95 100644
--- a/windows/security/hardware-security/tpm/tpm-recommendations.md
+++ b/windows/security/hardware-security/tpm/tpm-recommendations.md
@@ -4,7 +4,6 @@ description: This topic provides recommendations for Trusted Platform Module (TP
ms.topic: conceptual
ms.date: 02/02/2023
ms.collection:
-- highpri
- tier1
---
@@ -98,7 +97,7 @@ The following table defines which Windows features require TPM support.
Windows Features | TPM Required | Supports TPM 1.2 | Supports TPM 2.0 | Details |
-|-|-|-|-
Measured Boot | Yes | Yes | Yes | Measured Boot requires TPM 1.2 or 2.0 and UEFI Secure Boot. TPM 2.0 is recommended since it supports newer cryptographic algorithms. TPM 1.2 only supports the SHA-1 algorithm which is being deprecated.
- BitLocker | No | Yes | Yes | TPM 1.2 or 2.0 are supported but TPM 2.0 is recommended. [Automatic Device Encryption requires Modern Standby](../../operating-system-security/data-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) including TPM 2.0 support
+ BitLocker | No | Yes | Yes | TPM 1.2 or 2.0 are supported but TPM 2.0 is recommended. [Device Encryption requires Modern Standby](../../operating-system-security/data-protection/bitlocker/index.md#device-encryption) including TPM 2.0 support
Device Encryption | Yes | N/A | Yes | Device Encryption requires Modern Standby/Connected Standby certification, which requires TPM 2.0.
Windows Defender Application Control (Device Guard) | No | Yes | Yes
Windows Defender System Guard (DRTM) | Yes | No | Yes | TPM 2.0 and UEFI firmware is required.
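Review bot: the new BitLocker row links `Device Encryption requires Modern Standby` to `bitlocker/index.md#device-encryption`; confirm that heading anchor exists in the new index page, because a renamed section silently turns this into a dead fragment. The very next row is already titled `Device Encryption` and carries its own Modern Standby/TPM 2.0 statement, so the BitLocker row now repeats that requirement; consider keeping the BitLocker row about BitLocker and letting the Device Encryption row carry the Modern Standby note. Visible in context and unrelated to this change: the `Windows Defender Application Control (Device Guard)` row has only four cells against a five-column header.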
diff --git a/windows/security/hardware-security/tpm/trusted-platform-module-overview.md b/windows/security/hardware-security/tpm/trusted-platform-module-overview.md
index 8d35f5065b..55f111a138 100644
--- a/windows/security/hardware-security/tpm/trusted-platform-module-overview.md
+++ b/windows/security/hardware-security/tpm/trusted-platform-module-overview.md
@@ -4,7 +4,6 @@ description: Learn about the Trusted Platform Module (TPM) and how Windows uses
ms.topic: conceptual
ms.date: 02/22/2023
ms.collection:
-- highpri
- tier1
---
diff --git a/windows/security/hardware-security/tpm/trusted-platform-module-services-group-policy-settings.md b/windows/security/hardware-security/tpm/trusted-platform-module-services-group-policy-settings.md
index d74612ae4a..586da21da4 100644
--- a/windows/security/hardware-security/tpm/trusted-platform-module-services-group-policy-settings.md
+++ b/windows/security/hardware-security/tpm/trusted-platform-module-services-group-policy-settings.md
@@ -134,4 +134,4 @@ If you don't want users to see the recommendation to update TPM firmware, you ca
- [Trusted Platform Module](trusted-platform-module-top-node.md)
- [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule/?view=win10-ps&preserve-view=true)
-- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](../../operating-system-security/data-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md)
+- [BitLocker planning guide](../../operating-system-security/data-protection/bitlocker/planning-guide.md)
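Review bot: the old link targeted the `TPM configurations` section of the planning article, and the replacement points at the top of `planning-guide.md` with no anchor; if the planning guide has a TPM section, add its fragment so readers land on the relevant part instead of the whole guide.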
diff --git a/windows/security/hardware-security/tpm/trusted-platform-module-top-node.md b/windows/security/hardware-security/tpm/trusted-platform-module-top-node.md
index c19e762bdf..7befac5b61 100644
--- a/windows/security/hardware-security/tpm/trusted-platform-module-top-node.md
+++ b/windows/security/hardware-security/tpm/trusted-platform-module-top-node.md
@@ -4,7 +4,6 @@ description: This topic for the IT professional provides links to information ab
ms.topic: conceptual
ms.date: 02/02/2023
ms.collection:
-- highpri
- tier1
---
diff --git a/windows/security/identity-protection/access-control/access-control.md b/windows/security/identity-protection/access-control/access-control.md
index 0cc106f7cb..3a7b6d25bd 100644
--- a/windows/security/identity-protection/access-control/access-control.md
+++ b/windows/security/identity-protection/access-control/access-control.md
@@ -1,7 +1,7 @@
---
-ms.date: 11/22/2022
-title: Access Control Overview
-description: Description of the access controls in Windows, which is the process of authorizing users, groups, and computers to access objects on the network or computer.
+ms.date: 11/07/2023
+title: Access Control overview
+description: Learn about access control in Windows, which is the process of authorizing users, groups, and computers to access objects on the network or computer.
ms.topic: overview
appliesto:
- ✅ Windows 11
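Review bot: the frontmatter `title` becomes `Access Control overview` while the H1 in the next hunk becomes `Access control overview`; pick one casing for `control` so the browser title and the page heading match.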
@@ -11,33 +11,37 @@ appliesto:
- ✅ Windows Server 2016
---
-# Access Control Overview
+# Access control overview
-This topic for the IT professional describes access control in Windows, which is the process of authorizing users, groups, and computers to access objects on the network or computer. Key concepts that make up access control are permissions, ownership of objects, inheritance of permissions, user rights, and object auditing.
+This article describes access control in Windows, which is the process of authorizing users, groups, and computers to access objects on the network or computer. Key concepts that make up access control are:
-## Feature description
+- permissions
+- ownership of objects
+- inheritance of permissions
+- user rights
+- object auditing
Computers that are running a supported version of Windows can control the use of system and network resources through the interrelated mechanisms of authentication and authorization. After a user is authenticated, the Windows operating system uses built-in authorization and access control technologies to implement the second phase of protecting resources: determining if an authenticated user has the correct permissions to access a resource.
-Shared resources are available to users and groups other than the resource's owner, and they need to be protected from unauthorized use. In the access control model, users and groups (also referred to as security principals) are represented by unique security identifiers (SIDs). They are assigned rights and permissions that inform the operating system what each user and group can do. Each resource has an owner who grants permissions to security principals. During the access control check, these permissions are examined to determine which security principals can access the resource and how they can access it.
+Shared resources are available to users and groups other than the resource's owner, and they need to be protected from unauthorized use. In the access control model, users and groups (also referred to as security principals) are represented by unique security identifiers (SIDs). They're assigned rights and permissions that inform the operating system what each user and group can do. Each resource has an owner who grants permissions to security principals. During the access control check, these permissions are examined to determine which security principals can access the resource and how they can access it.
Security principals perform actions (which include Read, Write, Modify, or Full control) on objects. Objects include files, folders, printers, registry keys, and Active Directory Domain Services (AD DS) objects. Shared resources use access control lists (ACLs) to assign permissions. This enables resource managers to enforce access control in the following ways:
- Deny access to unauthorized users and groups
- Set well-defined limits on the access that is provided to authorized users and groups
-Object owners generally grant permissions to security groups rather than to individual users. Users and computers that are added to existing groups assume the permissions of that group. If an object (such as a folder) can hold other objects (such as subfolders and files), it is called a container. In a hierarchy of objects, the relationship between a container and its content is expressed by referring to the container as the parent. An object in the container is referred to as the child, and the child inherits the access control settings of the parent. Object owners often define permissions for container objects, rather than individual child objects, to ease access control management.
+Object owners generally grant permissions to security groups rather than to individual users. Users and computers that are added to existing groups assume the permissions of that group. If an object (such as a folder) can hold other objects (such as subfolders and files), it's called a container. In a hierarchy of objects, the relationship between a container and its content is expressed by referring to the container as the parent. An object in the container is referred to as the child, and the child inherits the access control settings of the parent. Object owners often define permissions for container objects, rather than individual child objects, to ease access control management.
This content set contains:
-- [Dynamic Access Control Overview](/windows-server/identity/solution-guides/dynamic-access-control-overview)
-- [Security identifiers](/windows-server/identity/ad-ds/manage/understand-security-identifiers)
-- [Security Principals](/windows-server/identity/ad-ds/manage/understand-security-principals)
+- [Dynamic Access Control Overview][SERV-1]
+- [Security identifiers][SERV-2]
+- [Security Principals][SERV-3]
- [Local Accounts](local-accounts.md)
- - [Active Directory Accounts](/windows-server/identity/ad-ds/manage/understand-default-user-accounts)
- - [Microsoft Accounts](/windows-server/identity/ad-ds/manage/understand-microsoft-accounts)
- - [Service Accounts](/windows-server/identity/ad-ds/manage/understand-service-accounts)
- - [Active Directory Security Groups](/windows-server/identity/ad-ds/manage/understand-security-groups)
+ - [Active Directory Accounts][SERV-4]
+ - [Microsoft Accounts][SERV-5]
+ - [Service Accounts][SERV-6]
+ - [Active Directory Security Groups][SERV-7]
[!INCLUDE [access-control-aclsacl](../../../../includes/licensing/access-control-aclsacl.md)]
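Review bot: dropping the `## Feature description` heading removes the `#feature-description` anchor; any inbound links to it in the repo or the TOC should be checked before merging. The new bulleted list ends at `object auditing` and runs straight into the `Computers that are running...` paragraph, so make sure a blank line separates them in the source or the paragraph is absorbed into the last list item. The reference-style links `[SERV-1]` through `[SERV-7]` depend on definitions added at the bottom of the file in a later hunk; if that hunk is dropped independently, these render as literal bracketed text.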
@@ -45,18 +49,18 @@ This content set contains:
Administrators who use the supported version of Windows can refine the application and management of access control to objects and subjects to provide the following security:
-- Protect a greater number and variety of network resources from misuse.
-- Provision users to access resources in a manner that is consistent with organizational policies and the requirements of their jobs.
-- Enable users to access resources from a variety of devices in numerous locations.
-- Update users' ability to access resources on a regular basis as an organization's policies change or as users' jobs change.
-- Account for a growing number of use scenarios (such as access from remote locations or from a rapidly expanding variety of devices, such as tablet computers and mobile phones).
-- Identify and resolve access issues when legitimate users are unable to access resources that they need to perform their jobs.
+- Protect a greater number and variety of network resources from misuse
+- Provision users to access resources in a manner that is consistent with organizational policies and the requirements of their jobs
+- Enable users to access resources from various devices in numerous locations
+- Update users' ability to access resources regularly as an organization's policies change or as users' jobs change
+- Account for a growing number of use scenarios (such as access from remote locations or from a rapidly expanding variety of devices, such as tablet computers and mobile phones)
+- Identify and resolve access issues when legitimate users are unable to access resources that they need to perform their jobs
## Permissions
Permissions define the type of access that is granted to a user or group for an object or object property. For example, the Finance group can be granted Read and Write permissions for a file named Payroll.dat.
-By using the access control user interface, you can set NTFS permissions for objects such as files, Active Directory objects, registry objects, or system objects such as processes. Permissions can be granted to any user, group, or computer. It is a good practice to assign permissions to groups because it improves system performance when verifying access to an object.
+By using the access control user interface, you can set NTFS permissions for objects such as files, Active Directory objects, registry objects, or system objects such as processes. Permissions can be granted to any user, group, or computer. It's a good practice to assign permissions to groups because it improves system performance when verifying access to an object.
For any object, you can grant permissions to:
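Review bot: removing the trailing periods from the bullet list matches the list added in the intro, but items such as `Identify and resolve access issues when legitimate users are unable to access resources that they need to perform their jobs` are still complete sentences; confirm the docs convention (fragments without periods, or sentences with them) before applying the change file-wide, so the list is not left half-way between the two styles.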
@@ -73,26 +77,25 @@ The permissions attached to an object depend on the type of object. For example,
When you set permissions, you specify the level of access for groups and users. For example, you can let one user read the contents of a file, let another user make changes to the file, and prevent all other users from accessing the file. You can set similar permissions on printers so that certain users can configure the printer and other users can only print.
-When you need to change the permissions on a file, you can run Windows Explorer, right-click the file name, and click **Properties**. On the **Security** tab, you can change permissions on the file. For more information, see [Managing Permissions](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc770962(v=ws.11)).
+When you need to change the permissions on a file, you can run Windows Explorer, right-click the file name, and select **Properties**. On the **Security** tab, you can change permissions on the file. For more information, see [Managing Permissions][PREV-1].
> [!NOTE]
-> Another kind of permissions, called share permissions, is set on the Sharing tab of a folder's **Properties** page or by using the Shared Folder Wizard. For more information see [Share and NTFS Permissions on a File Server](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754178(v=ws.11)).
-
+> Another kind of permissions, called share permissions, is set on the Sharing tab of a folder's **Properties** page or by using the Shared Folder Wizard. For more information, see [Share and NTFS Permissions on a File Server][PREV-2].
### Ownership of objects
-An owner is assigned to an object when that object is created. By default, the owner is the creator of the object. No matter what permissions are set on an object, the owner of the object can always change the permissions. For more information, see [Manage Object Ownership](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732983(v=ws.11)).
+An owner is assigned to an object when that object is created. By default, the owner is the creator of the object. No matter what permissions are set on an object, the owner of the object can always change the permissions. For more information, see [Manage Object Ownership][PREV-3].
### Inheritance of permissions
-Inheritance allows administrators to easily assign and manage permissions. This feature automatically causes objects within a container to inherit all the inheritable permissions of that container. For example, the files within a folder inherit the permissions of the folder. Only permissions marked to be inherited will be inherited.
+Inheritance allows administrators to easily assign and manage permissions. This feature automatically causes objects within a container to inherit all the inheritable permissions of that container. For example, the files within a folder inherit the permissions of the folder. Only permissions marked to be inherited are inherited.
## User rights
User rights grant specific privileges and sign-in rights to users and groups in your computing environment. Administrators can assign specific rights to group accounts or to individual user accounts. These rights authorize users to perform specific actions, such as signing in to a system interactively or backing up files and directories.
-User rights are different from permissions because user rights apply to user accounts, and permissions are associated with objects. Although user rights can apply to individual user accounts, user rights are best administered on a group account basis. There is no support in the access control user interface to grant user rights. However, user rights assignment can be administered through **Local Security Settings**.
+User rights are different from permissions because user rights apply to user accounts, and permissions are associated with objects. Although user rights can apply to individual user accounts, user rights are best administered on a group account basis. There's no support in the access control user interface to grant user rights. However, user rights assignment can be administered through **Local Security Settings**.
-For more information about user rights, see [User Rights Assignment](/windows/device-security/security-policy-settings/user-rights-assignment).
+For more information about user rights, see [User Rights Assignment](../../threat-protection/security-policy-settings/user-rights-assignment.md).
## Object auditing
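Review bot: the `User Rights Assignment` link switches from the site-absolute `/windows/device-security/...` path to the relative `../../threat-protection/security-policy-settings/user-rights-assignment.md`; confirm that file exists relative to `identity-protection/access-control/`, because the old and new paths sit under different parent folders. The removed blank line between the `Another kind of permissions...` note and `### Ownership of objects` should be verified in the rendered output, since a `>` block immediately followed by a heading can render differently from one separated by a blank line.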
@@ -102,4 +105,18 @@ For more information about auditing, see [Security Auditing Overview](../../thre
## See also
-- For more information about access control and authorization, see [Access Control and Authorization Overview](/previous-versions/windows/it-pro/windows-8.1-and-8/jj134043(v=ws.11)).
+For more information about access control and authorization, see [Access Control and Authorization Overview][PREV-4].
+
+
+
+[SERV-1]: /windows-server/identity/solution-guides/dynamic-access-control-overview
+[SERV-2]: /windows-server/identity/ad-ds/manage/understand-security-identifiers
+[SERV-3]: /windows-server/identity/ad-ds/manage/understand-security-principals
+[SERV-4]: /windows-server/identity/ad-ds/manage/understand-default-user-accounts
+[SERV-5]: /windows-server/identity/ad-ds/manage/understand-microsoft-accounts
+[SERV-6]: /windows-server/identity/ad-ds/manage/understand-service-accounts
+[SERV-7]: /windows-server/identity/ad-ds/manage/understand-security-groups
+[PREV-1]: /previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc770962(v=ws.11)
+[PREV-2]: /previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754178(v=ws.11)
+[PREV-3]: /previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc732983(v=ws.11)
+[PREV-4]: /previous-versions/windows/it-pro/windows-8.1-and-8/jj134043(v=ws.11)
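Review bot: the `See also` section changes from a bullet to a plain sentence, whereas the `See also` section in the `trusted-platform-module-services-group-policy-settings.md` hunk above keeps a bulleted list; keep the bullet here for consistency. Three consecutive blank lines precede the `[SERV-1]` definitions; one is enough. `PREV-4` still points at a Windows 8.1-era archive page for the access control and authorization overview, which is worth a follow-up to find a current equivalent.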
diff --git a/windows/security/identity-protection/access-control/local-accounts.md b/windows/security/identity-protection/access-control/local-accounts.md
index 1b41b86816..ba0aa757cc 100644
--- a/windows/security/identity-protection/access-control/local-accounts.md
+++ b/windows/security/identity-protection/access-control/local-accounts.md
@@ -1,5 +1,5 @@
---
-ms.date: 08/03/2023
+ms.date: 11/07/2023
title: Local Accounts
description: Learn how to secure and manage access to the resources on a standalone or member server for services or users.
ms.topic: concept-article
@@ -99,7 +99,7 @@ For details about the HelpAssistant account attributes, see the following table.
|Type|User|
|Default container|`CN=Users, DC=`|
|Default members|None|
-|Default member of|Domain Guests
Guests|
+|Default member of|Domain Guests
Guests|
|Protected by ADMINSDHOLDER?|No|
|Safe to move out of default container?|Can be moved out, but we don't recommend it.|
|Safe to delegate management of this group to non-Service admins?|No|
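Review bot: the removed and added lines for the `Default member of` cell read identically in this view (`Domain Guests` followed by `Guests|` on the next line), so the actual change is invisible here, most likely whitespace or a line-break tag; confirm in the rendered table that the cell shows both groups on one row, since a hard line break inside a pipe-table cell is what produces the orphaned `Guests|` line.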
@@ -114,7 +114,7 @@ The DSMA has a well-known RID of `503`. The security identifier (SID) of the DSM
The DSMA is a member of the well-known group **System Managed Accounts Group**, which has a well-known SID of `S-1-5-32-581`.
-The DSMA alias can be granted access to resources during offline staging even before the account itself has been created. The account and the group are created during first boot of the machine within the Security Accounts Manager (SAM).
+The DSMA alias can be granted access to resources during offline staging even before the account itself is created. The account and the group are created during first boot of the machine within the Security Accounts Manager (SAM).
#### How Windows uses the DefaultAccount
@@ -133,10 +133,10 @@ Similarly, Phone auto logs in as a *DefApps* account, which is akin to the stand
In the converged user model, the multi-user-aware apps and multi-user-aware brokers will need to run in a context different from that of the users.
For this purpose, the system creates DSMA.
-#### How the DefaultAccount gets created on domain controllers
+#### How the DefaultAccount is created on domain controllers
-If the domain was created with domain controllers running Windows Server 2016, the DefaultAccount will exist on all domain controllers in the domain.
-If the domain was created with domain controllers running an earlier version of Windows Server, the DefaultAccount will be created after the PDC Emulator role is transferred to a domain controller that runs Windows Server 2016. The DefaultAccount will then be replicated to all other domain controllers in the domain.
+If the domain was created with domain controllers running Windows Server 2016, the DefaultAccount exists on all domain controllers in the domain.
+If the domain was created with domain controllers running an earlier version of Windows Server, the DefaultAccount is created after the PDC Emulator role is transferred to a domain controller that runs Windows Server 2016. The DefaultAccount is then replicated to all other domain controllers in the domain.
#### Recommendations for managing the Default Account (DSMA)
@@ -195,7 +195,7 @@ Each of these approaches is described in the following sections.
User Account Control (UAC) is a security feature that informs you when a program makes a change that requires administrative permissions. UAC works by adjusting the permission level of your user account. By default, UAC is set to notify you when applications try to make changes to your computer, but you can change when UAC notifies you.
-UAC makes it possible for an account with administrative rights to be treated as a standard user non-administrator account until full rights, also called elevation, is requested and approved. For example, UAC lets an administrator enter credentials during a non-administrator's user session to perform occasional administrative tasks without having to switch users, sign out, or use the *Run as* command.
+UAC makes it possible for an account with administrative rights to be treated as a standard user nonadministrator account until full rights, also called elevation, is requested and approved. For example, UAC lets an administrator enter credentials during a nonadministrator's user session to perform occasional administrative tasks without having to switch users, sign out, or use the *Run as* command.
In addition, UAC can require administrators to specifically approve applications that make system-wide changes before those applications are granted permission to run, even in the administrator's user session.
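Review bot: subject-verb agreement in the changed line: `until full rights, also called elevation, is requested and approved` should be `are requested and approved`; it is a pre-existing error, but the line is already being touched for `nonadministrator`, so fix it here.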
diff --git a/windows/security/identity-protection/credential-guard/configure.md b/windows/security/identity-protection/credential-guard/configure.md
index 21c87bfeeb..e6e9d95ed6 100644
--- a/windows/security/identity-protection/credential-guard/configure.md
+++ b/windows/security/identity-protection/credential-guard/configure.md
@@ -2,9 +2,6 @@
title: Configure Credential Guard
description: Learn how to configure Credential Guard using MDM, Group Policy, or the registry.
ms.date: 08/31/2023
-ms.collection:
- - highpri
- - tier2
ms.topic: how-to
---
diff --git a/windows/security/identity-protection/credential-guard/index.md b/windows/security/identity-protection/credential-guard/index.md
index 710f148343..0fe80abdd8 100644
--- a/windows/security/identity-protection/credential-guard/index.md
+++ b/windows/security/identity-protection/credential-guard/index.md
@@ -3,9 +3,6 @@ title: Credential Guard overview
description: Learn about Credential Guard and how it isolates secrets so that only privileged system software can access them.
ms.date: 08/31/2023
ms.topic: overview
-ms.collection:
- - highpri
- - tier1
---
# Credential Guard overview
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
index 8a414df385..830d49e11a 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
@@ -1,9 +1,6 @@
---
title: Configure Windows Hello for Business Policy settings in an on-premises certificate trust
description: Configure Windows Hello for Business Policy settings for Windows Hello for Business in an on-premises certificate trust scenario
-ms.collection:
-- highpri
-- tier1
ms.date: 09/07/2023
ms.topic: tutorial
---
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md
index 315ce4361f..420aee5ed1 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md
@@ -1,8 +1,6 @@
---
title: Deploy certificates for remote desktop sign-in
description: Learn how to deploy certificates to cloud Kerberos trust and key trust users, to enable remote desktop sign-in with supplied credentials.
-ms.collection:
- - tier1
ms.topic: how-to
ms.date: 07/25/2023
---
diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml
index e289afe305..4f52648ad3 100644
--- a/windows/security/identity-protection/hello-for-business/hello-faq.yml
+++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml
@@ -4,9 +4,6 @@ metadata:
description: Use these frequently asked questions (FAQ) to learn important details about Windows Hello for Business.
author: paolomatarazzo
ms.author: paoloma
- ms.collection:
- - highpri
- - tier1
ms.topic: faq
ms.date: 08/03/2023
@@ -190,7 +187,7 @@ sections:
Windows Hello for Business is two-factor authentication based on the observed authentication factors of: *something you have*, *something you know*, and *something that's part of you*. Windows Hello for Business incorporates two of these factors: something you have (the user's private key protected by the device's security module) and something you know (your PIN). With the proper hardware, you can enhance the user experience by introducing biometrics. By using biometrics, you can replace the "something you know" authentication factor with the "something that is part of you" factor, with the assurances that users can fall back to the "something you know factor".
> [!NOTE]
- > The Windows Hello for Business key meets Azure AD multifactor authentication (MFA) requirements and reduces the number of MFA prompts users will see when accessing resources. For more information, see [What is a Primary Refresh Token](/azure/active-directory/devices/concept-primary-refresh-token#when-does-a-prt-get-an-mfa-claim).
+ > The Windows Hello for Business key meets Microsoft Entra multifactor authentication (MFA) requirements and reduces the number of MFA prompts users will see when accessing resources. For more information, see [What is a Primary Refresh Token](/azure/active-directory/devices/concept-primary-refresh-token#when-does-a-prt-get-an-mfa-claim).
- question: Which is a better or more secure for of authentication, key or certificate?
answer: |
Both types of authentication provide the same security; one is not more secure than the other.
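Review bot: the changed note still says `the number of MFA prompts users will see`; this patch converts future tense to present elsewhere (`will exist` to `exists`, `will be created` to `is created` in `local-accounts.md`), so `users see` would match. The unchanged question two lines below, `Which is a better or more secure for of authentication`, has a typo (`for` should be `form`) that could be fixed in the same file.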
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
index bf642eef73..5dda9f66b2 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
@@ -1,9 +1,6 @@
---
title: PIN reset
description: Learn how Microsoft PIN reset service enables your users to recover a forgotten Windows Hello for Business PIN.
-ms.collection:
- - highpri
- - tier1
ms.date: 08/15/2023
ms.topic: how-to
---
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md
index 8e7e89b38e..d7d52bf8c8 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md
@@ -3,8 +3,6 @@ title: Remote Desktop
description: Learn how Windows Hello for Business supports using biometrics with remote desktop
ms.date: 09/01/2023
ms.topic: conceptual
-ms.collection:
-- tier1
---
# Remote Desktop
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
index 36755630f0..af0ff0de5a 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
@@ -31,7 +31,7 @@ Microsoft Entra joined devices authenticate to Microsoft Entra ID during sign-in
## Microsoft Entra join authentication to Active Directory using cloud Kerberos trust
-
+
| Phase | Description |
| :----: | :----------- |
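Review bot: both sides of this hunk appear as empty lines in this view, so the change itself cannot be reviewed here; if it is an image embed or alt text, confirm that the referenced path resolves and that the alt text describes the cloud Kerberos trust flow that the phase table below documents.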
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md
index d9716ad230..a0a36f2cc0 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md
@@ -42,7 +42,7 @@ Hybrid Windows Hello for Business needs two directories:
- An on-premises Active Directory
- A Microsoft Entra tenant
-The two directories must be synchronized with [Microsoft Entra Connect Sync][AZ-1], which synchronizes user accounts from the on-premises Active Directory to Azure AD.\
+The two directories must be synchronized with [Microsoft Entra Connect Sync][AZ-1], which synchronizes user accounts from the on-premises Active Directory to Microsoft Entra ID.\
During the Window Hello for Business provisioning process, users register the public portion of their Windows Hello for Business credential with Microsoft Entra ID. *Microsoft Entra Connect Sync* synchronizes the Windows Hello for Business public key to Active Directory.
> [!NOTE]
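Review bot: the `Azure AD` to `Microsoft Entra ID` rename is correct; the unchanged next line reads `During the Window Hello for Business provisioning process`, missing the `s` in `Windows`, which is worth fixing while this file is open.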
diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
index ea4c5a3119..61dffe9d37 100644
--- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
+++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
@@ -3,8 +3,6 @@ ms.date: 10/09/2023
title: Windows Hello for Business Deployment Prerequisite Overview
description: Overview of all the different infrastructure requirements for Windows Hello for Business deployment models
ms.topic: overview
-ms.collection:
-- tier1
appliesto:
- ✅ Windows 11
- ✅ Windows 10
diff --git a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
index 999b35f45b..896453d0bf 100644
--- a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
+++ b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
@@ -1,9 +1,6 @@
---
title: Manage Windows Hello in your organization
description: Learn how to create a Group Policy or mobile device management (MDM) policy to configure and deploy Windows Hello for Business.
-ms.collection:
- - highpri
- - tier1
ms.date: 9/25/2023
ms.topic: reference
---
diff --git a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md
index f137de379f..6be7e8008f 100644
--- a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md
+++ b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md
@@ -1,9 +1,6 @@
---
title: Why a PIN is better than an online password
description: Windows Hello enables users to sign in to their devices using a PIN. Learn how is a PIN different from (and better than) an online password.
-ms.collection:
- - highpri
- - tier1
ms.date: 03/15/2023
ms.topic: conceptual
---
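Review bot: the description in this front matter ("Learn how is a PIN different from (and better than) an online password") is ungrammatical, and the hunk already rewrites the same metadata block; suggest "Learn how a PIN differs from (and is better than) an online password".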
diff --git a/windows/security/identity-protection/hello-for-business/index.md b/windows/security/identity-protection/hello-for-business/index.md
index 953074993d..e0be2b5b93 100644
--- a/windows/security/identity-protection/hello-for-business/index.md
+++ b/windows/security/identity-protection/hello-for-business/index.md
@@ -1,9 +1,6 @@
---
title: Windows Hello for Business Overview
description: Learn how Windows Hello for Business replaces passwords with strong two-factor authentication on Windows devices.
-ms.collection:
- - highpri
- - tier1
ms.topic: overview
ms.date: 04/24/2023
---
diff --git a/windows/security/identity-protection/passkeys/includes/create-passkey.md b/windows/security/identity-protection/passkeys/includes/create-passkey.md
new file mode 100644
index 0000000000..f5ec391065
--- /dev/null
+++ b/windows/security/identity-protection/passkeys/includes/create-passkey.md
@@ -0,0 +1,29 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 11/07/2023
+ms.topic: include
+---
+
+:::row:::
+ :::column span="4":::
+
+ 1. Open a website or app that supports passkeys
+
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="4":::
+
+ 2. Create a passkey from your account settings
+
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="3":::
+ 3. Select the option **Use another device** > **Next**
+ :::column-end:::
+ :::column span="1":::
+ :::image type="content" source="../images/save-passkey.png" alt-text="Screenshot showing a dialog box prompting the user to pick a location to store the passkey." lightbox="../images/save-passkey.png" border="false":::
+ :::column-end:::
+:::row-end:::
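Review bot: the row markup is inconsistent within this new include: steps 1 and 2 are padded with blank lines inside their `:::column span="4":::` blocks while step 3 is not, and steps 1 and 2 use a full-width column whereas step 3 uses the 3+1 split; pick one layout for all three rows so the include renders the same as the rows that follow it in index.md.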
diff --git a/windows/security/identity-protection/passkeys/includes/use-passkey.md b/windows/security/identity-protection/passkeys/includes/use-passkey.md
new file mode 100644
index 0000000000..39aa37f431
--- /dev/null
+++ b/windows/security/identity-protection/passkeys/includes/use-passkey.md
@@ -0,0 +1,30 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 11/07/2023
+ms.topic: include
+---
+
+:::row:::
+ :::column span="3":::
+ 1. Open a website or app that supports passkeys
+ :::column-end:::
+ :::column span="1":::
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="3":::
+ 2. Select **Sign in with a passkey**, or a similar option
+ :::column-end:::
+ :::column span="1":::
+ :::image type="content" source="../images/website.png" alt-text="Screenshot of a website offering the passkey sign in option." lightbox="../images/website.png" border="false":::
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="3":::
+ 3. Select the option **Use another device** > **Next**
+ :::column-end:::
+ :::column span="1":::
+ :::image type="content" source="../images/use-passkey.png" alt-text="Screenshot of the passkey dialog prompting the user to pick where the passkey is stored." lightbox="../images/use-passkey.png" border="false":::
+ :::column-end:::
+:::row-end:::
\ No newline at end of file
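Review bot: the file is missing a trailing newline ("\ No newline at end of file") while the sibling create-passkey.md has one; add it for consistency. Also, the row for step 1 carries an empty `:::column span="1":::` with no image; either drop that column or note that it is there only to keep the text column aligned with steps 2 and 3.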
diff --git a/windows/security/identity-protection/passkeys/index.md b/windows/security/identity-protection/passkeys/index.md
index 40d33d3ed3..44f695a852 100644
--- a/windows/security/identity-protection/passkeys/index.md
+++ b/windows/security/identity-protection/passkeys/index.md
@@ -2,10 +2,9 @@
title: Support for passkeys in Windows
description: Learn about passkeys and how to use them on Windows devices.
ms.collection:
-- highpri
- tier1
-ms.topic: article
-ms.date: 09/27/2023
+ms.topic: overview
+ms.date: 11/07/2023
appliesto:
- ✅ Windows 11
- ✅ Windows 10
@@ -40,50 +39,23 @@ Passkeys have several advantages over passwords, including their ease of use and
### Create a passkey
-Follow these steps to create a passkey from a Windows device:
+By default, Windows offers to save the passkey locally on the **Windows device**, in which case the passkey is protected by Windows Hello (biometrics and PIN). You can also choose to save the passkey in one of the following locations:
-:::row:::
- :::column span="4":::
-
- 1. Open a website or app that supports passkeys
-
- :::column-end:::
-:::row-end:::
-:::row:::
- :::column span="4":::
-
- 2. Create a passkey from your account settings
-
- :::column-end:::
-:::row-end:::
-:::row:::
- :::column span="4":::
- 3. Choose where to save the passkey. By default, Windows offers to save the passkey locally if you're using Windows Hello or Windows Hello for Business. If you select the option **Use another device**, you can choose to save the passkey in one of the following locations:
- :::column-end:::
-:::row-end:::
-:::row:::
- :::column span="3":::
-
-- **This Windows device**: the passkey is saved locally on your Windows device, and protected by Windows Hello (biometrics and PIN)
- **iPhone, iPad or Android device**: the passkey is saved on a phone or tablet, protected by the device's biometrics, if offered by the device. This option requires you to scan a QR code with your phone or tablet, which must be in proximity of the Windows device
- **Linked device**: the passkey is saved on a phone or tablet, protected by the device's biometrics, if offered by the device. This option requires the linked device to be in proximity of the Windows device, and it's only supported for Android devices
- **Security key**: the passkey is saved to a FIDO2 security key, protected by the key's unlock mechanism (for example, biometrics or PIN)
- :::column-end:::
- :::column span="1":::
- :::image type="content" source="images/save-passkey.png" alt-text="Screenshot showing a dialog box prompting the user to pick a location to store the passkey." lightbox="images/save-passkey.png" border="false":::
- :::column-end:::
-:::row-end:::
-:::row:::
- :::column span="4":::
- 4. Select **Next**
- :::column-end:::
-:::row-end:::
-
Pick one of the following options to learn how to save a passkey, based on where you want to store it.
#### [:::image type="icon" source="images/laptop.svg" border="false"::: **Windows device**](#tab/windows)
+[!INCLUDE [use-passkey](includes/create-passkey.md)]
+
+:::row:::
+ :::column span="4":::
+ 4. Select **This Windows device** > **Next**
+ :::column-end:::
+:::row-end:::
:::row:::
:::column span="3":::
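Review bot: the include directive `[!INCLUDE [use-passkey](includes/create-passkey.md)]` labels the create-passkey include as "use-passkey"; rename the label to `create-passkey` so it matches the file it pulls in (the same mislabel repeats in the next three Create tabs at @@ -107, @@ -130 and @@ -153). Otherwise the refactor reads cleanly: the shared steps 1 to 3 move into the include, step 4 becomes the tab-specific location choice, and the "iPhone, iPad or Android device", "Linked device" and "Security key" bullets stay in place under the new intro sentence.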
@@ -107,6 +79,13 @@ Pick one of the following options to learn how to save a passkey, based on where
#### [:::image type="icon" source="images/qr-code.svg" border="false"::: **New phone or tablet**](#tab/mobile)
+[!INCLUDE [use-passkey](includes/create-passkey.md)]
+
+:::row:::
+ :::column span="4":::
+ 4. Select **iPhone, iPad or Android device** > **Next**
+ :::column-end:::
+:::row-end:::
:::row:::
:::column span="3":::
@@ -130,6 +109,13 @@ Pick one of the following options to learn how to save a passkey, based on where
#### [:::image type="icon" source="images/phone.svg" border="false"::: **Linked phone or tablet**](#tab/linked)
+[!INCLUDE [use-passkey](includes/create-passkey.md)]
+
+:::row:::
+ :::column span="4":::
+ 4. Select your linked device name (e.g. **Pixel**) > **Next**
+ :::column-end:::
+:::row-end:::
:::row:::
:::column span="3":::
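Review bot: style point on the added step 4, "Select your linked device name (e.g. **Pixel**) > **Next**": spell out "for example" rather than "e.g." in user-facing steps, consistent with the rest of the page; the same wording appears again in the Use-a-passkey linked tab at @@ -251.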
@@ -153,6 +139,13 @@ Pick one of the following options to learn how to save a passkey, based on where
#### [:::image type="icon" source="images/usb.svg" border="false"::: **Security key**](#tab/key)
+[!INCLUDE [use-passkey](includes/create-passkey.md)]
+
+:::row:::
+ :::column span="4":::
+ 4. Select **Security key** > **Next**
+ :::column-end:::
+:::row-end:::
:::row:::
:::column span="3":::
@@ -178,48 +171,27 @@ Pick one of the following options to learn how to save a passkey, based on where
### Use a passkey
-Follow these steps to use a passkey:
+When you open a website or app that supports passkeys, if a passkey is stored locally, you're automatically prompted to use Windows Hello to sign in. You can also choose to use a passkey from one of the following locations:
-:::row:::
- :::column span="3":::
- 1. Open a website or app that supports passkeys
- :::column-end:::
- :::column span="1":::
- :::column-end:::
-:::row-end:::
-:::row:::
- :::column span="3":::
- 2. Select **Sign in with a passkey**, or a similar option
- :::column-end:::
- :::column span="1":::
- :::image type="content" source="images/website.png" alt-text="Screenshot of a website offering the passkey sign in option." lightbox="images/website.png" border="false":::
- :::column-end:::
-:::row-end:::
-:::row:::
- :::column span="3":::
- 3. If a passkey is stored locally and protected by Windows Hello, you're prompted to use Windows Hello to sign in. If you select the option **Use another device**, you can choose one of the following options:
- :::column-end:::
-:::row-end:::
-:::row:::
- :::column span="3":::
-- **This Windows device**: use this option to use a passkey that is stored locally on your Windows device, and protected by Windows Hello
- **iPhone, iPad or Android device**: use this option if you want to sign in with a passkey stored on a phone or tablet. This option requires you to scan a QR code with your phone or tablet, which must be in proximity of the Windows device
- **Linked device**: use this option if you want to sign in with a passkey stored on a device that is in proximity of the Windows device. This option is only supported for Android devices
- **Security key**: use this option if you want to sign in with a passkey stored on a FIDO2 security key
- :::column-end:::
- :::column span="1":::
- :::image type="content" source="images/use-passkey.png" alt-text="Screenshot of the passkey dialog prompting the user to pick where the passkey is stored." lightbox="images/use-passkey.png" border="false":::
- :::column-end:::
-:::row-end:::
Pick one of the following options to learn how to use a passkey, based on where you saved it.
#### [:::image type="icon" source="images/laptop.svg" border="false"::: **Windows device**](#tab/windows)
+[!INCLUDE [use-passkey](includes/use-passkey.md)]
+
+:::row:::
+ :::column span="4":::
+ 4. Select **This Windows device** > **Next**
+ :::column-end:::
+:::row-end:::
:::row:::
:::column span="3":::
- 4. Select a Windows Hello unlock option
+ 5. Select a Windows Hello unlock option
:::column-end:::
:::column span="1":::
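Review bot: the new intro line ("if a passkey is stored locally, you're automatically prompted to use Windows Hello to sign in") conflicts with the Windows device tab below it, where the included step 3 is "Select the option **Use another device** > **Next**" and the added step 4 is "Select **This Windows device** > **Next**". The removed step 3 tied the "Use another device" path to the non-local options only; either state in the tab when a user would reach the location picker for a local passkey (for example if the automatic Windows Hello prompt is dismissed), or drop steps 3 and 4 from that tab.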
@@ -229,7 +201,7 @@ Pick one of the following options to learn how to use a passkey, based on where
:::row:::
:::column span="3":::
- 5. Select **OK** to continue signing in
+ 6. Select **OK** to continue signing in
:::column-end:::
:::column span="1":::
@@ -238,10 +210,17 @@ Pick one of the following options to learn how to use a passkey, based on where
#### [:::image type="icon" source="images/qr-code.svg" border="false"::: **Phone or tablet**](#tab/mobile)
+[!INCLUDE [use-passkey](includes/use-passkey.md)]
+
+:::row:::
+ :::column span="4":::
+ 4. Select **iPhone, iPad or Android device** > **Next**
+ :::column-end:::
+:::row-end:::
:::row:::
:::column span="3":::
- 4. Scan the QR code with your phone or tablet where you saved the passkey. Once the connection to the device is established, follow the instructions to use the passkey
+ 5. Scan the QR code with your phone or tablet where you saved the passkey. Once the connection to the device is established, follow the instructions to use the passkey
:::column-end:::
:::column span="1":::
@@ -251,17 +230,24 @@ Pick one of the following options to learn how to use a passkey, based on where
:::row:::
:::column span="4":::
- 5. You're signed in to the website or app
+ 6. You're signed in to the website or app
:::column-end:::
:::row-end:::
#### [:::image type="icon" source="images/phone.svg" border="false"::: **Linked phone or tablet**](#tab/linked)
+[!INCLUDE [use-passkey](includes/use-passkey.md)]
+
+:::row:::
+ :::column span="4":::
+ 4. Select your linked device name (e.g. **Pixel**) > **Next**
+ :::column-end:::
+:::row-end:::
:::row:::
:::column span="3":::
- 4. Once the connection to the linked device is established, follow the instructions on the device to use the passkey
+ 5. Once the connection to the linked device is established, follow the instructions on the device to use the passkey
:::column-end:::
:::column span="1":::
@@ -271,7 +257,7 @@ Pick one of the following options to learn how to use a passkey, based on where
:::row:::
:::column span="3":::
- 5. You're signed in to the website or app
+ 6. You're signed in to the website or app
:::column-end:::
:::column span="1":::
@@ -280,10 +266,17 @@ Pick one of the following options to learn how to use a passkey, based on where
#### [:::image type="icon" source="images/usb.svg" border="false"::: **Security key**](#tab/key)
+[!INCLUDE [use-passkey](includes/use-passkey.md)]
+
+:::row:::
+ :::column span="4":::
+ 4. Select **Security key** > **Next**
+ :::column-end:::
+:::row-end:::
:::row:::
:::column span="3":::
- 4. Unlock the security key using the key's unlock mechanism
+ 5. Unlock the security key using the key's unlock mechanism
:::column-end:::
:::column span="1":::
@@ -293,7 +286,7 @@ Pick one of the following options to learn how to use a passkey, based on where
:::row:::
:::column span="3":::
- 5. You're signed in to the website or app
+ 6. You're signed in to the website or app
:::column-end:::
:::column span="1":::
diff --git a/windows/security/identity-protection/passwordless-experience/index.md b/windows/security/identity-protection/passwordless-experience/index.md
index 7ea73c4603..37dc49c775 100644
--- a/windows/security/identity-protection/passwordless-experience/index.md
+++ b/windows/security/identity-protection/passwordless-experience/index.md
@@ -2,7 +2,6 @@
title: Windows passwordless experience
description: Learn how Windows passwordless experience enables your organization to move away from passwords.
ms.collection:
- - highpri
- tier1
ms.date: 09/27/2023
ms.topic: how-to
diff --git a/windows/security/identity-protection/remote-credential-guard.md b/windows/security/identity-protection/remote-credential-guard.md
index 5c99653fe4..7fee850283 100644
--- a/windows/security/identity-protection/remote-credential-guard.md
+++ b/windows/security/identity-protection/remote-credential-guard.md
@@ -1,9 +1,6 @@
---
title: Remote Credential Guard
description: Learn how Remote Credential Guard helps to secure Remote Desktop credentials by never sending them to the target device.
-ms.collection:
-- highpri
-- tier1
ms.topic: how-to
ms.date: 09/06/2023
appliesto:
diff --git a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
index 35ace33d60..61e9d781c0 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
@@ -1,21 +1,19 @@
---
-ms.date: 09/24/2021
-title: Smart Card and Remote Desktop Services
+ms.date: 11/07/2023
+title: Smart Card and Remote Desktop Services
description: This topic for the IT professional describes the behavior of Remote Desktop Services when you implement smart card sign-in.
ms.topic: conceptual
-ms.reviewer: ardenw
---
# Smart Card and Remote Desktop Services
This topic for the IT professional describes the behavior of Remote Desktop Services when you implement smart card sign-in.
-Smart card redirection logic and **WinSCard** API are combined to support multiple redirected sessions into a single process.
+Smart card redirection logic and *WinSCard API* are combined to support multiple redirected sessions into a single process.
Smart card support is required to enable many Remote Desktop Services scenarios. These include:
-- Using Fast User Switching or Remote Desktop Services. A user is not able to establish a redirected smart card-based remote desktop connection. That is, the connect attempt is not successful in Fast User Switching or from a Remote Desktop Services session.
-
-- Enabling Encrypting File System (EFS) to locate the user's smart card reader from the Local Security Authority (LSA) process in Fast User Switching or in a Remote Desktop Services session. If EFS is not able to locate the smart card reader or certificate, EFS cannot decrypt user files.
+- Using Fast User Switching or Remote Desktop Services. A user isn't able to establish a redirected smart card-based remote desktop connection. That is, the connect attempt isn't successful in Fast User Switching or from a Remote Desktop Services session
+- Enabling *Encrypting File System* (EFS) to locate the user's smart card reader from the *Local Security Authority* (LSA) process in Fast User Switching or in a Remote Desktop Services session. If EFS isn't able to locate the smart card reader or certificate, EFS can't decrypt user files
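Review bot: the `title:` line is shown as removed and re-added with no visible difference; confirm this is only a trailing-whitespace change, otherwise the hunk adds noise to blame history. Also, the two rewritten list items each contain more than one sentence ("...remote desktop connection. That is, the connect attempt isn't successful..."), so dropping only the final period leaves an internal period and no terminal one; keep the terminal period on multi-sentence items or split them into single fragments.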
## Remote Desktop Services redirection
@@ -23,31 +21,24 @@ In a Remote Desktop scenario, a user is using a remote server for running servic

-**Remote Desktop redirection**
+### Remote Desktop redirection
Notes about the redirection model:
-1. This scenario is a remote sign-in session on a computer with Remote Desktop Services. In the remote session (labeled as "Client session"), the user runs **net use /smartcard**.
-
-2. Arrows represent the flow of the PIN after the user types the PIN at the command prompt until it reaches the user's smart card in a smart card reader that is connected to the Remote Desktop Connection (RDC) client computer.
-
-3. The authentication is performed by the LSA in session 0.
-
-4. The CryptoAPI processing is performed in the LSA (Lsass.exe). This is possible because RDP redirector (rdpdr.sys) allows per-session, rather than per-process, context.
-
-5. The WinScard and SCRedir components, which were separate modules in operating systems earlier than Windows Vista, are now included in one module. The ScHelper library is a CryptoAPI wrapper that is specific to the Kerberos protocol.
-
-6. The redirection decision is made on a per smart card context basis, based on the session of the thread that performs the SCardEstablishContext call.
-
-7. Changes to WinSCard.dll implementation were made in Windows Vista to improve smart card redirection.
+1. This scenario is a remote sign-in session on a computer with Remote Desktop Services. In the remote session (labeled as "Client session"), the user runs `net use /smartcard`
+1. Arrows represent the flow of the PIN after the user types the PIN at the command prompt until it reaches the user's smart card in a smart card reader that is connected to the Remote Desktop Connection (RDC) client computer
+1. The authentication is performed by the LSA in session 0
+1. The CryptoAPI processing is performed in the LSA (`lsass.exe`). This is possible because RDP redirector (`rdpdr.sys`) allows per-session, rather than per-process, context
+1. The ScHelper library is a CryptoAPI wrapper that is specific to the Kerberos protocol
+1. The redirection decision is made on a per smart card context basis, based on the session of the thread that performs the `SCardEstablishContext` call
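Review bot: promoting the bold line "**Remote Desktop redirection**" to a `### Remote Desktop redirection` heading changes what it is: in the removed version it sits directly under the image and acts as the figure caption, and the heading now has only "Notes about the redirection model:" beneath it while the image it captions is above it. Either keep it as a caption (for example italic text under the image) or move the image below the new heading so the figure and its notes share a section. Dropping the two Windows Vista history items (former 5 and 7) is fine; the surviving items still read coherently as a single list.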
## RD Session Host server single sign-in experience
As a part of the Common Criteria compliance, the RDC client must be configurable to use Credential Manager to acquire and save the user's password or smart card PIN. Common Criteria compliance requires that applications not have direct access to the user's password or PIN.
-Common Criteria compliance requires specifically that the password or PIN never leave the LSA unencrypted. A distributed scenario should allow the password or PIN to travel between one trusted LSA and another, and it cannot be unencrypted during transit.
+Common Criteria compliance requires specifically that the password or PIN never leave the LSA unencrypted. A distributed scenario should allow the password or PIN to travel between one trusted LSA and another, and it can't be unencrypted during transit.
-When smart card-enabled single sign-in (SSO) is used for Remote Desktop Services sessions, users still need to sign in for every new Remote Desktop Services session. However, the user is not prompted for a PIN more than once to establish a Remote Desktop Services session. For example, after the user double-clicks a Microsoft Word document icon that resides on a remote computer, the user is prompted to enter a PIN. This PIN is sent by using a secure channel that the credential SSP has established. The PIN is routed back to the RDC client over the secure channel and sent to Winlogon. The user does not receive any additional prompts for the PIN, unless the PIN is incorrect or there are smart card-related failures.
+When smart card-enabled single sign-in (SSO) is used for Remote Desktop Services sessions, users still need to sign in for every new Remote Desktop Services session. However, the user isn't prompted for a PIN more than once to establish a Remote Desktop Services session. For example, after the user double-clicks a Microsoft Word document icon that resides on a remote computer, the user is prompted to enter a PIN. This PIN is sent by using a secure channel that the credential SSP has established. The PIN is routed back to the RDC client over the secure channel and sent to Winlogon. The user doesn't receive any additional prompts for the PIN, unless the PIN is incorrect or there are smart card-related failures.
### Remote Desktop Services and smart card sign-in
@@ -55,15 +46,19 @@ Remote Desktop Services enables users to sign in with a smart card by entering a
In addition, Group Policy settings that are specific to Remote Desktop Services need to be enabled for smart card-based sign-in.
-To enable smart card sign-in to a Remote Desktop Session Host (RD Session Host) server, the Key Distribution Center (KDC) certificate must be present on the RDC client computer. If the computer is not in the same domain or workgroup, the following command can be used to deploy the certificate:
+To enable smart card sign-in to a Remote Desktop Session Host (RD Session Host) server, the Key Distribution Center (KDC) certificate must be present on the RDC client computer. If the computer isn't in the same domain or workgroup, the following command can be used to deploy the certificate:
-**certutil -dspublish NTAuthCA** "*DSCDPContainer*"
+```cmd
+certutil.exe -dspublish NTAuthCA "DSCDPContainer"
+```
-The *DSCDPContainer* Common Name (CN) is usually the name of the certification authority.
+The `DSCDPContainer` Common Name (CN) is usually the name of the certification authority.
Example:
-**certutil -dspublish NTAuthCA** <*CertFile*> **"CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=engineering,DC=contoso,DC=com"**
+```cmd
+certutil -dspublish NTAuthCA "CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=engineering,DC=contoso,DC=com"
+```
For information about this option for the command-line tool, see [-dsPublish](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc732443(v=ws.11)#BKMK_dsPublish).
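Review bot: both rewritten -dspublish commands lost the certificate-file argument. The original example was `certutil -dspublish NTAuthCA <CertFile> "CN=NTAuthCertificates,..."`; the new fence reads `certutil -dspublish NTAuthCA "CN=NTAuthCertificates,..."`, so the CN string would be taken as the certificate file. Likewise the first fence turns the italic placeholder *DSCDPContainer* into a literal `"DSCDPContainer"`; show the syntax with placeholders (`certutil -dspublish NTAuthCA <CertFile> "<DSCDPContainer>"`) so readers know to substitute both. Minor: one fence uses `certutil.exe` and the other `certutil`; use one form.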
@@ -71,25 +66,25 @@ For information about this option for the command-line tool, see [-dsPublish](/p
To enable remote access to resources in an enterprise, the root certificate for the domain must be provisioned on the smart card. From a computer that is joined to a domain, run the following command at the command line:
-**certutil -scroots update**
+```cmd
+certutil.exe -scroots update
+```
For information about this option for the command-line tool, see [-SCRoots](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc732443(v=ws.11)#BKMK_SCRoots).
For Remote Desktop Services across domains, the KDC certificate of the RD Session Host server must also be present in the client computer's NTAUTH store. To add the store, run the following command at the command line:
-**certutil -addstore -enterprise NTAUTH** <*CertFile*>
+```cmd
+certutil -addstore -enterprise NTAUTH
+```
-Where <*CertFile*> is the root certificate of the KDC certificate issuer.
+Where *CertFile* is the root certificate of the KDC certificate issuer.
For information about this option for the command-line tool, see [-addstore](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc732443(v=ws.11)#BKMK_addstore).
> [!NOTE]
> To sign in with a smart card from a computer that is not joined to a domain, the smart card must contain the root certification of the domain controller. A public key infrastructure (PKI) secure channel cannot be established without the root certification of the domain controller.
-Sign-in to Remote Desktop Services across a domain works only if the UPN in the certificate uses the following form: <*ClientName*>@<*DomainDNSName*>
+Sign-in to Remote Desktop Services across a domain works only if the UPN in the certificate uses the following form: `@`.
-The UPN in the certificate must include a domain that can be resolved. Otherwise, the Kerberos protocol cannot determine which domain to contact. You can resolve this issue by enabling GPO X509 domain hints. For more information about this setting, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md).
-
-## See also
-
-[How Smart Card Sign-in Works in Windows](smart-card-how-smart-card-sign-in-works-in-windows.md)
\ No newline at end of file
+The UPN in the certificate must include a domain that can be resolved. Otherwise, the Kerberos protocol can't determine which domain to contact. You can resolve this issue by enabling GPO X509 domain hints. For more information about this setting, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md).
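Review bot: the -addstore command also lost its argument: `certutil -addstore -enterprise NTAUTH` no longer takes the certificate file, yet the next line still says "Where *CertFile* is the root certificate of the KDC certificate issuer"; restore `<CertFile>` in the fence. The UPN form has collapsed to `` `@` ``, which drops the `<ClientName>@<DomainDNSName>` placeholders that give the sentence its meaning; write it as `` `<ClientName>@<DomainDNSName>` `` (or use italic placeholders). Also note that removing the "See also" section drops the only link on this page to "How Smart Card Sign-in Works in Windows"; confirm that cross-reference is available elsewhere in the TOC or keep the link.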
diff --git a/windows/security/identity-protection/smart-cards/smart-card-architecture.md b/windows/security/identity-protection/smart-cards/smart-card-architecture.md
index f66eedf547..933f9bc3d3 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-architecture.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-architecture.md
@@ -1,40 +1,34 @@
---
title: Smart Card Architecture
description: This topic for the IT professional describes the system architecture that supports smart cards in the Windows operating system.
-ms.reviewer: ardenw
ms.topic: reference-architecture
-ms.date: 09/24/2021
+ms.date: 11/06/2023
---
# Smart Card Architecture
This topic for the IT professional describes the system architecture that supports smart cards in the Windows operating system, including credential provider architecture and the smart card subsystem architecture.
-Authentication is a process for verifying the identity of an object or person. When you authenticate an object, such as a smart card, the goal is to verify that the object is genuine. When you authenticate a person, the goal is to verify that you are not dealing with an imposter.
+Authentication is a process for verifying the identity of an object or person. When you authenticate an object, such as a smart card, the goal is to verify that the object is genuine. When you authenticate a person, the goal is to verify that you aren't dealing with an imposter.
In a networking context, authentication is the act of proving identity to a network application or resource. Typically, identity is proven by a cryptographic operation that uses a key only the user knows (such as with public key cryptography), or a shared key. The server side of the authentication exchange compares the signed data with a known cryptographic key to validate the authentication attempt. Storing the cryptographic keys in a secure central location makes the authentication process scalable and maintainable.
For smart cards, Windows supports a provider architecture that meets the secure authentication requirements and is extensible so that you can include custom credential providers. This topic includes information about:
-- [Credential provider architecture](#credential-provider-architecture)
-
-- [Smart card subsystem architecture](#smart-card-subsystem-architecture)
-
-
+- [Credential provider architecture](#credential-provider-architecture)
+- [Smart card subsystem architecture](#smart-card-subsystem-architecture)
## Credential provider architecture
-The following table lists the components that are included in the interactive sign-in architecture of the Windows Server and Windows operating systems.
+The following table lists the components that are included in the interactive sign-in architecture:
-| **Component** | **Description** |
-|------------------------------------------------|-----|
-| Winlogon | Provides an interactive sign-in infrastructure. |
-| Logon UI | Provides interactive UI rendering. |
-| Credential providers (password and smart card) | Describes credential information and serializing credentials. |
-| Local Security Authority (LSA) | Processes sign-in credentials. |
-| Authentication packages | Includes NTLM and the Kerberos protocol. Communicates with server authentication packages to authenticate users. |
+| Component | Description |
+|--|--|
+| Winlogon | Provides an interactive sign-in infrastructure. |
+| Logon UI | Provides interactive UI rendering. |
+| Credential providers (password and smart card) | Describes credential information and serializing credentials. |
+| Local Security Authority (LSA) | Processes sign-in credentials. |
+| Authentication packages | Includes NTLM and the Kerberos protocol. Communicates with server authentication packages to authenticate users. |
Interactive sign-in in Windows begins when the user presses CTRL+ALT+DEL. The CTRL+ALT+DEL key combination is called a secure attention sequence (SAS). To keep other programs and processes from using it, Winlogon registers this sequence during the boot process.
@@ -42,8 +36,6 @@ After receiving the SAS, the UI then generates the sign-in tile from the informa

-**Figure 1** **Credential provider architecture**
-
Typically, a user who signs in to a computer by using a local account or a domain account must enter a user name and password. These credentials are used to verify the user's identity. For smart card sign-in, a user's credentials are contained on the smart card's security chip. A smart card reader lets the computer interact with the security chip on the smart card. When users sign in with a smart card, they enter a personal identification number (PIN) instead of a user name and password.
Credential providers are in-process COM objects that run on the local system and are used to collect credentials. The Logon UI provides interactive UI rendering, Winlogon provides interactive sign-in infrastructure, and credential providers work with both of these components to help gather and process credentials.
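Review bot: removing the "**Figure 1** **Credential provider architecture**" caption under the image leaves the image without a visible title; check that no remaining text on this page refers to "Figure 1", and that the image's alt text carries the "credential provider architecture" description so the figure is still identifiable to readers and screen readers.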
@@ -52,21 +44,23 @@ Winlogon instructs the Logon UI to display credential provider tiles after it re
Combined with supporting hardware, credential providers can extend the Windows operating system to enable users to sign in by using biometrics (for example, fingerprint, retinal, or voice recognition), password, PIN, smart card certificate, or any custom authentication package. Enterprises and IT professionals can develop and deploy custom authentication mechanisms for all domain users, and they may explicitly require users to use this custom sign-in mechanism.
-> **Note** Credential providers are not enforcement mechanisms. They are used to gather and serialize credentials. The LSA and authentication packages enforce security.
+> [!NOTE]
+> Credential providers are not enforcement mechanisms. They are used to gather and serialize credentials. The LSA and authentication packages enforce security.
Credential providers can be designed to support single sign-in (SSO). In this process, they authenticate users to a secure network access point (by using RADIUS and other technologies) for signing in to the computer. Credential providers are also designed to support application-specific credential gathering, and they can be used for authentication to network resources, joining computers to a domain, or to provide administrator consent for User Account Control (UAC).
Multiple credential providers can coexist on a computer.
-Credential providers must be registered on a computer running Windows, and they are responsible for:
+Credential providers must be registered on a computer running Windows, and they're responsible for:
-- Describing the credential information that is required for authentication.
+- Describing the credential information that is required for authentication
+- Handling communication and logic with external authentication authorities
+- Packaging credentials for interactive and network sign-in
-- Handling communication and logic with external authentication authorities.
-
-- Packaging credentials for interactive and network sign-in.
-
-> **Note** The Credential Provider API does not render the UI. It describes what needs to be rendered. Only the password credential provider is available in safe mode. The smart card credential provider is available in safe mode during networking.
+> [!NOTE]
+> The Credential Provider API does not render the UI. It describes what needs to be rendered.\
+> Only the password credential provider is available in safe mode.\
+> The smart card credential provider is available in safe mode during networking.
## Smart card subsystem architecture
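Review bot: the two notes keep uncontracted forms ("Credential providers are not enforcement mechanisms", "The Credential Provider API does not render the UI") while the same hunk changes "they are responsible for" to "they're responsible for" a few lines below, and the rest of the change converts "is not" to "isn't" throughout. For consistency, use "aren't" and "doesn't" in the notes as well.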
@@ -74,19 +68,16 @@ Vendors provide smart cards and smart card readers, and in many cases the vendor
### Base CSP and smart card minidriver architecture
-Figure 2 illustrates the relationship between the CryptoAPI, CSPs, the Smart Card Base Cryptographic Service Provider (Base CSP), and smart card minidrivers.
+The following graphic shows the relationship between the CryptoAPI, CSPs, the Smart Card Base Cryptographic Service Provider (Base CSP), and smart card minidrivers.

-**Figure 2** **Base CSP and smart card minidriver architecture**
-
### Caching with Base CSP and smart card KSP
-Smart card architecture uses caching mechanisms to assist in streamlining operations and to improve a user's access to a PIN.
+Smart card architecture uses caching mechanisms to help streamlining operations and to improve a user's access to a PIN.
-- [Data caching](#data-caching): The data cache provides for a single process to minimize smart card I/O operations.
-
-- [PIN caching](#pin-caching): The PIN cache helps the user from having to reenter a PIN each time the smart card is unauthenticated.
+- [Data caching](#data-caching): The data cache provides for a single process to minimize smart card I/O operations
+- [PIN caching](#pin-caching): The PIN cache helps the user from having to reenter a PIN each time the smart card is unauthenticated
#### Data caching
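Review bot: "caching mechanisms to help streamlining operations" is ungrammatical; "help" takes a bare infinitive, so the line should read "caching mechanisms to help streamline operations". While the PIN caching bullet is being touched, "helps the user from having to reenter a PIN" would read better as "saves the user from having to reenter a PIN".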
@@ -94,13 +85,10 @@ Each CSP implements the current smart card data cache separately. The Base CSP i
The existing global cache works as follows:
-1. The application requests a cryptographic operation. For example, a user certificate is to be read from the smart card.
-
-2. The CSP checks its cache for the item.
-
-3. If the item is not found in the cache, or if the item is cached but is not up-to-date, the item is read from the smart card.
-
-4. After any item has been read from the smart card, it is added to the cache. Any existing out-of-date copy of that item is replaced.
+1. The application requests a cryptographic operation. For example, a user certificate is to be read from the smart card
+1. The CSP checks its cache for the item
+1. If the item isn't found in the cache, or if the item is cached but isn't up-to-date, the item is read from the smart card
+1. After any item has been read from the smart card, it's added to the cache. Any existing out-of-date copy of that item is replaced
Three types of objects or data are cached by the CSP: pins (for more information, see [PIN caching](#pin-caching)), certificates, and files. If any of the cached data changes, the corresponding object is read from the smart card in successive operations. For example, if a file is written to the smart card, the CSP cache becomes out-of-date for the files, and other processes read the smart card at least once to refresh their CSP cache.
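Review bot: dropping terminal periods is fine for single-sentence items, but two of the rewritten steps contain more than one sentence ("... requests a cryptographic operation. For example, a user certificate is to be read from the smart card" and "... it's added to the cache. Any existing out-of-date copy of that item is replaced") and now end without punctuation after a sentence that has some; items with multiple sentences should keep the final period. Switching the numbering to all "1." is fine, since Markdown renumbers ordered lists automatically.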
@@ -110,51 +98,35 @@ The global data cache is hosted in the Smart Cards for Windows service. Windows
The PIN cache protects the user from entering a PIN every time the smart card is unauthenticated. After a smart card is authenticated, it will not differentiate among host-side applications—any application can access private data on the smart card.
-To mitigate this, the smart card enters an exclusive state when an application authenticates to the smart card. However, this means that other applications cannot communicate with the smart card and will be blocked. Therefore, such exclusive connections are minimized. The issue is that a protocol (such as the Kerberos protocol) requires multiple signing operations. Therefore, the protocol requires exclusive access to the smart card over an extended period, or it requires multiple authentication operations. This is where the PIN cache is used to minimize exclusive use of the smart card without forcing the user to enter a PIN multiple times.
+To mitigate this, the smart card enters an exclusive state when an application authenticates to the smart card. However, this means that other applications can't communicate with the smart card and will be blocked. Therefore, such exclusive connections are minimized. The issue is that a protocol (such as the Kerberos protocol) requires multiple signing operations. Therefore, the protocol requires exclusive access to the smart card over an extended period, or it requires multiple authentication operations. This is where the PIN cache is used to minimize exclusive use of the smart card without forcing the user to enter a PIN multiple times.
The following example illustrates how this works. In this scenario, there are two applications: Outlook and Internet Explorer. The applications use smart cards for different purposes.
-1. The user starts Outlook and tries to send a signed e-mail. The private key is on the smart card.
-
-2. Outlook prompts the user for the smart card PIN. The user enters the correct PIN.
-
-3. E-mail data is sent to the smart card for the signature operation. The Outlook client formats the response and sends the e-mail.
-
-4. The user opens Internet Explorer and tries to access a protected site that requires Transport Layer Security (TLS) authentication for the client.
-
-5. Internet Explorer prompts the user for the smart card PIN. The user enters the correct PIN.
-
-6. The TLS-related private key operation occurs on the smart card, and the user is authenticated and signed in.
-
-7. The user returns to Outlook to send another signed e-mail. This time, the user is not prompted for a PIN because the PIN is cached from the previous operation. Similarly, if the user uses Internet Explorer again for another operation, Internet Explorer will not prompt the user for a PIN.
+1. The user starts Outlook and tries to send a signed e-mail. The private key is on the smart card
+1. Outlook prompts the user for the smart card PIN. The user enters the correct PIN
+1. E-mail data is sent to the smart card for the signature operation. The Outlook client formats the response and sends the e-mail
+1. The user opens Internet Explorer and tries to access a protected site that requires Transport Layer Security (TLS) authentication for the client
+1. Internet Explorer prompts the user for the smart card PIN. The user enters the correct PIN
+1. The TLS-related private key operation occurs on the smart card, and the user is authenticated and signed in
+1. The user returns to Outlook to send another signed e-mail. This time, the user isn't prompted for a PIN because the PIN is cached from the previous operation. Similarly, if the user uses Internet Explorer again for another operation, Internet Explorer won't prompt the user for a PIN
The Base CSP internally maintains a per-process cache of the PIN. The PIN is encrypted and stored in memory. The functions that are used to secure the PIN are RtlEncryptMemory, RtlDecryptMemory, and RtlSecureZeroMemory, which will empty buffers that contained the PIN.
### Smart card selection
-The following sections in this topic describe how Windows leverages the smart card architecture to select the correct smart card reader software, provider, and credentials for a successful smart card sign-in:
+The following sections in this article describe how Windows uses the smart card architecture to select the correct smart card reader software, provider, and credentials for a successful smart card sign-in:
-- [Container specification levels](#container-specification-levels)
-
-- [Container operations](#container-operations)
-
-- [Context flags](#context-flags)
-
-- [Create a new container in silent context](#create-a-new-container-in-silent-context)
-
-- [Smart card selection behavior](#smart-card-selection-behavior)
-
-- [Make a smart card reader match](#make-a-smart-card-reader-match)
-
-- [Make a smart card match](#make-a-smart-card-match)
-
-- [Open an existing default container (no reader specified)](#open-an-existing-default-container-no-reader-specified)
-
-- [Open an existing GUID-named container (no reader specified)](#open-an-existing-guid-named-container-no-reader-specified)
-
-- [Create a new container (no reader specified)](#create-a-new-container-no-reader-specified)
-
-- [Delete a container](#delete-a-container)
+- [Container specification levels](#container-specification-levels)
+- [Container operations](#container-operations)
+- [Context flags](#context-flags)
+- [Create a new container in silent context](#create-a-new-container-in-silent-context)
+- [Smart card selection behavior](#smart-card-selection-behavior)
+- [Make a smart card reader match](#make-a-smart-card-reader-match)
+- [Make a smart card match](#make-a-smart-card-match)
+- [Open an existing default container (no reader specified)](#open-an-existing-default-container-no-reader-specified)
+- [Open an existing GUID-named container (no reader specified)](#open-an-existing-guid-named-container-no-reader-specified)
+- [Create a new container (no reader specified)](#create-a-new-container-no-reader-specified)
+- [Delete a container](#delete-a-container)
#### Container specification levels
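Review bot: the rewritten PIN cache paragraph keeps two consecutive sentences opening with "Therefore," ("Therefore, such exclusive connections are minimized. The issue is that ... Therefore, the protocol requires exclusive access ..."); since the line is being edited for contractions anyway, the second could become "So the protocol either needs exclusive access to the smart card over an extended period or needs multiple authentication operations." The multi-sentence steps in the Outlook and Internet Explorer walkthrough (steps 1, 3 and 7) have the same missing terminal period as the data cache steps above.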
@@ -162,13 +134,14 @@ In response to a CryptAcquireContext call in CryptoAPI, the Base CSP tries to ma
Similarly, in response to a NCryptOpenKey call in CNG, the smart card KSP tries to match the container the same way, and it takes the same container format, as shown in the following table.
-> **Note** Before opening a key by using the smart card KSP, a call to NCryptOpenStorageProvider (MS\_SMART\_CARD\_KEY\_STORAGE\_PROVIDER) must be made.
+> [!NOTE]
+> Before opening a key by using the smart card KSP, a call to NCryptOpenStorageProvider (`MS_SMART_CARD_KEY_STORAGE_PROVIDER`) must be made.
| **Type** | **Name** | **Format** |
|----------|----------|------------|
-| I | Reader Name and Container Name | \\\\.\\<Reader Name>\\<Container Name> |
-| II | Reader Name and Container Name (NULL) | \\\\.\\<Reader Name> |
-| III | Container Name Only | <Container Name> |
+| I | Reader Name and Container Name | `\.` |
+| II | Reader Name and Container Name (NULL) | `\.` |
+| III | Container Name Only | `` |
| IV | Default Container (NULL) Only | NULL |
The Base CSP and smart card KSP cache smart card handle information about the calling process and about the smart cards the process has accessed. When searching for a smart card container, the Base CSP or smart card KSP first checks its cache for the process. If the cached handle is invalid or no match is found, the SCardUIDlg API is called to get the card handle.
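Review bot: the Format column of the container table loses its placeholders: "\\\\.\\<Reader Name>\\<Container Name>" and "\\\\.\\<Reader Name>" both became `\.`, and "<Container Name>" became an empty code span, so types I, II and III are now indistinguishable and type I no longer shows a container component at all. The angle-bracket tokens were presumably stripped as HTML; inside a code span they are literal text and need no escaping, so restore the three cells as `\\.\<Reader Name>\<Container Name>`, `\\.\<Reader Name>` and `<Container Name>`.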
@@ -177,74 +150,63 @@ The Base CSP and smart card KSP cache smart card handle information about the ca
The following three container operations can be requested by using CryptAcquireContext:
-1. Create a new container. (The CNG equivalent of CryptAcquireContext with dwFlags set to CRYPT\_NEWKEYSET is NCryptCreatePersistedKey.)
-
-2. Open an existing container. (The CNG equivalent of CryptAcquireContext to open the container is NCryptOpenKey.)
-
-3. Delete a container. (The CNG equivalent of CryptAcquireContext with dwFlags set to CRYPT\_DELETEKEYSET is NCryptDeleteKey.)
+1. Create a new container. (The CNG equivalent of CryptAcquireContext with dwFlags set to CRYPT_NEWKEYSET is NCryptCreatePersistedKey.)
+1. Open an existing container. (The CNG equivalent of CryptAcquireContext to open the container is NCryptOpenKey.)
+1. Delete a container. (The CNG equivalent of CryptAcquireContext with dwFlags set to CRYPT_DELETEKEYSET is NCryptDeleteKey.)
The heuristics that are used to associate a cryptographic handle with a particular smart card and reader are based on the container operation requested and the level of container specification used.
The following table shows the restrictions for the container creation operation.
-| **Specification** | **Restriction** |
-|------------------------------------|-----------|
-| No silent context | Key container creation must always be able to show UI, such as the PIN prompt. |
+| Specification | Restriction |
+|--|--|
+| No silent context | Key container creation must always be able to show UI, such as the PIN prompt. |
| No overwriting existing containers | If the specified container already exists on the chosen smart card, choose another smart card or cancel the operation. |
#### Context flags
The following table shows the context flags used as restrictions for the container creation operation.
-| **Flag** | **Description** |
-|------------------------|------------------------------------------------------|
-| CRYPT\_SILENT | No UI can be displayed during this operation. |
-| CRYPT\_MACHINE\_KEYSET | No cached data should be used during this operation. |
-| CRYPT\_VERIFYCONTEXT | Only public data can be accessed on the smart card. |
+| Flag | Description |
+|--|--|
+| `CRYPT_SILENT` | No UI can be displayed during this operation. |
+| `CRYPT_MACHINE_KEYSET` | No cached data should be used during this operation. |
+| `CRYPT_VERIFYCONTEXT` | Only public data can be accessed on the smart card. |
In addition to container operations and container specifications, you must consider other user options, such as the CryptAcquireContext flags, during smart card selection.
-> **Important** The CRYPT\_SILENT flag cannot be used to create a new container.
+> [!IMPORTANT]
+> The CRYPT_SILENT flag cannot be used to create a new container.
#### Create a new container in silent context
-Applications can call the Base CSP with CRYPT\_DEFAULT\_CONTAINER\_OPTIONAL, set the PIN in silent context, and then create a new container in silent context. This operation occurs as follows:
+Applications can call the Base CSP with `CRYPT_DEFAULT_CONTAINER_OPTIONAL`, set the PIN in silent context, and then create a new container in silent context. This operation occurs as follows:
-1. Call CryptAcquireContext by passing the smart card reader name in as a type II container specification level, and specifying the CRYPT\_DEFAULT\_CONTAINER\_OPTIONAL flag.
-
-2. Call CryptSetProvParam by specifying PP\_KEYEXCHANGE\_PIN or PP\_SIGNATURE\_PIN and a null-terminated ASCII PIN.
-
-3. Release the context acquired in Step 1.
-
-4. Call CryptAcquireContext with CRYPT\_NEWKEYSET, and specify the type I container specification level.
-
-5. Call CryptGenKey to create the key.
+1. Call CryptAcquireContext by passing the smart card reader name in as a type II container specification level, and specifying the `CRYPT_DEFAULT_CONTAINER_OPTIONAL` flag
+1. Call CryptSetProvParam by specifying `PP_KEYEXCHANGE_PIN` or `PP_SIGNATURE_PIN` and a null-terminated ASCII PIN.
+1. Release the context acquired in Step 1
+1. Call CryptAcquireContext with `CRYPT_NEWKEYSET`, and specify the type I container specification level
+1. Call CryptGenKey to create the key
#### Smart card selection behavior
-In some of the following scenarios, the user can be prompted to insert a smart card. If the user context is silent, this operation fails and no UI is displayed. Otherwise, in response to the UI, the user can insert a smart card or click **Cancel**. If the user cancels the operation, the operation fails. The flow chart in Figure 3 shows the selection steps performed by the Windows operating system.
+In some of the following scenarios, the user can be prompted to insert a smart card. If the user context is silent, this operation fails and no UI is displayed. Otherwise, in response to the UI, the user can insert a smart card or select **Cancel**. If the user cancels the operation, the operation fails. The flow chart shows the selection steps performed by the Windows operating system.

-**Figure 3** **Smart card selection behavior**
-
In general, smart card selection behavior is handled by the SCardUIDlgSelectCard API. The Base CSP interacts with this API by calling it directly. The Base CSP also sends callback functions that have the purpose of filtering and matching candidate smart cards. Callers of CryptAcquireContext provide smart card matching information. Internally, the Base CSP uses a combination of smart card serial numbers, reader names, and container names to find specific smart cards.
-Each call to SCardUI \* may result in additional information read from a candidate smart card. The Base CSP smart card selection callbacks cache this information.
+Each call to `SCardUI *` may result in additional information read from a candidate smart card. The Base CSP smart card selection callbacks cache this information.
#### Make a smart card reader match
For type I and type II container specification levels, the smart card selection process is less complex because only the smart card in the named reader can be considered a match. The process for matching a smart card with a smart card reader is:
-1. Find the requested smart card reader. If it cannot be found, the process fails. (This requires a cache search by reader name.)
-
-2. If no smart card is in the reader, the user is prompted to insert a smart card. (This is only in non-silent mode; if the call is made in silent mode, it will fail.)
-
-3. For container specification level II only, the name of the default container on the chosen smart card is determined.
-
-4. To open an existing container or delete an existing container, find the specified container. If the specified container cannot be found on this smart card, the user is prompted to insert a smart card.
-
-5. If the system attempts to create a new container, if the specified container already exists on this smart card, the process fails.
+1. Find the requested smart card reader. If it can't be found, the process fails (this requires a cache search by reader name)
+1. If no smart card is in the reader, the user is prompted to insert a smart card. (this is only in nonsilent mode; if the call is made in silent mode, it fails)
+1. For container specification level II only, the name of the default container on the chosen smart card is determined
+1. To open an existing container or delete an existing container, find the specified container. If the specified container can't be found on this smart card, the user is prompted to insert a smart card
+1. If the system attempts to create a new container, if the specified container already exists on this smart card, the process fails
#### Make a smart card match
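Review bot: a few consistency slips in the rewritten lists and note. In the silent-context procedure, step 2 ("... and a null-terminated ASCII PIN.") keeps its terminal period while its sibling steps drop theirs. In the reader-match steps, the parenthetical in step 2 starts lowercase after a full stop ("insert a smart card. (this is only in nonsilent mode; ...") and spells "nonsilent", whereas the delete-container section in the next hunk keeps "non-silent"; pick one spelling. The IMPORTANT note writes "The CRYPT_SILENT flag" without the backticks the table just above uses for the same flag. Finally, step 5 ("If the system attempts to create a new container, if the specified container already exists on this smart card, the process fails") stacks two "if" clauses; "When creating a new container, the process fails if the specified container already exists on this smart card" says the same thing more clearly.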
@@ -252,80 +214,71 @@ For container specification levels III and IV, a broader method is used to match
#### Open an existing default container (no reader specified)
-> **Note** This operation requires that you use the smart card with the Base CSP.
+> [!NOTE]
+> This operation requires that you use the smart card with the Base CSP.
-1. For each smart card that has been accessed by the Base CSP and the handle and container information are cached, the Base CSP looks for a valid default container. An operation is attempted on the cached SCARDHANDLE to verify its validity. If the smart card handle is not valid, the Base CSP continues to search for a new smart card.
-
-2. If a matching smart card is not found in the Base CSP cache, the Base CSP calls to the smart card subsystem. SCardUIDlgSelectCard() is used with an appropriate callback filter to find a matching smart card with a valid default container.
+1. For each smart card that has been accessed by the Base CSP and the handle and container information are cached, the Base CSP looks for a valid default container. An operation is attempted on the cached SCARDHANDLE to verify its validity. If the smart card handle isn't valid, the Base CSP continues to search for a new smart card
+1. If a matching smart card isn't found in the Base CSP cache, the Base CSP calls to the smart card subsystem. SCardUIDlgSelectCard() is used with an appropriate callback filter to find a matching smart card with a valid default container
#### Open an existing GUID-named container (no reader specified)
-> **Note** This operation requires that you use the smart card with the Base CSP.
+> [!NOTE]
+> This operation requires that you use the smart card with the Base CSP.
-1. For each smart card that is already registered with the Base CSP, search for the requested container. Attempt an operation on the cached SCARDHANDLE to verify its validity. If the smart card handle is not valid, the smart card's serial number is passed to the SCardUI \* API to continue searching for this specific smart card (rather than only a general match for the container name).
-
-2. If a matching smart card is not found in the Base CSP cache, a call is made to the smart card subsystem. SCardUIDlgSelectCard() is used with an appropriate callback filter to find a matching smart card with the requested container. Or, if a smart card serial number resulted from the search in Step 1, the callback filter attempts to match the serial number, not the container name.
+1. For each smart card that is already registered with the Base CSP, search for the requested container. Attempt an operation on the cached SCARDHANDLE to verify its validity. If the smart card handle isn't valid, the smart card's serial number is passed to the `SCardUI *` API to continue searching for this specific smart card (rather than only a general match for the container name)
+1. If a matching smart card isn't found in the Base CSP cache, a call is made to the smart card subsystem. `SCardUIDlgSelectCard()` is used with an appropriate callback filter to find a matching smart card with the requested container. Or, if a smart card serial number resulted from the search in Step 1, the callback filter attempts to match the serial number, not the container name
#### Create a new container (no reader specified)
-> **Note** This operation requires that you use the smart card with the Base CSP.
+> [!NOTE]
+> This operation requires that you use the smart card with the Base CSP.
-If the PIN is not cached, no CRYPT\_SILENT is allowed for the container creation because the user must be prompted for a PIN, at a minimum.
+If the PIN isn't cached, no CRYPT_SILENT is allowed for the container creation because the user must be prompted for a PIN, at a minimum.
-For other operations, the caller may be able to acquire a "verify" context against the default container (CRYPT\_DEFAULT\_CONTAINER\_OPTIONAL) and then make a call with CryptSetProvParam to cache the user PIN for subsequent operations.
+For other operations, the caller may be able to acquire a *verify* context against the default container `CRYPT_DEFAULT_CONTAINER_OPTIONAL` and then make a call with CryptSetProvParam to cache the user PIN for subsequent operations.
-1. For each smart card already known by the CSP, refresh the stored SCARDHANDLE and make the following checks:
-
- 1. If the smart card has been removed, continue the search.
-
- 2. If the smart card is present, but it already has the named container, continue the search.
-
- 3. If the smart card is available, but a call to CardQueryFreeSpace indicates that the smart card has insufficient storage for an additional key container, continue the search.
-
- 4. Otherwise, use the first available smart card that meets the above criteria for the container creation.
-
-2. If a matching smart card is not found in the CSP cache, make a call to the smart card subsystem. The callback that is used to filter enumerated smart cards verifies that a candidate smart card does not already have the named container, and that CardQueryFreeSpace indicates the smart card has sufficient space for an additional container. If no suitable smart card is found, the user is prompted to insert a smart card.
+1. For each smart card already known by the CSP, refresh the stored SCARDHANDLE and make the following checks:
+ 1. If the smart card has been removed, continue the search
+ 1. If the smart card is present, but it already has the named container, continue the search
+ 1. If the smart card is available, but a call to CardQueryFreeSpace indicates that the smart card has insufficient storage for an additional key container, continue the search
+ 1. Otherwise, use the first available smart card that meets the above criteria for the container creation
+1. If a matching smart card isn't found in the CSP cache, make a call to the smart card subsystem. The callback that is used to filter enumerated smart cards verifies that a candidate smart card doesn't already have the named container, and that CardQueryFreeSpace indicates the smart card has sufficient space for an additional container. If no suitable smart card is found, the user is prompted to insert a smart card
#### Delete a container
-1. If the specified container name is NULL, the default container is deleted. Deleting the default container causes a new default container to be selected arbitrarily. For this reason, this operation is not recommended.
-
-2. For each smart card already known by the CSP, refresh the stored SCARDHANDLE and make the following checks:
-
- 1. If the smart card does not have the named container, continue the search.
-
- 2. If the smart card has the named container, but the smart card handle is no longer valid, store the serial number of the matching smart card and pass it to SCardUI \*.
-
-3. If a matching smart card is not found in the CSP cache, make a call to the smart card subsystem. The callback that is used to filter enumerated smart cards should verify that a candidate smart card has the named container. If a serial number was provided as a result of the previous cache search, the callback should filter enumerated smart cards on serial number rather than on container matches. If the context is non-silent and no suitable smart card is found, display UI that prompts the user to insert a smart card.
+1. If the specified container name is NULL, the default container is deleted. Deleting the default container causes a new default container to be selected arbitrarily. For this reason, this operation isn't recommended
+1. For each smart card already known by the CSP, refresh the stored SCARDHANDLE and make the following checks:
+ 1. If the smart card doesn't have the named container, continue the search
+ 1. If the smart card has the named container, but the smart card handle is no longer valid, store the serial number of the matching smart card and pass it to SCardUI
+1. If a matching smart card isn't found in the CSP cache, make a call to the smart card subsystem. The callback that is used to filter enumerated smart cards should verify that a candidate smart card has the named container. If a serial number was provided as a result of the previous cache search, the callback should filter enumerated smart cards on serial number rather than on container matches. If the context is non-silent and no suitable smart card is found, display UI that prompts the user to insert a smart card
### Base CSP and KSP-based architecture in Windows
-Figure 4 shows the Cryptography architecture that is used by the Windows operating system.
+The following diagram shows the Cryptography architecture that is used by the Windows operating system.

-**Figure 4** **Cryptography architecture**
-
### Base CSP and smart card KSP properties in Windows
-> **Note** The API definitions are located in WinCrypt.h and WinSCard.h.
+> [!NOTE]
+> The API definitions are located in WinCrypt.h and WinSCard.h.
-| **Property** | **Description** |
-|-----------------------|------------------|
-| PP\_USER\_CERTSTORE | - Used to return an HCERTSTORE that contains all user certificates on the smart card - Read-only (used only by CryptGetProvParam) - Caller responsible for closing the certificate store - Certificate encoded using PKCS\_7\_ASN\_ENCODING or X509\_ASN\_ENCODING - CSP should set KEY\_PROV\_INFO on certificates - Certificate store should be assumed to be an in-memory store - Certificates should have a valid CRYPT\_KEY\_PROV\_INFO as a property |
-| PP\_ROOT\_CERTSTORE | - Read and Write (used by CryptGetProvParam and CryptSetProvParam) - Used to write a collection of root certificates to the smart card or return HCERTSTORE, which contains root certificates from the smart card - Used primarily for joining a domain by using a smart card - Caller responsible for closing the certificate store |
-| PP\_SMARTCARD\_READER | - Read-only (used only by CryptGetProvParam) - Returns the smart card reader name as an ANSI string that is used to construct a fully qualified container name (that is, a smart card reader plus a container) |
-| PP\_SMARTCARD\_GUID | - Return smart card GUID (also known as a serial number), which should be unique for each smart card - Used by the certificate propagation service to track the source of a root certificate|
-| PP\_UI\_PROMPT | - Used to set the search string for the SCardUIDlgSelectCard card insertion dialog box - Persistent for the entire process when it is set - Write-only (used only by CryptSetProvParam) |
+| Property | Description |
+|--|--|
+| `PP_USER_CERTSTORE` | - Used to return an `HCERTSTORE` that contains all user certificates on the smart card - Read-only (used only by `CryptGetProvParam`) - Caller responsible for closing the certificate store - Certificate encoded using `PKCS_7_ASN_ENCODING` or `X509_ASN_ENCODING` - CSP should set `KEY_PROV_INFO` on certificates - Certificate store should be assumed to be an in-memory store - Certificates should have a valid `CRYPT_KEY_PROV_INFO` as a property |
+| `PP_ROOT_CERTSTORE` | - Read and Write (used by `CryptGetProvParam` and `CryptSetProvParam`) - Used to write a collection of root certificates to the smart card or return `HCERTSTORE`, which contains root certificates from the smart card - Used primarily for joining a domain by using a smart card - Caller responsible for closing the certificate store |
+| `PP_SMARTCARD_READER` | - Read-only (used only by `CryptGetProvParam`) - Returns the smart card reader name as an ANSI string that is used to construct a fully qualified container name (that is, a smart card reader plus a container) |
+| `PP_SMARTCARD_GUID` | - Return smart card GUID (also known as a serial number), which should be unique for each smart card - Used by the certificate propagation service to track the source of a root certificate |
+| `PP_UI_PROMPT` | - Used to set the search string for the `SCardUIDlgSelectCard` card insertion dialog box - Persistent for the entire process when it's set - Write-only (used only by `CryptSetProvParam`) |
### Implications for CSPs in Windows
-Cryptographic Service Providers (CSPs), including custom smart card CSPs, continue to be supported but this approach is not recommended. Using the existing Base CSP and smart card KSP with the smart card minidriver model for smart cards provides significant benefits in terms of performance, and PIN and data caching. One minidriver can be configured to work under CryptoAPI and CNG layers. This provides benefits from enhanced cryptographic support, including elliptic curve cryptography and AES.
+Cryptographic Service Providers (CSPs), including custom smart card CSPs, continue to be supported but this approach isn't recommended. Using the existing Base CSP and smart card KSP with the smart card minidriver model for smart cards provides significant benefits in terms of performance, and PIN and data caching. One minidriver can be configured to work under CryptoAPI and CNG layers. This provides benefits from enhanced cryptographic support, including elliptic curve cryptography and AES.
If a smart card is registered by a CSP and a smart card minidriver, the one that was installed most recently will be used to communicate with the smart card.
### Write a smart card minidriver, CSP, or KSP
-CSPs and KSPs are meant to be written only if specific functionality is not available in the current smart card minidriver architecture. For example, the smart card minidriver architecture supports hardware security modules, so a minidriver could be written for a hardware security module, and a CSP or KSP may not be required unless it is needed to support algorithms that are not implemented in the Base CSP or smart card KSP.
+CSPs and KSPs are meant to be written only if specific functionality isn't available in the current smart card minidriver architecture. For example, the smart card minidriver architecture supports hardware security modules, so a minidriver could be written for a hardware security module, and a CSP or KSP may not be required unless it's needed to support algorithms that aren't implemented in the Base CSP or smart card KSP.
-For more information about how to write a smart card minidriver, CSP, or KSP, see [Smart Card Minidrivers](/windows-hardware/drivers/smartcard/smart-card-minidrivers).
\ No newline at end of file
+For more information about how to write a smart card minidriver, CSP, or KSP, see [Smart Card Minidrivers](/windows-hardware/drivers/smartcard/smart-card-minidrivers).
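Review bot: the rebuilt table rows in this hunk (`| `PP_USER_CERTSTORE` | - Used to return an `HCERTSTORE` ... - Read-only ... |` and the rows after it) keep the old inline `- ` pseudo-bullets inside a single table cell, so each property still renders as one run-on cell with stray hyphens; since the rows are being rewritten anyway, separate the items with `<br>` or move the per-property details into a bulleted list under a short heading per property. The added `| Property | Description |` header row is the right fix for the missing table header, and restoring the trailing newline at end of file is good. Minor wording: the `PP_SMARTCARD_GUID` row starts `Return smart card GUID` where the sibling rows start `Used to ...`; align it.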
diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md
index 62737034ae..851e89b13a 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md
@@ -1,7 +1,6 @@
---
title: Certificate Propagation Service
description: This topic for the IT professional describes the certificate propagation service (CertPropSvc), which is used in smart card implementation.
-ms.reviewer: ardenw
ms.topic: concept-article
ms.date: 08/24/2021
---
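Review bot: this hunk drops `ms.reviewer: ardenw` but leaves `ms.date: 08/24/2021` unchanged even though the body of the same file is rewritten in the next hunk; the sibling file later in this patch bumps `ms.date` to `11/06/2023` for the same kind of edit, so update the date here as well so the page does not advertise a stale review date for revised content.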
@@ -12,57 +11,45 @@ This topic for the IT professional describes the certificate propagation service
The certificate propagation service activates when a signed-in user inserts a smart card in a reader that is attached to the computer. This action causes the certificate to be read from the smart card. The certificates are then added to the user's Personal store. Certificate propagation service actions are controlled by using Group Policy. For more information, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md).
-> **Note** The certificate propagation service must be running for smart card Plug and Play to work.
+> [!NOTE]
+> The certificate propagation service must be running for smart card Plug and Play to work.
The following figure shows the flow of the certificate propagation service. The action begins when a signed-in user inserts a smart card.
-1. The arrow labeled **1** indicates that the Service Control Manager (SCM) notifies the certificate propagation service (CertPropSvc) when a user signs in, and CertPropSvc begins to monitor the smart cards in the user session.
-
-2. The arrow labeled **R** represents the possibility of a remote session and the use of smart card redirection.
-
-3. The arrow labeled **2** indicates the certification to the reader.
-
-4. The arrow labeled **3** indicates the access to the certificate store during the client session.
-
-**Certificate propagation service**
+1. The arrow labeled **1** indicates that the Service Control Manager (SCM) notifies the certificate propagation service (CertPropSvc) when a user signs in, and CertPropSvc begins to monitor the smart cards in the user session
+1. The arrow labeled **R** represents the possibility of a remote session and the use of smart card redirection
+1. The arrow labeled **2** indicates the certification to the reader
+1. The arrow labeled **3** indicates the access to the certificate store during the client session

-1. A signed-in user inserts a smart card.
+1. A signed-in user inserts a smart card
+1. CertPropSvc is notified that a smart card was inserted
+1. CertPropSvc reads all certificates from all inserted smart cards. The certificates are written to the user's personal certificate store
-2. CertPropSvc is notified that a smart card was inserted.
-
-3. CertPropSvc reads all certificates from all inserted smart cards. The certificates are written to the user's personal certificate store.
-
-> **Note** The certificate propagation service is started as a Remote Desktop Services dependency.
+> [!NOTE]
+> The certificate propagation service is started as a Remote Desktop Services dependency.
Properties of the certificate propagation service include:
-- CERT\_STORE\_ADD\_REPLACE\_EXISTING\_INHERIT\_PROPERTIES adds certificates to a user's Personal store.
-
-- If the certificate has the CERT\_ENROLLMENT\_PROP\_ID property (as defined by wincrypt.h), it filters empty requests and places them in the current user's request store, but it does not propagate them to the user's Personal store.
-
-- The service does not propagate any computer certificates to a user's Personal store or propagate user certificates to a computer store.
-
-- The service propagates certificates according to Group Policy options that are set, which may include:
-
- - **Turn on certificate propagation from the smart card** specifies whether a user's certificate should be propagated.
-
- - **Turn on root certificate propagation from smart card** specifies whether root certificates should be propagated.
-
- - **Configure root certificate cleanup** specifies how root certificates are removed.
+- `CERT_STORE_ADD_REPLACE_EXISTING_INHERIT_PROPERTIES` adds certificates to a user's Personal store
+- If the certificate has the `CERT_ENROLLMENT_PROP_ID` property (as defined by `wincrypt.h`), it filters empty requests and places them in the current user's request store, but it doesn't propagate them to the user's Personal store
+- The service doesn't propagate any computer certificates to a user's Personal store or propagate user certificates to a computer store
+- The service propagates certificates according to Group Policy options that are set, which might include:
+ - **Turn on certificate propagation from the smart card** specifies whether a user's certificate should be propagated
+ - **Turn on root certificate propagation from smart card** specifies whether root certificates should be propagated
+ - **Configure root certificate cleanup** specifies how root certificates are removed
## Root certificate propagation service
-Root certificate propagation is responsible for the following smart card deployment scenarios when public key infrastructure (PKI) trust has not yet been established:
+Root certificate propagation is responsible for the following smart card deployment scenarios when public key infrastructure (PKI) trust hasn't yet been established:
-- Joining the domain
+- Joining the domain
+- Accessing a network remotely
-- Accessing a network remotely
+In both cases, the computer isn't joined to a domain, and therefore, trust isn't being managed by Group Policy. However, the objective is to authenticate to a remote server, such as the domain controller. Root certificate propagation provides the ability to use the smart card to include the missing trust chain.
-In both cases, the computer is not joined to a domain, and therefore, trust is not being managed by Group Policy. However, the objective is to authenticate to a remote server, such as the domain controller. Root certificate propagation provides the ability to use the smart card to include the missing trust chain.
-
-When the smart card is inserted, the certificate propagation service propagates any root certificates on the card to the trusted smart card root computer certificate stores. This process establishes a trust relationship with the enterprise resources. You may also use a subsequent cleanup action when the user's smart card is removed from the reader, or when the user signs out. This is configurable with Group Policy. For more information, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md).
+When the smart card is inserted, the certificate propagation service propagates any root certificates on the card to the trusted smart card root computer certificate stores. This process establishes a trust relationship with the enterprise resources. You might also use a subsequent cleanup action when the user's smart card is removed from the reader, or when the user signs out. This is configurable with Group Policy. For more information, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md).
For more information about root certificate requirements, see [Smart card root certificate requirements for use with domain sign-in](smart-card-certificate-requirements-and-enumeration.md#smart-card-root-certificate-requirements-for-use-with-domain-sign-in).
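Review bot: the rewritten list item `1. The arrow labeled **2** indicates the certification to the reader` carries over an unclear phrase ("the certification to the reader" does not say what arrow 2 represents), and the `**Certificate propagation service**` figure caption that used to sit above the image is removed in the same hunk; since this line is already being touched, state what arrow 2 shows (the earlier paragraph says inserting the card causes the certificate to be read from it, so something like "indicates the certificate being read from the card in the reader", if that matches the figure). Second, `` `CERT_STORE_ADD_REPLACE_EXISTING_INHERIT_PROPERTIES` adds certificates to a user's Personal store `` describes a store-add disposition flag as if it were the actor; consider "The service adds certificates to the user's Personal store with the `CERT_STORE_ADD_REPLACE_EXISTING_INHERIT_PROPERTIES` disposition". Dropping the trailing periods from list items and converting the `> **Note**` blocks to `[!NOTE]` alerts is consistent with the rest of the patch.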
diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
index 9931e52d1f..4e345d6a7b 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
@@ -1,9 +1,8 @@
---
title: Certificate Requirements and Enumeration
description: This topic for the IT professional and smart card developers describes how certificates are managed and used for smart card sign-in.
-ms.reviewer: ardenw
ms.topic: concept-article
-ms.date: 09/24/2021
+ms.date: 11/06/2023
---
# Certificate Requirements and Enumeration
@@ -12,157 +11,110 @@ This topic for the IT professional and smart card developers describes how certi
When a smart card is inserted, the following steps are performed.
-> **Note** Unless otherwise mentioned, all operations are performed silently (CRYPT\_SILENT is passed to CryptAcquireContext).
+> [!NOTE]
+> Unless otherwise mentioned, all operations are performed silently (CRYPT_SILENT is passed to CryptAcquireContext).
-1. The smart card resource manager database searches for the smart card's cryptographic service provider (CSP).
+1. The smart card resource manager database searches for the smart card's cryptographic service provider (CSP).
+1. A qualified container name is constructed by using the smart card reader name, and it's passed to the CSP. The format is `\\.\`
+1. CryptAcquireContext is called to retrieve a context to the default container. If a failure occurs, the smart card is unusable for smart card sign-in.
+1. The name of the container is retrieved by using the PP_CONTAINER parameter with CryptGetProvParam.
+1. Using the context acquired in Step 3, the CSP is queried for the PP_USER_CERTSTORE parameter. For more information, see [Smart Card Architecture](smart-card-architecture.md). If the operation is successful, the name of a certificate store is returned, and the program flow skips to Step 8.
+1. If the operation in Step 5 fails, the default container context from Step 3 is queried for the AT_KEYEXCHANGE key.
+1. The certificate is then queried from the key context by using KP_CERTIFICATE. The certificate is added to an in-memory certificate store.
+1. For each certificate in the certificate store from Step 5 or Step 7, the following checks are performed:
-2. A qualified container name is constructed by using the smart card reader name, and it is passed to the CSP. The format is *\\\\.\\<Reader name>*\\
-
-3. CryptAcquireContext is called to retrieve a context to the default container. If a failure occurs, the smart card will be unusable for smart card sign-in.
-
-4. The name of the container is retrieved by using the PP\_CONTAINER parameter with CryptGetProvParam.
-
-5. Using the context acquired in Step 3, the CSP is queried for the PP\_USER\_CERTSTORE parameter (added in Windows Vista). For more information, see [Smart Card Architecture](smart-card-architecture.md). If the operation is successful, the name of a certificate store is returned, and the program flow skips to Step 8.
-
-6. If the operation in Step 5 fails, the default container context from Step 3 is queried for the AT\_KEYEXCHANGE key.
-
-7. The certificate is then queried from the key context by using KP\_CERTIFICATE. The certificate is added to an in-memory certificate store.
-
-8. For each certificate in the certificate store from Step 5 or Step 7, the following checks are performed:
-
- 1. The certificate must be valid, based on the computer system clock (not expired or valid with a future date).
-
- 2. The certificate must not be in the AT\_SIGNATURE part of a container.
-
- 3. The certificate must have a valid user principal name (UPN).
-
- 4. The certificate must have the digital signature key usage.
-
- 5. The certificate must have the smart card logon EKU.
+ 1. The certificate must be valid, based on the computer system clock (not expired or valid with a future date).
+ 1. The certificate must not be in the AT_SIGNATURE part of a container.
+ 1. The certificate must have a valid user principal name (UPN).
+ 1. The certificate must have the digital signature key usage.
+ 1. The certificate must have the smart card logon EKU.
Any certificate that meets these requirements is displayed to the user with the certificate's UPN (or e-mail address or subject, depending on the presence of the certificate extensions).
- > **Note** These requirements are the same as those in Windows Server 2003, but they are performed before the user enters the PIN. You can override many of them by using Group Policy settings.
-
-9. The process then chooses a certificate, and the PIN is entered.
-
-10. LogonUI.exe packages the information and sends it to Lsass.exe to process the sign-in attempt.
-
-11. If successful, LogonUI.exe closes. This causes the context acquired in Step 3 to be released.
-
-## About Certificate support for compatibility
-
-Although versions of Windows earlier than Windows Vista include support for smart cards, the types of certificates that smart cards can contain are limited. The limitations are:
-
-- Each certificate must have a user principal name (UPN) and the smart card sign-in object identifier (also known as OID) in the extended key usage (EKU) attribute field. There is a Group Policy setting, Allow ECC certificates to be used for logon and authentication, to make the EKU optional.
-
-- Each certificate must be stored in the AT\_KEYEXCHANGE portion of the default CryptoAPI container, and non-default CryptoAPI containers are not supported.
-
-The following table lists the certificate support in older Windows operating system versions.
-
-| **Operating system** | **Certificate support** |
-|---------------------------------------|----------------------------------------------------------------------------------------------------------|
-| Windows Server 2008 R2 and Windows 7 | Support for smart card sign-in with ECC-based certificates. ECC smart card sign-in is enabled through Group Policy.
ECDH\_P256 ECDH Curve P-256 from FIPS 186-2
ECDSA\_P256 ECDSA Curve P-256 from FIPS 186-2
ECDH\_P384 ECDH Curve P-384 from FIPS 186-2
ECDH\_P521 ECDH Curve P-521 from FIPS 186-2
ECDSA\_P256 ECDH Curve P-256 from FIPS 186-2
ECDSA\_P384 ECDSA Curve P-384 from FIPS 186-2
ECDSA\_P521 ECDSA Curve P-384 from FIPS 186-2 |
-| Windows Server 2008 and Windows Vista | Valid certificates are enumerated and displayed from all smart cards and presented to the user. Keys are no longer restricted to the default container, and certificates in different containers can be chosen. Elliptic curve cryptography (ECC)-based certificates are not supported for smart card sign-in |
+1. The process then chooses a certificate, and the PIN is entered.
+1. LogonUI.exe packages the information and sends it to Lsass.exe to process the sign-in attempt.
+1. If successful, LogonUI.exe closes. This causes the context acquired in Step 3 to be released.
## Smart card sign-in flow in Windows
-Most issues during authentication occur because of session behavior changes. When changes occur, the Local Security Authority (LSA) does not reacquire the session context; it relies instead on the Cryptographic Service Provider to handle the session change.
+Most issues during authentication occur because of session behavior changes. When changes occur, the Local Security Authority (LSA) doesn't reacquire the session context; it relies instead on the Cryptographic Service Provider to handle the session change.
-Client certificates that do not contain a UPN in the **subjectAltName** (SAN) field of the certificate can be enabled for sign-in, which supports a wider variety of certificates and supports multiple sign-in certificates on the same card.
+Client certificates that don't contain a UPN in the `subjectAltName`` (SAN) field of the certificate can be enabled for sign-in, which supports a wider variety of certificates and supports multiple sign-in certificates on the same card.
Support for multiple certificates on the same card is enabled by default. New certificate types must be enabled through Group Policy.
-If you enable the **Allow signature keys valid for Logon** credential provider policy, any certificates that are available on the smart card with a signature-only key are listed on the sign-in screen. This allows users to select their sign-in experience. If the policy is disabled or not configured, smart card signature-key-based certificates are not listed on the sign-in screen.
+If you enable the **Allow signature keys valid for Logon** credential provider policy, any certificates that are available on the smart card with a signature-only key are listed on the sign-in screen. This allows users to select their sign-in experience. If the policy is disabled or not configured, smart card signature-key-based certificates aren't listed on the sign-in screen.
The following diagram illustrates how smart card sign-in works in the supported versions of Windows.

-**Smart card sign-in flow**
+### Smart card sign-in flow
Following are the steps that are performed during a smart card sign-in:
1. Winlogon requests the sign-in UI credential information.
+1. Asynchronously, smart card resource manager starts, and the smart card credential provider does the following:
+ 1. Gets credential information (a list of known credentials, or if no credentials exist, the smart card reader information that Windows detected).
+ 1. Gets a list of smart card readers (by using the WinSCard API) and the list of smart cards inserted in each of them.
+ 1. Enumerates each card to verify that a sign-in certificate that is controlled by Group Policy is present. If the certificate is present, the smart card credential provider copies it into a temporary, secure cache on the computer or terminal.
-2. Asynchronously, smart card resource manager starts, and the smart card credential provider does the following:
+ > [!NOTE]
+ > Smartcard cache entries are created for certificates with a subject name or with a subject key identifier. If the certificate has a subject name, it is stored with an index that is based on the subject name and certificate issuer. If another certificate with the same subject name and certificate issuer is used, it will replace the existing cached entry. A change in this behavior, allows for the condition when the certificate does not have a subject name, the cache is created with an index that is based on the subject key identifier and certificate issuer. If another certificate has the same the subject key identifier and certificate issuer, the cache entry is replaced. When certificates have neither a subject name nor subject key identifier, a cached entry is not created.
- 1. Gets credential information (a list of known credentials, or if no credentials exist, the smart card reader information that Windows detected).
+ 1. Notifies the sign-in UI that it has new credentials.
- 2. Gets a list of smart card readers (by using the WinSCard API) and the list of smart cards inserted in each of them.
+1. The sign-in UI requests the new credentials from the smart card credential provider. As a response, the smart card credential provider provides each sign-in certificate to the sign-in UI, and corresponding sign-in tiles are displayed. The user selects a smart card-based sign-in certificate tile, and Windows displays a PIN dialog box.
+1. The user enters the PIN, and then presses ENTER. The smart card credential provider encrypts the PIN.
+1. The credential provider that resides in the LogonUI system collects the PIN. As part of packaging credentials in the smart card credential provider, the data is packaged in a KERB_CERTIFICATE_LOGON structure. The main contents of the KERB_CERTIFICATE_LOGON structure are the smart card PIN, CSP data (such as reader name and container name), user name, and domain name. User name is required if the sign-in domain isn't in the same forest because it enables a certificate to be mapped to multiple user accounts.
+1. The credential provider wraps the data (such as the encrypted PIN, container name, reader name, and card key specification) and sends it back to LogonUI.
+1. Winlogon presents the data from LogonUI to the LSA with the user information in LSALogonUser.
+1. LSA calls the Kerberos authentication package (Kerberos SSP) to create a Kerberos authentication service request (KRB_AS_REQ), which containing a preauthenticator (as specified in RFC 4556: [Public Key Cryptography for Initial Authentication in Kerberos (PKINIT)](http://www.ietf.org/rfc/rfc4556.txt)).
- 3. Enumerates each card to verify that a sign-in certificate that is controlled by Group Policy is present. If the certificate is present, the smart card credential provider copies it into a temporary, secure cache on the computer or terminal.
+ If the authentication is performed by using a certificate that uses a digital signature, the preauthentication data consists of the user's public certificate and the certificate that is digitally signed with the corresponding private key.\
+ If the authentication is performed by using a certificate that uses key encipherment, the preauthentication data consists of the user's public certificate and the certificate that is encrypted with the corresponding private key.
- > **Note** Smartcard cache entries are created for certificates with a subject name or with a subject key identifier. If the certificate has a subject name, it is stored with an index that is based on the subject name and certificate issuer. If another certificate with the same subject name and certificate issuer is used, it will replace the existing cached entry. A change in this behavior after Windows Vista, allows for the condition when the certificate does not have a subject name, the cache is created with an index that is based on the subject key identifier and certificate issuer. If another certificate has the same the subject key identifier and certificate issuer, the cache entry is replaced. When certificates have neither a subject name nor subject key identifier, a cached entry is not created.
+1. To sign the request digitally (as per RFC 4556), a call is made to the corresponding CSP for a private key operation. Because the private key in this case is stored in a smart card, the smart card subsystem is called, and the necessary operation is completed. The result is sent back to the Kerberos security support provider (SSP).
+1. The Kerberos SSP sends an authentication request for a ticket-granting-ticket (TGT) (per RFC 4556) to the Key Distribution Center (KDC) service that runs on a domain controller.
+1. The KDC finds the user's account object in Active Directory Domain Services (AD DS), as detailed in [Client certificate requirements and mappings](#client-certificate-requirements-and-mappings), and uses the user's certificate to verify the signature.
+1. The KDC validates the user's certificate (time, path, and revocation status) to ensure that the certificate is from a trusted source. The KDC uses CryptoAPI to build a certification path from the user's certificate to a root certification authority (CA) certificate that resides in the root store on the domain controller. The KDC then uses CryptoAPI to verify the digital signature on the signed authenticator that was included in the preauthentication data fields. The domain controller verifies the signature and uses the public key from the user's certificate to prove that the request originated from the owner of the private key that corresponds to the public key. The KDC also verifies that the issuer is trusted and appears in the NTAUTH certificate store.
+1. The KDC service retrieves user account information from AD DS. The KDC constructs a TGT, which is based on the user account information that it retrieves from AD DS. The TGT's authorization data fields include the user's security identifier (SID), the SIDs for universal and global domain groups to which the user belongs, and (in a multidomain environment) the SIDs for any universal groups of which the user is a member.
+1. The domain controller returns the TGT to the client as part of the KRB_AS_REP response.
- 4. Notifies the sign-in UI that it has new credentials.
-
-3. The sign-in UI requests the new credentials from the smart card credential provider. As a response, the smart card credential provider provides each sign-in certificate to the sign-in UI, and corresponding sign-in tiles are displayed. The user selects a smart card-based sign-in certificate tile, and Windows displays a PIN dialog box.
-
-4. The user enters the PIN, and then presses ENTER. The smart card credential provider encrypts the PIN.
-
-5. The credential provider that resides in the LogonUI system collects the PIN. As part of packaging credentials in the smart card credential provider, the data is packaged in a KERB\_CERTIFICATE\_LOGON structure. The main contents of the KERB\_CERTIFICATE\_LOGON structure are the smart card PIN, CSP data (such as reader name and container name), user name, and domain name. User name is required if the sign-in domain is not in the same forest because it enables a certificate to be mapped to multiple user accounts.
-
-6. The credential provider wraps the data (such as the encrypted PIN, container name, reader name, and card key specification) and sends it back to LogonUI.
-
-7. Winlogon presents the data from LogonUI to the LSA with the user information in LSALogonUser.
-
-8. LSA calls the Kerberos authentication package (Kerberos SSP) to create a Kerberos authentication service request (KRB\_AS\_REQ), which containing a preauthenticator (as specified in RFC 4556: [Public Key Cryptography for Initial Authentication in Kerberos (PKINIT)](http://www.ietf.org/rfc/rfc4556.txt)).
-
- If the authentication is performed by using a certificate that uses a digital signature, the preauthentication data consists of the user's public certificate and the certificate that is digitally signed with the corresponding private key. If the authentication is performed by using a certificate that uses key encipherment, the preauthentication data consists of the user's public certificate and the certificate that is encrypted with the corresponding private key.
-
-9. To sign the request digitally (as per RFC 4556), a call is made to the corresponding CSP for a private key operation. Because the private key in this case is stored in a smart card, the smart card subsystem is called, and the necessary operation is completed. The result is sent back to the Kerberos security support provider (SSP).
-
-10. The Kerberos SSP sends an authentication request for a ticket-granting-ticket (TGT) (per RFC 4556) to the Key Distribution Center (KDC) service that runs on a domain controller.
-
-11. The KDC finds the user's account object in Active Directory Domain Services (AD DS), as detailed in [Client certificate requirements and mappings](#client-certificate-requirements-and-mappings), and uses the user's certificate to verify the signature.
-
-12. The KDC validates the user's certificate (time, path, and revocation status) to ensure that the certificate is from a trusted source. The KDC uses CryptoAPI to build a certification path from the user's certificate to a root certification authority (CA) certificate that resides in the root store on the domain controller. The KDC then uses CryptoAPI to verify the digital signature on the signed authenticator that was included in the preauthentication data fields. The domain controller verifies the signature and uses the public key from the user's certificate to prove that the request originated from the owner of the private key that corresponds to the public key. The KDC also verifies that the issuer is trusted and appears in the NTAUTH certificate store.
-
-13. The KDC service retrieves user account information from AD DS. The KDC constructs a TGT, which is based on the user account information that it retrieves from AD DS. The TGT's authorization data fields include the user's security identifier (SID), the SIDs for universal and global domain groups to which the user belongs, and (in a multidomain environment) the SIDs for any universal groups of which the user is a member.
-
-14. The domain controller returns the TGT to the client as part of the KRB\_AS\_REP response.
-
- > **Note** The KRB\_AS\_REP packet consists of:
- >- Privilege attribute certificate (PAC)
- >- User's SID
- >- SIDs of any groups of which the user is a member
- >- A request for ticket-granting service (TGS)
- >- Preauthentication data
+ > [!NOTE]
+ > The KRB_AS_REP packet consists of:
+ > - Privilege attribute certificate (PAC)
+ > - User's SID
+ > - SIDs of any groups of which the user is a member
+ > - A request for ticket-granting service (TGS)
+ > - Preauthentication data
TGT is encrypted with the master key of the KDC, and the session key is encrypted with a temporary key. This temporary key is derived based on RFC 4556. Using CryptoAPI, the temporary key is decrypted. As part of the decryption process, if the private key is on a smart card, a call is made to the smart card subsystem by using the specified CSP to extract the certificate corresponding to the user's public key. (Programmatic calls for the certificate include CryptAcquireContext, CryptSetProvParam with the PIN, CryptgetUserKey, and CryptGetKeyParam.) After the temporary key is obtained, the Kerberos SSP decrypts the session key.
-15. The client validates the reply from the KDC (time, path, and revocation status). It first verifies the KDC's signature by the construction of a certification path from the KDC's certificate to a trusted root CA, and then it uses the KDC's public key to verify the reply signature.
+1. The client validates the reply from the KDC (time, path, and revocation status). It first verifies the KDC's signature by the construction of a certification path from the KDC's certificate to a trusted root CA, and then it uses the KDC's public key to verify the reply signature.
+1. Now that a TGT has been obtained, the client obtains a service ticket, which is used to sign in to the local computer.
+1. With success, LSA stores the tickets and returns a success message to LSALogonUser. After this success message is issued, user profile for the device is selected and set, Group Policy refresh is instantiated, and other actions are performed.
+1. After the user profile is loaded, the Certification Propagation Service (CertPropSvc) detects this event, reads the certificates from the smart card (including the root certificates), and then populates them into the user's certificate store (MYSTORE)
+1. CSP to smart card resource manager communication happens on the LRPC Channel.
+1. On successful authentication, certificates are propagated to the user's store asynchronously by the Certificate Propagation Service (CertPropSvc).
+1. When the card is removed, certificates in the temporary secure cache store are removed. The Certificates are no longer available for sign-in, but they remain in the user's certificate store.
-16. Now that a TGT has been obtained, the client obtains a service ticket, which is used to sign in to the local computer.
-
-17. With success, LSA stores the tickets and returns a success message to LSALogonUser. After this success message is issued, user profile for the device is selected and set, Group Policy refresh is instantiated, and other actions are performed.
-
-18. After the user profile is loaded, the Certification Propagation Service (CertPropSvc) detects this event, reads the certificates from the smart card (including the root certificates), and then populates them into the user's certificate store (MYSTORE).
-
-19. CSP to smart card resource manager communication happens on the LRPC Channel.
-
-20. On successful authentication, certificates are propagated to the user's store asynchronously by the Certificate Propagation Service (CertPropSvc).
-
-21. When the card is removed, certificates in the temporary secure cache store are removed. The Certificates are no longer available for sign-in, but they remain in the user's certificate store.
-
-> **Note** A SID is created for each user or group at the time a user account or a group account is created within the local security accounts database or within AD DS. The SID never changes, even if the user or group account is renamed.
+> [!NOTE]
+> A SID is created for each user or group at the time a user account or a group account is created within the local security accounts database or within AD DS. The SID never changes, even if the user or group account is renamed.
For more information about the Kerberos protocol, see [Microsoft Kerberos](/windows/win32/secauthn/microsoft-kerberos).
-By default, the KDC verifies that the client's certificate contains the smart card client authentication EKU szOID\_KP\_SMARTCARD\_LOGON. However, if enabled, the **Allow certificates with no extended key usage certificate attribute** Group Policy setting allows the KDC to not require the SC-LOGON EKU. SC-LOGON EKU is not required for account mappings that are based on the public key.
+By default, the KDC verifies that the client's certificate contains the smart card client authentication EKU szOID_KP_SMARTCARD_LOGON. However, if enabled, the **Allow certificates with no extended key usage certificate attribute** Group Policy setting allows the KDC to not require the SC-LOGON EKU. SC-LOGON EKU isn't required for account mappings that are based on the public key.
## KDC certificate
Active Directory Certificate Services provides three kinds of certificate templates:
-- Domain controller
+- Domain controller
+- Domain controller authentication
+- Kerberos authentication
-- Domain controller authentication
-
-- Kerberos authentication
-
-Depending on the configuration of the domain controller, one of these types of certificates is sent as a part of the AS\_REP packet.
+Depending on the configuration of the domain controller, one of these types of certificates is sent as a part of the AS_REP packet.
## Client certificate requirements and mappings
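Review bot: the renumbered list starting at `+1. The client validates the reply from the KDC (time, path, and revocation status).` will render as a fresh list beginning at 1, because the `+ > [!NOTE]` block and the unindented paragraph `TGT is encrypted with the master key of the KDC...` sit between it and the earlier items; the removed `-15.` to `-21.` lines carried explicit numbers, so the break did not matter before, but with `1.` auto-numbering Markdown restarts after unindented content. Either indent the note and that paragraph so they belong to the preceding item, or keep explicit numbers for this list. Minor: the item ending `(MYSTORE)` lost its terminal period while the neighbouring items kept theirs.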
@@ -170,144 +122,125 @@ Certificate requirements are listed by versions of the Windows operating system.
### Certificate requirements
-The smart card certificate has specific format requirements when it is used with Windows XP and earlier operating systems. You can enable any certificate to be visible for the smart card credential provider.
-
-
-| **Component** | **Requirements for Windows 8.1, Windows 8, Windows 7, Windows Vista, Windows 10, and Windows 11** | **Requirements for Windows XP** |
-|--------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| CRL distribution point location | Not required | The location must be specified, online, and available, for example: \[1\]CRL Distribution Point Distribution Point Name: Full Name: URL=`` |
-| Key usage | Digital signature | Digital signature |
-| Basic constraints | Not required | \[Subject Type=End Entity, Path Length Constraint=None\] (Optional) |
-| extended key usage (EKU) | The smart card sign-in object identifier is not required.
**Note** If an EKU is present, it must contain the smart card sign-in EKU. Certificates with no EKU can be used for sign-in. | - Client Authentication (1.3.6.1.5.5.7.3.2) The client authentication object identifier is required only if a certificate is used for SSL authentication.
- Smart Card Sign-in (1.3.6.1.4.1.311.20.2.2) |
-| Subject alternative name | E-mail ID is not required for smart card sign-in. | Other Name: Principal Name=(UPN), for example: UPN=user1@contoso.com The UPN OtherName object identifier is 1.3.6.1.4.1.311.20.2.3. The UPN OtherName value must be an ASN1-encoded UTF8 string. |
-| Subject | Not required | Distinguished name of user. This field is a mandatory extension, but the population of this field is optional. |
-| Key exchange (AT\_KEYEXCHANGE field) | Not required for smart card sign-in certificates if a Group Policy setting is enabled. (By default, Group Policy settings are not enabled.) | Not required |
-| CRL | Not required | Not required |
-| UPN | Not required | Not required |
-| Notes | You can enable any certificate to be visible for the smart card credential provider. | There are two predefined types of private keys. These keys are Signature Only (AT\_SIGNATURE) and Key Exchange (AT\_KEYEXCHANGE). Smart card sign-in certificates must have a Key Exchange (AT\_KEYEXCHANGE) private key type. |
+| Component | Requirements |
+|--|--|
+| CRL distribution point location | Not required |
+| Key usage | Digital signature |
+| Basic constraints | Not required |
+| extended key usage (EKU) | The smart card sign-in object identifier isn't required.
**Note** If an EKU is present, it must contain the smart card sign-in EKU. Certificates with no EKU can be used for sign-in. |
+| Subject alternative name | E-mail ID isn't required for smart card sign-in. |
+| Subject | Not required |
+| Key exchange (AT_KEYEXCHANGE field) | Not required for smart card sign-in certificates if a Group Policy setting is enabled. (By default, Group Policy settings aren't enabled.) |
+| CRL | Not required |
+| UPN | Not required |
+| Notes | You can enable any certificate to be visible for the smart card credential provider. |
### Client certificate mappings
-Certificate mapping is based on the UPN that is contained in the subjectAltName (SAN) field of the certificate. Client certificates that do not contain information in the SAN field are also supported.
+Certificate mapping is based on the UPN that is contained in the subjectAltName (SAN) field of the certificate. Client certificates that don't contain information in the SAN field are also supported.
-SSL/TLS can map certificates that do not have SAN, and the mapping is done by using the AltSecID attributes on client accounts. The X509 AltSecID, which is used by SSL/TLS client authentication is of the form "X509: <I>"*<Issuer Name>*"<S>"*<Subject Name>*. The *<Issuer Name>* and *<Subject Name>* are taken from the client certificate, with '\\r' and '\\n' replaced with ','.
+SSL/TLS can map certificates that don't have SAN, and the mapping is done by using the AltSecID attributes on client accounts. The X509 AltSecID, which is used by SSL/TLS client authentication is of the form "X509: `` `` and `` are taken from the client certificate, with '\r' and '\n' replaced with ','.
-**Certificate revocation list distribution points**
+#### Certificate revocation list distribution points

-**UPN in Subject Alternative Name field**
+#### UPN in Subject Alternative Name field

-**Subject and Issuer fields**
+#### Subject and Issuer fields

This account mapping is supported by the KDC in addition to six other mapping methods. The following figure demonstrates a flow of user account mapping logic that is used by the KDC.
-**High-level flow of certificate processing for sign-in**
+#### High-level flow of certificate processing for sign-in

The certificate object is parsed to look for content to perform user account mapping.
-- When a user name is provided with the certificate, the user name is used to locate the account object. This operation is the fastest, because string matching occurs.
+- When a user name is provided with the certificate, the user name is used to locate the account object. This operation is the fastest, because string matching occurs
+- When only the certificate object is provided, multiple operations are performed to locate the user name to map the user name to an account object
+- When no domain information is available for authentication, the local domain is used by default. If any other domain is to be used for lookup, a domain name hint should be provided to perform the mapping and binding
-- When only the certificate object is provided, a series of operations are performed to locate the user name to map the user name to an account object.
-
-- When no domain information is available for authentication, the local domain is used by default. If any other domain is to be used for lookup, a domain name hint should be provided to perform the mapping and binding.
-
-Mapping based on generic attributes is not possible because there is no generic API to retrieve attributes from a certificate. Currently, the first method that locates an account successfully stops the search. But a configuration error occurs if two methods map the same certificate to different user accounts when the client does not supply the client name through the mapping hints.
+Mapping based on generic attributes isn't possible because there's no generic API to retrieve attributes from a certificate. Currently, the first method that locates an account successfully stops the search. But a configuration error occurs if two methods map the same certificate to different user accounts when the client doesn't supply the client name through the mapping hints.
The following figure illustrates the process of mapping user accounts for sign-in in the directory by viewing various entries in the certificate.
-**Certificate processing logic**
+#### Certificate processing logic

-NT\_AUTH policy is best described in the CERT\_CHAIN\_POLICY\_NT\_AUTH parameter section of the CertVerifyCertificateChainPolicy function. For more information, see [CertVerifyCertificateChainPolicy](/windows/win32/api/wincrypt/nf-wincrypt-certverifycertificatechainpolicy).
+NT_AUTH policy is best described in the CERT_CHAIN_POLICY_NT_AUTH parameter section of the CertVerifyCertificateChainPolicy function. For more information, see [CertVerifyCertificateChainPolicy](/windows/win32/api/wincrypt/nf-wincrypt-certverifycertificatechainpolicy).
## Smart card sign-in for a single user with one certificate into multiple accounts
A single user certificate can be mapped to multiple accounts. For example, a user might be able to sign in to a user account and also to sign in as a domain administrator. The mapping is done by using the constructed AltSecID based on attributes from client accounts. For information about how this mapping is evaluated, see [Client certificate requirements and mappings](#client-certificate-requirements-and-mappings).
-> **Note** Because each account has a different user name, we recommend that you enable the **Allow user name hint** Group Policy setting (**X509HintsNeeded** registry key) to provide the optional fields that allow users to enter their user names and domain information to sign in.
+> [!NOTE]
+> Because each account has a different user name, we recommend that you enable the **Allow user name hint** Group Policy setting (**X509HintsNeeded** registry key) to provide the optional fields that allow users to enter their user names and domain information to sign in.
Based on the information that is available in the certificate, the sign-in conditions are:
-1. If no UPN is present in the certificate:
-
- 1. Sign-in can occur in the local forest or in another forest if a single user with one certificate needs to sign in to different accounts.
-
- 2. A hint must be supplied if mapping is not unique (for example, if multiple users are mapped to the same certificate).
-
-2. If a UPN is present in the certificate:
-
- 1. The certificate cannot be mapped to multiple users in the same forest.
-
- 2. The certificate can be mapped to multiple users in different forests. For a user to sign in to other forests, an X509 hint must be supplied to the user.
+1. If no UPN is present in the certificate:
+ 1. Sign-in can occur in the local forest or in another forest if a single user with one certificate needs to sign in to different accounts
+ 1. A hint must be supplied if mapping isn't unique (for example, if multiple users are mapped to the same certificate)
+1. If a UPN is present in the certificate:
+ 1. The certificate can't be mapped to multiple users in the same forest
+ 1. The certificate can be mapped to multiple users in different forests. For a user to sign in to other forests, an X509 hint must be supplied to the user
## Smart card sign-in for multiple users into a single account
-A group of users might sign in to a single account (for example, an administrator account). For that account, user certificates are mapped so that they are enabled for sign-in.
+A group of users might sign in to a single account (for example, an administrator account). For that account, user certificates are mapped so that they're enabled for sign-in.
-Several distinct certificates can be mapped to a single account. For this to work properly, the certificate cannot have UPNs.
+Several distinct certificates can be mapped to a single account. For this to work properly, the certificate can't have UPNs.
For example, if Certificate1 has CN=CNName1, Certificate2 has CN=User1, and Certificate3 has CN=User2, the AltSecID of these certificates can be mapped to a single account by using the Active Directory Users and Computers name mapping.
## Smart card sign-in across forests
-For account mapping to work across forests, particularly in cases where there is not enough information available on the certificate, the user might enter a hint in the form of a user name, such as *domain\\user*, or a fully qualified UPN such as user@contoso.com.
+For account mapping to work across forests, particularly in cases where there isn't enough information available on the certificate, the user might enter a hint in the form of a user name, such as *domain\user*, or a fully qualified UPN such as `user@contoso.com`.
-> **Note** For the hint field to appear during smart card sign-in, the **Allow user name hint** Group Policy setting (**X509HintsNeeded** registry key) must be enabled on the client.
+> [!NOTE]
+> For the hint field to appear during smart card sign-in, the **Allow user name hint** Group Policy setting (**X509HintsNeeded** registry key) must be enabled on the client.
## OCSP support for PKINIT
Online Certificate Status Protocol (OCSP), which is defined in RFC 2560, enables applications to obtain timely information about the revocation status of a certificate. Because OCSP responses are small and well bound, constrained clients might want to use OCSP to check the validity of the certificates for Kerberos on the KDC, to avoid transmission of large CRLs, and to save bandwidth on constrained networks. For information about CRL registry keys, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md).
-The KDCs in Windows attempt to get OCSP responses and use them when available. This behavior cannot be disabled. CryptoAPI for OCSP caches OCSP responses and the status of the responses. The KDC supports only OCSP responses for the signer certificate.
+The KDCs in Windows attempt to get OCSP responses and use them when available. This behavior can't be disabled. CryptoAPI for OCSP caches OCSP responses and the status of the responses. The KDC supports only OCSP responses for the signer certificate.
-Windows client computers attempt to request the OCSP responses and use them in the reply when they are available. This behavior cannot be disabled.
+Windows client computers attempt to request the OCSP responses and use them in the reply when they're available. This behavior can't be disabled.
## Smart card root certificate requirements for use with domain sign-in
For sign-in to work in a smart card-based domain, the smart card certificate must meet the following conditions:
-- The KDC root certificate on the smart card must have an HTTP CRL distribution point listed in its certificate.
-
-- The smart card sign-in certificate must have the HTTP CRL distribution point listed in its certificate.
-
-- The CRL distribution point must have a valid CRL published and a delta CRL, if applicable, even if the CRL distribution point is empty.
-
+- The KDC root certificate on the smart card must have an HTTP CRL distribution point listed in its certificate
+- The smart card sign-in certificate must have the HTTP CRL distribution point listed in its certificate
+- The CRL distribution point must have a valid CRL published and a delta CRL, if applicable, even if the CRL distribution point is empty
- The smart card certificate must contain one of the following:
+ - A subject field that contains the DNS domain name in the distinguished name. If it doesn't, resolution to an appropriate domain fails, so Remote Desktop Services and the domain sign-in with the smart card fail
+ - A UPN where the domain name resolves to the actual domain. For example, if the domain name is `Engineering.Corp.Contoso`, the UPN is `username@engineering.corp.contoso.com`. If any part of the domain name is omitted, the Kerberos client can't find the appropriate domain
- - A subject field that contains the DNS domain name in the distinguished name. If it does not, resolution to an appropriate domain fails, so Remote Desktop Services and the domain sign-in with the smart card fail.
+To allow smart card sign-in to a domain in these versions, do the following:
- - A UPN where the domain name resolves to the actual domain. For example, if the domain name is Engineering.Corp.Contoso, the UPN is username@engineering.corp.contoso.com. If any part of the domain name is omitted, the Kerberos client cannot find the appropriate domain.
-
-Although the HTTP CRL distribution points are on by default in Windows Server 2008, subsequent versions of the Windows Server operating system do not include HTTP CRL distribution points. To allow smart card sign-in to a domain in these versions, do the following:
-
-1. Enable HTTP CRL distribution points on the CA.
-
-2. Restart the CA.
-
-3. Reissue the KDC certificate.
-
-4. Issue or reissue the smart card sign-in certificate.
-
-5. Propagate the updated root certificate to the smart card that you want to use for the domain sign-in.
+1. Enable HTTP CRL distribution points on the CA
+1. Restart the CA
+1. Reissue the KDC certificate
+1. Issue or reissue the smart card sign-in certificate
+1. Propagate the updated root certificate to the smart card that you want to use for the domain sign-in
The workaround is to enable the **Allow user name hint** Group Policy setting (**X509HintsNeeded** registry key), which allows the user to supply a hint in the credentials user interface for domain sign-in.
-If the client computer is not joined to the domain or if it is joined to a different domain, the client computer can resolve the server domain only by looking at the distinguished name on the certificate, not the UPN. For this scenario to work, the certificate requires a full subject, including DC=*<DomainControllerName>*, for domain name resolution.
+If the client computer isn't joined to the domain or if it's joined to a different domain, the client computer can resolve the server domain only by looking at the distinguished name on the certificate, not the UPN. For this scenario to work, the certificate requires a full subject, including `DC=`, for domain name resolution.
To deploy root certificates on a smart card for the currently joined domain, you can use the following command:
-**certutil -scroots update**
+```cmd
+certutil.exe -scroots update
+```
For more information about this option for the command-line tool, see [-SCRoots](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc732443(v=ws.11)#BKMK_SCRoots).
-
-## See also
-
-[How Smart Card Sign-in Works in Windows](smart-card-how-smart-card-sign-in-works-in-windows.md)
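Review bot: `+To allow smart card sign-in to a domain in these versions, do the following:` has no referent for "these versions" any more, because the removed sentence about Windows Server 2008 having HTTP CRL distribution points on by default while later Windows Server versions don't include them was dropped rather than reworded; keep a one-sentence lead (for example, "Windows Server versions after Windows Server 2008 don't include HTTP CRL distribution points by default") or replace "in these versions" with the concrete condition. Two placeholders were lost in the rewrite: the AltSecID sentence under "Client certificate mappings" now shows only empty code spans after "X509:", where the old line spelled out the Issuer Name and Subject Name placeholders, and the domain-resolution sentence now ends in a bare `DC=` where the old line had `*<DomainControllerName>*` after it. Put each form in a single code span with named placeholders, e.g. `X509:<I><IssuerName><S><SubjectName>` and `DC=<DomainComponent>`; the DC attribute of a distinguished name carries domain name components such as `DC=contoso,DC=com`, not a domain controller name, so the old placeholder name was misleading as well. The bold captions promoted to `####` headings (Certificate revocation list distribution points, UPN in Subject Alternative Name field, Subject and Issuer fields) now appear as three consecutive H4 headings with only blank lines between them; if they caption figures, keep them as captions, otherwise each heading needs body text. Removing the `## See also` link to `smart-card-how-smart-card-sign-in-works-in-windows.md` is fine only if that article stays reachable from the TOC or the body.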
diff --git a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
index 8193759010..0ba2519568 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-debugging-information.md
@@ -1,12 +1,8 @@
---
title: Smart Card Troubleshooting
description: Describes the tools and services that smart card developers can use to help identify certificate issues with the smart card deployment.
-ms.reviewer: ardenw
-ms.collection:
- - highpri
- - tier2
ms.topic: troubleshooting
-ms.date: 09/24/2021
+ms.date: 11/06/2023
---
# Smart Card Troubleshooting
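Review bot: the removal of `ms.collection: highpri` / `tier2` and `ms.reviewer: ardenw` goes beyond the date bump the rest of this PR applies and changes how the article is tracked; confirm it's intentional, and keep the collection entries if the page is still meant to be high-priority tier-2 content.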
@@ -15,17 +11,12 @@ This article explains tools and services that smart card developers can use to h
Debugging and tracing smart card issues requires a variety of tools and approaches. The following sections provide guidance about tools and approaches you can use.
-- [Certutil](#certutil)
-
-- [Debugging and tracing using Windows software trace preprocessor (WPP)](#debugging-and-tracing-using-wpp)
-
-- [Kerberos protocol, Key Distribution Center (KDC), and NTLM debugging and tracing](#kerberos-protocol-kdc-and-ntlm-debugging-and-tracing)
-
-- [Smart Card service](#smart-card-service)
-
-- [Smart card readers](#smart-card-readers)
-
-- [CryptoAPI 2.0 Diagnostics](#cryptoapi-20-diagnostics)
+- [Certutil](#certutil)
+- [Debugging and tracing using Windows software trace preprocessor (WPP)](#debugging-and-tracing-using-wpp)
+- [Kerberos protocol, Key Distribution Center (KDC), and NTLM debugging and tracing](#kerberos-protocol-kdc-and-ntlm-debugging-and-tracing)
+- [Smart Card service](#smart-card-service)
+- [Smart card readers](#smart-card-readers)
+- [CryptoAPI 2.0 Diagnostics](#cryptoapi-20-diagnostics)
## Certutil
@@ -33,7 +24,7 @@ For a complete description of Certutil including examples that show how to use i
### List certificates available on the smart card
-To list certificates that are available on the smart card, type `certutil -scinfo`.
+To list certificates that are available on the smart card, type `certutil.exe -scinfo`.
> [!NOTE]
> Entering a PIN is not required for this operation. You can press ESC if you are prompted for a PIN.
@@ -42,9 +33,9 @@ To list certificates that are available on the smart card, type `certutil -scinf
Each certificate is enclosed in a container. When you delete a certificate on the smart card, you're deleting the container for the certificate.
-To find the container value, type `certutil -scinfo`.
+To find the container value, type `certutil.exe -scinfo`.
-To delete a container, type **certutil -delkey -csp "Microsoft Base Smart Card Crypto Provider"** "<*ContainerValue*>".
+To delete a container, type `certutil.exe -delkey -csp "Microsoft Base Smart Card Crypto Provider" ""`.
## Debugging and tracing using WPP
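Review bot: the container placeholder is gone from `certutil.exe -delkey -csp "Microsoft Base Smart Card Crypto Provider" ""`, which now ends in an empty quoted string; the removed line carried `"<ContainerValue>"`, so restore a named placeholder inside the code span. Since this command deletes the key container on the card, it's also worth saying right next to it that the value comes from the `certutil.exe -scinfo` output described in the preceding sentence.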
@@ -54,144 +45,153 @@ WPP simplifies tracing the operation of the trace provider. It provides a mechan
Using WPP, use one of the following commands to enable tracing:
-- **tracelog.exe -kd -rt -start** <*FriendlyName*> **-guid \#**<*GUID*> **-f .\\**<*LogFileName*>**.etl -flags** <*flags*> **-ft 1**
-
-- **logman start** <*FriendlyName*> **-ets -p {**<*GUID*>**} -**<*Flags*> **-ft 1 -rt -o .\\**<*LogFileName*>**.etl -mode 0x00080000**
+```cmd
+tracelog.exe -kd -rt -start -guid -f ..etl -flags -ft 1
+logman.exe start -ets -p {} - -ft 1 -rt -o ..etl -mode 0x00080000
+```
You can use the parameters in the following table.
-| Friendly name | GUID | Flags |
-|-------------------|--------------------------------------|-----------|
-| `scardsvr` | 13038e47-ffec-425d-bc69-5707708075fe | 0xffff |
-| `winscard` | 3fce7c5f-fb3b-4bce-a9d8-55cc0ce1cf01 | 0xffff |
-| `basecsp` | 133a980d-035d-4e2d-b250-94577ad8fced | 0x7 |
-| `scksp` | 133a980d-035d-4e2d-b250-94577ad8fced | 0x7 |
-| `msclmd` | fb36caf4-582b-4604-8841-9263574c4f2c | 0x7 |
-| `credprov` | dba0e0e0-505a-4ab6-aa3f-22f6f743b480 | 0xffff |
-| `certprop` | 30eae751-411f-414c-988b-a8bfa8913f49 | 0xffff |
-| `scfilter` | eed7f3c9-62ba-400e-a001-658869df9a91 | 0xffff |
-| `wudfusbccid` | a3c09ba3-2f62-4be5-a50f-8278a646ac9d | 0xffff |
+| Friendly name | GUID | Flags |
+|--|--|--|
+| `scardsvr` | 13038e47-ffec-425d-bc69-5707708075fe | 0xffff |
+| `winscard` | 3fce7c5f-fb3b-4bce-a9d8-55cc0ce1cf01 | 0xffff |
+| `basecsp` | 133a980d-035d-4e2d-b250-94577ad8fced | 0x7 |
+| `scksp` | 133a980d-035d-4e2d-b250-94577ad8fced | 0x7 |
+| `msclmd` | fb36caf4-582b-4604-8841-9263574c4f2c | 0x7 |
+| `credprov` | dba0e0e0-505a-4ab6-aa3f-22f6f743b480 | 0xffff |
+| `certprop` | 30eae751-411f-414c-988b-a8bfa8913f49 | 0xffff |
+| `scfilter` | eed7f3c9-62ba-400e-a001-658869df9a91 | 0xffff |
+| `wudfusbccid` | a3c09ba3-2f62-4be5-a50f-8278a646ac9d | 0xffff |
-Examples
+### Examples
To enable tracing for the SCardSvr service:
-- **tracelog.exe -kd -rt -start scardsvr -guid \#13038e47-ffec-425d-bc69-5707708075fe -f .\\scardsvr.etl -flags 0xffff -ft 1**
+```cmd
+tracelog.exe -kd -rt -start scardsvr -guid \#13038e47-ffec-425d-bc69-5707708075fe -f .\scardsvr.etl -flags 0xffff -ft 1
+logman.exe start scardsvr -ets -p {13038e47-ffec-425d-bc69-5707708075fe} 0xffff -ft 1 -rt -o .\scardsvr.etl -mode 0x00080000
+```
-- **logman start scardsvr -ets -p {13038e47-ffec-425d-bc69-5707708075fe} 0xffff -ft 1 -rt -o .\\scardsvr.etl -mode 0x00080000**
+To enable tracing for `scfilter.sys`:
-To enable tracing for scfilter.sys:
-
- - **tracelog.exe -kd -rt -start scfilter -guid \#eed7f3c9-62ba-400e-a001-658869df9a91 -f .\\scfilter.etl -flags 0xffff -ft 1**
+```cmd
+tracelog.exe -kd -rt -start scfilter -guid \#eed7f3c9-62ba-400e-a001-658869df9a91 -f .\scfilter.etl -flags 0xffff -ft 1
+```
### Stop the trace
Using WPP, use one of the following commands to stop the tracing:
-- **tracelog.exe -stop** <*FriendlyName*>
+```cmd
+tracelog.exe -stop <*FriendlyName*>
+logman.exe -stop <*FriendlyName*> -ets
+```
-- **logman -stop** <*FriendlyName*> **-ets**
+For example, to stop a trace:
-#### Examples
-
-To stop a trace:
-
-- **tracelog.exe -stop scardsvr**
-
-- **logman -stop scardsvr -ets**
+```cmd
+tracelog.exe -stop scardsvr
+logman.exe -stop scardsvr -ets
+```
## Kerberos protocol, KDC, and NTLM debugging and tracing
-
-
You can use these resources to troubleshoot these protocols and the KDC:
-- [Kerberos and LDAP Troubleshooting Tips](/previous-versions/tn-archive/bb463167(v=technet.10)).
+- [Kerberos and LDAP Troubleshooting Tips](/previous-versions/tn-archive/bb463167(v=technet.10))
+- [Windows Driver Kit (WDK) and Debugging Tools for Windows (WinDbg)](https://developer.microsoft.com/windows/hardware/windows-driver-kit). You can use the trace log tool in this SDK to debug Kerberos authentication failures.
-- [Windows Driver Kit (WDK) and Debugging Tools for Windows (WinDbg)](https://developer.microsoft.com/en-us/windows/hardware/windows-driver-kit). You can use the trace log tool in this SDK to debug Kerberos authentication failures.
-
-To begin tracing, you can use `Tracelog`. Different components use different control GUIDs as explained in these examples. For more information, see [`Tracelog`](/windows-hardware/drivers/devtest/tracelog).
+To begin tracing, you can use `Tracelog`. Different components use different control GUIDs as explained in these examples. For more information, see [`Tracelog`](/windows-hardware/drivers/devtest/tracelog)
### NTLM
To enable tracing for NTLM authentication, run the following command on the command line:
- - **tracelog.exe -kd -rt -start ntlm -guid \#5BBB6C18-AA45-49b1-A15F-085F7ED0AA90 -f .\\ntlm.etl -flags 0x15003 -ft 1**
+```cmd
+tracelog.exe -kd -rt -start ntlm -guid \#5BBB6C18-AA45-49b1-A15F-085F7ED0AA90 -f .\ntlm.etl -flags 0x15003 -ft 1
+```
To stop tracing for NTLM authentication, run this command:
- - **tracelog -stop ntlm**
+```cmd
+tracelog -stop ntlm
+```
### Kerberos authentication
To enable tracing for Kerberos authentication, run this command:
- - **tracelog.exe -kd -rt -start kerb -guid \#6B510852-3583-4e2d-AFFE-A67F9F223438 -f .\\kerb.etl -flags 0x43 -ft 1**
+```cmd
+tracelog.exe -kd -rt -start kerb -guid \#6B510852-3583-4e2d-AFFE-A67F9F223438 -f .\kerb.etl -flags 0x43 -ft 1
+```
To stop tracing for Kerberos authentication, run this command:
- - **tracelog.exe -stop kerb**
+```cmd
+tracelog.exe -stop kerb
+```
### KDC
To enable tracing for the KDC, run the following command on the command line:
- - **tracelog.exe -kd -rt -start kdc -guid \#1BBA8B19-7F31-43c0-9643-6E911F79A06B -f .\\kdc.etl -flags 0x803 -ft 1**
+```cmd
+tracelog.exe -kd -rt -start kdc -guid \#1BBA8B19-7F31-43c0-9643-6E911F79A06B -f .\kdc.etl -flags 0x803 -ft 1
+```
To stop tracing for the KDC, run the following command on the command line:
- - **tracelog.exe -stop kdc**
+```cmd
+tracelog.exe -stop kdc
+```
-To stop tracing from a remote computer, run this command: logman.exe -s *<ComputerName>*.
+To stop tracing from a remote computer, run this command:
+
+```cmd
+logman.exe -s
+```
> [!NOTE]
-> The default location for logman.exe is %systemroot%system32\\. Use the **-s** option to supply a computer name.
+> The default location for logman.exe is %systemroot%system32\. Use the **-s** option to supply a computer name.
### Configure tracing with the registry
You can also configure tracing by editing the Kerberos registry values shown in the following table.
-| Element | Registry Key Setting |
-|-------------|----------------------------------------------------|
-| NTLM | HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\MSV1\_0 Value name: NtLmInfoLevel Value type: DWORD Value data: c0015003 |
-| Kerberos | HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Kerberos Value name: LogToFile Value type: DWORD Value data: 00000001
HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Kerberos\\Parameters Value name: KerbDebugLevel Value type: DWORD Value data: c0000043
HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Kerberos\\Parameters Value name: LogToFile Value type: DWORD Value data: 00000001 |
-| KDC | HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Kdc Value name: KdcDebugLevel Value type: DWORD Value data: c0000803 |
+| Element | Registry Key Setting |
+|--|--|
+| NTLM | HKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 Value name: NtLmInfoLevel Value type: DWORD Value data: c0015003 |
+| Kerberos | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos Value name: LogToFile Value type: DWORD Value data: 00000001
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters Value name: KerbDebugLevel Value type: DWORD Value data: c0000043
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters Value name: LogToFile Value type: DWORD Value data: 00000001 |
+| KDC | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Kdc Value name: KdcDebugLevel Value type: DWORD Value data: c0000803 |
-If you used `Tracelog`, look for the following log file in your current directory: kerb.etl/kdc.etl/ntlm.etl.
+If you used `Tracelog`, look for the following log file in your current directory: `kerb.etl/kdc.etl/ntlm.etl`.
If you used the registry key settings shown in the previous table, look for the trace log files in the following locations:
-- NTLM: %systemroot%\\tracing\\msv1\_0
+- NTLM: `%systemroot%\tracing\msv1_0`
+- Kerberos: `%systemroot%\tracing\kerberos`
+- KDC: `%systemroot%\tracing\kdcsvc`
-- Kerberos: %systemroot%\\tracing\\kerberos
-
-- KDC: %systemroot%\\tracing\\kdcsvc
-
-To decode event trace files, you can use `Tracefmt` (tracefmt.exe). `Tracefmt` is a command-line tool that formats and displays trace messages from an event trace log file (.etl) or a real-time trace session. `Tracefmt` can display the messages in the Command Prompt window or save them in a text file. It is located in the \\tools\\tracing subdirectory of the Windows Driver Kit (WDK). For more information, see [`Tracefmt`](/windows-hardware/drivers/devtest/tracefmt).
+To decode event trace files, you can use `Tracefmt` (tracefmt.exe). `Tracefmt` is a command-line tool that formats and displays trace messages from an event trace log file (.etl) or a real-time trace session. `Tracefmt` can display the messages in the Command Prompt window or save them in a text file. It is located in the \tools\tracing subdirectory of the Windows Driver Kit (WDK). For more information, see [`Tracefmt`](/windows-hardware/drivers/devtest/tracefmt).
## Smart Card service
The smart card resource manager service runs in the context of a local service. It's implemented as a shared service of the services host (svchost) process.
-**To check if Smart Card service is running**
+To check if Smart Card service is running:
-1. Press CTRL+ALT+DEL, and then select **Start Task Manager**.
+1. Press CTRL+ALT+DEL, and then select **Start Task Manager**
+1. In the **Windows Task Manager** dialog box, select the **Services** tab
+1. Select the **Name** column to sort the list alphabetically, and then type **s**
+1. In the **Name** column, look for **SCardSvr**, and then look under the **Status** column to see if the service is running or stopped
-2. In the **Windows Task Manager** dialog box, select the **Services** tab.
+To restart Smart Card service:
-3. Select the **Name** column to sort the list alphabetically, and then type **s**.
-
-4. In the **Name** column, look for **SCardSvr**, and then look under the **Status** column to see if the service is running or stopped.
-
-**To restart Smart Card service**
-
-1. Run as administrator at the command prompt.
-
-2. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then select **Yes**.
-
-3. At the command prompt, type `net stop SCardSvr`.
-
-4. At the command prompt, type `net start SCardSvr`.
+1. Run as administrator at the command prompt
+1. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then select **Yes**
+1. At the command prompt, type `net stop SCardSvr`
+1. At the command prompt, type `net start SCardSvr`
You can use the following command at the command prompt to check whether the service is running: `sc queryex scardsvr`.
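Review bot: the rewritten NTLM row of the registry table drops the path separator: `| NTLM | HKEY_LOCAL_MACHINESYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 ...` should read `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0`, matching the Kerberos and KDC rows directly below it; as written the path does not exist and pasting it into `reg add` creates nothing useful. Two smaller points in the same hunk: the remote-stop block replaces `logman.exe -s *<ComputerName>*` with a bare `logman.exe -s`, so the placeholder that the following note still refers to ("Use the **-s** option to supply a computer name") is gone; keep it as `logman.exe -s <ComputerName>`. And `%systemroot%system32\` in that note is still missing the backslash after `%systemroot%` (it should be `%systemroot%\system32\`), which this cleanup of escaped backslashes was the natural place to fix. The Kerberos row also still spans three source lines, which markdown tables do not render; joining its three value entries with `<br>` would keep the row intact.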
@@ -215,15 +215,12 @@ C:\>
As with any device connected to a computer, Device Manager can be used to view properties and begin the debug process.
-**To check if smart card reader is working**
+To check if smart card reader is working:
-1. Navigate to **Computer**.
-
-2. Right-click **Computer**, and then select **Properties**.
-
-3. Under **Tasks**, select **Device Manager**.
-
-4. In Device Manager, expand **Smart card readers**, select the name of the smart card reader you want to check, and then select **Properties**.
+1. Navigate to **Computer**
+1. Right-click **Computer**, and then select **Properties**
+1. Under **Tasks**, select **Device Manager**
+1. In Device Manager, expand **Smart card readers**, select the name of the smart card reader you want to check, and then select **Properties**
> [!NOTE]
> If the smart card reader is not listed in Device Manager, in the **Action** menu, select **Scan for hardware changes**.
diff --git a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
index f3f0e7de99..270eda4a77 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
@@ -1,9 +1,8 @@
---
title: Smart Card Group Policy and Registry Settings
description: Discover the Group Policy, registry key, local security policy, and credential delegation policy settings that are available for configuring smart cards.
-ms.reviewer: ardenw
ms.topic: reference
-ms.date: 11/02/2021
+ms.date: 11/06/2023
---
# Smart Card Group Policy and Registry Settings
@@ -12,72 +11,51 @@ This article for IT professionals and smart card developers describes the Group
The following sections and tables list the smart card-related Group Policy settings and registry keys that can be set on a per-computer basis. If you use domain Group Policy Objects (GPOs), you can edit and apply Group Policy settings to local or domain computers.
-- [Primary Group Policy settings for smart cards](#primary-group-policy-settings-for-smart-cards)
-
- - [Allow certificates with no extended key usage certificate attribute](#allow-certificates-with-no-extended-key-usage-certificate-attribute)
-
- - [Allow ECC certificates to be used for logon and authentication](#allow-ecc-certificates-to-be-used-for-logon-and-authentication)
-
- - [Allow Integrated Unblock screen to be displayed at the time of logon](#allow-integrated-unblock-screen-to-be-displayed-at-the-time-of-logon)
-
- - [Allow signature keys valid for Logon](#allow-signature-keys-valid-for-logon)
-
- - [Allow time invalid certificates](#allow-time-invalid-certificates)
-
- - [Allow user name hint](#allow-user-name-hint)
-
- - [Configure root certificate clean up](#configure-root-certificate-clean-up)
-
- - [Display string when smart card is blocked](#display-string-when-smart-card-is-blocked)
-
- - [Filter duplicate logon certificates](#filter-duplicate-logon-certificates)
-
- - [Force the reading of all certificates from the smart card](#force-the-reading-of-all-certificates-from-the-smart-card)
-
- - [Notify user of successful smart card driver installation](#notify-user-of-successful-smart-card-driver-installation)
-
- - [Prevent plaintext PINs from being returned by Credential Manager](#prevent-plaintext-pins-from-being-returned-by-credential-manager)
-
- - [Reverse the subject name stored in a certificate when displaying](#reverse-the-subject-name-stored-in-a-certificate-when-displaying)
-
- - [Turn on certificate propagation from smart card](#turn-on-certificate-propagation-from-smart-card)
-
- - [Turn on root certificate propagation from smart card](#turn-on-root-certificate-propagation-from-smart-card)
-
- - [Turn on Smart Card Plug and Play service](#turn-on-smart-card-plug-and-play-service)
-
-- [Base CSP and Smart Card KSP registry keys](#base-csp-and-smart-card-ksp-registry-keys)
-
-- [CRL checking registry keys](#crl-checking-registry-keys)
-
-- [Additional smart card Group Policy settings and registry keys](#additional-smart-card-group-policy-settings-and-registry-keys)
+- [Primary Group Policy settings for smart cards](#primary-group-policy-settings-for-smart-cards)
+ - [Allow certificates with no extended key usage certificate attribute](#allow-certificates-with-no-extended-key-usage-certificate-attribute)
+ - [Allow ECC certificates to be used for logon and authentication](#allow-ecc-certificates-to-be-used-for-logon-and-authentication)
+ - [Allow Integrated Unblock screen to be displayed at the time of logon](#allow-integrated-unblock-screen-to-be-displayed-at-the-time-of-logon)
+ - [Allow signature keys valid for Logon](#allow-signature-keys-valid-for-logon)
+ - [Allow time invalid certificates](#allow-time-invalid-certificates)
+ - [Allow user name hint](#allow-user-name-hint)
+ - [Configure root certificate clean up](#configure-root-certificate-clean-up)
+ - [Display string when smart card is blocked](#display-string-when-smart-card-is-blocked)
+ - [Filter duplicate logon certificates](#filter-duplicate-logon-certificates)
+ - [Force the reading of all certificates from the smart card](#force-the-reading-of-all-certificates-from-the-smart-card)
+ - [Notify user of successful smart card driver installation](#notify-user-of-successful-smart-card-driver-installation)
+ - [Prevent plaintext PINs from being returned by Credential Manager](#prevent-plaintext-pins-from-being-returned-by-credential-manager)
+ - [Reverse the subject name stored in a certificate when displaying](#reverse-the-subject-name-stored-in-a-certificate-when-displaying)
+ - [Turn on certificate propagation from smart card](#turn-on-certificate-propagation-from-smart-card)
+ - [Turn on root certificate propagation from smart card](#turn-on-root-certificate-propagation-from-smart-card)
+ - [Turn on Smart Card Plug and Play service](#turn-on-smart-card-plug-and-play-service)
+- [Base CSP and Smart Card KSP registry keys](#base-csp-and-smart-card-ksp-registry-keys)
+- [CRL checking registry keys](#crl-checking-registry-keys)
+- [Additional smart card Group Policy settings and registry keys](#additional-smart-card-group-policy-settings-and-registry-keys)
## Primary Group Policy settings for smart cards
-The following smart card Group Policy settings are in Computer Configuration\\Administrative Templates\\Windows Components\\Smart Card.
+The following smart card Group Policy settings are in Computer Configuration\Administrative Templates\Windows Components\Smart Card.
The registry keys are in the following locations:
-- **HKEY\_LOCAL\_MACHINE\\SOFTWARE\Policies\\Microsoft\\Windows\\ScPnP\\EnableScPnP**
-
-- **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\SmartCardCredentialProvider**
-
-- **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CertProp**
+- **HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScPnP\EnableScPnP**
+- **HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider**
+- **HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CertProp**
> [!NOTE]
-> Smart card reader registry information is in **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Cryptography\\Calais\\Readers**.
-Smart card registry information is in **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\Cryptography\\Calais\\SmartCards**.
+> Smart card reader registry information is in **HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Calais\Readers**.\
+> Smart card registry information is in **HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Calais\SmartCards**.
The following table lists the default values for these GPO settings. Variations are documented under the policy descriptions in this article.
-| **Server type or GPO** | **Default value** |
-|----------------------------------------------|-------------------|
-| Default Domain Policy | Not configured |
-| Default Domain Controller Policy | Not configured |
-| Stand-Alone Server Default Settings | Not configured |
-| Domain Controller Effective Default Settings | Disabled |
-| Member Server Effective Default Settings | Disabled |
-| Client Computer Effective Default Settings | Disabled |
+| Server type or GPO | Default value |
+|--|--|
+| Default Domain Policy | Not configured |
+| Default Domain Controller Policy | Not configured |
+| Stand-Alone Server Default Settings | Not configured |
+| Domain Controller Effective Default Settings | Disabled |
+| Member Server Effective Default Settings | Disabled |
+| Client Computer Effective Default Settings | Disabled |
### Allow certificates with no extended key usage certificate attribute
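Review bot: in the "The registry keys are in the following locations" list, the first rewritten entry `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\ScPnP\EnableScPnP` ends in a value name rather than a key, unlike the other two entries (`...\SmartCardCredentialProvider` and `...\CertProp`), which are key paths. Since this hunk rewrites the list anyway, either trim it to `...\Windows\ScPnP` so all three are keys, or state that `EnableScPnP` is the value under that key, so a reader auditing these policies with `reg query` looks in the right place.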
@@ -85,70 +63,66 @@ You can use this policy setting to allow certificates without an extended key us
> [!NOTE]
> extended key usage certificate attribute is also known as extended key usage.
->
+>
> In versions of Windows before Windows Vista, smart card certificates that are used to sign in require an EKU extension with a smart card logon object identifier. This policy setting can be used to modify that restriction.
When this policy setting is turned on, certificates with the following attributes can also be used to sign in with a smart card:
-- Certificates with no EKU
-
-- Certificates with an All Purpose EKU
-
-- Certificates with a Client Authentication EKU
+- Certificates with no EKU
+- Certificates with an All Purpose EKU
+- Certificates with a Client Authentication EKU
When this policy setting isn't turned on, only certificates that contain the smart card logon object identifier can be used to sign in with a smart card.
-| **Item** | **Description** |
-|--------------------------------------|-------------------------------------------------------------------------------------------------------------|
-| Registry key | AllowCertificatesWithNoEKU |
-| Default values | No changes per operating system versions Disabled and not configured are equivalent |
-| Policy management | Restart requirement: None Sign off requirement: None Policy conflicts: None |
-| Notes and resources | |
+| Item | Description |
+|--|--|
+| Registry key | AllowCertificatesWithNoEKU |
+| Default values | No changes per operating system versions Disabled and not configured are equivalent |
+| Policy management | Restart requirement: None Sign off requirement: None Policy conflicts: None |
### Allow ECC certificates to be used for logon and authentication
-You can use this policy setting to control whether elliptic curve cryptography (ECC) certificates on a smart card can be used to sign in to a domain.
+You can use this policy setting to control whether elliptic curve cryptography (ECC) certificates on a smart card can be used to sign in to a domain.
-When this setting is turned on, ECC certificates on a smart card can be used to sign in to a domain.
+When this setting is turned on, ECC certificates on a smart card can be used to sign in to a domain.
When this setting isn't turned on, ECC certificates on a smart card can't be used to sign in to a domain.
-| **Item** | **Description** |
-|--------------------------------------|-------------------------------|
-| Registry key | **EnumerateECCCerts** |
-| Default values | No changes per operating system versions Disabled and not configured are equivalent |
-| Policy management | Restart requirement: None Sign off requirement: None Policy conflicts: None |
-| Notes and resources | This policy setting only affects a user's ability to sign in to a domain. ECC certificates on a smart card that are used for other applications, such as document signing, aren't affected by this policy setting. If you use an ECDSA key to sign in, you must also have an associated ECDH key to permit sign in when you're not connected to the network. |
+| Item | Description |
+|--|--|
+| Registry key | `EnumerateECCCerts` |
+| Default values | No changes per operating system versions Disabled and not configured are equivalent |
+| Policy management | Restart requirement: None Sign off requirement: None Policy conflicts: None |
+| Notes and resources | This policy setting only affects a user's ability to sign in to a domain. ECC certificates on a smart card that are used for other applications, such as document signing, aren't affected by this policy setting. If you use an ECDSA key to sign in, you must also have an associated ECDH key to permit sign in when you're not connected to the network. |
### Allow Integrated Unblock screen to be displayed at the time of logon
You can use this policy setting to determine whether the integrated unblock feature is available in the sign-in user interface (UI). The feature was introduced as a standard feature in the Credential Security Support Provider in Windows Vista.
-When this setting is turned on, the integrated unblock feature is available.
+When this setting is turned on, the integrated unblock feature is available.
When this setting isn't turned on, the feature is not available.
-| **Item** | **Description** |
-|--------------------------------------|---------------------------------------------------------------------------------------------------------------|
-| Registry key | **AllowIntegratedUnblock** |
-| Default values | No changes per operating system versions Disabled and not configured are equivalent |
-| Policy management | Restart requirement: None Sign off requirement: None Policy conflicts: None |
-| Notes and resources | To use the integrated unblock feature, the smart card must support it. Check with the hardware manufacturer to verify that the smart card supports this feature. You can create a custom message that the user sees when the smart card is blocked by configuring the policy setting [Display string when smart card is blocked](#display-string-when-smart-card-is-blocked). |
+| Item | Description |
+|--|--|
+| Registry key | `AllowIntegratedUnblock` |
+| Default values | No changes per operating system versions Disabled and not configured are equivalent |
+| Policy management | Restart requirement: None Sign off requirement: None Policy conflicts: None |
+| Notes and resources | To use the integrated unblock feature, the smart card must support it. Check with the hardware manufacturer to verify that the smart card supports this feature. You can create a custom message that the user sees when the smart card is blocked by configuring the policy setting [Display string when smart card is blocked](#display-string-when-smart-card-is-blocked). |
### Allow signature keys valid for Logon
-You can use this policy setting to allow signature key–based certificates to be enumerated and available for sign-in.
+You can use this policy setting to allow signature key-based certificates to be enumerated and available for sign-in.
When this setting is turned on, any certificates that are available on the smart card with a signature-only key are listed on the sign-in screen.
When this setting isn't turned on, certificates available on the smart card with a signature-only key aren't listed on the sign-in screen.
-| **Item** | **Description** |
-|--------------------------------------|-------------------------------------------------------------------------------------------------------------|
-| Registry key | **AllowSignatureOnlyKeys**|
-| Default values | No changes per operating system versions Disabled and not configured are equivalent |
-| Policy management | Restart requirement: None Sign off requirement: None Policy conflicts: None |
-| Notes and resources | |
+| Item | Description |
+|--|--|
+| Registry key | **AllowSignatureOnlyKeys** |
+| Default values | No changes per operating system versions Disabled and not configured are equivalent |
+| Policy management | Restart requirement: None Sign off requirement: None Policy conflicts: None |
### Allow time invalid certificates
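Review bot: the registry-key cells in this hunk are being converted from bold to code formatting (`EnumerateECCCerts`, `AllowIntegratedUnblock`), but the Allow signature keys table keeps `| Registry key | **AllowSignatureOnlyKeys** |`; make that backticks as well. While these tables are being rebuilt, the "Default values" and "Policy management" cells still run their items together ("No changes per operating system versions Disabled and not configured are equivalent", "Restart requirement: None Sign off requirement: None Policy conflicts: None"); a `<br>` or semicolon between the items would make them readable, which matters most for "Disabled and not configured are equivalent", because that is the fail-closed default a reader checks before enabling any of these settings.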
@@ -161,85 +135,79 @@ When this setting is turned on, certificates are listed on the sign-in screen wh
When this policy setting isn't turned on, certificates that are expired or not yet valid aren't listed on the sign-in screen.
-| **Item** | **Description** |
-|--------------------------------------|-------------------------------------------------------------------------------------------------------------|
-| Registry key | **AllowTimeInvalidCertificates** |
-| Default values | No changes per operating system versions Disabled and not configured are equivalent |
-| Policy management | Restart requirement: None Sign off requirement: None Policy conflicts: None |
-| Notes and resources | |
+| Item | Description |
+|--|--|
+| Registry key | `AllowTimeInvalidCertificates` |
+| Default values | No changes per operating system versions Disabled and not configured are equivalent |
+| Policy management | Restart requirement: None Sign off requirement: None Policy conflicts: None |
### Allow user name hint
-You can use this policy setting to determine whether an optional field appears during sign-in and provides a subsequent elevation process where users can enter their username or username and domain, which associates a certificate with the user.
+You can use this policy setting to determine whether an optional field appears during sign-in and provides a subsequent elevation process where users can enter their username or username and domain, which associates a certificate with the user.
-When this policy setting is turned on, users see an optional field where they can enter their username or username and domain.
+When this policy setting is turned on, users see an optional field where they can enter their username or username and domain.
When this policy setting isn't turned on, users don't see this optional field.
-| **Item** | **Description** |
-|--------------------------------------|-------------------------------------------------------------------------------------------------------------|
-| Registry key | **X509HintsNeeded**|
-| Default values | No changes per operating system versions Disabled and not configured are equivalent |
-| Policy management | Restart requirement: None Sign off requirement: None Policy conflicts: None |
-| Notes and resources | |
+| Item | Description |
+|--|--|
+| Registry key | `X509HintsNeeded` |
+| Default values | No changes per operating system versions Disabled and not configured are equivalent |
+| Policy management | Restart requirement: None Sign off requirement: None Policy conflicts: None |
### Configure root certificate clean-up
-You can use this policy setting to manage the cleanup behavior of root certificates. Certificates are verified by using a trust chain, and the trust anchor for the digital certificate is the Root Certification Authority (CA). A CA can issue multiple certificates with the root certificate as the top certificate of the tree structure. A private key is used to sign other certificates. This creates an inherited trustworthiness for all certificates immediately under the root certificate.
+You can use this policy setting to manage the cleanup behavior of root certificates. Certificates are verified by using a trust chain, and the trust anchor for the digital certificate is the Root Certification Authority (CA). A CA can issue multiple certificates with the root certificate as the top certificate of the tree structure. A private key is used to sign other certificates. This creates an inherited trustworthiness for all certificates immediately under the root certificate.
When this policy setting is turned on, you can set the following cleanup options:
-- **No cleanup**. When the user signs out or removes the smart card, the root certificates used during their session persist on the computer.
-
-- **Clean up certificates on smart card removal**. When the smart card is removed, the root certificates are removed.
-
-- **Clean up certificates on log off**. When the user signs out of Windows, the root certificates are removed.
+- **No cleanup**. When the user signs out or removes the smart card, the root certificates used during their session persist on the computer.
+- **Clean up certificates on smart card removal**. When the smart card is removed, the root certificates are removed.
+- **Clean up certificates on log off**. When the user signs out of Windows, the root certificates are removed.
When this policy setting isn't turned on, root certificates are automatically removed when the user signs out of Windows.
-| **Item** | **Description** |
-|--------------------------------------|-------------------------------------------------------------------------------------------------------------|
-| Registry key | **RootCertificateCleanupOption**|
-| Default values | No changes per operating system versions Disabled and not configured are equivalent |
-| Policy management | Restart requirement: None Sign off requirement: None Policy conflicts: None |
-| Notes and resources | |
+| Item | Description |
+|--|--|
+| Registry key | `RootCertificateCleanupOption` |
+| Default values | No changes per operating system versions Disabled and not configured are equivalent |
+| Policy management | Restart requirement: None Sign off requirement: None Policy conflicts: None |
### Display string when smart card is blocked
You can use this policy setting to change the default message that a user sees if their smart card is blocked.
-When this policy setting is turned on, you can create and manage the displayed message that the user sees when a smart card is blocked.
+When this policy setting is turned on, you can create and manage the displayed message that the user sees when a smart card is blocked.
When this policy setting isn't turned on (and the integrated unblock feature is also enabled), the user sees the system's default message when the smart card is blocked.
-| **Item** | **Description** |
-|--------------------------------------|-------------------------|
-| Registry key | **IntegratedUnblockPromptString** |
-| Default values | No changes per operating system versions Disabled and not configured are equivalent |
+| Item | Description |
+|--|--|
+| Registry key | `IntegratedUnblockPromptString` |
+| Default values | No changes per operating system versions Disabled and not configured are equivalent |
| Policy management | Restart requirement: None Sign off requirement: None Policy conflicts: This policy setting is only effective when the [Allow Integrated Unblock screen to be displayed at the time of logon](#allow-integrated-unblock-screen-to-be-displayed-at-the-time-of-logon) policy is enabled. |
-| Notes and resources | |
### Filter duplicate logon certificates
-You can use this policy setting to configure which valid sign-in certificates are displayed.
+You can use this policy setting to configure which valid sign-in certificates are displayed.
> [!NOTE]
> During the certificate renewal period, a user's smart card can have multiple valid sign-in certificates issued from the same certificate template, which can cause confusion about which certificate to select. This behavior can occur when a certificate is renewed and the old certificate has not expired yet.
->
+>
> If two certificates are issued from the same template with the same major version and they are for the same user (this is determined by their UPN), they are determined to be the same.
-When this policy setting is turned on, filtering occurs so that the user can select from only the most current valid certificates.
+When this policy setting is turned on, filtering occurs so that the user can select from only the most current valid certificates.
If this policy setting isn't turned on, all the certificates are displayed to the user.
This policy setting is applied to the computer after the [Allow time invalid certificates](#allow-time-invalid-certificates) policy setting is applied.
-| **Item** | **Description** |
-|--------------------------------------|--------------------------------------------------------------------------------------------------|
-| Registry key | **FilterDuplicateCerts**|
-| Default values | No changes per operating system versions Disabled and not configured are equivalent |
-| Policy management | Restart requirement: None Sign off requirement: None Policy conflicts: None |
-| Notes and resources | If there are two or more of the same certificates on a smart card and this policy setting is enabled, the certificate that is used to sign in to computers running Windows 2000, Windows XP, or Windows Server 2003 will be displayed. Otherwise, the certificate with the most distant expiration time will be displayed. |
+| Item | Description |
+|--|--|
+| Registry key | `FilterDuplicateCerts` |
+| Default values | No changes per operating system versions Disabled and not configured are equivalent |
+| Policy management | Restart requirement: None Sign off requirement: None Policy conflicts: None |
+| Notes and resources | If there are two or more of the same certificates on a smart card and this policy setting is enabled, the certificate with the most distant expiration time is displayed. |
### Force the reading of all certificates from the smart card
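Review bot: the Filter duplicate logon certificates note is not only reformatted; it drops the clause about Windows 2000, Windows XP and Windows Server 2003 and now states only that "the certificate with the most distant expiration time is displayed". That is a change to the documented selection behaviour, not a formatting fix, so it should be called out as such (the commit does not mention it) and confirmed against the current credential provider behaviour before it is folded into a cleanup pass.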
@@ -249,45 +217,45 @@ When this policy setting is turned on, Windows attempts to read all certificates
When this policy isn't turned on, Windows attempts to read only the default certificate from smart cards that don't support retrieval of all certificates in a single call. Certificates other than the default aren't available for sign-in.
-| **Item** | **Description** |
-|--------------------------------------|----------------------------------------------------------------------------|
-| Registry key | **ForceReadingAllCertificates** |
-| Default values | No changes per operating system versions Disabled and not configured are equivalent |
-| Policy management | Restart requirement: None Sign off requirement: None Policy conflicts: None
**Important**: Enabling this policy setting can adversely impact performance during the sign-in process in certain situations. |
-| Notes and resources | Contact the smart card vendor to determine if your smart card and associated CSP support the required behavior. |
+| Item | Description |
+|--|--|
+| Registry key | `ForceReadingAllCertificates` |
+| Default values | No changes per operating system versions Disabled and not configured are equivalent |
+| Policy management | Restart requirement: None Sign off requirement: None Policy conflicts: None
**Important**: Enabling this policy setting can adversely impact performance during the sign-in process in certain situations. |
+| Notes and resources | Contact the smart card vendor to determine if your smart card and associated CSP support the required behavior. |
### Notify user of successful smart card driver installation
-You can use this policy setting to control whether the user sees a confirmation message when a smart card device driver is installed.
+You can use this policy setting to control whether the user sees a confirmation message when a smart card device driver is installed.
-When this policy setting is turned on, the user sees a confirmation message when a smart card device driver is installed.
+When this policy setting is turned on, the user sees a confirmation message when a smart card device driver is installed.
When this setting isn't turned on, the user doesn't see a smart card device driver installation message.
-| **Item** | **Description** |
-|--------------------------------------|------------------------------------------------|
-| Registry key | **ScPnPNotification** |
-| Default values | No changes per operating system versions Disabled and not configured are equivalent |
-| Policy management | Restart requirement: None Sign off requirement: None Policy conflicts: None |
-| Notes and resources | This policy setting applies only to smart card drivers that have passed the Windows Hardware Quality Labs (WHQL) testing process. |
+|--|--|
+| -------------------------------------- | ------------------------------------------------ |
+| Registry key | `ScPnPNotification` |
+| Default values | No changes per operating system versions Disabled and not configured are equivalent |
+| Policy management | Restart requirement: None Sign off requirement: None Policy conflicts: None |
+| Notes and resources | This policy setting applies only to smart card drivers that have passed the Windows Hardware Quality Labs (WHQL) testing process. |
### Prevent plaintext PINs from being returned by Credential Manager
-You can use this policy setting to prevent Credential Manager from returning plaintext PINs.
+You can use this policy setting to prevent Credential Manager from returning plaintext PINs.
> [!NOTE]
-> Credential Manager is controlled by the user on the local computer, and it stores credentials from supported browsers and Windows applications. Credentials are saved in special encrypted folders on the computer under the user's profile.
+> Credential Manager is controlled by the user on the local computer, and it stores credentials from supported browsers and Windows applications. Credentials are saved in special encrypted folders on the computer under the user's profile.
-When this policy setting is turned on, Credential Manager doesn't return a plaintext PIN.
+When this policy setting is turned on, Credential Manager doesn't return a plaintext PIN.
When this setting isn't turned on, Credential Manager can return plaintext PINs.
-| **Item** | **Description** |
-|--------------------------------------|-----------------------------------------------------------------------------------|
-| Registry key | **DisallowPlaintextPin**|
-| Default values | No changes per operating system versions Disabled and not configured are equivalent |
-| Policy management | Restart requirement: None Sign off requirement: None Policy conflicts: None |
-| Notes and resources | If this policy setting is enabled, some smart cards might not work in computers running Windows. Consult the smart card manufacturer to determine whether this policy setting should be enabled. |
+| Item | Description |
+|--|--|
+| Registry key | `DisallowPlaintextPin` |
+| Default values | No changes per operating system versions Disabled and not configured are equivalent |
+| Policy management | Restart requirement: None Sign off requirement: None Policy conflicts: None |
+| Notes and resources | If this policy setting is enabled, some smart cards might not work in computers running Windows. Consult the smart card manufacturer to determine whether this policy setting should be enabled. |
### Reverse the subject name stored in a certificate when displaying
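Review bot: the rebuilt table under "Notify user of successful smart card driver installation" lost its header row: the first two added lines are `|--|--|` followed by `| -------------------------------------- | ------------------------------------------------ |`, which is a delimiter row with nothing above it and a second delimiter row beneath, so the `ScPnPNotification` table will not render. Replace those two lines with `| Item | Description |` and `|--|--|`, as the `ForceReadingAllCertificates` and `DisallowPlaintextPin` tables in this hunk do. Minor: the "Default values" cell still runs two sentences together ("No changes per operating system versions Disabled and not configured are equivalent"); a line break or period between them would help while the tables are being touched anyway.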
@@ -300,13 +268,11 @@ When this policy setting is turned on, the subject name during sign-in appears r
When this policy setting isn't turned on, the subject name appears the same as it's stored in the certificate.
-
-| **Item** | **Description** |
-|--------------------------------------|-------------------------------------------------------------------------------------------------------------|
-| Registry key | **ReverseSubject** |
-| Default values | No changes per operating system versions Disabled and not configured are equivalent |
-| Policy management | Restart requirement: None Sign off requirement: None Policy conflicts: None |
-| Notes and resources | |
+| Item | Description |
+|--|--|
+| Registry key | `ReverseSubject` |
+| Default values | No changes per operating system versions Disabled and not configured are equivalent |
+| Policy management | Restart requirement: None Sign off requirement: None Policy conflicts: None |
### Turn on certificate propagation from smart card
@@ -318,128 +284,123 @@ When this policy setting is turned on, certificate propagation occurs when the u
When this policy setting is turned off, certificate propagation doesn't occur, and the certificates aren't available to applications, like Outlook.
-| **Item** | **Description** |
-|--------------------------------------|----------------|
-| Registry key | **CertPropEnabled**|
-| Default values | No changes per operating system versions Enabled and not configured are equivalent |
+| Item | Description |
+|--|--|
+| Registry key | `CertPropEnabled` |
+| Default values | No changes per operating system versions Enabled and not configured are equivalent |
| Policy management | Restart requirement: None Sign off requirement: None Policy conflicts: This policy setting must be enabled to allow the [Turn on root certificate propagation from smart card](#turn-on-root-certificate-propagation-from-smart-card) setting to work when it is enabled. |
-| Notes and resources | |
### Turn on root certificate propagation from smart card
-You can use this policy setting to manage the root certificate propagation that occurs when a smart card is inserted.
+You can use this policy setting to manage the root certificate propagation that occurs when a smart card is inserted.
> [!NOTE]
-> The certificate propagation service applies when a signed-in user inserts a smart card in a reader that is attached to the computer. This action causes the certificate to be read from the smart card. The certificates are then added to the user's Personal store.
+> The certificate propagation service applies when a signed-in user inserts a smart card in a reader that is attached to the computer. This action causes the certificate to be read from the smart card. The certificates are then added to the user's Personal store.
When this policy setting is turned on, root certificate propagation occurs when the user inserts the smart card.
When this policy setting isn't turned on, root certificate propagation doesn't occur when the user inserts the smart card.
-| **Item** | **Description** |
-|--------------------------------------|---------------------------------------------------------------------------------------------------------|
-| Registry key | **EnableRootCertificate Propagation** |
-| Default values | No changes per operating system versions Enabled and not configured are equivalent |
+| Item | Description |
+|--|--|
+| Registry key | `EnableRootCertificate Propagation` |
+| Default values | No changes per operating system versions Enabled and not configured are equivalent |
| Policy management | Restart requirement: None Sign off requirement: None Policy conflicts: For this policy setting to work, the [Turn on certificate propagation from smart card](#turn-on-certificate-propagation-from-smart-card) policy setting must also be enabled. |
-| Notes and resources | |
+| Notes and resources | |
### Turn on Smart Card Plug and Play service
-You can use this policy setting to control whether Smart Card Plug and Play is enabled.
+You can use this policy setting to control whether Smart Card Plug and Play is enabled.
> [!NOTE]
> Your users can use smart cards from vendors who have published their drivers through Windows Update without needing special middleware. These drivers will be downloaded in the same way as drivers for other devices in Windows. If an appropriate driver isn't available from Windows Update, a PIV-compliant mini driver that's included with any of the supported versions of Windows is used for these cards.
-When this policy setting is turned on, the system attempts to install a smart card device driver the first time a smart card is inserted in a smart card reader.
+When this policy setting is turned on, the system attempts to install a smart card device driver the first time a smart card is inserted in a smart card reader.
When this policy setting isn't turned on, a device driver isn't installed when a smart card is inserted in a smart card reader.
-| **Item** | **Description** |
-|--------------------------------------|------------------------------------------------|
-| Registry key | **EnableScPnP** |
-| Default values | No changes per operating system versions Enabled and not configured are equivalent |
-| Policy management | Restart requirement: None Sign off requirement: None Policy conflicts: None |
-| Notes and resources | This policy setting applies only to smart card drivers that have passed the Windows Hardware Quality Labs (WHQL) testing process. |
+| Item | Description |
+|--|--|
+| Registry key | `EnableScPnP` |
+| Default values | No changes per operating system versions Enabled and not configured are equivalent |
+| Policy management | Restart requirement: None Sign off requirement: None Policy conflicts: None |
+| Notes and resources | This policy setting applies only to smart card drivers that have passed the Windows Hardware Quality Labs (WHQL) testing process. |
## Base CSP and Smart Card KSP registry keys
The following registry keys can be configured for the base cryptography service provider (CSP) and the smart card key storage provider (KSP). The following tables list the keys. All keys use the DWORD type.
-The registry keys for the Base CSP are in the registry in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\Defaults\\Provider\\Microsoft Base Smart Card Crypto Provider**.
+The registry keys for the Base CSP are in the registry in `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Defaults\Provider\Microsoft Base Smart Card Crypto Provider`.
-The registry keys for the smart card KSP are in **HKEY\_LOCAL\_MACHINE\\SYSTEM\\ControlSet001\\Control\\Cryptography\\Providers\\Microsoft Smart Card Key Storage Provider**.
+The registry keys for the smart card KSP are in `HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Cryptography\Providers\Microsoft Smart Card Key Storage Provider`.
-**Registry keys for the base CSP and smart card KSP**
+### Registry keys for the base CSP and smart card KSP
-| **Registry Key** | **Description** |
-|------------------------------------|---------------------------------------------------------------------------------|
-| **AllowPrivateExchangeKeyImport** | A non-zero value allows RSA exchange (for example, encryption) private keys to be imported for use in key archival scenarios. Default value: 00000000 |
-| **AllowPrivateSignatureKeyImport** | A non-zero value allows RSA signature private keys to be imported for use in key archival scenarios. Default value: 00000000 |
-| **DefaultPrivateKeyLenBits** | Defines the default length for private keys, if desired. Default value: 00000400 Default key generation parameter: 1024-bit keys |
-| **RequireOnCardPrivateKeyGen** | This key sets the flag that requires on-card private key generation (default). If this value is set, a key generated on a host can be imported into the smart card. This is used for smart cards that don't support on-card key generation or where key escrow is required. Default value: 00000000 |
-| **TransactionTimeoutMilliseconds** | Default timeout values allow you to specify whether transactions that take an excessive amount of time will fail. Default value: 000005dc The default timeout for holding transactions to the smart card is 1.5 seconds. |
+| Registry Key | Description |
+|--|--|
+| **AllowPrivateExchangeKeyImport** | A non-zero value allows RSA exchange (for example, encryption) private keys to be imported for use in key archival scenarios. Default value: 00000000 |
+| **AllowPrivateSignatureKeyImport** | A non-zero value allows RSA signature private keys to be imported for use in key archival scenarios. Default value: 00000000 |
+| **DefaultPrivateKeyLenBits** | Defines the default length for private keys, if desired. Default value: 00000400 Default key generation parameter: 1024-bit keys |
+| **RequireOnCardPrivateKeyGen** | This key sets the flag that requires on-card private key generation (default). If this value is set, a key generated on a host can be imported into the smart card. This is used for smart cards that don't support on-card key generation or where key escrow is required. Default value: 00000000 |
+| **TransactionTimeoutMilliseconds** | Default timeout values allow you to specify whether transactions that take an excessive amount of time will fail. Default value: 000005dc The default timeout for holding transactions to the smart card is 1.5 seconds. |
-**Additional registry keys for the smart card KSP**
+Additional registry keys for the smart card KSP:
-| **Registry Key** | **Description** |
-|--------------------------------|-----------------------------------------------------|
-| **AllowPrivateECDHEKeyImport** | This value allows Ephemeral Elliptic Curve Diffie-Hellman (ECDHE) private keys to be imported for use in key archival scenarios. Default value: 00000000 |
+| Registry Key | Description |
+|--|--|
+| **AllowPrivateECDHEKeyImport** | This value allows Ephemeral Elliptic Curve Diffie-Hellman (ECDHE) private keys to be imported for use in key archival scenarios. Default value: 00000000 |
| **AllowPrivateECDSAKeyImport** | This value allows Elliptic Curve Digital Signature Algorithm (ECDSA) private keys to be imported for use in key archival scenarios. Default value: 00000000 |
## CRL checking registry keys
The following table lists the keys and the corresponding values to turn off certificate revocation list (CRL) checking at the Key Distribution Center (KDC) or client. To manage CRL checking, you must configure settings for both the KDC and the client.
-**CRL checking registry keys**
-
-| **Registry Key** | **Details** |
-|------------|-----------------------------|
-| **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CCS\\Services\\Kdc\\UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors**| Type = DWORD Value = 1 |
-| **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CCS\\Control\\LSA\\Kerberos\\Parameters\\UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors**| Type = DWORD Value = 1 |
+| Registry Key | Details |
+|--|--|
+| `HKEY_LOCAL_MACHINE\SYSTEM\CCS\Services\Kdc\UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors` | Type = DWORD Value = 1 |
+| `HKEY_LOCAL_MACHINE\SYSTEM\CCS\Control\LSA\Kerberos\Parameters\UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors` | Type = DWORD Value = 1 |
## Additional smart card Group Policy settings and registry keys
In a smart card deployment, additional Group Policy settings can be used to enhance ease-of-use or security. Two of these policy settings that can complement a smart card deployment are:
-- Turning off delegation for computers
+- Turning off delegation for computers
+- Interactive logon: Do not require CTRL+ALT+DEL (not recommended)
-- Interactive logon: Do not require CTRL+ALT+DEL (not recommended)
+The following smart card-related Group Policy settings are in **Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options**.
-The following smart card-related Group Policy settings are in Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options.
+### Local security policy settings
-**Local security policy settings**
-
-| Group Policy setting and registry key | Default | Description |
-|------------------------------------------|------------|---------------|
-| Interactive logon: Require smart card
**scforceoption** | Disabled | This security policy setting requires users to sign in to a computer by using a smart card.
**Enabled** Users can sign in to the computer only by using a smart card. **Disabled** Users can sign in to the computer by using any method. |
-| Interactive logon: Smart card removal behavior
**scremoveoption** | This policy setting isn't defined, which means that the system treats it as **No Action**. | This setting determines what happens when the smart card for a signed-in user is removed from the smart card reader. The options are: **No Action** **Lock Workstation**: The workstation is locked when the smart card is removed, so users can leave the area, take their smart card with them, and still maintain a protected session. **Force Logoff**: The user is automatically signed out when the smart card is removed. **Disconnect if a Remote Desktop Services session**: Removal of the smart card disconnects the session without signing out the user. The user can reinsert the smart card and resume the session later, or at another computer that's equipped with a smart card reader, without having to sign in again. If the session is local, this policy setting functions identically to the **Lock Workstation** option.
**Note**: In earlier versions of Windows Server, Remote Desktop Services was called Terminal Services. |
+| Group Policy setting and registry key | Default | Description |
+|--|--|--|
+| Interactive logon: Require smart card
**scforceoption** | Disabled | This security policy setting requires users to sign in to a computer by using a smart card.
**Enabled** Users can sign in to the computer only by using a smart card. **Disabled** Users can sign in to the computer by using any method.
NOTE: the Windows LAPS-managed local account is exempted from this policy when Enabled. For more information see [Windows LAPS integration with smart card policy](/windows-server/identity/laps/laps-concepts#windows-laps-integration-with-smart-card-policy). |
+| Interactive logon: Smart card removal behavior
**scremoveoption** | This policy setting isn't defined, which means that the system treats it as **No Action**. | This setting determines what happens when the smart card for a signed-in user is removed from the smart card reader. The options are: **No Action** **Lock Workstation**: The workstation is locked when the smart card is removed, so users can leave the area, take their smart card with them, and still maintain a protected session. **Force Logoff**: The user is automatically signed out when the smart card is removed. **Disconnect if a Remote Desktop Services session**: Removal of the smart card disconnects the session without signing out the user. The user can reinsert the smart card and resume the session later, or at another computer that's equipped with a smart card reader, without having to sign in again. If the session is local, this policy setting functions identically to the **Lock Workstation** option. |
From the Local Security Policy Editor (secpol.msc), you can edit and apply system policies to manage credential delegation for local or domain computers.
-The following smart card-related Group Policy settings are in Computer Configuration\\Administrative Templates\\System\\Credentials Delegation.
+The following smart card-related Group Policy settings are in **Computer Configuration\Administrative Templates\System\Credentials Delegation**.
-Registry keys are in **HKEY\_LOCAL\_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\Credssp\\PolicyDefaults**.
+Registry keys are in `HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\Credssp\PolicyDefaults`.
> [!NOTE]
> In the following table, fresh credentials are those that you are prompted for when running an application.
-**Credential delegation policy settings**
+### Credential delegation policy settings
+| Group Policy setting and registry key | Default | Description |
+|--|--|--|
+| Allow Delegating Fresh Credentials
**AllowFreshCredentials** | Not configured | This policy setting applies: When server authentication was achieved through a trusted X509 certificate or Kerberos protocol. To applications that use the CredSSP component (for example, Remote Desktop Services).
**Enabled**: You can specify the servers where the user's fresh credentials can be delegated. **Not configured**: After proper mutual authentication, delegation of fresh credentials is permitted to Remote Desktop Services running on any computer. **Disabled**: Delegation of fresh credentials to any computer isn't permitted.
**Note**: This policy setting can be set to one or more service principal names (SPNs). The SPN represents the target server where the user credentials can be delegated. A single wildcard character is permitted when specifying the SPN, for example: Use \*TERMSRV/\*\* for Remote Desktop Session Host (RD Session Host) running on any computer. Use *TERMSRV/host.humanresources.fabrikam.com* for RD Session Host running on the host.humanresources.fabrikam.com computer. Use *TERMSRV/\*.humanresources.fabrikam.com* for RD Session Host running on all computers in .humanresources.fabrikam.com |
+| Allow Delegating Fresh Credentials with NTLM-only Server Authentication
**AllowFreshCredentialsWhenNTLMOnly** | Not configured | This policy setting applies: When server authentication was achieved by using NTLM. To applications that use the CredSSP component (for example, Remote Desktop).
**Enabled**: You can specify the servers where the user's fresh credentials can be delegated. **Not configured**: After proper mutual authentication, delegation of fresh credentials is permitted to RD Session Host running on any computer (TERMSRV/\*). **Disabled**: Delegation of fresh credentials isn't permitted to any computer.
**Note**: This policy setting can be set to one or more SPNs. The SPN represents the target server where the user credentials can be delegated. A single wildcard character (\*) is permitted when specifying the SPN. See the **Allow Delegating Fresh Credentials** policy setting description for examples. |
+| Deny Delegating Fresh Credentials
**DenyFreshCredentials** | Not configured | This policy setting applies to applications that use the CredSSP component (for example, Remote Desktop).
**Enabled**: You can specify the servers where the user's fresh credentials can't be delegated. **Disabled** or **Not configured**: A server is not specified.
**Note**: This policy setting can be set to one or more SPNs. The SPN represents the target server where the user credentials can't be delegated. A single wildcard character (\*) is permitted when specifying the SPN. For examples, see the "Allow delegating fresh credentials" policy setting. |
-| Group Policy setting and registry key | Default | Description |
-|----------------------------------------------------------------------------------------------------------------------|----------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Allow Delegating Fresh Credentials
**AllowFreshCredentials** | Not configured | This policy setting applies: When server authentication was achieved through a trusted X509 certificate or Kerberos protocol. To applications that use the CredSSP component (for example, Remote Desktop Services).
**Enabled**: You can specify the servers where the user's fresh credentials can be delegated. **Not configured**: After proper mutual authentication, delegation of fresh credentials is permitted to Remote Desktop Services running on any computer. **Disabled**: Delegation of fresh credentials to any computer isn't permitted.
**Note**: This policy setting can be set to one or more service principal names (SPNs). The SPN represents the target server where the user credentials can be delegated. A single wildcard character is permitted when specifying the SPN, for example: Use \*TERMSRV/\*\* for Remote Desktop Session Host (RD Session Host) running on any computer. Use *TERMSRV/host.humanresources.fabrikam.com* for RD Session Host running on the host.humanresources.fabrikam.com computer. Use *TERMSRV/\*.humanresources.fabrikam.com* for RD Session Host running on all computers in .humanresources.fabrikam.com |
-| Allow Delegating Fresh Credentials with NTLM-only Server Authentication
**AllowFreshCredentialsWhenNTLMOnly** | Not configured | This policy setting applies: When server authentication was achieved by using NTLM. To applications that use the CredSSP component (for example, Remote Desktop).
**Enabled**: You can specify the servers where the user's fresh credentials can be delegated. **Not configured**: After proper mutual authentication, delegation of fresh credentials is permitted to RD Session Host running on any computer (TERMSRV/\*). **Disabled**: Delegation of fresh credentials isn't permitted to any computer.
**Note**: This policy setting can be set to one or more SPNs. The SPN represents the target server where the user credentials can be delegated. A single wildcard character (\*) is permitted when specifying the SPN. See the **Allow Delegating Fresh Credentials** policy setting description for examples. |
-| Deny Delegating Fresh Credentials
**DenyFreshCredentials** | Not configured | This policy setting applies to applications that use the CredSSP component (for example, Remote Desktop).
**Enabled**: You can specify the servers where the user's fresh credentials can't be delegated. **Disabled** or **Not configured**: A server is not specified.
**Note**: This policy setting can be set to one or more SPNs. The SPN represents the target server where the user credentials can't be delegated. A single wildcard character (\*) is permitted when specifying the SPN. For examples, see the "Allow delegating fresh credentials" policy setting. |
+If you're using Remote Desktop Services with smart card logon, you can't delegate default and saved credentials. The registry keys in the following table, which are at `HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\Credssp\PolicyDefaults`, and the corresponding Group Policy settings are ignored.
-If you're using Remote Desktop Services with smart card logon, you can't delegate default and saved credentials. The registry keys in the following table, which are at **HKEY\_LOCAL\_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\Credssp\\PolicyDefaults**, and the corresponding Group Policy settings are ignored.
-
-| **Registry key** | **Corresponding Group Policy setting** |
-|-------------------------------------|---------------------------------------------------------------------------|
-| **AllowDefaultCredentials** | Allow Delegating Default Credentials |
+| Registry Key| **Corresponding Group Policy setting** |
+|--|--|
+| **AllowDefaultCredentials** | Allow Delegating Default Credentials |
| **AllowDefaultCredentialsWhenNTLMOnly** | Allow Delegating Default Credentials with NTLM-only Server Authentication |
-| **AllowSavedCredentials** | Allow Delegating Saved Credentials |
-| **AllowSavedCredentialsWhenNTLMOnly** | Allow Delegating Saved Credentials with NTLM-only Server Authentication |
+| **AllowSavedCredentials** | Allow Delegating Saved Credentials |
+| **AllowSavedCredentialsWhenNTLMOnly** | Allow Delegating Saved Credentials with NTLM-only Server Authentication |
## See also
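Review bot: the registry value name at "Turn on root certificate propagation from smart card" is now rendered as a code span with a space inside it, `EnableRootCertificate Propagation`; every other value name in these tables is a single token (`CertPropEnabled`, `EnableScPnP`, `ForceReadingAllCertificates`), so the space looks like a wrap artifact carried over from the old bold form, and in a code span a reader will copy it literally. Please remove the space. Two consistency points in the same hunk: the header of the last table is `| Registry Key| **Corresponding Group Policy setting** |`, which keeps bold on one column and drops the space before the pipe, unlike the other rebuilt headers (`| Item | Description |`, `| Registry Key | Details |`); and the empty `| Notes and resources | |` row is kept for root certificate propagation but removed for `CertPropEnabled` and `ReverseSubject`, so pick one convention for empty rows.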
diff --git a/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md b/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
index 5ad7eb1205..2641967e6d 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
@@ -1,25 +1,19 @@
---
title: How Smart Card Sign-in Works in Windows
description: This topic for IT professional provides links to resources about the implementation of smart card technologies in the Windows operating system.
-ms.reviewer: ardenw
ms.topic: overview
-ms.date: 09/24/2021
+ms.date: 1/06/2023
---
# How Smart Card Sign-in Works in Windows
This topic for IT professional provides links to resources about the implementation of smart card technologies in the Windows operating system. It includes the following resources about the architecture, certificate management, and services that are related to smart card use:
-- [Smart Card Architecture](smart-card-architecture.md): Learn about enabling communications with smart cards and smart card readers, which can be different according to the vendor that supplies them.
+- [Smart Card Architecture](smart-card-architecture.md): Learn about enabling communications with smart cards and smart card readers, which can be different according to the vendor that supplies them
+- [Certificate Requirements and Enumeration](smart-card-certificate-requirements-and-enumeration.md): Learn about requirements for smart card certificates based on the operating system, and about the operations that are performed by the operating system when a smart card is inserted into the computer
+- [Smart Card and Remote Desktop Services](smart-card-and-remote-desktop-services.md): Learn about using smart cards for remote desktop connections
+- [Smart Cards for Windows Service](smart-card-smart-cards-for-windows-service.md): Learn about how the Smart Cards for Windows service is implemented
+- [Certificate Propagation Service](smart-card-certificate-propagation-service.md): Learn about how the certificate propagation service works when a smart card is inserted into a computer
+- [Smart Card Removal Policy Service](smart-card-removal-policy-service.md): Learn about using Group Policy to control what happens when a user removes a smart card
-- [Certificate Requirements and Enumeration](smart-card-certificate-requirements-and-enumeration.md): Learn about requirements for smart card certificates based on the operating system, and about the operations that are performed by the operating system when a smart card is inserted into the computer.
-
-- [Smart Card and Remote Desktop Services](smart-card-and-remote-desktop-services.md): Learn about using smart cards for remote desktop connections.
-
-- [Smart Cards for Windows Service](smart-card-smart-cards-for-windows-service.md): Learn about how the Smart Cards for Windows service is implemented.
-
-- [Certificate Propagation Service](smart-card-certificate-propagation-service.md): Learn about how the certificate propagation service works when a smart card is inserted into a computer.
-
-- [Smart Card Removal Policy Service](smart-card-removal-policy-service.md): Learn about using Group Policy to control what happens when a user removes a smart card.
-
-[!INCLUDE [smart-cards-for-windows-service](../../../../includes/licensing/smart-cards-for-windows-service.md)]
\ No newline at end of file
+[!INCLUDE [smart-cards-for-windows-service](../../../../includes/licensing/smart-cards-for-windows-service.md)]
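Review bot: `ms.date: 1/06/2023` is not zero-padded, while the other front-matter dates in this set use MM/DD/YYYY (`ms.date: 09/24/2021` in the next file); use `01/06/2023`, and confirm the month and year are the intended ones, since a single-digit month is easy to mistype. The rest of the hunk (dropping trailing periods from the list items, removing the blank lines between them, and fixing the missing newline at end of file) is fine.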
diff --git a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md
index 4b9fd9a3fd..616ea96b49 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md
@@ -1,7 +1,6 @@
---
title: Smart Card Removal Policy Service
description: This topic for the IT professional describes the role of the removal policy service (ScPolicySvc) in smart card implementation.
-ms.reviewer: ardenw
ms.topic: concept-article
ms.date: 09/24/2021
---
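Review bot: `ms.date` on the unchanged context line (`ms.date: 09/24/2021`) should be bumped in this hunk, since the same PR updates the body of this file below and bumps `ms.date` to `11/06/2023` in the sibling pages (`smart-card-smart-cards-for-windows-service.md`, `smart-card-tools-and-settings.md`, `smart-card-windows-smart-card-technical-reference.md`). Removing `ms.reviewer: ardenw` alone is fine, but leaving the old date makes this the one touched page in the set that still claims a 2021 revision.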
@@ -12,19 +11,14 @@ This topic for the IT professional describes the role of the removal policy serv
The smart card removal policy service is applicable when a user has signed in with a smart card and then removes that smart card from the reader. The action that is performed when the smart card is removed is controlled by Group Policy settings. For more information, see [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md).
-**Smart card removal policy service**
-

The numbers in the previous figure represent the following actions:
-1. Winlogon is not directly involved in monitoring for smart card removal events. The sequence of steps that are involved when a smart card is removed begins with the smart card credential provider in the sign-in UI process. When a user successfully signs in with a smart card, the smart card credential provider captures the reader name. This information is then stored in the registry with the session identifier where the sign-in was initiated.
-
-2. The smart card resource manager service notifies the smart card removal policy service that a sign-in has occurred.
-
-3. ScPolicySvc retrieves the smart card information that the smart card credential provider stored in the registry. This call is redirected if the user is in a remote session. If the smart card is removed, ScPolicySvc is notified.
-
-4. ScPolicySvc calls Remote Desktop Services to take the appropriate action if the request is to sign out the user or to disconnect the user's session, which might result in data loss. If the setting is configured to lock the computer when the smart card is removed, ScPolicySvc sends a message to Winlogon to lock the computer.
+1. Winlogon isn't directly involved in monitoring for smart card removal events. The sequence of steps that are involved when a smart card is removed begins with the smart card credential provider in the sign-in UI process. When a user successfully signs in with a smart card, the smart card credential provider captures the reader name. This information is then stored in the registry with the session identifier where the sign-in was initiated.
+1. The smart card resource manager service notifies the smart card removal policy service that a sign-in has occurred.
+1. ScPolicySvc retrieves the smart card information that the smart card credential provider stored in the registry. This call is redirected if the user is in a remote session. If the smart card is removed, ScPolicySvc is notified.
+1. ScPolicySvc calls Remote Desktop Services to take the appropriate action if the request is to sign out the user or to disconnect the user's session, which might result in data loss. If the setting is configured to lock the computer when the smart card is removed, ScPolicySvc sends a message to Winlogon to lock the computer.
## See also
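Review bot: dropping the bold caption line `**Smart card removal policy service**` leaves the figure that follows with no visible title, while the next sentence still says "The numbers in the previous figure represent the following actions". Confirm the image's alt text names the figure and its numbered callouts, or keep a caption in the form the other pages in this reference use. The switch to all-`1.` numbering for the four steps is fine and matches the list style used in the rest of the PR.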
diff --git a/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md b/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md
index 2604d84270..6d468b9bda 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md
@@ -1,9 +1,8 @@
---
title: Smart Cards for Windows Service
description: This topic for the IT professional and smart card developers describes how the Smart Cards for Windows service manages readers and application interactions.
-ms.reviewer: ardenw
ms.topic: concept-article
-ms.date: 09/24/2021
+ms.date: 11/06/2023
---
# Smart Cards for Windows Service
@@ -69,34 +68,31 @@ The Smart Cards for Windows service runs in the context of a local service, and
```
-> **Note** For winscard.dll to be invoked as the proper class installer, the INF file for a smart card reader must specify the following for **Class** and **ClassGUID**:
-`Class=SmartCardReader` `ClassGuid={50DD5230-BA8A-11D1-BF5D-0000F805F530}`
+> [!NOTE]
+> For winscard.dll to be invoked as the proper class installer, the INF file for a smart card reader must specify the following for **Class** and **ClassGUID**:
+>
+> `Class=SmartCardReader`
+> `ClassGuid={50DD5230-BA8A-11D1-BF5D-0000F805F530}`
By default, the service is configured for manual mode. Creators of smart card reader drivers must configure their INFs so that they start the service automatically and winscard.dll files call a predefined entry point to start the service during installation. The entry point is defined as part of the **SmartCardReader** class, and it is not called directly. If a device advertises itself as part of this class, the entry point is automatically invoked to start the service when the device is inserted. Using this method ensures that the service is enabled when it is needed, but it is also disabled for users who do not use smart cards.
When the service is started, it performs several functions:
-1. It registers itself for service notifications.
+1. It registers itself for service notifications
+1. It registers itself for Plug and Play (PnP) notifications related to device removal and additions
+1. It initializes its data cache and a global event that signals that the service has started
-2. It registers itself for Plug and Play (PnP) notifications related to device removal and additions.
-
-3. It initializes its data cache and a global event that signals that the service has started.
-
-> **Note** For smart card implementations, consider sending all communications in Windows operating systems with smart card readers through the Smart Cards for Windows service. This provides an interface to track, select, and communicate with all drivers that declare themselves members of the smart card reader device group.
+> [!NOTE]
+> For smart card implementations, consider sending all communications in Windows operating systems with smart card readers through the Smart Cards for Windows service. This provides an interface to track, select, and communicate with all drivers that declare themselves members of the smart card reader device group.
The Smart Cards for Windows service categorizes each smart card reader slot as a unique reader, and each slot is also managed separately, regardless of the device's physical characteristics. The Smart Cards for Windows service handles the following high-level actions:
-- Device introduction
-
-- Reader initialization
-
-- Notifying clients of new readers
-
-- Serializing access to readers
-
-- Smart card access
-
-- Tunneling of reader-specific commands
+- Device introduction
+- Reader initialization
+- Notifying clients of new readers
+- Serializing access to readers
+- Smart card access
+- Tunneling of reader-specific commands
## See also
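Review bot: the two code spans in the rewritten note, `> `Class=SmartCardReader`` followed directly by `> `ClassGuid={50DD5230-BA8A-11D1-BF5D-0000F805F530}``, will still be joined into one paragraph when rendered, because adjacent lines inside a blockquote without a blank `>` line between them collapse into one line; that is the same layout problem the old single-line note had. Either insert an empty `>` line between them, turn them into two `> -` bullets, or put both keys in a fenced block inside the note, which is also what a driver author would paste into an INF. While you're here, "winscard.dll files call a predefined entry point" in the following paragraph reads as though the DLL is plural; "winscard.dll calls" would be clearer.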
diff --git a/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md b/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md
index f18465fff3..737d2d83fc 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-tools-and-settings.md
@@ -1,9 +1,8 @@
---
title: Smart Card Tools and Settings
description: This topic for the IT professional and smart card developer links to information about smart card debugging, settings, and events.
-ms.reviewer: ardenw
ms.topic: conceptual
-ms.date: 09/24/2021
+ms.date: 11/06/2023
---
# Smart Card Tools and Settings
@@ -12,11 +11,9 @@ This topic for the IT professional and smart card developer links to information
This section of the Smart Card Technical Reference contains information about the following:
-- [Smart Cards Debugging Information](smart-card-debugging-information.md): Learn about tools and services in supported versions of Windows to help identify certificate issues.
-
-- [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md): Learn about smart card-related Group Policy settings and registry keys that can be set on a per-computer basis, including how to edit and apply Group Policy settings to local or domain computers.
-
-- [Smart Card Events](smart-card-events.md): Learn about events that can be used to manage smart cards in an organization, including how to monitor installation, use, and errors.
+- [Smart Cards Debugging Information](smart-card-debugging-information.md): Learn about tools and services in supported versions of Windows to help identify certificate issues
+- [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md): Learn about smart card-related Group Policy settings and registry keys that can be set on a per-computer basis, including how to edit and apply Group Policy settings to local or domain computers
+- [Smart Card Events](smart-card-events.md): Learn about events that can be used to manage smart cards in an organization, including how to monitor installation, use, and errors
## See also
diff --git a/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md b/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
index a7e5247fcc..b832cf3024 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
@@ -1,9 +1,8 @@
---
title: Smart Card Technical Reference
description: Learn about the Windows smart card infrastructure for physical smart cards, and how smart card-related components work in Windows.
-ms.reviewer: ardenw
-ms.topic: reference
-ms.date: 09/24/2021
+ms.topic: overview
+ms.date: 11/06/2023
---
# Smart Card Technical Reference
@@ -14,9 +13,8 @@ The Smart Card Technical Reference describes the Windows smart card infrastructu
This document explains how the Windows smart card infrastructure works. To understand this information, you should have basic knowledge of public key infrastructure (PKI) and smart card concepts. This document is intended for:
-- Enterprise IT developers, managers, and staff who are planning to deploy or are using smart cards in their organization.
-
-- Smart card vendors who write smart card minidrivers or credential providers.
+- Enterprise IT developers, managers, and staff who are planning to deploy or are using smart cards in their organization.
+- Smart card vendors who write smart card minidrivers or credential providers.
## What are smart cards?
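Review bot: the two audience bullets (`- Enterprise IT developers, managers, and staff ...` and `- Smart card vendors who write smart card minidrivers or credential providers.`) are re-emitted as changed lines but are character-for-character identical to the removed ones, so this hunk is a blank-line removal only. Since the lines are being touched anyway, drop the trailing periods to match the convention applied to every other bullet list in this PR, including the "Smart cards provide" list a few lines further down in the same file.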
@@ -24,40 +22,28 @@ Smart cards are tamper-resistant portable storage devices that can enhance the s
Smart cards provide:
-- Tamper-resistant storage for protecting private keys and other forms of personal information.
-
-- Isolation of security-critical computations that involve authentication, digital signatures, and key exchange from other parts of the computer. These computations are performed on the smart card.
-
-- Portability of credentials and other private information between computers at work, home, or on the road.
+- Tamper-resistant storage for protecting private keys and other forms of personal information
+- Isolation of security-critical computations that involve authentication, digital signatures, and key exchange from other parts of the computer. These computations are performed on the smart card
+- Portability of credentials and other private information between computers at work, home, or on the road
Smart cards can be used to sign in to domain accounts only, not local accounts. When you use a password to sign in interactively to a domain account, Windows uses the Kerberos version 5 (v5) protocol for authentication. If you use a smart card, the operating system uses Kerberos v5 authentication with X.509 v3 certificates.
-**Virtual smart cards** were introduced in Windows Server 2012 and Windows 8 to alleviate the need for a physical smart card, the smart card reader, and the associated administration of that hardware.
+Virtual smart cards were introduced to alleviate the need for a physical smart card, the smart card reader, and the associated administration of that hardware.
[!INCLUDE [virtual-smart-card-deprecation-notice](../../includes/virtual-smart-card-deprecation-notice.md)]
## In this technical reference
-This reference contains the following topics.
+This reference contains the following topics:
-- [How Smart Card Sign-in Works in Windows](smart-card-how-smart-card-sign-in-works-in-windows.md)
-
- - [Smart Card Architecture](smart-card-architecture.md)
-
- - [Certificate Requirements and Enumeration](smart-card-certificate-requirements-and-enumeration.md)
-
- - [Smart Card and Remote Desktop Services](smart-card-and-remote-desktop-services.md)
-
- - [Smart Cards for Windows Service](smart-card-smart-cards-for-windows-service.md)
-
- - [Certificate Propagation Service](smart-card-certificate-propagation-service.md)
-
- - [Smart Card Removal Policy Service](smart-card-removal-policy-service.md)
-
-- [Smart Card Tools and Settings](smart-card-tools-and-settings.md)
-
- - [Smart Cards Debugging Information](smart-card-debugging-information.md)
-
- - [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md)
-
- - [Smart Card Events](smart-card-events.md)
+- [How Smart Card Sign-in Works in Windows](smart-card-how-smart-card-sign-in-works-in-windows.md)
+ - [Smart Card Architecture](smart-card-architecture.md)
+ - [Certificate Requirements and Enumeration](smart-card-certificate-requirements-and-enumeration.md)
+ - [Smart Card and Remote Desktop Services](smart-card-and-remote-desktop-services.md)
+ - [Smart Cards for Windows Service](smart-card-smart-cards-for-windows-service.md)
+ - [Certificate Propagation Service](smart-card-certificate-propagation-service.md)
+ - [Smart Card Removal Policy Service](smart-card-removal-policy-service.md)
+- [Smart Card Tools and Settings](smart-card-tools-and-settings.md)
+ - [Smart Cards Debugging Information](smart-card-debugging-information.md)
+ - [Smart Card Group Policy and Registry Settings](smart-card-group-policy-and-registry-settings.md)
+ - [Smart Card Events](smart-card-events.md)
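Review bot: the rewrite of the virtual smart card sentence removes "introduced in Windows Server 2012 and Windows 8", which is the only place this page told the reader which OS versions have the feature; the deprecation include that follows makes that version context more useful, not less. Suggest keeping the version reference, for example "Virtual smart cards were introduced in Windows Server 2012 and Windows 8 to alleviate the need for ...", or making sure the `virtual-smart-card-deprecation-notice` include states the supported range. The nested "In this technical reference" list reads well with the blank lines removed.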
diff --git a/windows/security/identity-protection/smart-cards/toc.yml b/windows/security/identity-protection/smart-cards/toc.yml
index 0d82f8c3a7..bca4cb0bbd 100644
--- a/windows/security/identity-protection/smart-cards/toc.yml
+++ b/windows/security/identity-protection/smart-cards/toc.yml
@@ -1,28 +1,27 @@
items:
-- name: Smart Card Technical Reference
+- name: Smart card technical reference
href: smart-card-windows-smart-card-technical-reference.md
+- name: How smart card sign-in works
+ href: smart-card-how-smart-card-sign-in-works-in-windows.md
items:
- - name: How Smart Card Sign-in Works in Windows
- href: smart-card-how-smart-card-sign-in-works-in-windows.md
- items:
- - name: Smart Card Architecture
- href: smart-card-architecture.md
- - name: Certificate Requirements and Enumeration
- href: smart-card-certificate-requirements-and-enumeration.md
- - name: Smart Card and Remote Desktop Services
- href: smart-card-and-remote-desktop-services.md
- - name: Smart Cards for Windows Service
- href: smart-card-smart-cards-for-windows-service.md
- - name: Certificate Propagation Service
- href: smart-card-certificate-propagation-service.md
- - name: Smart Card Removal Policy Service
- href: smart-card-removal-policy-service.md
- - name: Smart Card Tools and Settings
- href: smart-card-tools-and-settings.md
- items:
- - name: Smart Cards Debugging Information
- href: smart-card-debugging-information.md
- - name: Smart Card Group Policy and Registry Settings
- href: smart-card-group-policy-and-registry-settings.md
- - name: Smart Card Events
- href: smart-card-events.md
\ No newline at end of file
+ - name: Smart card architecture
+ href: smart-card-architecture.md
+ - name: Certificate requirements and enumeration
+ href: smart-card-certificate-requirements-and-enumeration.md
+ - name: Smart card and Remote Desktop Services
+ href: smart-card-and-remote-desktop-services.md
+ - name: Smart cards for Windows Service
+ href: smart-card-smart-cards-for-windows-service.md
+ - name: Certificate Propagation Service
+ href: smart-card-certificate-propagation-service.md
+ - name: Smart card Removal Policy Service
+ href: smart-card-removal-policy-service.md
+- name: Smart Card tools and settings
+ href: smart-card-tools-and-settings.md
+ items:
+ - name: Smart cards debugging information
+ href: smart-card-debugging-information.md
+ - name: Smart card group policy and registry settings
+ href: smart-card-group-policy-and-registry-settings.md
+ - name: Smart card events
+ href: smart-card-events.md
\ No newline at end of file
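Review bot: the new TOC entries mix casing. `Smart cards for Windows Service`, `Smart card Removal Policy Service` and `Smart Card tools and settings` sit next to sentence-case entries such as `Smart card technical reference`, `Smart card architecture` and `Smart cards debugging information`. Pick one rule: sentence case for topics and title case only for actual service names, which would give `Smart Cards for Windows service`, `Smart card removal policy service` and `Smart card tools and settings` (and `Certificate Propagation Service` can stay as a proper name). The file also still ends without a trailing newline on both sides of the diff; worth fixing while the file is being rewritten.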
diff --git a/windows/security/identity-protection/virtual-smart-cards/images/virtual-smart-card-icon.svg b/windows/security/identity-protection/virtual-smart-cards/images/virtual-smart-card-icon.svg
new file mode 100644
index 0000000000..02fb8d7434
--- /dev/null
+++ b/windows/security/identity-protection/virtual-smart-cards/images/virtual-smart-card-icon.svg
@@ -0,0 +1,4 @@
+
diff --git a/windows/security/identity-protection/virtual-smart-cards/images/vsc-02-mmc-add-snap-in.png b/windows/security/identity-protection/virtual-smart-cards/images/vsc-02-mmc-add-snap-in.png
deleted file mode 100644
index 2d626ecf94..0000000000
Binary files a/windows/security/identity-protection/virtual-smart-cards/images/vsc-02-mmc-add-snap-in.png and /dev/null differ
diff --git a/windows/security/identity-protection/virtual-smart-cards/images/vsc-03-add-certificate-templates-snap-in.png b/windows/security/identity-protection/virtual-smart-cards/images/vsc-03-add-certificate-templates-snap-in.png
deleted file mode 100644
index e5c40ce136..0000000000
Binary files a/windows/security/identity-protection/virtual-smart-cards/images/vsc-03-add-certificate-templates-snap-in.png and /dev/null differ
diff --git a/windows/security/identity-protection/virtual-smart-cards/images/vsc-04-right-click-smartcard-logon-template.png b/windows/security/identity-protection/virtual-smart-cards/images/vsc-04-right-click-smartcard-logon-template.png
deleted file mode 100644
index b6fa6b75ba..0000000000
Binary files a/windows/security/identity-protection/virtual-smart-cards/images/vsc-04-right-click-smartcard-logon-template.png and /dev/null differ
diff --git a/windows/security/identity-protection/virtual-smart-cards/images/vsc-05-certificate-template-compatibility.png b/windows/security/identity-protection/virtual-smart-cards/images/vsc-05-certificate-template-compatibility.png
deleted file mode 100644
index 110fb05099..0000000000
Binary files a/windows/security/identity-protection/virtual-smart-cards/images/vsc-05-certificate-template-compatibility.png and /dev/null differ
diff --git a/windows/security/identity-protection/virtual-smart-cards/images/vsc-06-add-certification-authority-snap-in.png b/windows/security/identity-protection/virtual-smart-cards/images/vsc-06-add-certification-authority-snap-in.png
deleted file mode 100644
index f770d2f259..0000000000
Binary files a/windows/security/identity-protection/virtual-smart-cards/images/vsc-06-add-certification-authority-snap-in.png and /dev/null differ
diff --git a/windows/security/identity-protection/virtual-smart-cards/images/vsc-07-right-click-certificate-templates.png b/windows/security/identity-protection/virtual-smart-cards/images/vsc-07-right-click-certificate-templates.png
deleted file mode 100644
index 893abc8f34..0000000000
Binary files a/windows/security/identity-protection/virtual-smart-cards/images/vsc-07-right-click-certificate-templates.png and /dev/null differ
diff --git a/windows/security/identity-protection/virtual-smart-cards/images/vsc-08-enable-certificate-template.png b/windows/security/identity-protection/virtual-smart-cards/images/vsc-08-enable-certificate-template.png
deleted file mode 100644
index f060ca7e3e..0000000000
Binary files a/windows/security/identity-protection/virtual-smart-cards/images/vsc-08-enable-certificate-template.png and /dev/null differ
diff --git a/windows/security/identity-protection/virtual-smart-cards/images/vsc-09-stop-service-start-service.png b/windows/security/identity-protection/virtual-smart-cards/images/vsc-09-stop-service-start-service.png
deleted file mode 100644
index 4f3a65766f..0000000000
Binary files a/windows/security/identity-protection/virtual-smart-cards/images/vsc-09-stop-service-start-service.png and /dev/null differ
diff --git a/windows/security/identity-protection/virtual-smart-cards/images/vsc-10-cmd-run-as-administrator.png b/windows/security/identity-protection/virtual-smart-cards/images/vsc-10-cmd-run-as-administrator.png
deleted file mode 100644
index b9a6538540..0000000000
Binary files a/windows/security/identity-protection/virtual-smart-cards/images/vsc-10-cmd-run-as-administrator.png and /dev/null differ
diff --git a/windows/security/identity-protection/virtual-smart-cards/images/vsc-11-certificates-request-new-certificate.png b/windows/security/identity-protection/virtual-smart-cards/images/vsc-11-certificates-request-new-certificate.png
deleted file mode 100644
index 4eeba26de7..0000000000
Binary files a/windows/security/identity-protection/virtual-smart-cards/images/vsc-11-certificates-request-new-certificate.png and /dev/null differ
diff --git a/windows/security/identity-protection/virtual-smart-cards/images/vsc-12-certificate-enrollment-select-certificate.png b/windows/security/identity-protection/virtual-smart-cards/images/vsc-12-certificate-enrollment-select-certificate.png
deleted file mode 100644
index b8fb5e9635..0000000000
Binary files a/windows/security/identity-protection/virtual-smart-cards/images/vsc-12-certificate-enrollment-select-certificate.png and /dev/null differ
diff --git a/windows/security/identity-protection/virtual-smart-cards/images/vsc-virtual-smart-card-icon.png b/windows/security/identity-protection/virtual-smart-cards/images/vsc-virtual-smart-card-icon.png
deleted file mode 100644
index 4614d7684b..0000000000
Binary files a/windows/security/identity-protection/virtual-smart-cards/images/vsc-virtual-smart-card-icon.png and /dev/null differ
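Review bot: twelve PNGs under `virtual-smart-cards/images/` are deleted (`vsc-02-mmc-add-snap-in.png` through `vsc-12-certificate-enrollment-select-certificate.png` and `vsc-virtual-smart-card-icon.png`), and `virtual-smart-card-icon.svg` is added, but none of the markdown hunks in this diff remove or replace image references to those files. Confirm that the pages which used these screenshots (the get-started and deploy topics in this folder) no longer reference them, otherwise the build will report broken image links, and that the new SVG is actually referenced somewhere.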
diff --git a/windows/security/identity-protection/virtual-smart-cards/toc.yml b/windows/security/identity-protection/virtual-smart-cards/toc.yml
index 68842b6001..0eec1122c0 100644
--- a/windows/security/identity-protection/virtual-smart-cards/toc.yml
+++ b/windows/security/identity-protection/virtual-smart-cards/toc.yml
@@ -1,17 +1,15 @@
items:
- name: Virtual Smart Card overview
href: virtual-smart-card-overview.md
- items:
- - name: Understand and evaluate virtual smart cards
- href: virtual-smart-card-understanding-and-evaluating.md
- items:
- - name: Get started with virtual smart cards
- href: virtual-smart-card-get-started.md
- - name: Use virtual smart cards
- href: virtual-smart-card-use-virtual-smart-cards.md
- - name: Deploy virtual smart cards
- href: virtual-smart-card-deploy-virtual-smart-cards.md
- - name: Evaluate virtual smart card security
- href: virtual-smart-card-evaluate-security.md
- - name: Tpmvscmgr
- href: virtual-smart-card-tpmvscmgr.md
\ No newline at end of file
+- name: Understand and evaluate virtual smart cards
+ href: virtual-smart-card-understanding-and-evaluating.md
+- name: Get started with virtual smart cards
+ href: virtual-smart-card-get-started.md
+- name: Use virtual smart cards
+ href: virtual-smart-card-use-virtual-smart-cards.md
+- name: Deploy virtual smart cards
+ href: virtual-smart-card-deploy-virtual-smart-cards.md
+- name: Evaluate virtual smart card security
+ href: virtual-smart-card-evaluate-security.md
+- name: Tpmvscmgr
+ href: virtual-smart-card-tpmvscmgr.md
\ No newline at end of file
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md
index b20f03522b..9b7ee29239 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md
@@ -2,7 +2,7 @@
title: Deploy Virtual Smart Cards
description: Learn about what to consider when deploying a virtual smart card authentication solution
ms.topic: conceptual
-ms.date: 02/22/2023
+ms.date: 11/06/2023
---
# Deploy Virtual Smart Cards
@@ -19,11 +19,9 @@ A device manufacturer creates physical devices, and then an organization purchas
This topic contains information about the following phases in a virtual smart card lifecycle:
-- [Create and personalize virtual smart cards](#create-and-personalize-virtual-smart-cards)
-
-- [Provision virtual smart cards](#provision-virtual-smart-cards)
-
-- [Maintain virtual smart cards](#maintain-virtual-smart-cards)
+- [Create and personalize virtual smart cards](#create-and-personalize-virtual-smart-cards)
+- [Provision virtual smart cards](#provision-virtual-smart-cards)
+- [Maintain virtual smart cards](#maintain-virtual-smart-cards)
## Create and personalize virtual smart cards
@@ -54,9 +52,7 @@ A virtual smart card appears within the operating system as a physical smart car
- **Non-exportability**: Because all private information on the virtual smart card is encrypted by using the TPM on the host computer, it can't be used on a different computer with a different TPM. Additionally, TPMs are designed to be tamper-resistant and non-exportable, so a malicious user can't reverse engineer an identical TPM or install the same TPM on a different computer.
For more information, see [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md).
-
- **Isolated cryptography**: TPMs provide the same properties of isolated cryptography that is offered by physical smart cards, which is utilized by virtual smart cards. Unencrypted copies of private keys are loaded only within the TPM and never into memory that is accessible by the operating system. All cryptographic operations with these private keys occur inside the TPM.
-
- **Anti-hammering**: If a user enters a PIN incorrectly, the virtual smart card responds by using the anti-hammering logic of the TPM, which rejects further attempts for some time instead of blocking the card. This is also known as lockout.
For more information, see [Blocked virtual smart card](#blocked-virtual-smart-card) and [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md).
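Review bot: removing the blank lines between the `**Non-exportability**`, `**Isolated cryptography**` and `**Anti-hammering**` items while two of those items still carry an indented continuation paragraph ("For more information, see ...") produces a list that is part tight and part loose, which Markdown renderers handle inconsistently. For this list keep the blank lines between items (or move the "For more information" sentences into the item's first paragraph), rather than applying the tight-list rule used for the plain one-line lists elsewhere in the PR.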
@@ -70,12 +66,9 @@ During virtual smart card personalization, the values for the administrator key,
Because the administrator key is critical to the security of the card, it's important to consider the deployment environment and decide on the proper administrator key setting strategy. Options for these strategies include:
-- **Uniform**: Administrator keys for all the virtual smart cards deployed in the organization are the same. Although using the same key makes the maintenance infrastructure easy (only one key needs to be stored), it's highly insecure. This strategy might be sufficient for small organizations, but if the administrator key is compromised, all virtual smart cards that use the key must be reissued.
-
-- **Random, not stored**: Administrator keys are assigned randomly for all virtual smart cards, and they aren't recorded. This is a valid option if the deployment administrators don't require the ability to reset PINs, and instead prefer to delete and reissue virtual smart cards. This is a viable strategy if the administrator prefers to set PUK values for the virtual smart cards and then use this value to reset PINs, if necessary.
-
-- **Random, stored**: you assign the administrator keys randomly, storing them in a central location. Each card's security is independent of the others. This is a secure strategy on a large scale, unless the administrator key database is compromised.
-
+- **Uniform**: Administrator keys for all the virtual smart cards deployed in the organization are the same. Although using the same key makes the maintenance infrastructure easy (only one key needs to be stored), it's highly insecure. This strategy might be sufficient for small organizations, but if the administrator key is compromised, all virtual smart cards that use the key must be reissued
+- **Random, not stored**: Administrator keys are assigned randomly for all virtual smart cards, and they aren't recorded. This is a valid option if the deployment administrators don't require the ability to reset PINs, and instead prefer to delete and reissue virtual smart cards. This is a viable strategy if the administrator prefers to set PUK values for the virtual smart cards and then use this value to reset PINs, if necessary
+- **Random, stored**: you assign the administrator keys randomly, storing them in a central location. Each card's security is independent of the others. This is a secure strategy on a large scale, unless the administrator key database is compromised
- **Deterministic**: Administrator keys are the result of some function or known information. For example, the user ID could be used to randomly generate data that can be further processed through a symmetric encryption algorithm by using a secret. This administrator key can be similarly regenerated when needed, and it doesn't need to be stored. The security of this method relies on the security of the secret used.
Although the PUK and the administrator key methodologies provide unlocking and resetting functionality, they do so in different ways. The PUK is a PIN that is entered on the computer to enable a user PIN reset.
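Review bot: the `**Deterministic**` item is unchanged context and keeps its trailing period, while the three items above it were rewritten to drop theirs, so the list is now inconsistent; touch that line too. More importantly, the rewritten `**Uniform**` item says the strategy is "highly insecure" and in the next sentence that it "might be sufficient for small organizations"; since a shared administrator key means one compromise forces reissuing every card, as the same sentence says, consider qualifying the second clause (for example, only where cards can be reissued cheaply) so the two halves do not contradict each other.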
@@ -112,9 +105,8 @@ You can use APIs to build Microsoft Store apps that you can use to manage the fu
When a device or computer isn't joined to a domain, the TPM ownerAuth is stored in the registry under HKEY\_LOCAL\_MACHINE. This exposes some threats. Most of the threat vectors are protected by BitLocker, but threats that aren't protected include:
-- A malicious user possesses a device that has an active local sign-in session before the device locks. The malicious user could attempt a brute-force attack on the virtual smart card PIN, and then access the corporate secrets.
-
-- A malicious user possesses a device that has an active virtual private network (VPN) session. The device is then compromised.
+- A malicious user possesses a device that has an active local sign-in session before the device locks. The malicious user could attempt a brute-force attack on the virtual smart card PIN, and then access the corporate secrets
+- A malicious user possesses a device that has an active virtual private network (VPN) session. The device is then compromised
The proposed mitigation for the previous scenarios is to use Exchange ActiveSync (EAS) policies to reduce the automatic lockout time from five minutes to 30 seconds of inactivity. You can set policies for automatic lockout while provisioning virtual smart cards. If an organization wants more security, they can also configure a setting to remove the ownerAuth from the local device.
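Review bot: the second threat bullet ends at "The device is then compromised" without stating what the attacker gains, whereas the first bullet spells out the consequence ("and then access the corporate secrets"); since the line is being rewritten, finish the thought the same way (the active VPN session gives the attacker the network access the virtual smart card was protecting). Also, the preceding context line still escapes the registry hive as `HKEY\_LOCAL\_MACHINE`; elsewhere in this PR paths were moved into code spans (for example `ROOT\SMARTCARDREADER\0000`), so `HKEY_LOCAL_MACHINE` in backticks would be consistent.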
@@ -165,7 +157,7 @@ Similar to physical smart cards, virtual smart cards require certificate enrollm
#### Certificate issuance
-Users can enroll for certificates from within a remote desktop session that is established to provision the card. This process can also be managed by the smart card management tool that the user runs through the remote desktop connection. This model works for deployments that require the user to sign a request for enrollment by using a physical smart card. The driver for the physical smart card doesn't need to be installed on the client computer if it's installed on the remote computer. This is made possible by smart card redirection functionality that was introduced in Windows Server 2003, which ensures that smart cards that are connected to the client computer are available for use during a remote session.
+Users can enroll for certificates from within a remote desktop session that is established to provision the card. This process can also be managed by the smart card management tool that the user runs through the remote desktop connection. This model works for deployments that require the user to sign a request for enrollment by using a physical smart card. The driver for the physical smart card doesn't need to be installed on the client computer if it's installed on the remote computer. This is made possible by smart card redirection functionality, which ensures that smart cards that are connected to the client computer are available for use during a remote session.
Alternatively, without establishing a remote desktop connection, users can enroll for certificates from the Certificate Management console (certmgr.msc) on a client computer. Users can also create a request and submit it to a server from within a custom certificate enrollment application (for example, a registration authority) that has controlled access to the certification authority (CA). This requires specific enterprise configuration and deployments for Certificate Enrollment Policies (CEP) and Certificate Enrollment Services (CES).
@@ -189,11 +181,11 @@ This command creates a card with a randomized administrator key. The key is auto
`tpmvscmgr.exe destroy /instance `
-where <instance ID> is the value that is printed on the screen when the user creates the card. Specifically, for the first card created, the instance ID is ROOT\\SMARTCARDREADER\\0000).
+where `` is the value that is printed on the screen when the user creates the card. Specifically, for the first card created, the instance ID is `ROOT\SMARTCARDREADER\0000`.
### Certificate management for unmanaged cards
-Depending on the security requirements that are unique to an organization, users can initially enroll for certificates from the certificate management console (certmgr.msc) or from within custom certificate enrollment applications. The latter method can create a request and submit it to a server that has access to the Certification Authority. This requires specific organizational configurations and deployments for certificate enrollment policies and certificate enrollment services. Windows has built-in tools, specifically Certreq.exe and Certutil.exe, which can be used by scripts to perform the enrollment from the command line.
+Depending on the security requirements that are unique to an organization, users can initially enroll for certificates from the certificate management console (certmgr.msc) or from within custom certificate enrollment applications. The latter method can create a request and submit it to a server that has access to the Certification Authority. This requires specific organizational configurations and deployments for certificate enrollment policies and certificate enrollment services. Windows has built-in tools, specifically Certreq.exe and Certutil.exe, which can be used by scripts to perform the enrollment from the command line.
#### Requesting the certificate by providing domain credentials only
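Review bot: In the new line "where `` is the value that is printed on the screen", the code span is empty: the `<instance ID>` placeholder from the removed line did not survive inside the backticks, and the command line above it, `tpmvscmgr.exe destroy /instance `, likewise ends without it. Markdown treats a bare `<instance ID>` as an HTML tag, so put the placeholder text inside the code span (or escape the angle brackets) so the reader can see what to substitute; as written, the destroy instructions are unusable. The second change in this hunk (the "Depending on the security requirements" paragraph) is identical before and after apart from whitespace.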
@@ -211,19 +203,15 @@ The user can import the certificate into the **MY** store (which is the user's c
For deployments that require users to use a physical smart card to sign the certificate request, you can use the procedure:
-1. Users initiate a request on a domain-joined computer.
-
-2. Users complete the request by using a physical smart card to sign the request.
-
-3. Users download the request to the virtual smart card on their client computer.
+1. Users initiate a request on a domain-joined computer
+1. Users complete the request by using a physical smart card to sign the request
+1. Users download the request to the virtual smart card on their client computer
#### Using one-time password for enrollment
Another option to ensure that users are strongly authenticated before virtual smart card certificates are issued, is to send a user a one-time password through SMS, email, or phone. The user then types the one-time password during the certificate enrollment from an application or a script on a desktop that invokes built-in command-line tools.
-#### Certificate lifecycle management
-
-Certificate renewal can be done from the same tools that are used for the initial certificate enrollment. Certificate enrollment policies and certificate enrollment services can also be used to perform automatic renewal.
+**Certificate lifecycle management**: certificate renewal can be done from the same tools that are used for the initial certificate enrollment. Certificate enrollment policies and certificate enrollment services can also be used to perform automatic renewal.
Certificate revocation requires careful planning. When information about the certificate to be revoked is reliably available, the specific certificate can be easily revoked. When information about the certificate to be revoked isn't easy to determine, all certificates issued to the user under the policy that was used to issue the certificate might need to be revoked. For example, if an employee reports a lost or compromised device, and information that associates the device with a certificate isn't available.
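Review bot: Demoting `#### Certificate lifecycle management` to a bold run-in label removes the `#certificate-lifecycle-management` anchor and leaves the revocation paragraph that follows ("Certificate revocation requires careful planning...") without the heading that grouped it with renewal; check for inbound links to that anchor before merging, or keep the heading. The sibling topics in the same section (`#### Using one-time password for enrollment`) stay as level-4 headings, so the structure is now uneven.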
@@ -235,11 +223,11 @@ Maintenance is a significant portion of the virtual smart card lifecycle and one
When renewing with a previously used key, no extra steps are required because a strong certificate with this key was issued during the initial provisioning. However, when the user requests a new key pair, you must take the same steps that were used during provisioning to assure the strength of the credentials. Renewal with new keys should occur periodically to counter sophisticated long-term attempts by malicious users to infiltrate the system. When new keys are assigned, you must ensure that the new keys are being used by the expected individuals on the same virtual smart cards.
-**Resetting PINs**: Resetting virtual smart card PINs is also a frequent necessity, because employees forget their PINs. There are two ways to accomplish this, depending on choices made earlier in the deployment: Use a PUK (if the PUK is set), or use a challenge-response approach with the administration key. Before resetting the PIN, the user's identity must be verified by using some means other than the card—most likely the verification method that you used during initial provisioning (for example, in-person proofing). This is necessary in user-error scenarios when users forget their PINs. However, you should never reset a PIN if it has been compromised because the level of vulnerability after the PIN is exposed is difficult to identify. The entire card should be reissued.
+**Reset PINs**: Resetting virtual smart card PINs is also a frequent necessity, because employees forget their PINs. There are two ways to accomplish this, depending on choices made earlier in the deployment: Use a PUK (if the PUK is set), or use a challenge-response approach with the administration key. Before resetting the PIN, the user's identity must be verified by using some means other than the card—most likely the verification method that you used during initial provisioning (for example, in-person proofing). This is necessary in user-error scenarios when users forget their PINs. However, you should never reset a PIN if it has been compromised because the level of vulnerability after the PIN is exposed is difficult to identify. The entire card should be reissued.
**Lockout reset**: A frequent precursor to resetting a PIN is the necessity of resetting the TPM lockout time because the TPM anti-hammering logic will be engaged with multiple PIN entry failures for a virtual smart card. This is currently device specific.
-**Retiring cards**: The final aspect of virtual smart card management is retiring cards when they're no longer needed. When an employee leaves the company, it's desirable to revoke domain access. Revoking sign-in credentials from the certification authority (CA) accomplishes this goal.
+**Retire cards**: The final aspect of virtual smart card management is retiring cards when they're no longer needed. When an employee leaves the company, it's desirable to revoke domain access. Revoking sign-in credentials from the certification authority (CA) accomplishes this goal.
The card should be reissued if the same computer is used by other employees without reinstalling the operating system. Reusing the former card can allow the former employee to change the PIN after leaving the organization, and then hijack certificates that belong to the new user to obtain unauthorized domain access. However, if the employee takes the virtual smart card-enabled computer, it's only necessary to revoke the certificates that are stored on the virtual smart card.
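Review bot: The renames to "Reset PINs" and "Retire cards" leave the sibling label "Lockout reset" on the unchanged line between them in the old noun form; rename it "Reset lockout" so the three labels read consistently. While in that paragraph, "This is currently device specific" gives an administrator nothing to act on; say what varies between devices (the TPM's lockout duration and threshold) and which tool or credential is used to clear the lockout.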
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md
index d86c288331..55070ad4d8 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md
@@ -2,7 +2,7 @@
title: Evaluate Virtual Smart Card Security
description: Learn about the security characteristics and considerations when deploying TPM virtual smart cards.
ms.topic: conceptual
-ms.date: 02/22/2023
+ms.date: 11/06/2023
---
# Evaluate Virtual Smart Card Security
@@ -39,7 +39,7 @@ The Trusted Computing Group specifies that if the response to attacks involves s
1. Allow only a limited number of wrong PIN attempts before enabling a lockout that enforces a time delay before any further commands are accepted by the TPM.
> [!NOTE]
- >
+ >
> If the user enters the wrong PIN five consecutive times for a virtual smart card (which works in conjunction with the TPM), the card is blocked. When the card is blocked, it must be unblocked by using the administrative key or the PUK.
1. Increase the time delay exponentially as the user enters the wrong PIN so that an excessive number of wrong PIN attempts quickly trigger long delays in accepting commands.
@@ -49,4 +49,4 @@ For example, it will take 14 years to guess an eight character PIN for a TPM tha
1. Number of wrong PINs allowed before entering lockout (threshold): 9
1. Time the TPM is in lockout after the threshold is reached: 10 seconds
-1. Timed delay doubles for each wrong PIN after the threshold is reached
\ No newline at end of file
+1. Timed delay doubles for each wrong PIN after the threshold is reached
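Review bot: The Note block in the earlier hunk (five consecutive wrong PINs blocks the card, unblock with the administrative key or PUK) and the worked example here (threshold of 9 wrong PINs, then a 10-second TPM lockout that doubles) describe two different counters, the virtual smart card's own PIN-retry limit and the TPM's anti-hammering lockout, but nothing in the text says so, and a reader cannot tell whether the effective limit is five or nine attempts. Add one sentence distinguishing the card block from the TPM lockout and stating which one is hit first; the whitespace-only changes in these two hunks are fine.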
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md
index e3348db8ba..711c4ed802 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md
@@ -2,7 +2,7 @@
title: Get Started with Virtual Smart Cards - Walkthrough Guide
description: This topic for the IT professional describes how to set up a basic test environment for using TPM virtual smart cards.
ms.topic: conceptual
-ms.date: 02/22/2023
+ms.date: 11/06/2023
---
# Get Started with Virtual Smart Cards: Walkthrough Guide
@@ -11,123 +11,78 @@ ms.date: 02/22/2023
This topic for the IT professional describes how to set up a basic test environment for using TPM virtual smart cards.
-Virtual smart cards are a technology from Microsoft that offer comparable security benefits in two-factor authentication to physical smart cards. They also offer more convenience for users and lower cost for organizations to deploy. By utilizing Trusted Platform Module (TPM) devices that provide the same cryptographic capabilities as physical smart cards, virtual smart cards accomplish the three key properties that are desired by smart cards: non-exportability, isolated cryptography, and anti-hammering.
+Virtual smart cards are a technology from Microsoft that offers comparable security benefits in two-factor authentication to physical smart cards. They also offer more convenience for users and lower cost for organizations to deploy. By utilizing Trusted Platform Module (TPM) devices that provide the same cryptographic capabilities as physical smart cards, virtual smart cards accomplish the three key properties that are desired by smart cards: nonexportability, isolated cryptography, and anti-hammering.
-This step-by-step walkthrough shows you how to set up a basic test environment for using TPM virtual smart cards. After you complete this walkthrough, you will have a functional virtual smart card installed on the Windows computer.
-
-**Time requirements**
+This step-by-step walkthrough shows you how to set up a basic test environment for using TPM virtual smart cards. After you complete this walkthrough, you'll have a functional virtual smart card installed on the Windows computer.
You should be able to complete this walkthrough in less than one hour, excluding installing software and setting up the test domain.
-**Walkthrough steps**
+## Walkthrough steps
-- [Prerequisites](#prerequisites)
+- [Prerequisites](#prerequisites)
+- [Step 1: Create the certificate template](#step-1-create-the-certificate-template)
+- [Step 2: Create the TPM virtual smart card](#step-2-create-the-tpm-virtual-smart-card)
+- [Step 3: Enroll for the certificate on the TPM Virtual Smart Card](#step-3-enroll-for-the-certificate-on-the-tpm-virtual-smart-card)
-- [Step 1: Create the certificate template](#step-1-create-the-certificate-template)
-
-- [Step 2: Create the TPM virtual smart card](#step-2-create-the-tpm-virtual-smart-card)
-
-- [Step 3: Enroll for the certificate on the TPM Virtual Smart Card](#step-3-enroll-for-the-certificate-on-the-tpm-virtual-smart-card)
-
-> **Important** This basic configuration is for test purposes only. It is not intended for use in a production environment.
+> [!IMPORTANT]
+> This basic configuration is for test purposes only. It is not intended for use in a production environment.
## Prerequisites
-You will need:
+You'll need:
-- A computer running Windows 10 with an installed and fully functional TPM (version 1.2 or version 2.0).
-
-- A test domain to which the computer listed above can be joined.
-
-- Access to a server in that domain with a fully installed and running certification authority (CA).
+- A computer running Windows 10 with an installed and fully functional TPM (version 1.2 or version 2.0)
+- A test domain to which the computer listed above can be joined
+- Access to a server in that domain with a fully installed and running certification authority (CA)
## Step 1: Create the certificate template
-On your domain server, you need to create a template for the certificate that you will request for the virtual smart card.
+On your domain server, you need to create a template for the certificate that you request for the virtual smart card.
### To create the certificate template
-1. On your server, open the Microsoft Management Console (MMC). One way to do this is to type **mmc.exe** from the **Start** menu, right-click **mmc.exe**, and click **Run as administrator**.
+1. On your server, open the Microsoft Management Console (MMC). One way to do this is to type **mmc.exe** from the **Start** menu, right-click **mmc.exe**, and select **Run as administrator**
+1. Select **File** > **Add/Remove Snap-in**
+1. In the available snap-ins list, select **Certificate Templates**, and then select **Add**
+1. Certificate Templates is now located under **Console Root** in the MMC. Double-click it to view all the available certificate templates
+1. Right-click the **Smartcard Logon** template, and select **Duplicate Template**
+1. On the **Compatibility** tab, under **Certification Authority**, review the selection, and change it if needed
+1. On the **General** tab:
+ 1. Specify a name, such as **TPM Virtual Smart Card Logon**
+ 1. Set the validity period to the desired value
+1. On the **Request Handling** tab:
+ 1. Set the **Purpose** to **Signature and smartcard logon**
+ 1. Select **Prompt the user during enrollment**
+1. On the **Cryptography** tab:
+ 1. Set the minimum key size to 2048
+ 1. Select **Requests must use one of the following providers**, and then select **Microsoft Base Smart Card Crypto Provider**
+1. On the **Security** tab, add the security group that you want to give **Enroll** access to. For example, if you want to give access to all users, select the **Authenticated users** group, and then select **Enroll** permissions for them
+1. Select **OK** to finalize your changes and create the new template. Your new template should now appear in the list of Certificate Templates
+1. Select **File**, then select **Add/Remove Snap-in** to add the Certification Authority snap-in to your MMC console. When asked which computer you want to manage, select the computer on which the CA is located, probably **Local Computer**
+1. In the left pane of the MMC, expand **Certification Authority (Local)**, and then expand your CA within the Certification Authority list
+1. Right-click **Certificate Templates**, select **New**, and then select **Certificate Template to Issue**
+1. From the list, select the new template that you created (**TPM Virtual Smart Card Logon**), and then select **OK**
-2. Click **File**, and then click **Add/Remove Snap-in**.
+ > [!NOTE]
+ > It can take some time for your template to replicate to all servers and become available in this list.
- 
-
-3. In the available snap-ins list, click **Certificate Templates**, and then click **Add**.
-
- 
-
-4. Certificate Templates is now located under **Console Root** in the MMC. Double-click it to view all the available certificate templates.
-
-5. Right-click the **Smartcard Logon** template, and click **Duplicate Template**.
-
- 
-
-6. On the **Compatibility** tab, under **Certification Authority**, review the selection, and change it if needed.
-
- 
-
-7. On the **General** tab:
-
- 1. Specify a name, such as **TPM Virtual Smart Card Logon**.
-
- 2. Set the validity period to the desired value.
-
-8. On the **Request Handling** tab:
-
- 1. Set the **Purpose** to **Signature and smartcard logon**.
-
- 2. Click **Prompt the user during enrollment**.
-
-9. On the **Cryptography** tab:
-
- 1. Set the minimum key size to 2048.
-
- 2. Click **Requests must use one of the following providers**, and then select **Microsoft Base Smart Card Crypto Provider**.
-
-10. On the **Security** tab, add the security group that you want to give **Enroll** access to. For example, if you want to give access to all users, select the **Authenticated users** group, and then select **Enroll** permissions for them.
-
-11. Click **OK** to finalize your changes and create the new template. Your new template should now appear in the list of Certificate Templates.
-
-12. Select **File**, then click **Add/Remove Snap-in** to add the Certification Authority snap-in to your MMC console. When asked which computer you want to manage, select the computer on which the CA is located, probably **Local Computer**.
-
- 
-
-13. In the left pane of the MMC, expand **Certification Authority (Local)**, and then expand your CA within the Certification Authority list.
-
-14. Right-click **Certificate Templates**, click **New**, and then click **Certificate Template to Issue**.
-
- 
-
-15. From the list, select the new template that you just created (**TPM Virtual Smart Card Logon**), and then click **OK**.
-
- > **Note** It can take some time for your template to replicate to all servers and become available in this list.
-
- 
-
-16. After the template replicates, in the MMC, right-click in the Certification Authority list, click **All Tasks**, and then click **Stop Service**. Then, right-click the name of the CA again, click **All Tasks**, and then click **Start Service**.
-
- 
+1. After the template replicates, in the MMC, right-click in the Certification Authority list, select **All Tasks**, and then select **Stop Service**. Then, right-click the name of the CA again, select **All Tasks**, and then select **Start Service**.
## Step 2: Create the TPM virtual smart card
-In this step, you will create the virtual smart card on the client computer by using the command-line tool, [Tpmvscmgr.exe](virtual-smart-card-tpmvscmgr.md).
+In this step, you create the virtual smart card on the client computer by using the command-line tool, [Tpmvscmgr.exe](virtual-smart-card-tpmvscmgr.md).
### To create the TPM virtual smart card
-1. On a domain-joined computer, open a Command Prompt window with Administrative credentials.
+1. On a domain-joined computer, open a Command Prompt window with Administrative credentials.
+1. At the command prompt, type the following, and then press ENTER:
- 
+ `tpmvscmgr.exe create /name TestVSC /pin default /adminkey random /generate`
-2. At the command prompt, type the following, and then press ENTER:
+ This creates a virtual smart card with the name **TestVSC**, omit the unlock key, and generate the file system on the card. The PIN is set to the default, 12345678. To be prompted for a PIN, instead of **/pin default** you can type **/pin prompt**.\
+ For more information about the Tpmvscmgr command-line tool, see [Use Virtual Smart Cards](virtual-smart-card-use-virtual-smart-cards.md) and [Tpmvscmgr](virtual-smart-card-tpmvscmgr.md).
- `tpmvscmgr.exe create /name TestVSC /pin default /adminkey random /generate`
-
- This will create a virtual smart card with the name **TestVSC**, omit the unlock key, and generate the file system on the card. The PIN will be set to the default, 12345678. To be prompted for a PIN, instead of **/pin default** you can type **/pin prompt**.
-
- For more information about the Tpmvscmgr command-line tool, see [Use Virtual Smart Cards](virtual-smart-card-use-virtual-smart-cards.md) and [Tpmvscmgr](virtual-smart-card-tpmvscmgr.md).
-
-4. Wait several seconds for the process to finish. Upon completion, Tpmvscmgr.exe will provide you with the device instance ID for the TPM Virtual Smart Card. Store this ID for later reference because you will need it to manage or remove the virtual smart card.
+1. Wait several seconds for the process to finish. Upon completion, Tpmvscmgr.exe provides you with the device instance ID for the TPM Virtual Smart Card. Store this ID for later reference because you need it to manage or remove the virtual smart card.
## Step 3: Enroll for the certificate on the TPM Virtual Smart Card
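Review bot: In the last step of "To create the certificate template", "right-click in the Certification Authority list, select All Tasks, and then select Stop Service" names no target for the first right-click, while the next sentence says "right-click the name of the CA again"; make the first sentence "right-click the name of the CA" as well. In Step 2, the create command `tpmvscmgr.exe create /name TestVSC /pin default /adminkey random /generate` is explained as "omit the unlock key" with the PIN set to 12345678, but the text does not say what `/adminkey random` means for the reader later: the evaluate-security page says a card blocked after repeated wrong PINs must be unblocked with the administrative key or PUK, so state whether the random admin key is retrievable and, if not, that a blocked test card has to be destroyed and re-created. Two smaller points: the command would be better in a ```console fence as tpmvscmgr.md already does, and "open a Command Prompt window with Administrative credentials." keeps a trailing period while every other rewritten list item in the hunk drops it.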
@@ -135,28 +90,17 @@ The virtual smart card must be provisioned with a sign-in certificate for it to
### To enroll the certificate
-1. Open the Certificates console by typing **certmgr.msc** on the **Start** menu.
+1. Open the Certificates console by typing **certmgr.msc** on the **Start** menu
+1. Right-click **Personal**, select **All Tasks**, and then select **Request New Certificate**
+1. Follow the prompts and when offered a list of templates, select the **TPM Virtual Smart Card Logon** check box (or whatever you named the template in Step 1)
+1. If prompted for a device, select the Microsoft virtual smart card that corresponds to the one you created in the previous section. It displays as **Identity Device (Microsoft Profile)**
+1. Enter the PIN that was established when you created the TPM virtual smart card, and then select **OK**
+1. Wait for the enrollment to finish, and then select **Finish**
-2. Right-click **Personal**, click **All Tasks**, and then click **Request New Certificate**.
-
- 
-
-3. Follow the prompts and when offered a list of templates, select the **TPM Virtual Smart Card Logon** check box (or whatever you named the template in Step 1).
-
- 
-
-4. If prompted for a device, select the Microsoft virtual smart card that corresponds to the one you created in the previous section. It displays as **Identity Device (Microsoft Profile)**.
-
-5. Enter the PIN that was established when you created the TPM virtual smart card, and then click **OK**.
-
-6. Wait for the enrollment to finish, and then click **Finish**.
-
-The virtual smart card can now be used as an alternative credential to sign in to your domain. To verify that your virtual smart card configuration and certificate enrollment were successful, sign out of your current session, and then sign in. When you sign in, you will see the icon for the new TPM virtual smart card on the Secure Desktop (sign in) screen or you will be automatically directed to the TPM smart card sign-in dialog box. Click the icon, enter your PIN (if necessary), and then click **OK**. You should be signed in to your domain account.
+The virtual smart card can now be used as an alternative credential to sign in to your domain. To verify that your virtual smart card configuration and certificate enrollment were successful, sign out of your current session, and then sign in. When you sign in, you'll see the icon for the new TPM virtual smart card on the Secure Desktop (sign in) screen or you are automatically directed to the TPM smart card sign-in dialog box. Select the icon, enter your PIN (if necessary), and then select **OK**. You should be signed in to your domain account.
## See also
-- [Understanding and Evaluating Virtual Smart Cards](virtual-smart-card-understanding-and-evaluating.md)
-
-- [Use Virtual Smart Cards](virtual-smart-card-use-virtual-smart-cards.md)
-
-- [Deploy Virtual Smart Cards](virtual-smart-card-deploy-virtual-smart-cards.md)
+- [Understanding and Evaluating Virtual Smart Cards](virtual-smart-card-understanding-and-evaluating.md)
+- [Use Virtual Smart Cards](virtual-smart-card-use-virtual-smart-cards.md)
+- [Deploy Virtual Smart Cards](virtual-smart-card-deploy-virtual-smart-cards.md)
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md
index 1445f06ad2..ed3cbe24d1 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md
@@ -2,7 +2,7 @@
title: Virtual Smart Card Overview
description: Learn about virtual smart card technology for Windows.
ms.topic: conceptual
-ms.date: 02/22/2023
+ms.date: 11/06/2023
---
# Virtual Smart Card Overview
@@ -23,27 +23,27 @@ Virtual smart cards are functionally similar to physical smart cards, appearing
### Authentication use cases
-**Two-factor authentication‒based remote access**
+#### Two-factor authentication‒based remote access
After a user has a fully functional TPM virtual smart card, provisioned with a sign-in certificate, the certificate is used to gain authenticated access to corporate resources. When the proper certificate is provisioned to the virtual card, the user need only provide the PIN for the virtual smart card, as if it was a physical smart card, to sign in to the domain.
In practice, this is as easy as entering a password to access the system. Technically, it's far more secure. Using the virtual smart card to access the system proves to the domain that the user who is requesting authentication has possession of the personal computer upon which the card has been provisioned and knows the virtual smart card PIN. Because this request couldn't have possibly originated from a system other than the system certified by the domain for this user's access, and the user couldn't have initiated the request without knowing the PIN, a strong two-factor authentication is established.
-**Client authentication**
+#### Client authentication
Virtual smart cards can also be used for client authentication by using TLS/SSL or a similar technology. Similar to domain access with a virtual smart card, an authentication certificate can be provisioned for the virtual smart card, provided to a remote service, as requested in the client authentication process. This adheres to the principles of two-factor authentication because the certificate is only accessible from the computer that hosts the virtual smart card, and the user is required to enter the PIN for initial access to the card.
-**Virtual smart card redirection for remote desktop connections**
+#### Virtual smart card redirection for remote desktop connections
The concept of two-factor authentication associated with virtual smart cards relies on the proximity of users to the devices that they use to access domain. When you connect to a device that is hosting virtual smart cards, you can't use the virtual smart cards located on the remote device during the remote session. However, you can access the virtual smart cards on the connecting device (which is under your physical control), which are loaded onto the remote device. You can use the virtual smart cards as if they were installed by using the remote devices' TPM, extending your privileges to the remote device, while maintaining the principles of two-factor authentication.
### Confidentiality use cases
-**S/MIME email encryption**
+#### S/MIME email encryption
Physical smart cards are designed to hold private keys. You can use the private keys for email encryption and decryption. The same functionality exists in virtual smart cards. By using S/MIME with a user's public key to encrypt email, the sender of an email is assured that only the person with the corresponding private key can decrypt the email. This assurance is a result of the non-exportability of the private key. It never exists within reach of malicious software, and it remains protected by the TPM—even during decryption.
-**BitLocker for data volumes**
+#### BitLocker for data volumes
BitLocker Drive Encryption technology makes use of symmetric-key encryption to protect the content of a user's hard drive. BitLocker ensures that if the physical ownership of a hard drive is compromised, an adversary won't be able to read data off the drive. The key used to encrypt the drive can be stored in a virtual smart card, which necessitates knowledge of the virtual smart card PIN to access the drive, and possession of the device that is hosting the TPM virtual smart card. If the drive is obtained without access to the TPM that hosts the virtual smart card, any brute force attack will be difficult.
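Review bot: The new `#### Two-factor authentication‒based remote access` heading carries over the U+2012 figure dash from the bold line it replaces; now that the text is a heading it also becomes an anchor id, so replace the figure dash with an ASCII hyphen ("authentication-based") and check the generated id, otherwise links to this section will depend on a character that is easy to mistype. The other bold-to-heading conversions in the hunk are fine.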
@@ -51,7 +51,7 @@ You can use BitLocker to encrypt portable drives, storing keys in virtual smart
### Data integrity use case
-**Signing data**
+#### Signing data
To verify authorship of data, a user can sign it by using a private key stored in the virtual smart card. Digital signatures confirm the integrity and origin of the data.
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md
index 5eca1fae1e..89752f473d 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md
@@ -2,7 +2,7 @@
title: Tpmvscmgr
description: Learn about the Tpmvscmgr command-line tool, through which an administrator can create and delete TPM virtual smart cards on a computer.
ms.topic: conceptual
-ms.date: 02/22/2023
+ms.date: 11/06/2023
---
# Tpmvscmgr
@@ -84,4 +84,4 @@ The following command will create a TPM virtual smart card with the default valu
```console
tpmvscmgr.exe create /name "VirtualSmartCardForCorpAccess" /PIN PROMPT /pinpolicy minlen 4 maxlen 8 /AdminKey DEFAULT /attestation AIK_AND_CERT /generate
-```
\ No newline at end of file
+```
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md
index 77e78baaf2..afc26113cb 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md
@@ -1,9 +1,8 @@
---
title: Understanding and Evaluating Virtual Smart Cards
description: Learn how smart card technology can fit into your authentication design.
-ms.prod: windows-client
ms.topic: conceptual
-ms.date: 02/22/2023
+ms.date: 11/06/2023
---
# Understand and Evaluate Virtual Smart Cards
@@ -12,17 +11,14 @@ ms.date: 02/22/2023
This article describes the virtual smart card technology and how it can fit into your authentication design.
-Virtual smart card technology uses cryptographic keys that are stored on computers that have the Trusted Platform Module (TPM) installed. Virtual smart cards offer comparable security benefits to conventional smart cards by using two-factor authentication. The technology also offers more convenience for users and has a lower cost to deploy. By utilizing TPM devices that provide the same cryptographic capabilities as conventional smart cards, virtual smart cards accomplish the three key properties that are desired for smart cards: non-exportability, isolated cryptography, and anti-hammering.
+Virtual smart card technology uses cryptographic keys that are stored on computers that have the Trusted Platform Module (TPM) installed. Virtual smart cards offer comparable security benefits to conventional smart cards by using two-factor authentication. The technology also offers more convenience for users and has a lower cost to deploy. By utilizing TPM devices that provide the same cryptographic capabilities as conventional smart cards, virtual smart cards accomplish the three key properties that are desired for smart cards: nonexportability, isolated cryptography, and anti-hammering.
-Virtual smart cards are functionally similar to physical smart cards. They appear as always-inserted smart cards, and they can be used for authentication to external resources, protection of data by secure encryption, and integrity through reliable signing. Because TPM-enabled hardware is readily available and virtual smart cards can be easily deployed by using existing certificate enrollment methods, virtual smart cards can become a full replacement for other methods of strong authentication in a corporate setting of any scale.
+Virtual smart cards are functionally similar to physical smart cards. They appear as always-inserted smart cards, and they can be used for authentication to external resources, protection of data by secure encryption, and integrity through reliable signing. Since TPM-enabled hardware is readily available and virtual smart cards can be deployed using existing certificate enrollment methods, virtual smart cards can become a replacement for other methods of strong authentication in a corporate setting of any scale.
This topic contains the following sections:
-- [Comparing virtual smart cards with physical smart cards](#comparing-virtual-smart-cards-with-physical-smart-cards):
- Compares properties, functional aspects, security, and cost.
-
-- [Authentication design options](#authentication-design-options):
- Describes how passwords, smart cards, and virtual smart cards can be used to reach authentication goals in your organization.
+- [Comparing virtual smart cards with physical smart cards](#comparing-virtual-smart-cards-with-physical-smart-cards): compares properties, functional aspects, security, and cost.
+- [Authentication design options](#authentication-design-options): describes how passwords, smart cards, and virtual smart cards can be used to reach authentication goals in your organization.
## Comparing virtual smart cards with physical smart cards
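Review bot: the unchanged context line "This topic contains the following sections:" still says "topic" while the article's first sentence (also context in this hunk) says "This article describes"; since the list below it is being rewritten anyway, change it to "This article contains the following sections:" for consistency. The collapsed one-line bullets read fine.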
@@ -34,71 +30,67 @@ All cryptographic operations occur in the secure, isolated environment of the TP
Virtual smart cards maintain the three key properties of physical smart cards:
-- **Non-exportability**: Because all private information on the virtual smart card is encrypted by using the TPM on the host computer, it can't be used on a different computer with a different TPM. Additionally, TPMs are designed to be tamper-resistant and non-exportable, so a malicious user can't reverse engineer an identical TPM or install the same TPM on a different computer.
- For more information, see [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md).
-
-- **Isolated cryptography**: TPMs provide the same properties of isolated cryptography that are offered by physical smart cards, and this is utilized by virtual smart cards. Unencrypted copies of private keys are loaded only within the TPM and never into memory that is accessible by the operating system. All cryptographic operations with these private keys occur inside the TPM.
-
-- **Anti-hammering**: If a user enters a PIN incorrectly, the virtual smart card responds by using the anti-hammering logic of the TPM, which rejects further attempts for a period of time instead of blocking the card. This is also known as lockout.
- For more information, see [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md).
+- **Non-exportability**: Because all private information on the virtual smart card is encrypted by using the TPM on the host computer, it can't be used on a different computer with a different TPM. Additionally, TPMs are designed to be tamper-resistant and nonexportable, so a malicious user can't reverse engineer an identical TPM or install the same TPM on a different computer. For more information, see [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md)
+- **Isolated cryptography**: TPMs provide the same properties of isolated cryptography that are offered by physical smart cards, and this is utilized by virtual smart cards. Unencrypted copies of private keys are loaded only within the TPM and never into memory that is accessible by the operating system. All cryptographic operations with these private keys occur inside the TPM
+- **Anti-hammering**: If a user enters a PIN incorrectly, the virtual smart card responds by using the anti-hammering logic of the TPM, which rejects further attempts for a period of time instead of blocking the card. This is also known as lockout. For more information, see [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md)
The following subsections compare the functionality, security, and cost of virtual smart cards and physical smart cards.
-**Functionality**
+### Functionality
The virtual smart card system that was designed by Microsoft closely mimics the functionality of conventional smart cards. The most striking difference to the end user is that the virtual smart card is essentially a smart card that is always inserted into the computer. There's no method to export the user's virtual smart card for use on other computers, which adds to the security of virtual smart cards. If a user requires access to network resources on multiple computers, multiple virtual smart cards can be issued for that user. Additionally, a computer that is shared among multiple users can host multiple virtual smart cards for different users.
-The basic user experience for a virtual smart card is as simple as using a password to access a network. Because the smart card is loaded by default, the user must simply enter the PIN that is tied to the card to gain access. Users are no longer required to carry cards and readers or to take physical action to use the card.
+The basic user experience for a virtual smart card is as simple as using a password to access a network. Because the smart card is loaded by default, the user must enter the PIN that is tied to the card to gain access. Users are no longer required to carry cards and readers or to take physical action to use the card.
-Additionally, although the anti-hammering functionality of the virtual smart card is equally secure to that of a physical smart card, virtual smart card users are never required to contact an administrator to unblock the card. Instead, they simply wait a period of time (depending on the TPM specifications) before they reattempt to enter the PIN. Alternatively, the administrator can reset the lockout by providing owner authentication data to the TPM on the host computer.
+Additionally, although the anti-hammering functionality of the virtual smart card is equally secure to that of a physical smart card, virtual smart card users are never required to contact an administrator to unblock the card. Instead, they wait a period of time (depending on the TPM specifications) before they reattempt to enter the PIN. Alternatively, the administrator can reset the lockout by providing owner authentication data to the TPM on the host computer.
-**Security**
+### Security
Physical smart cards and virtual smart cards offer comparable levels of security. They both implement two-factor authentication for using network resources. However, they differ in certain aspects, including physical security and the practicality of an attack. Due to their compact and portable design, conventional smart cards are most frequently kept close to their intended user. They offer little opportunity for acquisition by a potential adversary, so any sort of interaction with the card is difficult without committing some variety of theft.
-TPM virtual smart cards, however, reside on a user's computer that may frequently be left unattended, which provides an opportunity for a malicious user to hammer the TPM. Although virtual smart cards are fully protected from hammering (as are physical smart cards), this accessibility makes the logistics of an attack somewhat simpler. Additionally, the anti-hammering behavior of a TPM smart card differs in that it only presents a time delay in response to repeated PIN failures, as opposed to fully blocking the user.
+TPM virtual smart cards, however, reside on a user's computer that may frequently be left unattended, which provides an opportunity for a malicious user to hammer the TPM. Although virtual smart cards are fully protected from hammering (as are physical smart cards), this accessibility makes the logistics of an attack simpler. Additionally, the anti-hammering behavior of a TPM smart card differs in that it only presents a time delay in response to repeated PIN failures, as opposed to fully blocking the user.
-However, there are several advantages provided by virtual smart cards to mitigate these slight security deficits. Most importantly, a virtual smart card is much less likely to be lost. Virtual smart cards are integrated into computers and devices that the user already owns for other purposes and has incentive to keep safe. If the computer or device that hosts the virtual smart card is lost or stolen, a user will more immediately notice its loss than the loss of a physical smart card. When a computer or device is identified as lost, the user can notify the administrator of the system, who can revoke the certificate that is associated with the virtual smart card on that device. This precludes any future unauthorized access on that computer or device if the PIN for the virtual smart card is compromised.
+However, there are several advantages provided by virtual smart cards to mitigate these slight security deficits. Most importantly, a virtual smart card is much less likely to be lost. Virtual smart cards are integrated into computers and devices that the user already owns for other purposes and has incentive to keep safe. If the computer or device that hosts the virtual smart card is lost or stolen, a user notices its loss quicker than the loss of a physical smart card. When a computer or device is identified as lost, the user can notify the administrator of the system, who can revoke the certificate that is associated with the virtual smart card on that device. This precludes any future unauthorized access on that computer or device if the PIN for the virtual smart card is compromised.
-**Cost**
+### Cost
-If a company wants to deploy physical smart cards, they need to purchase smart cards and smart card readers for all employees. Although relatively inexpensive options can be found, options that ensure the three key properties of smart card security (most notably, non-exportability) are more expensive. If employees have computers with a built-in TPM, virtual smart cards can be deployed with no additional material costs. These computers and devices are relatively common in the market.
+If a company wants to deploy physical smart cards, they need to purchase smart cards and smart card readers for all employees. Although relatively inexpensive options can be found, options that ensure the three key properties of smart card security (most notably, nonexportability) are more expensive. If employees have computers with a built-in TPM, virtual smart cards can be deployed with no additional material costs. These computers and devices are relatively common in the market.
The maintenance cost of virtual smart cards is less than that for physical smart cards, which are easily lost, stolen, or broken from normal wear. TPM virtual smart cards are only lost or broken if the host computer or device is lost or broken, which in most cases is much less frequently.
-**Comparison summary**
+### Comparison summary
-| Physical Smart Cards | TPM virtual smart cards |
-|---------------------|-------------------|
-| Protects private keys by using the built-in cryptographic functionality of the card. | Protects private keys by using the cryptographic functionality of the TPM. |
-| Stores private keys in isolated non-volatile memory on the card, which means that access to private keys is only from the card, and access is never allowed to the operating system. | Stores encrypted private keys on the hard drive. The encryption ensures that these keys can only be decrypted and used in the TPM, not in the accessible memory of the operating system. |
-| Guarantees non-exportability through the card manufacturer, which includes isolating private information from operating system access. | Guarantees non-exportability through the TPM manufacturer, which includes the inability of an adversary to replicate or remove the TPM. |
-| Performs and isolates cryptographic operations within the built-in capabilities of the card. | Performs and isolates cryptographic operations in the TPM of the user's computer or device. |
-| Provides anti-hammering through the card. After a certain number of failed PIN entry attempts, the card blocks further access until administrative action is taken. | Provides anti-hammering through the TPM. Successive failed attempts increase the device lockout time (the time the user has to wait before trying again). This can be reset by an administrator. |
-| Requires that users carry their smart card and smart card reader with them to access network resources. | Allows users to access their TPM-enabled computers or devices, and potentially access the network, without other equipment. |
-| Enables credential portability by inserting the smart card into smart card readers that are attached to other computers. | Prevents exporting credentials from a given computer or device. However, virtual smart cards can be issued for the same user on multiple computers or devices by using additional certificates. |
-| Enables multiple users to access network resources through the same computer by inserting their personal smart cards. | Enables multiple users to access network resources through the same computer or device by issuing a virtual smart card for each user on that computer or device. |
-| Requires the user to carry the card, making it more difficult for an attacker to access the device and launch a hammering attempt. | Stores virtual smart card on the user's computer, which may be left unattended and allow a greater risk window for hammering attempts. |
-| Provides a generally single-purpose device that is carried explicitly for the purpose of authentication. The smart card can be easily misplaced or forgotten. | Installs the virtual smart card on a device that has other purposes for the user, so the user has greater incentive to be responsible for the computer or device. |
-| Alerts users that their card is lost or stolen only when they need to sign in and notice it's missing. | Installs the virtual smart card on a device that the user likely needs for other purposes, so users will notice its loss much more quickly. This reduces the associated risk window. |
-| Requires companies to invest in smart cards and smart card readers for all employees. | Requires that companies ensure all employees have TPM-enabled computers, which are relatively common. |
-| Enables using a smart card removal policy to affect system behavior when the smart card is removed. For example, the policy can dictate if the user's sign-in session is locked or terminated when the user removes the card. | Eliminates the necessity for a smart card removal policy because a TPM virtual smart card is always present and can't be removed from the computer. |
+| Physical Smart Cards | TPM virtual smart cards |
+|--|--|
+| Protects private keys by using the built-in cryptographic functionality of the card. | Protects private keys by using the cryptographic functionality of the TPM. |
+| Stores private keys in isolated non-volatile memory on the card, which means that access to private keys is only from the card, and access is never allowed to the operating system. | Stores encrypted private keys on the hard drive. The encryption ensures that these keys can only be decrypted and used in the TPM, not in the accessible memory of the operating system. |
+| Guarantees nonexportability through the card manufacturer, which includes isolating private information from operating system access. | Guarantees nonexportability through the TPM manufacturer, which includes the inability of an adversary to replicate or remove the TPM. |
+| Performs and isolates cryptographic operations within the built-in capabilities of the card. | Performs and isolates cryptographic operations in the TPM of the user's computer or device. |
+| Provides anti-hammering through the card. After some failed PIN entry attempts, the card blocks further access until administrative action is taken. | Provides anti-hammering through the TPM. Successive failed attempts increase the device lockout time (the time the user has to wait before trying again). This can be reset by an administrator. |
+| Requires that users carry their smart card and smart card reader with them to access network resources. | Allows users to access their TPM-enabled computers or devices, and potentially access the network, without other equipment. |
+| Enables credential portability by inserting the smart card into smart card readers that are attached to other computers. | Prevents exporting credentials from a given computer or device. However, virtual smart cards can be issued for the same user on multiple computers or devices by using additional certificates. |
+| Enables multiple users to access network resources through the same computer by inserting their personal smart cards. | Enables multiple users to access network resources through the same computer or device by issuing a virtual smart card for each user on that computer or device. |
+| Requires the user to carry the card, making it more difficult for an attacker to access the device and launch a hammering attempt. | Stores virtual smart card on the user's computer, which might be left unattended and allow a greater risk window for hammering attempts. |
+| Provides a generally single-purpose device that is carried explicitly for the purpose of authentication. The smart card can be easily misplaced or forgotten. | Installs the virtual smart card on a device that has other purposes for the user, so the user has greater incentive to be responsible for the computer or device. |
+| Alerts users that their card is lost or stolen only when they need to sign in and notice it's missing. | Installs the virtual smart card on a device that the user likely needs for other purposes, so users will notice its loss much more quickly. This reduces the associated risk window. |
+| Requires companies to invest in smart cards and smart card readers for all employees. | Requires that companies ensure all employees have TPM-enabled computers, which are relatively common. |
+| Enables using a smart card removal policy to affect system behavior when the smart card is removed. For example, the policy can dictate if the user's sign-in session is locked or terminated when the user removes the card. | Eliminates the necessity for a smart card removal policy because a TPM virtual smart card is always present and can't be removed from the computer. |
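Review bot: the spelling change to "nonexportability" is applied inconsistently within this hunk: the label on the first rewritten bullet still reads **Non-exportability** while the same line now says "nonexportable", and the summary table uses "nonexportability"; use one form for the label as well. Two smaller points: "a user notices its loss quicker than the loss of a physical smart card" should be "more quickly than"; and the rewritten bullets now end with "see [Evaluate Virtual Smart Card Security](virtual-smart-card-evaluate-security.md)" with no terminal period even though each item contains several complete sentences, so the trailing periods should stay.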
## Authentication design options
The following section presents several commonly used options and their respective strengths and weaknesses, which organizations can consider for authentication.
-**Passwords**
+### Passwords
A password is a secret string of characters that is tied to the identification credentials for a user's account. This establishes the user's identity. Although passwords are the most commonly used form of authentication, they're also the weakest. In a system where passwords are used as the sole method of user authentication, only individuals who know their passwords are considered valid users.
Password authentication places a great deal of responsibility on the user. Passwords must be sufficiently complex so they can't be easily guessed, but they must be simple enough to be committed to memory and not stored in a physical location. Even if this balance is successfully achieved, a wide variety of attacks exist (such as brute force attacks, eavesdropping, and social engineering tactics) where a malicious user can acquire a user's password and impersonate that person's identity. A user often won't realize that the password is compromised, which makes it's easy for a malicious user to maintain access to a system if a valid password has been obtained.
-**One-time passwords**
+### One-time passwords
A one-time password (OTP) is similar to a traditional password, but it's more secure in that it can be used only once to authenticate a user. The method for determining each new password varies by implementation. Assuming a secure deployment of each new password, OTPs have several advantages over the classic password model of authentication. Most importantly, if a given OTP token is intercepted in transmission between the user and the system, the interceptor can't use it for any future transactions. Similarly, if a malicious user obtains a valid user's OTP, the interceptor will have limited access to the system (only one session).
-**Smart cards**
+### Smart cards
Smart cards are physical authentication devices, which improve on the concept of a password by requiring that users actually have their smart card device with them to access the system, in addition to knowing the PIN that provides access to the smart card. Smart cards have three key properties that help maintain their security:
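Review bot: the unchanged context line in the Passwords section carries a typo, "which makes it's easy for a malicious user", which should read "which makes it easy"; since this hunk already touches the headings around it, fix it in the same change.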
@@ -112,8 +104,8 @@ Additional security is achieved by the singular nature of the card because only
The additional security comes with added material and support costs. Traditional smart cards are expensive to purchase (cards and card readers must be supplied to employees), and users can misplace or lose them.
-**Virtual smart cards**
+### Virtual smart cards
-Virtual smart cards emulate the functionality of traditional smart cards. Instead of requiring the purchase of additional hardware, virtual smart cards utilize technology that users already own and are more likely to always have with them. Theoretically, any device that can provide the three key properties of smart cards (non-exportability, isolated cryptography, and anti-hammering) can be commissioned as a virtual smart card. The virtual smart card platform is limited to the use of the Trusted Platform Module (TPM) chip, which is on most modern devices.
+Virtual smart cards emulate the functionality of traditional smart cards. Instead of requiring the purchase of additional hardware, virtual smart cards utilize technology that users already own and are more likely to always have with them. Theoretically, any device that can provide the three key properties of smart cards (nonexportability, isolated cryptography, and anti-hammering) can be commissioned as a virtual smart card. The virtual smart card platform is limited to the use of the Trusted Platform Module (TPM) chip, which is on most modern devices.
-Virtual smart cards that utilize a TPM provide the three main security principles of traditional smart cards: non-exportability, isolated cryptography, and anti-hammering. Virtual smart cards are less expensive to implement and more convenient for users. Since many corporate computers already have a built-in TPM, there's no cost associated with purchasing new hardware. The user's possession of a computer or device is equivalent to the possession of a smart card, and a user's identity can't be assumed from any other computer or device without administrative provisioning of further credentials. Thus, two-factor authentication is achieved because the user must have a computer that is set up with a virtual smart card and know the PIN to use the virtual smart card.
+Virtual smart cards that utilize a TPM provide the three main security principles of traditional smart cards: nonexportability, isolated cryptography, and anti-hammering. Virtual smart cards are less expensive to implement and more convenient for users. Since many corporate computers already have a built-in TPM, there's no cost associated with purchasing new hardware. The user's possession of a computer or device is equivalent to the possession of a smart card, and a user's identity can't be assumed from any other computer or device without administrative provisioning of further credentials. Thus, two-factor authentication is achieved because the user must have a computer that is set up with a virtual smart card and know the PIN to use the virtual smart card.
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md
index ddb91270e5..3132441a32 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md
@@ -2,7 +2,7 @@
title: Use Virtual Smart Cards
description: Learn about the requirements for virtual smart cards, how to use and manage them.
ms.topic: conceptual
-ms.date: 02/22/2023
+ms.date: 11/06/2023
---
# Use Virtual Smart Cards
@@ -13,13 +13,12 @@ Learn about the requirements for virtual smart cards, how to use and manage them
## Requirements, restrictions, and limitations
-| Area | Requirements and details |
-|-------------|---------------------------|
-| Supported operating systems | Windows Server 2016 Windows Server 2012 R2 Windows Server 2012 Windows 10 Windows 8.1 Windows 8 |
-| Supported Trusted Platform Module (TPM) | Any TPM that adheres to the TPM main specifications for version 1.2 or version 2.0 (as set by the Trusted Computing Group) is supported for use as a virtual smart card. For more information, see the [TPM Main Specification](http://www.trustedcomputinggroup.org/resources/tpm_main_specification). |
-| Supported virtual smart cards per computer | Ten smart cards can be connected to a computer or device at one time. This includes physical and virtual smart cards combined.
**Note** You can create more than one virtual smart card; however, after creating more than four virtual smart cards, you may start to notice performance degradation. Because all smart cards appear as if they're always inserted, if more than one person shares a computer or device, each person can see all the virtual smart cards that are created on that computer or device. If the user knows the PIN values for all the virtual smart cards, the user will also be able to use them. |
-| Supported number of certificates on a virtual smart card | A single TPM virtual smart card can contain 30 distinct certificates with the corresponding private keys. Users can continue to renew certificates on the card until the total number of certificates on a card exceeds 90. The reason that the total number of certificates is different from the total number of private keys is that sometimes the renewal can be done with the same private key—in which case a new private key isn't generated. |
-| PIN, PIN Unlock Key (PUK), and Administrative key requirements | The PIN and the PUK must be a minimum of eight characters that can include numerals, alphabetic characters, and special characters. The Administrative key must be entered as 48 hexadecimal characters. It's a 3-key triple DES with ISO/IEC 9797 padding method 2 in CBC chaining mode. |
+| Area | Requirements and details |
+|--|--|
+| Supported Trusted Platform Module (TPM) | Any TPM that adheres to the TPM main specifications for version 1.2 or version 2.0 (as set by the Trusted Computing Group) is supported for use as a virtual smart card. For more information, see the [TPM Main Specification](http://www.trustedcomputinggroup.org/resources/tpm_main_specification). |
+| Supported virtual smart cards per computer | Ten smart cards can be connected to a computer or device at one time. This includes physical and virtual smart cards combined.
**Note** You can create more than one virtual smart card; however, after creating more than four virtual smart cards, you may start to notice performance degradation. Because all smart cards appear as if they're always inserted, if more than one person shares a computer or device, each person can see all the virtual smart cards that are created on that computer or device. If the user knows the PIN values for all the virtual smart cards, the user will also be able to use them. |
+| Supported number of certificates on a virtual smart card | A single TPM virtual smart card can contain 30 distinct certificates with the corresponding private keys. Users can continue to renew certificates on the card until the total number of certificates on a card exceeds 90. The reason that the total number of certificates is different from the total number of private keys is that sometimes the renewal can be done with the same private key—in which case a new private key isn't generated. |
+| PIN, PIN Unlock Key (PUK), and Administrative key requirements | The PIN and the PUK must be a minimum of eight characters that can include numerals, alphabetic characters, and special characters. The Administrative key must be entered as 48 hexadecimal characters. It's a 3-key triple DES with ISO/IEC 9797 padding method 2 in CBC chaining mode. |
## Using Tpmvscmgr.exe
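Review bot: the "Supported operating systems" row is deleted without a replacement, so the rewritten table no longer says which Windows versions support virtual smart cards; if the old list (Windows Server 2016 through Windows 8) is stale, update it or link to a current support statement rather than dropping it silently. Also, the "Supported virtual smart cards per computer" row is still split across two lines with **Note** starting the second line, which will render as a separate row in Markdown; since the row is being rewritten anyway, fold the note into the cell on one line, for example with `<br>` before **Note**.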
@@ -29,63 +28,58 @@ To create and delete TPM virtual smart cards for end users, the Tpmvscmgr comman
Virtual smart cards can also be created and deleted by using APIs. For more information, see the following classes and interfaces:
-- [TpmVirtualSmartCardManager](/previous-versions/windows/desktop/legacy/hh707171(v=vs.85))
+- [TpmVirtualSmartCardManager](/previous-versions/windows/desktop/legacy/hh707171(v=vs.85))
+- [RemoteTpmVirtualSmartCardManager](/previous-versions/windows/desktop/legacy/hh707166(v=vs.85))
+- [ITpmVirtualSmartCardManager](/windows/win32/api/tpmvscmgr/nn-tpmvscmgr-itpmvirtualsmartcardmanager)
+- [ITPMVirtualSmartCardManagerStatusCallBack](/windows/win32/api/tpmvscmgr/nn-tpmvscmgr-itpmvirtualsmartcardmanagerstatuscallback)
-- [RemoteTpmVirtualSmartCardManager](/previous-versions/windows/desktop/legacy/hh707166(v=vs.85))
-
-- [ITpmVirtualSmartCardManager](/windows/win32/api/tpmvscmgr/nn-tpmvscmgr-itpmvirtualsmartcardmanager)
-
-- [ITPMVirtualSmartCardManagerStatusCallBack](/windows/win32/api/tpmvscmgr/nn-tpmvscmgr-itpmvirtualsmartcardmanagerstatuscallback)
-
-You can use APIs that were introduced in the Windows.Device.SmartCards namespace in Windows Server 2012 R2 and Windows 8.1 to build Microsoft Store apps to manage the full lifecycle of virtual smart cards. For information about how to build an app to do this, see [Strong Authentication: Building Apps That Leverage Virtual Smart Cards in Enterprise, BYOD, and Consumer Environments | Build 2013 | Channel 9](https://channel9.msdn.com/events/build/2013/2-041).
+You can use APIs in the `Windows.Device.SmartCards` namespace to build Microsoft Store apps to manage the full lifecycle of virtual smart cards. For information about how to build an app to do this, see [Strong Authentication: Building Apps That Leverage Virtual Smart Cards in Enterprise, BYOD, and Consumer Environments](https://channel9.msdn.com/events/build/2013/2-041).
The following table describes the features that can be developed in a Microsoft Store app:
-| Feature | Physical Smart Card | Virtual Smart Card |
-|----------------------------------------------|---------------------|--------------------|
-| Query and monitor smart card readers | Yes | Yes |
-| List available smart cards in a reader, and retrieve the card name and card ID | Yes | Yes |
-| Verify if the administrative key of a card is correct | Yes | Yes |
-| Provision (or reformat) a card with a given card ID | Yes | Yes |
-| Change the PIN by entering the old PIN and specifying a new PIN | Yes | Yes |
-| Change the administrative key, reset the PIN, or unblock the smart card by using a challenge/response method | Yes | Yes |
-| Create a virtual smart card | Not applicable | Yes |
-| Delete a virtual smart card | Not applicable | Yes |
-| Set PIN policies | No | Yes |
+| Feature | Physical Smart Card | Virtual Smart Card |
+|--|--|--|
+| Query and monitor smart card readers | Yes | Yes |
+| List available smart cards in a reader, and retrieve the card name and card ID | Yes | Yes |
+| Verify if the administrative key of a card is correct | Yes | Yes |
+| Provision (or reformat) a card with a given card ID | Yes | Yes |
+| Change the PIN by entering the old PIN and specifying a new PIN | Yes | Yes |
+| Change the administrative key, reset the PIN, or unblock the smart card by using a challenge/response method | Yes | Yes |
+| Create a virtual smart card | Not applicable | Yes |
+| Delete a virtual smart card | Not applicable | Yes |
+| Set PIN policies | No | Yes |
For more information about these Windows APIs, see:
-- [Windows.Devices.SmartCards namespace (Windows)](/uwp/api/Windows.Devices.SmartCards)
-
-- [Windows.Security.Cryptography.Certificates namespace (Windows)](/uwp/api/Windows.Security.Cryptography.Certificates)
+- [Windows.Devices.SmartCards namespace (Windows)](/uwp/api/Windows.Devices.SmartCards)
+- [Windows.Security.Cryptography.Certificates namespace (Windows)](/uwp/api/Windows.Security.Cryptography.Certificates)
## Distinguishing TPM-based virtual smart cards from physical smart cards
-To help users visually distinguish a Trusted Platform Module (TPM)-based virtual smart card from physical smart cards, the virtual smart card has a different icon. The following icon is displayed during sign-in, and on other screens that require the user to enter the PIN for a virtual smart card.
+To help users visually distinguish a Trusted Platform Module (TPM)-based virtual smart card from physical smart cards, the virtual smart card has a different icon. The virtual smart card icon :::image type="icon" source="images/virtual-smart-card-icon.svg" border="false"::: is displayed during sign-in, and on other screens that require the user to enter the PIN for a virtual smart card.
-
-
-A TPM-based virtual smart card is labeled **Security Device** in the user interface.
+A TPM-based virtual smart card is labeled *Security Device* in the user interface.
## Changing the PIN
The PIN for a virtual smart card can be changed by following these steps:
-- Sign in with the old PIN or password.
-- Press Ctrl+Alt+Del and choose **Change a password**.
-- Select **Sign-in Options**.
-- Select the virtual smart card icon.
-- Enter and confirm the new PIN.
+
+- Sign in with the old PIN or password
+- Press Ctrl+Alt+Del and select **Change a password**
+- Select **Sign-in Options**
+- Select the virtual smart card icon
+- Enter and confirm the new PIN
+
## Resolving issues
### TPM not provisioned
-For a TPM-based virtual smart card to function properly, a provisioned TPM must be available on the computer. If the TPM is disabled in the BIOS, or it isn't provisioned with full ownership and the storage root key, the TPM virtual smart card creation will fail.
+For a TPM-based virtual smart card to function properly, a provisioned TPM must be available on the computer:
-If the TPM is initialized after creating a virtual smart card, the card will no longer function, and it will need to be re-created.
-
-If the TPM ownership was established on a Windows Vista installation, the TPM won't be ready to use virtual smart cards. The system administrator needs to clear and initialize the TPM for it to be suitable for creating TPM virtual smart cards.
-
-If the operating system is reinstalled, prior TPM virtual smart cards are no longer available and need to be re-created. If the operating system is upgraded, prior TPM virtual smart cards will be available to use in the upgraded operating system.
+- If the TPM is disabled in the BIOS, or it isn't provisioned with full ownership and the storage root key, the TPM virtual smart card creation fails
+- If the TPM is initialized after creating a virtual smart card, the card will no longer function, and it must be re-created
+- If the operating system is reinstalled, prior TPM virtual smart cards are no longer available and need to be re-created
+- If the operating system is upgraded, prior TPM virtual smart cards are available to use in the upgraded operating system
### TPM in lockout state
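Review bot: the rewritten sentence `+You can use APIs in the \`Windows.Device.SmartCards\` namespace ...` misnames the namespace; the link list further down in the same hunk gives the correct name, `Windows.Devices.SmartCards`, so the inline code span should match it. The wording around the Build 2013 link was edited but the `channel9.msdn.com` URL was kept; Channel 9 has been retired, so verify the session is still reachable at that address or point at its current location before merging.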
diff --git a/windows/security/identity-protection/web-sign-in/index.md b/windows/security/identity-protection/web-sign-in/index.md
index edd4b03647..d2d61e204a 100644
--- a/windows/security/identity-protection/web-sign-in/index.md
+++ b/windows/security/identity-protection/web-sign-in/index.md
@@ -6,7 +6,6 @@ ms.topic: how-to
appliesto:
- ✅ Windows 11
ms.collection:
- - highpri
- tier1
---
@@ -25,9 +24,12 @@ This article describes how to configure Web sign-in and the supported key scenar
To use web sign-in, the clients must meet the following prerequisites:
- Windows 11, version 22H2 with [5030310][KB-1], or later
-- Must be Microsoft Entra joined
+- Must be [Microsoft Entra joined](/entra/identity/devices/concept-directory-join)
- Must have Internet connectivity, as the authentication is done over the Internet
+> [!IMPORTANT]
+> Web sign-in is not supported for Microsoft Entra hybrid joined or domain joined devices.
+
[!INCLUDE [federated-sign-in](../../../../includes/licensing/web-sign-in.md)]
## Configure web sign-in
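Review bot: the prerequisite line `- Windows 11, version 22H2 with [5030310][KB-1], or later` gives the KB number without its `KB` prefix, so it renders as a bare number; `KB5030310` would be clearer and consistent with the other KB references in this repo. The new IMPORTANT block is useful because a reader could take "Microsoft Entra joined" to include hybrid joined devices; consider adding the same "not hybrid joined" qualifier to the bullet itself so the two statements can't drift apart.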
diff --git a/windows/security/includes/virtual-smart-card-deprecation-notice.md b/windows/security/includes/virtual-smart-card-deprecation-notice.md
index dea207534a..3a3a9e11c1 100644
--- a/windows/security/includes/virtual-smart-card-deprecation-notice.md
+++ b/windows/security/includes/virtual-smart-card-deprecation-notice.md
@@ -1,9 +1,9 @@
---
author: paolomatarazzo
ms.author: paoloma
-ms.date: 02/22/2023
+ms.date: 11/04/2023
ms.topic: include
---
> [!WARNING]
-> [Windows Hello for Business](../identity-protection/hello-for-business/hello-identity-verification.md) is the modern, two-factor authentication for Windows. Microsoft will deprecate virtual smart cards in the near future. Customers using virtual smart cards are strongly encouraged to move to Windows Hello for Business. Microsoft will publish the deprecation date to ensure customers have adequate lead time to move to Windows Hello for Business. We recommend that new Windows deployments use Windows Hello for Business.
\ No newline at end of file
+> [Windows Hello for Business](../identity-protection/hello-for-business/index.md) and FIDO2 security keys are modern, two-factor authentication methods for Windows. Customers using virtual smart cards are encouraged to move to Windows Hello for Business or FIDO2. For new Windows installations, we recommend Windows Hello for Business or FIDO2 security keys.
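Review bot: the rewritten warning no longer says that virtual smart cards are being deprecated, yet the include is still named `virtual-smart-card-deprecation-notice.md` and the removed text committed to publishing a deprecation date. If the deprecation is still planned, keep one sentence stating it (and where the date will be announced); if it is not, rename the include so the file name doesn't promise a notice the text doesn't give. The link target also changed from `hello-identity-verification.md` to `index.md`; confirm the new relative path resolves.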
diff --git a/windows/security/index.yml b/windows/security/index.yml
index 40983d837f..7433169832 100644
--- a/windows/security/index.yml
+++ b/windows/security/index.yml
@@ -9,7 +9,6 @@ metadata:
ms.prod: windows-client
ms.technology: itpro-security
ms.collection:
- - highpri
- tier1
author: paolomatarazzo
ms.author: paoloma
diff --git a/windows/security/licensing-and-edition-requirements.md b/windows/security/licensing-and-edition-requirements.md
index 6b192f2171..5f18fd26da 100644
--- a/windows/security/licensing-and-edition-requirements.md
+++ b/windows/security/licensing-and-edition-requirements.md
@@ -1,8 +1,6 @@
---
title: Windows security features licensing and edition requirements
description: Learn about Windows licensing and edition requirements for the features included in Windows.
-ms.collection:
-- tier2
ms.topic: conceptual
ms.date: 06/15/2023
appliesto:
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/bcd-settings-and-bitlocker.md b/windows/security/operating-system-security/data-protection/bitlocker/bcd-settings-and-bitlocker.md
index cf39c89999..22f80cb481 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/bcd-settings-and-bitlocker.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bcd-settings-and-bitlocker.md
@@ -1,31 +1,27 @@
---
title: BCD settings and BitLocker
-description: This article for IT professionals describes the BCD settings that are used by BitLocker.
+description: Learn how BCD settings are used by BitLocker.
ms.topic: reference
-ms.date: 11/08/2022
+ms.date: 10/30/2023
---
# Boot Configuration Data settings and BitLocker
-This article for IT professionals describes the Boot Configuration Data (BCD) settings that are used by BitLocker.
+This article describes the Boot Configuration Data (BCD) settings that are used by BitLocker.
-When protecting data at rest on an operating system volume, during the boot process BitLocker verifies that the security sensitive BCD settings haven't changed since BitLocker was last enabled, resumed, or recovered.
+During the boot process, BitLocker verifies that the security sensitive BCD settings haven't changed since BitLocker was last enabled, resumed, or recovered.
-## BitLocker and BCD Settings
+If it's believed that there's a risk in excluding a particular BCD setting from the validation profile, you can include that BCD setting in the BCD validation coverage to suit the preferences for validation.\
+If the default BCD setting persistently triggers a recovery for benign changes, you can exclude that BCD setting from the validation coverage.
-In Windows 7 and Windows Server 2008 R2, BitLocker validated BCD settings with the winload, winresume, and memtest prefixes to a large degree. However, this high degree of validation caused BitLocker to go into recovery mode for benign setting changes, for example, when applying a language pack, BitLocker would enter recovery mode.
-
-In Windows 8, Windows Server 2012, and later operating systems, BitLocker narrows the set of BCD settings validated to reduce the chance of benign changes causing a BCD validation problem. If it's believed that there's a risk in excluding a particular BCD setting from the validation profile, include that BCD setting in the BCD validation coverage to suit the preferences for validation. If a default BCD setting is found to persistently trigger a recovery for benign changes, exclude that BCD setting from the validation coverage.
-
-### When secure boot is enabled
-
-Computers with UEFI firmware can use secure boot to provide enhanced boot security. When BitLocker is able to use secure boot for platform and BCD integrity validation, as defined by the **Allow Secure Boot for integrity validation** group policy setting, the **Use enhanced Boot Configuration Data validation profile** group policy is ignored.
+> [!IMPORTANT]
+> Devices with UEFI firmware can use secure boot to provide enhanced boot security. When BitLocker is able to use secure boot for platform and BCD integrity validation, as defined by the **[Allow Secure Boot for integrity validation](configure.md?tabs=os#allow-secure-boot-for-integrity-validation)** policy setting, the **[Use enhanced Boot Configuration Data validation profile](configure.md?tabs=os#use-enhanced-boot-configuration-data-validation-profile)** policy is ignored.
One of the benefits of using secure boot is that it can correct BCD settings during boot without triggering recovery events. Secure boot enforces the same BCD settings as BitLocker. Secure boot BCD enforcement isn't configurable from within the operating system.
-## Customizing BCD validation settings
+## Customize BCD validation settings
-To modify the BCD settings that are validated by BitLocker, the administrator will add or exclude BCD settings from the platform validation profile by enabling and configuring the **Use enhanced Boot Configuration Data validation profile** group policy setting.
+To modify the BCD settings that are validated by BitLocker, the administrator will add or exclude BCD settings from the platform validation profile by enabling and configuring the **[Use enhanced Boot Configuration Data validation profile](configure.md?tabs=os#use-enhanced-boot-configuration-data-validation-profile)** policy setting.
For the purposes of BitLocker validation, BCD settings are associated with a specific set of Microsoft boot applications. These BCD settings can also be applied to the other Microsoft boot applications that aren't part of the set to which the BCD settings are already applicable for. This setting can be done by attaching any of the following prefixes to the BCD settings that are being entered in the group policy settings dialog:
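Review bot: the removed paragraph (`-In Windows 8, Windows Server 2012, and later operating systems, BitLocker narrows the set of BCD settings validated ...`) was the only place explaining that BitLocker validates a limited default set of BCD settings and why (benign changes such as language packs used to trigger recovery), but the two kept sentences about including or excluding a setting "from the validation profile" still depend on that context. Suggest keeping one sentence, for example "By default BitLocker validates a limited set of BCD settings to reduce recovery events caused by benign changes; the default set is listed at the end of this article." The dropped Windows 7 history is fine to lose since those versions are out of support.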
@@ -34,15 +30,15 @@ For the purposes of BitLocker validation, BCD settings are associated with a spe
- memtest
- all of the above
-All BCD settings are specified by combining the prefix value with either a hexadecimal (hex) value or a "friendly name."
+All BCD settings are specified by combining the prefix value with either a hexadecimal (hex) value or a *friendly name*.
The BCD setting hex value is reported when BitLocker enters recovery mode and is stored in the event log (event ID 523). The hex value uniquely identifies the BCD setting that caused the recovery event.
You can quickly obtain the friendly name for the BCD settings on a computer by using the command `bcdedit.exe /enum all`.
-Not all BCD settings have friendly names; for those settings without a friendly name, the hex value is the only way to configure an exclusion policy.
+Not all BCD settings have friendly names. For those settings without a friendly name, the hex value is the only way to configure an exclusion policy.
-When specifying BCD values in the **Use enhanced Boot Configuration Data validation profile** group policy setting, use the following syntax:
+When specifying BCD values in the **[Use enhanced Boot Configuration Data validation profile](configure.md?tabs=os#use-enhanced-boot-configuration-data-validation-profile)** policy setting, use the following syntax:
- Prefix the setting with the boot application prefix
- Append a colon `:`
@@ -54,11 +50,11 @@ For example, either "`winload:hypervisordebugport`" or "`winload:0x250000f4`" yi
A setting that applies to all boot applications may be applied only to an individual application. However, the reverse isn't true. For example, one can specify either "`all:locale`" or "`winresume:locale`", but as the BCD setting "`win-pe`" doesn't apply to all boot applications, "`winload:winpe`" is valid, but "`all:winpe`" isn't valid. The setting that controls boot debugging ("`bootdebug`" or 0x16000010) will always be validated and will have no effect if it's included in the provided fields.
> [!NOTE]
-> Take care when configuring BCD entries in the Group Policy setting. The Local Group Policy Editor does not validate the correctness of the BCD entry. BitLocker will fail to be enabled if the Group Policy setting specified is invalid.
+> Take care when configuring BCD entries in the policy setting. The Local Group Policy Editor doesn't validate the correctness of the BCD entry. BitLocker fails to be enabled if the policy setting specified is invalid.
### Default BCD validation profile
-The following table contains the default BCD validation profile used by BitLocker in Windows 8, Windows Server 2012, and subsequent versions:
+The following table contains the default BCD validation profile used by BitLocker:
| Hex Value | Prefix | Friendly Name |
| - | - | - |
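Review bot: the NOTE in this hunk (`+> Take care when configuring BCD entries in the policy setting. The Local Group Policy Editor doesn't validate ...`) now refers to a generic "policy setting" that links to configure.md, which covers more than Group Policy, but the caveat still mentions only the Local Group Policy Editor. State that the BCD entry isn't validated regardless of how the policy is delivered and that an invalid entry causes enabling BitLocker to fail, so administrators know to test the profile on one device before deploying it. Quoting the hex form alongside the friendly name in the surrounding examples (as the `winload:0x250000f4` example already does) is the right call, since event ID 523 reports only the hex value.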
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-basic-deployment.md
deleted file mode 100644
index 16a611c770..0000000000
--- a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-basic-deployment.md
+++ /dev/null
@@ -1,455 +0,0 @@
----
-title: BitLocker basic deployment
-description: This article for the IT professional explains how BitLocker features can be used to protect your data through drive encryption.
-ms.topic: conceptual
-ms.date: 11/08/2022
----
-
-# BitLocker basic deployment
-
-This article for the IT professional explains how BitLocker features can be used to protect data through drive encryption.
-
-## Using BitLocker to encrypt volumes
-
-BitLocker provides full volume encryption (FVE) for operating system volumes, and fixed and removable data drives. To support fully encrypted operating system drives, BitLocker uses an unencrypted system partition for the files required to boot, decrypt, and load the operating system. This volume is automatically created during a new installation of both client and server operating systems.
-
-If the drive was prepared as a single contiguous space, BitLocker requires a new volume to hold the boot files. BdeHdCfg.exe can create these volumes.
-
-> [!NOTE]
-> For more info about using this tool, see [Bdehdcfg](/windows-server/administration/windows-commands/bdehdcfg) in the Command-Line Reference.
-
-BitLocker encryption can be enabled and managed using the following methods:
-
-- BitLocker control panel
-- Windows Explorer
-- `manage-bde.exe` command-line interface
-- BitLocker Windows PowerShell cmdlets
-
-### Encrypting volumes using the BitLocker control panel
-
-Encrypting volumes with the BitLocker control panel (select **Start**, enter `Bitlocker`, select **Manage BitLocker**) is how many users will use BitLocker. The name of the BitLocker control panel is BitLocker Drive Encryption. The BitLocker control panel supports encrypting operating system, fixed data, and removable data volumes. The BitLocker control panel will organize available drives in the appropriate category based on how the device reports itself to Windows. Only formatted volumes with assigned drive letters will appear properly in the BitLocker control panel applet.
-
-To start encryption for a volume, select **Turn on BitLocker** for the appropriate drive to initialize the **BitLocker Drive Encryption Wizard**. **BitLocker Drive Encryption Wizard** options vary based on volume type (operating system volume or data volume).
-
-#### Operating system volume
-
-For the operating system volume the **BitLocker Drive Encryption Wizard** presents several screens that prompt for options while it performs several actions:
-
-1. When the **BitLocker Drive Encryption Wizard** first launches, it verifies the computer meets the BitLocker system requirements for encrypting an operating system volume. By default, the system requirements are:
-
- |Requirement|Description|
- |--- |--- |
- |Hardware configuration|The computer must meet the minimum requirements for the supported Windows versions.|
- |Operating system|BitLocker is an optional feature that can be installed by Server Manager on Windows Server 2012 and later.|
- |Hardware TPM|TPM version 1.2 or 2.0.
A TPM isn't required for BitLocker; however, only a computer with a TPM can provide the additional security of pre-startup system integrity verification and multifactor authentication.|
- |UEFI firmware/BIOS configuration|
A Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware.
The boot order must be set to start first from the hard disk, and not the USB or CD drives.
The firmware must be able to read from a USB flash drive during startup.
|
- |File system| One FAT32 partition for the system drive and one NTFS partition for the operating system drive. This requirement is applicable for computers that boot natively with UEFI firmware. For computers with legacy BIOS firmware, at least two NTFS disk partitions, one for the system drive and one for the operating system drive. For either firmware, the system drive partition must be at least 350 megabytes (MB) and set as the active partition.|
- |Hardware encrypted drive prerequisites (optional)|To use a hardware encrypted drive as the boot drive, the drive must be in the uninitialized state and in the security inactive state. In addition, the system must always boot with native UEFI version 2.3.1 or higher and the CSM (if any) disabled.|
-
- If the volume doesn't pass the initial configuration for BitLocker, the user is presented with an error dialog describing the appropriate actions to be taken.
-
-2. Upon passing the initial configuration, users may be prompted to enter a password for the volume, for example, if a TPM isn't available. If a TPM is available, the password screen will be skipped.
-
-3. After the initial configuration/password screens, a recovery key will be generated. The **BitLocker Drive Encryption Wizard** will prompt for a location to save the recovery key. A BitLocker recovery key is a special key that is created when BitLocker Drive Encryption is turned on for the first time on each drive that is encrypted. The recovery key can be used to gain access to the computer if:
-
- - The drive that Windows is installed on (the operating system drive) is encrypted using BitLocker Drive Encryption
- - BitLocker detects a condition that prevents it from unlocking the drive when the computer is starting up
-
- A recovery key can also be used to gain access to the files and folders on a removable data drive (such as an external hard drive or USB flash drive) that is encrypted using BitLocker To Go, if for some reason the password is forgotten or the computer can't access the drive.
-
- The recovery key can be stored using the following methods:
-
- - **Save to your Microsoft Entra account** (if applicable)
- - **Save to a USB flash drive**
- - **Save to a file** - the file needs to be saved to a location that isn't on the computer itself such as a network folder or OneDrive
- - **Print the recovery key**
-
- The recovery key can't be stored at the following locations:
-
- - The drive being encrypted
- - The root directory of a non-removable/fixed drive
- - An encrypted volume
-
- > [!TIP]
- > Ideally, a computer's recovery key should be stored separate from the computer itself.
-
- > [!NOTE]
- > After a recovery key is created, the BitLocker control panel can be used to make additional copies of the recovery key.
-
-4. The **BitLocker Drive Encryption Wizard** will then prompt how much of the drive to encrypt. The **BitLocker Drive Encryption Wizard** will have two options that determine how much of the drive is encrypted:
-
- - **Encrypt used disk space only** - Encrypts only disk space that contains data.
- - **Encrypt entire drive** - Encrypts the entire volume including free space. Also known as full disk encryption.
-
- Each of the methods is recommended in the following scenarios:
-
- - **Encrypt used disk space only**:
-
- - The drive has never had data
- - Formatted or erased drives that in the past have never had confidential data that was never encrypted
-
- - **Encrypt entire drive** (full disk encryption):
-
- - Drives that currently have data
- - Drives that currently have an operating system
- - Formatted or erased drives that in the past had confidential data that was never encrypted
-
- > [!IMPORTANT]
- > Deleted files appear as free space to the file system, which isn't encrypted by **used disk space only**. Until they are wiped or overwritten, deleted files hold information that could be recovered with common data forensic tools.
-
-5. The **BitLocker Drive Encryption Wizard** will then prompt for an encryption mode:
-
- - **New encryption mode**
- - **Compatible mode**
-
- Normally **New encryption mode** should be chosen, but if the drive will be potentially moved to another computer with an older Windows operating system, then select **Compatible mode**.
-
-6. After selecting an encryption mode, the **BitLocker Drive Encryption Wizard** will give the option of running a BitLocker system check via the option **Run BitLocker system check**. This system check will ensure that BitLocker can properly access the recovery and encryption keys before the volume encryption begins. it's recommended run this system check before starting the encryption process. If the system check isn't run and a problem is encountered when the operating system attempts to start, the user will need to provide the recovery key to start Windows.
-
-After completing the system check (if selected), the **BitLocker Drive Encryption Wizard** will begin encryption. A reboot may be initiated to start encryption. If a reboot was initiated, if there was no TPM and a password was specified, the password will need to be entered to boot into the operating system volume.
-
-Users can check encryption status by checking the system notification area or the BitLocker control panel.
-
-Until encryption is completed, the only available options for managing BitLocker involve manipulation of the password protecting the operating system volume, backing up the recovery key, and turning off BitLocker.
-
-#### Data volume
-
-Encrypting data volumes using the BitLocker control panel works in a similar fashion to encryption of the operating system volumes. Users select **Turn on BitLocker** within the BitLocker control panel to begin the **BitLocker Drive Encryption Wizard**.
-
-1. Upon launching the **BitLocker Drive Encryption Wizard**, unlike for operating system volumes, data volumes aren't required to pass any configuration tests for the **BitLocker Drive Encryption Wizard** to proceed
-
-2. A choice of authentication methods to unlock the drive appears. The available options are:
-
- - **Use a password to unlock the drive**
- - **Use my smart card to unlock the drive**
- - **Automatically unlock this drive on this computer** - Disabled by default but if enabled, this option will unlock the data volume without user input when the operating system volume is unlocked.
-
-3. The **BitLocker Drive Encryption Wizard** presents options for storage of the recovery key. These options are the same as for operating system volumes:
-
- - **Save to your Microsoft Entra account** (if applicable)
- - **Save to a USB flash drive**
- - **Save to a file** - the file needs to be saved to a location that isn't on the computer itself such as a network folder or OneDrive
- - **Print the recovery key**
-
-4. After saving the recovery key, the **BitLocker Drive Encryption Wizard** will show available options for encryption. These options are the same as for operating system volumes:
-
- - **Encrypt used disk space only** - Encrypts only disk space that contains data.
- - **Encrypt entire drive** - Encrypts the entire volume including free space. Also known as full disk encryption.
-
-5. The **BitLocker Drive Encryption Wizard** will then prompt for an encryption mode:
-
- - **New encryption mode**
- - **Compatible mode**
-
- Normally **New encryption mode** should be chosen, but if the drive will be potentially moved to another computer with an older Windows operating system, then select **Compatible mode**.
-
-6. The **BitLocker Drive Encryption Wizard** will display a final confirmation screen before the encryption process begins. Selecting **Start encrypting** begins encryption.
-
-Encryption status displays in the notification area or within the BitLocker control panel.
-
-### OneDrive option
-
-There's an option for storing the BitLocker recovery key using OneDrive. This option requires that computers aren't members of a domain and that the user is using a Microsoft Account. Local accounts don't give the option to use OneDrive. Using the OneDrive option is the default recommended recovery key storage method for computers that aren't joined to a domain.
-
-Users can verify whether the recovery key was saved properly by checking OneDrive for the BitLocker folder. The BitLocker folder on OneDrive is created automatically during the save process. The folder will contain two files, a `readme.txt` and the recovery key. For users storing more than one recovery password on their OneDrive, they can identify the required recovery key by looking at the file name. The recovery key ID is appended to the end of the file name.
-
-### Using BitLocker within Windows Explorer
-
-Windows Explorer allows users to launch the **BitLocker Drive Encryption Wizard** by right-clicking a volume and selecting **Turn On BitLocker**. This option is available on client computers by default. On servers, the BitLocker feature and the Desktop-Experience feature must first be installed for this option to be available. After selecting **Turn on BitLocker**, the wizard works exactly as it does when launched using the BitLocker control panel.
-
-## Down-level compatibility
-
-The following table shows the compatibility matrix for systems that have been BitLocker enabled and then presented to a different version of Windows.
-
-Table 1: Cross compatibility for Windows 11, Windows 10, Windows 8.1, Windows 8, and Windows 7 encrypted volumes
-
-|Encryption Type|Windows 11, Windows 10, and Windows 8.1|Windows 8|Windows 7|
-|---|---|---|---|
-|Fully encrypted on Windows 8|Presents as fully encrypted|N/A|Presented as fully encrypted|
-|Used Disk Space Only encrypted on Windows 8|Presents as encrypt on write|N/A|Presented as fully encrypted|
-|Fully encrypted volume from Windows 7|Presents as fully encrypted|Presented as fully encrypted|N/A|
-|Partially encrypted volume from Windows 7|Windows 11, Windows 10, and Windows 8.1 will complete encryption regardless of policy|Windows 8 will complete encryption regardless of policy|N/A|
-
-## Encrypting volumes using the `manage-bde.exe` command-line interface
-
-`Manage-bde.exe` is a command-line utility that can be used for scripting BitLocker operations. `Manage-bde.exe` offers additional options not displayed in the BitLocker control panel. For a complete list of the options, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde).
-
-`Manage-bde.exe` offers a multitude of wider options for configuring BitLocker. Using the command syntax may require care. For example, using just the `manage-bde.exe -on` command on a data volume will fully encrypt the volume without any authenticating protectors. A volume encrypted in this manner still requires user interaction to turn on BitLocker protection, even though the command successfully completed. For the volume to be fully protected, an authentication method needs to also be added to the volume in addition to running the `manage-bde.exe`command.
-
-Command-line users need to determine the appropriate syntax for a given situation. The following section covers general encryption for operating system volumes and data volumes.
-
-### Operating system volume commands
-
-Listed below are examples of basic valid commands for operating system volumes. In general, using only the `manage-bde.exe -on ` command encrypts the operating system volume with a TPM-only protector and no recovery key. However, many environments require more secure protectors such as passwords or PIN and expect to be able to recover information with a recovery key.
-
-#### Determining volume status
-
-A good practice when using `manage-bde.exe` is to determine the volume status on the target system. Use the following command to determine volume status:
-
-`manage-bde.exe -status`
-
-This command returns the volumes on the target, current encryption status, and volume type (operating system or data) for each volume. Using this information, users can determine the best encryption method for their environment.
-
-#### Enabling BitLocker without a TPM
-
-Suppose BitLocker is desired on a computer without a TPM. In this scenario, a USB flash drive is needed as a startup key for the operating system volume. The startup key will then allow the computer to boot. To create the startup key using `manage-bde.exe`, the `-protectors` switch would be used specifying the `-startupkey` option. Assuming the USB flash drive is drive letter `E:`, then the following `manage-bde.exe` commands would be used t create the startup key and start the BitLocker encryption:
-
-```powershell
-manage-bde.exe -protectors -add C: -startupkey E:
-manage-bde.exe -on C:
-```
-
-If prompted, reboot the computer to complete the encryption process.
-
-#### Enabling BitLocker with a TPM only
-
-It's possible to encrypt the operating system volume without any defined protectors by using `manage-bde.exe`. Use this command:
-
-```cmd
-manage-bde.exe -on C:
-```
-
-This command will encrypt the drive using the TPM as the protector. If users are unsure of the protector for a volume, they can use the `-protectors` option in `manage-bde.exe` to list this information by executing the following command:
-
-```cmd
-manage-bde.exe -protectors -get
-```
-
-#### Provisioning BitLocker with two protectors
-
-Another example is a user on a non-TPM hardware who wishes to add a password and SID-based protector to the operating system volume. In this instance, the user adds the protectors first. Adding the protectors is done with the command:
-
-```cmd
-manage-bde.exe -protectors -add C: -pw -sid
-```
-
-This command requires the user to enter and then confirm the password protectors before adding them to the volume. With the protectors enabled on the volume, the user just needs to turn on BitLocker.
-
-### Data volume commands
-
-Data volumes use the same syntax for encryption as operating system volumes but they don't require protectors for the operation to complete. Encrypting data volumes can be done using the base command:
-
-```cmd
-manage-bde.exe -on
-```
-
-Or users can choose to add protectors to the volume. It is recommended to add at least one primary protector and a recovery protector to a data volume.
-
-#### Enabling BitLocker with a password
-
-A common protector for a data volume is the password protector. In the example below, a password protector is added to the volume and turn on BitLocker.
-
-```powershell
-manage-bde.exe -protectors -add -pw C:
-manage-bde.exe -on C:
-```
-
-## Encrypting volumes using the BitLocker Windows PowerShell cmdlets
-
-Windows PowerShell cmdlets provide an alternative way to work with BitLocker. Using Windows PowerShell's scripting capabilities, administrators can integrate BitLocker options into existing scripts with ease. The list below displays the available BitLocker cmdlets.
-
-|Name|Parameters|
-|--- |--- |
-|**Add-BitLockerKeyProtector**|
ADAccountOrGroup
ADAccountOrGroupProtector
Confirm
MountPoint
Password
PasswordProtector
Pin
RecoveryKeyPath
RecoveryKeyProtector
RecoveryPassword
RecoveryPasswordProtector
Service
StartupKeyPath
StartupKeyProtector
TpmAndPinAndStartupKeyProtector
TpmAndPinProtector
TpmAndStartupKeyProtector
TpmProtector
WhatIf|
-|**Backup-BitLockerKeyProtector**|
Confirm
KeyProtectorId
MountPoint
WhatIf|
-|**Disable-BitLocker**|
Confirm
MountPoint
WhatIf|
-|**Disable-BitLockerAutoUnlock**|
Confirm
MountPoint
WhatIf|
-|**Enable-BitLocker**|
AdAccountOrGroup
AdAccountOrGroupProtector
Confirm
EncryptionMethod
HardwareEncryption
Password
PasswordProtector
Pin
RecoveryKeyPath
RecoveryKeyProtector
RecoveryPassword
RecoveryPasswordProtector
Service
SkipHardwareTest
StartupKeyPath
StartupKeyProtector
TpmAndPinAndStartupKeyProtector
TpmAndPinProtector
TpmAndStartupKeyProtector
TpmProtector
UsedSpaceOnly
WhatIf|
-|**Enable-BitLockerAutoUnlock**|
Confirm
MountPoint
WhatIf|
-|**Get-BitLockerVolume**|
MountPoint|
-|**Lock-BitLocker**|
Confirm
ForceDismount
MountPoint
WhatIf|
-|**Remove-BitLockerKeyProtector**|
Confirm
KeyProtectorId
MountPoint
WhatIf|
-|**Resume-BitLocker**|
Confirm
MountPoint
WhatIf|
-|**Suspend-BitLocker**|
Confirm
MountPoint
RebootCount
WhatIf|
-|**Unlock-BitLocker**|
AdAccountOrGroup
Confirm
MountPoint
Password
RecoveryKeyPath
RecoveryPassword
RecoveryPassword
WhatIf|
-
-Similar to `manage-bde.exe`, the Windows PowerShell cmdlets allow configuration beyond the options offered in the control panel. As with `manage-bde.exe`, users need to consider the specific needs of the volume they're encrypting prior to running Windows PowerShell cmdlets.
-
-A good initial step is to determine the current state of the volume(s) on the computer. You can do this using the `Get-BitLocker` volume PowerShell cmdlet. The output from this cmdlet displays information on the volume type, protectors, protection status, and other useful information.
-
-Occasionally, all protectors may not be shown when using **Get-BitLockerVolume** due to lack of space in the output display. If all of the protectors for a volume aren't seen, the Windows PowerShell pipe command (`|`) can be used to format a listing of the protectors.
-
-> [!NOTE]
-> In the event that there are more than four protectors for a volume, the pipe command may run out of display space. For volumes with more than four protectors, use the method described in the section below to generate a listing of all protectors with protector ID.
-
-```powershell
-Get-BitLockerVolume C: | fl
-```
-
-If the existing protectors need to be removed prior to provisioning BitLocker on the volume, the `Remove-BitLockerKeyProtector` cmdlet can be used. Accomplishing this action requires the GUID associated with the protector to be removed.
-A simple script can pipe out the values of each **Get-BitLockerVolume** return to another variable as seen below:
-
-```powershell
-$vol = Get-BitLockerVolume
-$keyprotectors = $vol.KeyProtector
-```
-
-Using this script, the information in the **$keyprotectors** variable can be displayed to determine the GUID for each protector. This information can then be used to remove the key protector for a specific volume using the command:
-
-```powershell
-Remove-BitLockerKeyProtector : -KeyProtectorID "{GUID}"
-```
-
-> [!NOTE]
-> The BitLocker cmdlet requires the key protector GUID (enclosed in quotation marks) to execute. Ensure the entire GUID, with braces, is included in the command.
-
-### Operating system volume PowerShell cmdlets
-
-Using the BitLocker Windows PowerShell cmdlets is similar to working with the `manage-bde.exe` tool for encrypting operating system volumes. Windows PowerShell offers users flexibility. For example, users can add the desired protector as part command for encrypting the volume. Below are examples of common user scenarios and steps to accomplish them using the BitLocker cmdlets for Windows PowerShell.
-
-To enable BitLocker with just the TPM protector, use this command:
-
-```powershell
-Enable-BitLocker C:
-```
-
-The example below adds one additional protector, the StartupKey protectors, and chooses to skip the BitLocker hardware test. In this example, encryption starts immediately without the need for a reboot.
-
-```powershell
-Enable-BitLocker C: -StartupKeyProtector -StartupKeyPath -SkipHardwareTest
-```
-
-### Data volume PowerShell cmdlets
-
-Data volume encryption using Windows PowerShell is the same as for operating system volumes. You should add the desired protectors prior to encrypting the volume. The following example adds a password protector to the E: volume using the variable $pw as the password. The $pw variable is held as a SecureString value to store the user-defined password. Last, encryption begins.
-
-```powershell
-$pw = Read-Host -AsSecureString
-
-Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw
-```
-
-### Using an SID-based protector in Windows PowerShell
-
-The **ADAccountOrGroup** protector is an Active Directory SID-based protector. This protector can be added to both operating system and data volumes, although it doesn't unlock operating system volumes in the pre-boot environment. The protector requires the SID for the domain account or group to link with the protector. BitLocker can protect a cluster-aware disk by adding an SID-based protector for the Cluster Name Object (CNO) that lets the disk properly failover and unlock to any member computer of the cluster.
-
-> [!WARNING]
-> The SID-based protector requires the use of an additional protector such as TPM, PIN, recovery key, etc. when used on operating system volumes.
-
-To add an **ADAccountOrGroup** protector to a volume, either the domain SID is needed or the group name preceded by the domain and a backslash. In the example below, the **CONTOSO\\Administrator** account is added as a protector to the data volume G.
-
-```powershell
-Enable-BitLocker G: -AdAccountOrGroupProtector -AdAccountOrGroup CONTOSO\Administrator
-```
-
-For users who wish to use the SID for the account or group, the first step is to determine the SID associated with the account. To get the specific SID for a user account in Windows PowerShell, use the following command:
-
-```powershell
-Get-ADUser -filter {samaccountname -eq "administrator"}
-```
-
-> [!NOTE]
-> Use of this command requires the RSAT-AD-PowerShell feature.
-
-> [!TIP]
-> In addition to the Windows PowerShell command above, information about the locally logged on user and group membership can be found using: `WHOAMI /ALL`. This doesn't require the use of additional features.
-
-In the example below, the user wishes to add a domain SID-based protector to the previously encrypted operating system volume. The user knows the SID for the user account or group they wish to add and uses the following command:
-
-```powershell
-Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup ""
-```
-
-> [!NOTE]
-> Active Directory-based protectors are normally used to unlock Failover Cluster-enabled volumes.
-
-## Checking BitLocker status
-
-To check the BitLocker status of a particular volume, administrators can look at the status of the drive in the BitLocker control panel applet, Windows Explorer, `manage-bde.exe` command-line tool, or Windows PowerShell cmdlets. Each option offers different levels of detail and ease of use. We'll look at each of the available methods in the following section.
-
-### Checking BitLocker status with the control panel
-
-Checking BitLocker status with the control panel is the most common method used by most users. Once opened, the status for each volume is displayed next to the volume description and drive letter. Available status return values with the control panel include:
-
-| Status | Description |
-| - | - |
-| **On**|BitLocker is enabled for the volume |
-| **Off**| BitLocker isn't enabled for the volume |
-| **Suspended** | BitLocker is suspended and not actively protecting the volume |
-| **Waiting for Activation**| BitLocker is enabled with a clear protector key and requires further action to be fully protected|
-
-If a drive is pre-provisioned with BitLocker, a status of "Waiting for Activation" displays with a yellow exclamation icon on the volume. This status means that there was only a clear protector used when encrypting the volume. In this case, the volume isn't in a protected state and needs to have a secure key added to the volume before the drive is fully protected. Administrators can use the control panel, `manage-bde.exe` tool, or WMI APIs to add an appropriate key protector. Once complete, the control panel will update to reflect the new status.
-
-Using the control panel, administrators can choose **Turn on BitLocker** to start the BitLocker Drive Encryption wizard and add a protector, like PIN for an operating system volume (or password if no TPM exists), or a password or smart card protector to a data volume.
-The drive security window displays prior to changing the volume status. Selecting **Activate BitLocker** will complete the encryption process.
-
-Once BitLocker protector activation is completed, the completion notice is displayed.
-
-### Checking BitLocker status with `manage-bde.exe`
-
-Administrators who prefer a command-line interface can utilize `manage-bde.exe` to check volume status. Manage-bde is capable of returning more information about the volume than the graphical user interface tools in the control panel. For example, `manage-bde.exe` can display the BitLocker version in use, the encryption type, and the protectors associated with a volume.
-
-To check the status of a volume using `manage-bde.exe`, use the following command:
-
-```powershell
-manage-bde.exe -status
-```
-
-> [!NOTE]
-> If no volume letter is associated with the -status command, all volumes on the computer display their status.
-
-### Checking BitLocker status with Windows PowerShell
-
-Windows PowerShell commands offer another way to query BitLocker status for volumes. Like `manage-bde.exe`, Windows PowerShell includes the advantage of being able to check the status of a volume on a remote computer.
-
-Using the Get-BitLockerVolume cmdlet, each volume on the system displays its current BitLocker status. To get information that is more detailed on a specific volume, use the following command:
-
-```powershell
-Get-BitLockerVolume -Verbose | fl
-```
-
-This command displays information about the encryption method, volume type, key protectors, and more.
-
-### Provisioning BitLocker during operating system deployment
-
-Administrators can enable BitLocker prior to operating system deployment from the Windows Pre-installation environment. Enabling BitLocker prior to the operating system deployment is done with a randomly generated clear key protector applied to the formatted volume and by encrypting the volume prior to running the Windows setup process. If the encryption uses the **Used Disk Space Only** option described later in this document, this step takes only a few seconds and incorporates well into regular deployment processes.
-
-### Decrypting BitLocker volumes
-
-Decrypting volumes removes BitLocker and any associated protectors from the volumes. Decryption should occur when protection is no longer required. BitLocker decryption shouldn't occur as a troubleshooting step. BitLocker can be removed from a volume using the BitLocker control panel applet, `manage-bde.exe`, or Windows PowerShell cmdlets. We'll discuss each method further below.
-
-### Decrypting volumes using the BitLocker control panel applet
-
-BitLocker decryption using the control panel is done using a wizard. The control panel can be called from Windows Explorer or by opening it directly. After opening the BitLocker control panel, users will select the **Turn off BitLocker** option to begin the process.
-After selecting the **Turn off BitLocker** option, the user chooses to continue by clicking the confirmation dialog. With **Turn off BitLocker** confirmed, the drive decryption process begins and reports status to the control panel.
-
-The control panel doesn't report decryption progress but displays it in the notification area of the task bar. Selecting the notification area icon will open a modal dialog with progress.
-
-Once decryption is complete, the drive updates its status in the control panel and becomes available for encryption.
-
-### Decrypting volumes using the `manage-bde.exe` command-line interface
-
-Decrypting volumes using `manage-bde.exe` is straightforward. Decryption with `manage-bde.exe` offers the advantage of not requiring user confirmation to start the process. Manage-bde uses the -off command to start the decryption process. A sample command for decryption is:
-
-```powershell
-manage-bde.exe -off C:
-```
-
-This command disables protectors while it decrypts the volume and removes all protectors when decryption is complete. If users wish to check the status of the decryption, they can use the following command:
-
-```powershell
-manage-bde.exe -status C:
-```
-
-### Decrypting volumes using the BitLocker Windows PowerShell cmdlets
-
-Decryption with Windows PowerShell cmdlets is straightforward, similar to `manage-bde.exe`. Windows PowerShell offers the ability to decrypt multiple drives in one pass. In the example below, the user has three encrypted volumes, which they wish to decrypt.
-
-Using the Disable-BitLocker command, they can remove all protectors and encryption at the same time without the need for more commands. An example of this command is:
-
-```powershell
-Disable-BitLocker
-```
-
-If a user didn't want to input each mount point individually, using the `-MountPoint` parameter in an array can sequence the same command into one line without requiring additional user input. An example command is:
-
-```powershell
-Disable-BitLocker -MountPoint E:,F:,G:
-```
-
-## Related articles
-
-- [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
-- [BitLocker recovery guide](bitlocker-recovery-guide-plan.md)
-- [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md)
-- [BitLocker overview](index.md)
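Review bot: Several of the command examples removed in this hunk carry defects that should not be carried over if this content is being relocated rather than dropped. `Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw` is not a cmdlet in the table this same hunk removes (the table lists `Add-BitLockerKeyProtector` and `Enable-BitLocker`, either of which takes `-PasswordProtector -Password`); `Remove-BitLockerKeyProtector : -KeyProtectorID "{GUID}"` is missing the drive letter in front of the colon; `Enable-BitLocker C: -StartupKeyProtector -StartupKeyPath -SkipHardwareTest` leaves `-StartupKeyPath` without the path argument it requires; the prose reference to the "`Get-BitLocker` volume PowerShell cmdlet" should read `Get-BitLockerVolume`; and the `Unlock-BitLocker` row lists `RecoveryPassword` twice. The security caveat in the `manage-bde.exe` section, that `manage-bde.exe -on` alone leaves a volume encrypted but unprotected until a protector is added (the "Waiting for Activation" state described later in the same hunk), is worth preserving verbatim wherever the successor text lives, since it is the one place this page tells an administrator that a successful command does not mean a protected volume.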
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-countermeasures.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-countermeasures.md
deleted file mode 100644
index 46118e83d3..0000000000
--- a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-countermeasures.md
+++ /dev/null
@@ -1,183 +0,0 @@
----
-title: BitLocker Countermeasures
-description: Windows uses technologies including TPM, Secure Boot, Trusted Boot, and Early Launch Anti-malware (ELAM) to protect against attacks on the BitLocker encryption key.
-ms.topic: conceptual
-ms.date: 11/08/2022
----
-
-# BitLocker Countermeasures
-
-Windows uses technologies including trusted platform module (TPM), secure boot, and measured boot to help protect BitLocker encryption keys against attacks. BitLocker is part of a strategic approach to securing data against offline attacks through encryption technology. Data on a lost or stolen computer is vulnerable. For example, there could be unauthorized access, either by running a software attack tool against the computer or by transferring the computer's hard disk to a different computer.
-
-BitLocker helps mitigate unauthorized data access on lost or stolen computers before the authorized operating system is started. This mitigation is done by:
-
-- **Encrypting volumes on a computer.** For example, BitLocker can be turned on for the operating system volume, a volume on a fixed drive. or removable data drive (such as a USB flash drive, SD card, etc.) Turning on BitLocker for the operating system volume encrypts all system files on the volume, including the paging files and hibernation files. The only exception is for the System partition, which includes the Windows Boot Manager and minimal boot collateral required for decryption of the operating system volume after the key is unsealed.
-
-- **Ensuring the integrity of early boot components and boot configuration data.** On devices that have a TPM version 1.2 or higher, BitLocker uses the enhanced security capabilities of the TPM to make data accessible only if the computer's BIOS firmware code and configuration, original boot sequence, boot components, and BCD configuration all appear unaltered and the encrypted disk is located in the original computer. On systems that use TPM PCR[7], BCD setting changes deemed safe are permitted to improve usability.
-
-The next sections provide more details about how Windows protects against various attacks on the BitLocker encryption keys in Windows 11, Windows 10, Windows 8.1, and Windows 8.
-
-For more information about how to enable the best overall security configuration for devices beginning with Windows 10 version 1803, see [Standards for a highly secure Windows device](/windows-hardware/design/device-experiences/oem-highly-secure).
-
-## Protection before startup
-
-Before Windows starts, security features implemented as part of the device hardware and firmware must be relied on, including TPM and secure boot. Fortunately, many modern computers feature a TPM and secure boot.
-
-### Trusted Platform Module
-
-A trusted platform module (TPM) is a microchip designed to provide basic security-related functions, primarily involving encryption keys. On some platforms, TPM can alternatively be implemented as a part of secure firmware. BitLocker binds encryption keys with the TPM to ensure that a computer hasn't been tampered with while the system was offline. For more info about TPM, see [Trusted Platform Module](/windows/device-security/tpm/trusted-platform-module-overview).
-
-### UEFI and secure boot
-
-Unified Extensible Firmware Interface (UEFI) is a programmable boot environment that initializes devices and starts the operating system's bootloader.
-
-The UEFI specification defines a firmware execution authentication process called [Secure Boot](../../system-security/secure-the-windows-10-boot-process.md). Secure Boot blocks untrusted firmware and bootloaders (signed or unsigned) from being able to start on the system.
-
-By default, BitLocker provides integrity protection for Secure Boot by utilizing the TPM PCR[7] measurement. An unauthorized EFI firmware, EFI boot application, or bootloader can't run and acquire the BitLocker key.
-
-### BitLocker and reset attacks
-
-To defend against malicious reset attacks, BitLocker uses the TCG Reset Attack Mitigation, also known as MOR bit (Memory Overwrite Request), before extracting keys into memory.
-
->[!NOTE]
->This does not protect against physical attacks where an attacker opens the case and attacks the hardware.
-
-## Security policies
-
-The next sections cover pre-boot authentication and DMA policies that can provide additional protection for BitLocker.
-
-### Pre-boot authentication
-
-Pre-boot authentication with BitLocker is a policy setting that requires the use of either user input, such as a PIN, a startup key, or both to authenticate prior to making the contents of the system drive accessible. The Group Policy setting is [Require additional authentication at startup](bitlocker-group-policy-settings.md) and the corresponding setting in the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp) is SystemDrivesRequireStartupAuthentication.
-
-BitLocker accesses and stores the encryption keys in memory only after pre-boot authentication is completed. If Windows can't access the encryption keys, the device can't read or edit the files on the system drive. The only option for bypassing pre-boot authentication is entering the recovery key.
-
-Pre-boot authentication is designed to prevent the encryption keys from being loaded to system memory without the trusted user supplying another authentication factor such as a PIN or startup key. This feature helps mitigate DMA and memory remanence attacks.
-
-On computers with a compatible TPM, operating system drives that are BitLocker-protected can be unlocked in four ways:
-
-- **TPM-only.** Using TPM-only validation doesn't require any interaction with the user to unlock and provide access to the drive. If the TPM validation succeeds, the user sign-in experience is the same as a standard sign-in. If the TPM is missing or changed or if BitLocker detects changes to the BIOS or UEFI code or configuration, critical operating system startup files, or the boot configuration, BitLocker enters recovery mode, and the user must enter a recovery password to regain access to the data. This option is more convenient for sign-in but less secure than the other options, which require an additional authentication factor.
-
-- **TPM with startup key.** In addition to the protection that the TPM-only provides, part of the encryption key is stored on a USB flash drive, referred to as a startup key. Data on the encrypted volume can't be accessed without the startup key.
-
-- **TPM with PIN.** In addition to the protection that the TPM provides, BitLocker requires that the user enters a PIN. Data on the encrypted volume can't be accessed without entering the PIN. TPMs also have [anti-hammering protection](/windows/security/hardware-protection/tpm/tpm-fundamentals#anti-hammering) that is designed to prevent brute force attacks that attempt to determine the PIN.
-
-- **TPM with startup key and PIN.** In addition to the core component protection that the TPM-only provides, part of the encryption key is stored on a USB flash drive, and a PIN is required to authenticate the user to the TPM. This configuration provides multifactor authentication so that if the USB key is lost or stolen, it can't be used for access to the drive, because the correct PIN is also required.
-
-In the following group policy example, TPM + PIN is required to unlock an operating system drive:
-
-
-
-Pre-boot authentication with a PIN can mitigate an attack vector for devices that use a bootable eDrive because an exposed eDrive bus can allow an attacker to capture the BitLocker encryption key during startup. Pre-boot authentication with a PIN can also mitigate DMA port attacks during the window of time between when BitLocker unlocks the drive and Windows boots to the point that Windows can set any port-related policies that have been configured.
-
-On the other hand, Pre-boot authentication-prompts can be inconvenient to users. In addition, users who forget their PIN or lose their startup key are denied access to their data until they can contact their organization's support team to obtain a recovery key. Pre-boot authentication can also make it more difficult to update unattended desktops and remotely administered servers because a PIN needs to be entered when a computer reboots or resumes from hibernation.
-
-To address these issues, [BitLocker Network Unlock](bitlocker-how-to-enable-network-unlock.md) can be deployed. Network Unlock allows systems within the physical enterprise security perimeter that meet the hardware requirements and have BitLocker enabled with TPM+PIN to boot into Windows without user intervention. It requires direct ethernet connectivity to an enterprise Windows Deployment Services (WDS) server.
-
-### Protecting Thunderbolt and other DMA ports
-
-There are a few different options to protect DMA ports, such as Thunderbolt™3. Beginning with Windows 10 version 1803, new Intel-based devices have kernel protection against DMA attacks via Thunderbolt™ 3 ports enabled by default. This Kernel DMA Protection is available only for new systems beginning with Windows 10 version 1803, as it requires changes in the system firmware and/or BIOS.
-
-You can use the System Information desktop app `MSINFO32.exe` to check if a device has kernel DMA protection enabled:
-
-
-
-If kernel DMA protection isn't enabled, follow these steps to protect Thunderbolt™ 3 enabled ports:
-
-1. Require a password for BIOS changes
-
-2. Intel Thunderbolt Security must be set to User Authorization in BIOS settings. Refer to [Intel Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating System documentation](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf)
-
-3. Additional DMA security may be added by deploying policy (beginning with Windows 10 version 1607 or Windows 11):
-
- - MDM: [DataProtection/AllowDirectMemoryAccess](/windows/client-management/mdm/policy-csp-dataprotection#dataprotection-allowdirectmemoryaccess) policy
-
- - Group Policy: [Disable new DMA devices when this computer is locked](bitlocker-group-policy-settings.md#disable-new-dma-devices-when-this-computer-is-locked) (This setting isn't configured by default.)
-
-For Thunderbolt v1 and v2 (DisplayPort Connector), refer to the **Thunderbolt Mitigation** section in [Blocking the SBP-2 driver and Thunderbolt controllers to reduce 1394 DMA and Thunderbolt DMA threats to BitLocker](https://support.microsoft.com/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d). For SBP-2 and 1394 (also known as Firewire), refer to the **SBP-2 Mitigation** section in [Blocking the SBP-2 driver and Thunderbolt controllers to reduce 1394 DMA and Thunderbolt DMA threats to BitLocker](https://support.microsoft.com/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d).
-
-## Attack countermeasures
-
-This section covers countermeasures for specific types of attacks.
-
-### Bootkits and rootkits
-
-A physically present attacker might attempt to install a bootkit or rootkit-like piece of software into the boot chain in an attempt to steal the BitLocker keys. The TPM should observe this installation via PCR measurements, and the BitLocker key won't be released.
-
-> [!NOTE]
-> BitLocker protects against this attack by default.
-
-A BIOS password is recommended for defense-in-depth in case a BIOS exposes settings that may weaken the BitLocker security promise. Intel Boot Guard and AMD Hardware Verified Boot support stronger implementations of Secure Boot that provide additional resilience against malware and physical attacks. Intel Boot Guard and AMD Hardware Verified Boot are part of platform boot verification [standards for a highly secure Windows device](/windows-hardware/design/device-experiences/oem-highly-secure).
-
-### Brute force attacks against a PIN
-
-Require TPM + PIN for anti-hammering protection.
-
-### DMA attacks
-
-See [Protecting Thunderbolt and other DMA ports](#protecting-thunderbolt-and-other-dma-ports) earlier in this article.
-
-### Paging file, crash dump, and Hyberfil.sys attacks
-
-These files are secured on an encrypted volume by default when BitLocker is enabled on OS drives. It also blocks automatic or manual attempts to move the paging file.
-
-### Memory remanence
-
-Enable secure boot and mandatorily prompt a password to change BIOS settings. For customers requiring protection against these advanced attacks, configure a TPM+PIN protector, disable Standby power management, and shut down or hibernate the device before it leaves the control of an authorized user.
-
-### Tricking BitLocker to pass the key to a rogue operating system
-
-An attacker might modify the boot manager configuration database (BCD) which is stored on a non-encrypted partition and add an entry point to a rogue operating system on a different partition. During the boot process, BitLocker code will make sure that the operating system that the encryption key obtained from the TPM is given to, is cryptographically verified to be the intended recipient. Because this strong cryptographic verification already exists, we don't recommend storing a hash of a disk partition table in Platform Configuration Register (PCR) 5.
-
-An attacker might also replace the entire operating system disk while preserving the platform hardware and firmware and could then extract a protected BitLocker key blob from the metadata of the victim OS partition. The attacker could then attempt to unseal that BitLocker key blob by calling the TPM API from an operating system under their control. This will not succeed because when Windows seals the BitLocker key to the TPM, it does it with a PCR 11 value of 0, and to successfully unseal the blob, PCR 11 in the TPM must have a value of 0. However, when the boot manager passes the control to any boot loader (legitimate or rogue) it always changes PCR 11 to a value of 1. Since the PCR 11 value is guaranteed to be different after exiting the boot manager, the attacker can't unlock the BitLocker key.
-
-## Attacker countermeasures
-
-The following sections cover mitigations for different types of attackers.
-
-### Attacker without much skill or with limited physical access
-
-Physical access may be limited by a form factor that doesn't expose buses and memory. For example, there are no external DMA-capable ports, no exposed screws to open the chassis, and memory is soldered to the mainboard.
-
-This attacker of opportunity doesn't use destructive methods or sophisticated forensics hardware/software.
-
-Mitigation:
-
-- Pre-boot authentication set to TPM only (the default)
-
-### Attacker with skill and lengthy physical access
-
-Targeted attack with plenty of time; this attacker will open the case, will solder, and will use sophisticated hardware or software.
-
-Mitigation:
-
-- Pre-boot authentication set to TPM with a PIN protector (with a sophisticated alphanumeric PIN [enhanced pin] to help the TPM anti-hammering mitigation).
-
- -And-
-
-- Disable Standby power management and shut down or hibernate the device before it leaves the control of an authorized user. This configuration can be set using the following Group Policy:
-
- - *Computer Configuration* > *Policies* > *Administrative Templates* > *Windows Components* > *File Explorer* > **Show hibernate in the power options menu**
-
- - *Computer Configuration* > *Policies* > *Administrative Templates* > *Power Management* > *Sleep Settings* > **Allow standby states (S1-S3) when sleeping (plugged in)**
-
- - *Computer Configuration* > *Policies* > *Administrative Templates* > *Power Management* > *Sleep Settings* > **Allow standby states (S1-S3) when sleeping (on battery)**
-
-> [!IMPORTANT]
-> These settings are **not configured** by default.
-
-For some systems, bypassing TPM-only may require opening the case, and may require soldering, but could possibly be done for a reasonable cost. Bypassing a TPM with a PIN protector would cost much more, and require brute forcing the PIN. With a sophisticated enhanced PIN, it could be nearly impossible. The Group Policy setting for [enhanced PIN](bitlocker-group-policy-settings.md) is:
-
-- *Computer Configuration* > *Policies* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives* > **Allow enhanced PINs for startup**
-
-> [!IMPORTANT]
-> This setting is **not configured** by default.
-
-For secure administrative workstations, Microsoft recommends a TPM with PIN protector and to disable Standby power management and shut down or hibernate the device.
-
-## Related articles
-
-- [Blocking the SBP-2 driver and Thunderbolt controllers to reduce 1394 DMA and Thunderbolt DMA threats to BitLocker](https://support.microsoft.com/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d)
-- [BitLocker Group Policy settings](bitlocker-group-policy-settings.md)
-- [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp)
-- [Winlogon automatic restart sign-on (ARSO)](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-)
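Review bot: this hunk removes the only copy in the shown patch of the TPM+PIN hardening guidance (the "Allow standby states (S1-S3)" and "Allow enhanced PINs for startup" Group Policy paths, the "secure administrative workstations" recommendation) together with the PCR 11 sealing explanation, and nothing in the visible region re-homes it. The companion files deleted later in this same patch still link to `bitlocker-countermeasures.md` and `bitlocker-group-policy-settings.md`, so please confirm that surviving articles pointing at these paths (including the `#protecting-thunderbolt-and-other-dma-ports` anchor used in the first line of this hunk) are updated and that redirects for the removed URLs are in place before merge.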
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-deployment-comparison.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-deployment-comparison.md
deleted file mode 100644
index dd95d6dbc5..0000000000
--- a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-deployment-comparison.md
+++ /dev/null
@@ -1,49 +0,0 @@
----
-title: BitLocker deployment comparison
-description: This article shows the BitLocker deployment comparison chart.
-ms.topic: conceptual
-ms.date: 11/08/2022
----
-
-# BitLocker deployment comparison
-
-This article depicts the BitLocker deployment comparison chart.
-
-## BitLocker deployment comparison chart
-
-| Requirements | Microsoft Intune | Microsoft Configuration Manager | Microsoft BitLocker Administration and Monitoring (MBAM) |
-|--|--|--|--|
-| *Minimum client operating system version* | Windows 11 and Windows 10 | Windows 11, Windows 10, and Windows 8.1 | Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 10 IoT, and Windows 11 |
-| *Supported Windows SKUs* | Enterprise, Pro, Education | Enterprise, Pro, Education | Enterprise |
-| *Minimum Windows version* | 1909 | None | None |
-| *Supported domain-joined status* | Microsoft Entra joined, Microsoft Entra hybrid joined | Active Directory-joined, Microsoft Entra hybrid joined | Active Directory-joined |
-| *Permissions required to manage policies* | Endpoint security manager or custom | Full administrator or custom | Domain Admin or Delegated GPO access |
-| *Cloud or on premises* | Cloud | On premises | On premises |
-| Server components required? | | ✅ | ✅ |
-| *Additional agent required?* | No (device enrollment only) | Configuration Manager client | MBAM client |
-| *Administrative plane* | Microsoft Intune admin center | Configuration Manager console | Group Policy Management Console and MBAM sites |
-| *Administrative portal installation required* | | ✅ | ✅ |
-| *Compliance reporting capabilities* | ✅ | ✅ | ✅ |
-| *Force encryption* | ✅ | ✅ | ✅ |
-| *Encryption for storage cards (mobile)* | ✅ | ✅ | |
-| *Allow recovery password* | ✅ | ✅ | ✅ |
-| *Manage startup authentication* | ✅ | ✅ | ✅ |
-| *Select cipher strength and algorithms for fixed drives* | ✅ | ✅ | ✅ |
-| *Select cipher strength and algorithms for removable drives* | ✅ | ✅ | ✅ |
-| *Select cipher strength and algorithms for operating environment drives* | ✅ | ✅ | ✅ |
-| *Standard recovery password storage location* | Microsoft Entra ID or Active Directory | Configuration Manager site database | MBAM database |
-| *Store recovery password for operating system and fixed drives to Microsoft Entra ID or Active Directory* | Yes (Active Directory and Microsoft Entra ID) | Yes (Active Directory only) | Yes (Active Directory only) |
-| *Customize preboot message and recovery link* | ✅ | ✅ | ✅ |
-| *Allow/deny key file creation* | ✅ | ✅ | ✅ |
-| *Deny Write permission to unprotected drives* | ✅ | ✅ | ✅ |
-| *Can be administered outside company network* | ✅ | ✅ | |
-| *Support for organization unique IDs* | | ✅ | ✅ |
-| *Self-service recovery* | Yes (through Microsoft Entra ID or Company Portal app) | ✅ | ✅ |
-| *Recovery password rotation for fixed and operating environment drives* | Yes (Windows 10, version 1909 and later) | ✅ | ✅ |
-| *Wait to complete encryption until recovery information is backed up to Microsoft Entra ID* | ✅ | | |
-| *Wait to complete encryption until recovery information is backed up to Active Directory* | | ✅ | ✅ |
-| *Allow or deny Data Recovery Agent* | ✅ | ✅ | ✅ |
-| *Unlock a volume using certificate with custom object identifier* | | ✅ | ✅ |
-| *Prevent memory overwrite on restart* | | ✅ | ✅ |
-| *Configure custom Trusted Platform Module Platform Configuration Register profiles* | | | ✅ |
-| *Manage auto-unlock functionality* | | ✅ | ✅ |
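Review bot: this deletion drops the only place in the shown patch that records tool-specific requirements such as the Intune "Minimum Windows version" of `1909` and the per-tool "Standard recovery password storage location"; if a consolidated comparison replaces this chart, the commit message or PR description should say where it lives, otherwise readers of the BitLocker index lose that data. The MBAM column also describes a product whose extended support (per the overview file deleted next in this patch) ends in April 2026, so any replacement page should carry that caveat rather than present MBAM as a current option.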
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
deleted file mode 100644
index 7b8887a82c..0000000000
--- a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
+++ /dev/null
@@ -1,163 +0,0 @@
----
-title: Overview of BitLocker Device Encryption in Windows
-description: This article provides an overview of how BitLocker Device Encryption can help protect data on devices running Windows.
-ms.collection:
- - highpri
- - tier1
-ms.topic: conceptual
-ms.date: 11/08/2022
----
-
-# Overview of BitLocker device encryption
-
-This article explains how BitLocker Device Encryption can help protect data on devices running Windows. See [BitLocker](index.md) for a general overview and list of articles.
-
-When users travel, their organization's confidential data goes with them. Wherever confidential data is stored, it must be protected against unauthorized access. Windows has a long history of providing at-rest data-protection solutions that guard against nefarious attackers, beginning with the Encrypting File System in the Windows 2000 operating system. More recently, BitLocker has provided encryption for full drives and portable drives. Windows consistently improves data protection by improving existing options and providing new strategies.
-
-## Data Protection in Windows 11, Windows 10, and Windows 7
-
-The below table lists specific data-protection concerns and how they're addressed in Windows 11, Windows 10, and Windows 7.
-
-| Windows 7 | Windows 11 and Windows 10 |
-|---|---|
-| When BitLocker is used with a PIN to protect startup, PCs such as kiosks can't be restarted remotely. | Modern Windows devices are increasingly protected with BitLocker Device Encryption out of the box and support SSO to seamlessly protect the BitLocker encryption keys from cold boot attacks.
Network Unlock allows PCs to start automatically when connected to the internal network. |
-| When BitLocker is enabled, the provisioning process can take several hours. | BitLocker pre-provisioning, encrypting hard drives, and Used Space Only encryption allow administrators to enable BitLocker quickly on new computers. |
-| There's no support for using BitLocker with self-encrypting drives (SEDs). | BitLocker supports offloading encryption to encrypted hard drives. |
-| Administrators have to use separate tools to manage encrypted hard drives. | BitLocker supports encrypted hard drives with onboard encryption hardware built in, which allows administrators to use the familiar BitLocker administrative tools to manage them. |
-| Encrypting a new flash drive can take more than 20 minutes. | Used Space Only encryption in BitLocker To Go allows users to encrypt removable data drives in seconds. |
-| BitLocker could require users to enter a recovery key when system configuration changes occur. | BitLocker requires the user to enter a recovery key only when disk corruption occurs or when the PIN or password is lost. |
-| Users need to enter a PIN to start the PC, and then their password to sign in to Windows. | Modern Windows devices are increasingly protected with BitLocker Device Encryption out of the box and support SSO to help protect the BitLocker encryption keys from cold boot attacks. |
-
-## Prepare for drive and file encryption
-
-The best type of security measures is transparent to the user during implementation and use. Every time there's a possible delay or difficulty because of a security feature, there's a strong likelihood that users will try to bypass security. This situation is especially true for data protection, and that's a scenario that organizations need to avoid. Whether planning to encrypt entire volumes, removable devices, or individual files, Windows 11 and Windows 10 meet these needs by providing streamlined, usable solutions. In fact, several steps can be taken in advance to prepare for data encryption and make the deployment quick and smooth.
-
-### TPM pre-provisioning
-
-In Windows 7, preparing the TPM offered a few challenges:
-
-- Turning on the TPM required going into the BIOS or UEFI firmware of the device. Turning on the TPM at the device requires someone to either physically go into the BIOS or UEFI firmware settings of the device to turn on the TPM, or to install a driver in Windows to turn on the TPM from within Windows.
-- When the TPM is enabled, it may require one or more restarts.
-
-This made preparing the TPM in Windows 7 problematic. If IT staff are provisioning new PCs, they can handle the required steps for preparing a TPM. However, if BitLocker needed to be enabled on devices that are already in users' hands, those users would probably struggle with the technical challenges. The user would then either call to IT for support or leave BitLocker disabled.
-
-Microsoft includes instrumentation in Windows 11 and Windows 10 that enable the operating system to fully manage the TPM. There's no need to go into the BIOS, and all scenarios that required a restart have been eliminated.
-
-## Deploy hard drive encryption
-
-BitLocker is capable of encrypting entire hard drives, including both system and data drives. BitLocker pre-provisioning can drastically reduce the time required to provision new PCs with BitLocker enabled. With Windows 11 and Windows 10, administrators can turn on BitLocker and the TPM from within the Windows Pre-installation Environment before they install Windows or as part of an automated deployment task sequence without any user interaction. Combined with Used Disk Space Only encryption and a mostly empty drive (because Windows isn't yet installed), it takes only a few seconds to enable BitLocker.
-
-With earlier versions of Windows, administrators had to enable BitLocker after Windows had been installed. Although this process could be automated, BitLocker would need to encrypt the entire drive, a process that could take anywhere from several hours to more than a day depending on drive size and performance, which delayed deployment. Microsoft has improved this process through multiple features in Windows 11 and Windows 10.
-
-## BitLocker Device Encryption
-
-Beginning in Windows 8.1, Windows automatically enables BitLocker Device Encryption on devices that support Modern Standby. With Windows 11 and Windows 10, Microsoft offers BitLocker Device Encryption support on a much broader range of devices, including those devices that are Modern Standby, and devices that run Home edition of Windows 10 or Windows 11.
-
-Microsoft expects that most devices in the future will pass the requirements for BitLocker Device Encryption that will make BitLocker Device Encryption pervasive across modern Windows devices. BitLocker Device Encryption further protects the system by transparently implementing device-wide data encryption.
-
-Unlike a standard BitLocker implementation, BitLocker Device Encryption is enabled automatically so that the device is always protected. The following list outlines how BitLocker Device Encryption is enabled automatically:
-
-- When a clean installation of Windows 11 or Windows 10 is completed and the out-of-box experience is finished, the computer is prepared for first use. As part of this preparation, BitLocker Device Encryption is initialized on the operating system drive and fixed data drives on the computer with a clear key that is the equivalent of standard BitLocker suspended state. In this state, the drive is shown with a warning icon in Windows Explorer. The yellow warning icon is removed after the TPM protector is created and the recovery key is backed up, as explained in the following bullet points.
-
-- If the device isn't domain joined, a Microsoft account that has been granted administrative privileges on the device is required. When the administrator uses a Microsoft account to sign in, the clear key is removed, a recovery key is uploaded to the online Microsoft account, and a TPM protector is created. Should a device require the recovery key, the user will be guided to use an alternate device and navigate to a recovery key access URL to retrieve the recovery key by using their Microsoft account credentials.
-
-- If the user uses a domain account to sign in, the clear key isn't removed until the user joins the device to a domain, and the recovery key is successfully backed up to Active Directory Domain Services (AD DS). The following Group Policy settings must be enabled for the recovery key to be backed up to AD DS:
-
- *Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives* > **Do not enable BitLocker until recovery information is stored in AD DS for operating system drives**
-
- With this configuration, the recovery password is created automatically when the computer joins the domain, and then the recovery key is backed up to AD DS, the TPM protector is created, and the clear key is removed.
-
-- Similar to signing in with a domain account, the clear key is removed when the user signs in to a Microsoft Entra account on the device. As described in the bullet point above, the recovery password is created automatically when the user authenticates to Microsoft Entra ID. Then, the recovery key is backed up to Microsoft Entra ID, the TPM protector is created, and the clear key is removed.
-
-Microsoft recommends automatically enabling BitLocker Device Encryption on any systems that support it. However, the automatic BitLocker Device Encryption process can be prevented by changing the following registry setting:
-
-- **Subkey**: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BitLocker`
-- **Type**: `REG_DWORD`
-- **Value**: `PreventDeviceEncryption` equal to `1` (True)
-
-Administrators can manage domain-joined devices that have BitLocker Device Encryption enabled through Microsoft BitLocker Administration and Monitoring (MBAM). In this case, BitLocker Device Encryption automatically makes additional BitLocker options available. No conversion or encryption is required, and MBAM can manage the full BitLocker policy set if any configuration changes are required.
-
-> [!NOTE]
-> BitLocker Device Encryption uses the XTS-AES 128-bit encryption method. If a different encryption method and/or cipher strength is needed but the device is already encrypted, it must first be decrypted before the new encryption method and/or cipher strength can be applied. After the device has been decrypted, different BitLocker settings can be applied.
-
-## Used Disk Space Only encryption
-
-BitLocker in earlier Windows versions could take a long time to encrypt a drive because it encrypted every byte on the volume including areas that didn't have data. Encrypting every byte on the volume including areas that didn't have data is known as full disk encryption. Full disk encryption is still the most secure way to encrypt a drive, especially if a drive has previously contained confidential data that has since been moved or deleted. If a drive previously had confidential data that has been moved or deleted, traces of the confidential data could remain on portions of the drive marked as unused.
-
-To reduce encryption time, BitLocker in Windows 11 and Windows 10 let users choose to encrypt just the areas of the disk that contain data. Areas of the disk that don't contain data and are empty won't be encrypted. Any new data is encrypted as it's created. Depending on the amount of data on the drive, this option can reduce the initial encryption time by more than 99 percent.
-
-Exercise caution when encrypting only used space on an existing volume on which confidential data may have already been stored in an unencrypted state. When using used space encryption, sectors where previously unencrypted data are stored can be recovered through disk-recovery tools until they're overwritten by new encrypted data. In contrast, encrypting only used space on a brand-new volume can significantly decrease deployment time without the security risk because all new data will be encrypted as it's written to the disk.
-
-## Encrypted hard drive support
-
-SEDs have been available for years, but Microsoft couldn't support their use with some earlier versions of Windows because the drives lacked important key management features. Microsoft worked with storage vendors to improve the hardware capabilities, and now BitLocker supports the next generation of SEDs, which are called encrypted hard drives.
-
-Encrypted hard drives provide onboard cryptographic capabilities to encrypt data on drives. This feature improves both drive and system performance by offloading cryptographic calculations from the PC's processor to the drive itself. Data is rapidly encrypted by the drive by using dedicated, purpose-built hardware. If planning to use whole-drive encryption with Windows 11 or Windows 10, Microsoft recommends researching hard drive manufacturers and models to determine whether any of their encrypted hard drives meet the security and budget requirements.
-
-For more information about encrypted hard drives, see [Encrypted hard drive](../encrypted-hard-drive.md).
-
-## Preboot information protection
-
-An effective implementation of information protection, like most security controls, considers usability and security. Users typically prefer a simple security experience. In fact, the more transparent a security solution becomes, the more likely users are to conform to it.
-
-It's crucial that organizations protect information on their PCs regardless of the state of the computer or the intent of users. This protection shouldn't be cumbersome to users. One undesirable and previously commonplace situation is when the user is prompted for input during preboot, and then again during Windows sign-in. Challenging users for input more than once should be avoided.
-
-Windows 11 and Windows 10 can enable a true SSO experience from the preboot environment on modern devices and in some cases even on older devices when robust information protection configurations are in place. The TPM in isolation is able to securely protect the BitLocker encryption key while it is at rest, and it can securely unlock the operating system drive. When the key is in use and thus in memory, a combination of hardware and Windows capabilities can secure the key and prevent unauthorized access through cold-boot attacks. Although other countermeasures like PIN-based unlock are available, they aren't as user-friendly; depending on the devices' configuration they may not offer additional security when it comes to key protection. For more information, see [BitLocker Countermeasures](bitlocker-countermeasures.md).
-
-## Manage passwords and PINs
-
-When BitLocker is enabled on a system drive and the PC has a TPM, users can be required to type a PIN before BitLocker will unlock the drive. Such a PIN requirement can prevent an attacker who has physical access to a PC from even getting to the Windows sign-in, which makes it almost impossible for the attacker to access or modify user data and system files.
-
-Requiring a PIN at startup is a useful security feature because it acts as a second authentication factor. However, this configuration comes with some costs. One of the most significant costs is the need to change the PIN regularly. In enterprises that used BitLocker with Windows 7 and the Windows Vista operating system, users had to contact systems administrators to update their BitLocker PIN or password. This requirement not only increased management costs but made users less willing to change their BitLocker PIN or password regularly.
-
-Windows 11 and Windows 10 users can update their BitLocker PINs and passwords themselves, without administrator credentials. Not only will this feature reduce support costs, but it could improve security, too, because it encourages users to change their PINs and passwords more often. In addition, Modern Standby devices don't require a PIN for startup: They're designed to start infrequently and have other mitigations in place that further reduce the attack surface of the system.
-
-For more information about how startup security works and the countermeasures that Windows 11 and Windows 10 provide, see [Protect BitLocker from pre-boot attacks](bitlocker-countermeasures.md).
-
-## Configure Network Unlock
-
-Some organizations have location specific data security requirements. Location specific data security requirements are most common in environments where high-value data is stored on PCs. The network environment may provide crucial data protection and enforce mandatory authentication. Therefore, policy states that those PCs shouldn't leave the building or be disconnected from the corporate network. Safeguards like physical security locks and geofencing may help enforce this policy as reactive controls. Beyond these safeguards, a proactive security control that grants data access only when the PC is connected to the corporate network is necessary.
-
-Network Unlock enables BitLocker-protected PCs to start automatically when connected to a wired corporate network on which Windows Deployment Services runs. Anytime the PC isn't connected to the corporate network, a user must type a PIN to unlock the drive (if PIN-based unlock is enabled).
-Network Unlock requires the following infrastructure:
-
-- Client PCs that have Unified Extensible Firmware Interface (UEFI) firmware version 2.3.1 or later, which supports Dynamic Host Configuration Protocol (DHCP)
-
-- A server running at least Windows Server 2012 with the Windows deployment services (WDS) role
-
-- A server with the DHCP server role installed
-
-For more information about how to configure Network unlock feature, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md).
-
-## Microsoft BitLocker administration and monitoring
-
-Part of the Microsoft Desktop Optimization Pack, Microsoft BitLocker Administration and Monitoring (MBAM) makes it easier to manage and support BitLocker and BitLocker To Go. MBAM 2.5 with Service Pack 1, the latest version, has the following key features:
-
-- Enables administrators to automate the process of encrypting volumes on client computers across the enterprise.
-
-- Enables security officers to quickly determine the compliance state of individual computers or even of the enterprise itself.
-
-- Provides centralized reporting and hardware management with Microsoft Configuration Manager.
-
-- Reduces the workload on the help desk to assist end users with BitLocker recovery requests.
-
-- Enables end users to recover encrypted devices independently by using the Self-Service Portal.
-
-- Enables security officers to easily audit access to recovery key information.
-
-- Empowers Windows Enterprise users to continue working anywhere with the assurance that their corporate data is protected.
-
-- Enforces the BitLocker encryption policy options that are set for the enterprise.
-
-- Integrates with existing management tools, such as Microsoft Configuration Manager.
-
-- Offers an IT-customizable recovery user experience.
-
-- Supports Windows 11 and Windows 10.
-
-> [!IMPORTANT]
-> Enterprises could use MBAM to manage client computers with BitLocker that are domain-joined on-premises until mainstream support ended in July 2019, or they could receive extended support until April 2026.
-
-Going forward, the functionality of MBAM will be incorporated into Configuration Manager. For more information, see [Plan for BitLocker management](/mem/configmgr/protect/plan-design/bitlocker-management).
-
-Enterprises not using Configuration Manager can use the built-in features of Microsoft Entra ID and Microsoft Intune for administration and monitoring. For more information, see [Monitor device encryption with Intune](/mem/intune/protect/encryption-monitor).
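Review bot: two things to check before merging this deletion. First, the `PreventDeviceEncryption` `REG_DWORD` under `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BitLocker` is documented only here in the visible patch; since it is the switch that stops automatic BitLocker Device Encryption, confirm the replacement article still documents it so administrators can find it and audit devices for it. Second, if the Windows 7 versus Windows 10/11 comparison table is migrated, its first data row is split across two source lines (`... from cold boot attacks.` followed by `Network Unlock allows PCs to start automatically ...`), which breaks Markdown table rendering; join that cell onto one line in the new location.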
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-group-policy-settings.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-group-policy-settings.md
deleted file mode 100644
index f6aa783b9e..0000000000
--- a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-group-policy-settings.md
+++ /dev/null
@@ -1,1328 +0,0 @@
----
-title: BitLocker Group Policy settings
-description: This article for IT professionals describes the function, location, and effect of each Group Policy setting that is used to manage BitLocker Drive Encryption.
-ms.collection:
- - highpri
- - tier1
-ms.topic: reference
-ms.date: 11/08/2022
----
-
-# BitLocker group policy settings
-
-This article for IT professionals describes the function, location, and effect of each Group Policy setting that is used to manage BitLocker Drive Encryption.
-
-Group Policy administrative templates or local computer policy settings can be used to control what BitLocker drive encryption tasks and configurations can be performed by users, for example through the **BitLocker Drive Encryption** control panel. Which of these policies are configured and how they're configured depends on how BitLocker is implemented and what level of interaction is desired for end users.
-
-> [!NOTE]
-> A separate set of Group Policy settings supports the use of the Trusted Platform Module (TPM). For details about those settings, see [TPM Group Policy settings](../../../hardware-security/tpm/trusted-platform-module-services-group-policy-settings.md).
-
-BitLocker Group Policy settings can be accessed using the Local Group Policy Editor and the Group Policy Management Console (GPMC) under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption**.
-
-Most of the BitLocker Group Policy settings are applied when BitLocker is initially turned on for a drive. If a computer isn't compliant with existing Group Policy settings, BitLocker may not be turned on, or BitLocker configuration may be modified until the computer is in a compliant state. When a drive becomes out of compliance with Group Policy settings, only changes to the BitLocker configuration that will bring it into compliance are allowed. This scenario could occur, for example, if a previously encrypted drive was brought out of compliance by change in Group Policy settings.
-
-If multiple changes are necessary to bring the drive into compliance, BitLocker protection may need to be suspended, the necessary changes made, and then protection resumed. This situation could occur, for example, if a removable drive is initially configured for unlock with a password but then Group Policy settings are changed to disallow passwords and require smart cards. In this situation, BitLocker protection needs to be suspended by using the [Manage-bde](/windows-server/administration/windows-commands/manage-bde) command-line tool, delete the password unlock method, and add the smart card method. After this process is complete, BitLocker is compliant with the Group Policy setting, and BitLocker protection on the drive can be resumed.
-
-In other scenarios, to bring the drive into compliance with a change in Group Policy settings, BitLocker may need to be disabled and the drive decrypted followed by reenabling BitLocker and then re-encrypting the drive. An example of this scenario is when the BitLocker encryption method or cipher strength is changed. The [Manage-bde](/windows-server/administration/windows-commands/manage-bde) command-line can also be used in this scenario to help bring the device into compliance.
-
-## BitLocker group policy settings details
-
-> [!NOTE]
-> For more details about Active Directory configuration related to BitLocker enablement, please see [Set up MDT for BitLocker](/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker).
-
-The following sections provide a comprehensive list of BitLocker group policy settings that are organized by usage. BitLocker group policy settings include settings for specific drive types (operating system drives, fixed data drives, and removable data drives) and settings that are applied to all drives.
-
-The following policy settings can be used to determine how a BitLocker-protected drive can be unlocked.
-
-- [Allow devices with Secure Boot and protected DMA ports to opt out of preboot PIN](#allow-devices-with-secure-boot-and-protected-dma-ports-to-opt-out-of-preboot-pin)
-- [Allow network unlock at startup](#allow-network-unlock-at-startup)
-- [Require additional authentication at startup](#require-additional-authentication-at-startup)
-- [Allow enhanced PINs for startup](#allow-enhanced-pins-for-startup)
-- [Configure minimum PIN length for startup](#configure-minimum-pin-length-for-startup)
-- [Disable new DMA devices when this computer is locked](#disable-new-dma-devices-when-this-computer-is-locked)
-- [Disallow standard users from changing the PIN or password](#disallow-standard-users-from-changing-the-pin-or-password)
-- [Configure use of passwords for operating system drives](#configure-use-of-passwords-for-operating-system-drives)
-- [Require additional authentication at startup (Windows Server 2008 and Windows Vista)](#require-additional-authentication-at-startup-windows-server-2008-and-windows-vista)
-- [Configure use of smart cards on fixed data drives](#configure-use-of-smart-cards-on-fixed-data-drives)
-- [Configure use of passwords on fixed data drives](#configure-use-of-passwords-on-fixed-data-drives)
-- [Configure use of smart cards on removable data drives](#configure-use-of-smart-cards-on-removable-data-drives)
-- [Configure use of passwords on removable data drives](#configure-use-of-passwords-on-removable-data-drives)
-- [Validate smart card certificate usage rule compliance](#validate-smart-card-certificate-usage-rule-compliance)
-- [Enable use of BitLocker authentication requiring preboot keyboard input on slates](#enable-use-of-bitlocker-authentication-requiring-preboot-keyboard-input-on-slates)
-
-The following policy settings are used to control how users can access drives and how they can use BitLocker on their computers.
-
-- [Deny write access to fixed drives not protected by BitLocker](#deny-write-access-to-fixed-drives-not-protected-by-bitlocker)
-- [Deny write access to removable drives not protected by BitLocker](#deny-write-access-to-removable-drives-not-protected-by-bitlocker)
-- [Control use of BitLocker on removable drives](#control-use-of-bitlocker-on-removable-drives)
-
-The following policy settings determine the encryption methods and encryption types that are used with BitLocker.
-
-- [Choose drive encryption method and cipher strength](#choose-drive-encryption-method-and-cipher-strength)
-- [Configure use of hardware-based encryption for fixed data drives](#configure-use-of-hardware-based-encryption-for-fixed-data-drives)
-- [Configure use of hardware-based encryption for operating system drives](#configure-use-of-hardware-based-encryption-for-operating-system-drives)
-- [Configure use of hardware-based encryption for removable data drives](#configure-use-of-hardware-based-encryption-for-removable-data-drives)
-- [Enforce drive encryption type on fixed data drives](#enforce-drive-encryption-type-on-fixed-data-drives)
-- [Enforce drive encryption type on operating system drives](#enforce-drive-encryption-type-on-operating-system-drives)
-- [Enforce drive encryption type on removable data drives](#enforce-drive-encryption-type-on-removable-data-drives)
-
-The following policy settings define the recovery methods that can be used to restore access to a BitLocker-protected drive if an authentication method fails or is unable to be used.
-
-- [Choose how BitLocker-protected operating system drives can be recovered](#choose-how-bitlocker-protected-operating-system-drives-can-be-recovered)
-- [Choose how users can recover BitLocker-protected drives (Windows Server 2008 and Windows Vista)](#choose-how-users-can-recover-bitlocker-protected-drives-windows-server-2008-and-windows-vista)
-- [Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)](#store-bitlocker-recovery-information-in-active-directory-domain-services-windows-server-2008-and-windows-vista)
-- [Choose default folder for recovery password](#choose-default-folder-for-recovery-password)
-- [Choose how BitLocker-protected fixed drives can be recovered](#choose-how-bitlocker-protected-fixed-drives-can-be-recovered)
-- [Choose how BitLocker-protected removable drives can be recovered](#choose-how-bitlocker-protected-removable-drives-can-be-recovered)
-- [Configure the pre-boot recovery message and URL](#configure-the-pre-boot-recovery-message-and-url)
-
-The following policies are used to support customized deployment scenarios in an organization.
-
-- [Allow Secure Boot for integrity validation](#allow-secure-boot-for-integrity-validation)
-- [Provide the unique identifiers for your organization](#provide-the-unique-identifiers-for-your-organization)
-- [Prevent memory overwrite on restart](#prevent-memory-overwrite-on-restart)
-- [Configure TPM platform validation profile for BIOS-based firmware configurations](#configure-tpm-platform-validation-profile-for-bios-based-firmware-configurations)
-- [Configure TPM platform validation profile (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2)](#configure-tpm-platform-validation-profile-windows-vista-windows-server-2008-windows-7-windows-server-2008-r2)
-- [Configure TPM platform validation profile for native UEFI firmware configurations](#configure-tpm-platform-validation-profile-for-native-uefi-firmware-configurations)
-- [Reset platform validation data after BitLocker recovery](#reset-platform-validation-data-after-bitlocker-recovery)
-- [Use enhanced Boot Configuration Data validation profile](#use-enhanced-boot-configuration-data-validation-profile)
-- [Allow access to BitLocker-protected fixed data drives from earlier versions of Windows](#allow-access-to-bitlocker-protected-fixed-data-drives-from-earlier-versions-of-windows)
-- [Allow access to BitLocker-protected removable data drives from earlier versions of Windows](#allow-access-to-bitlocker-protected-removable-data-drives-from-earlier-versions-of-windows)
-
-### Allow devices with secure boot and protected DMA ports to opt out of preboot PIN
-
-| Item | Info |
-|:---|:---|
-|**Policy description**|With this policy setting, TPM-only protection can be allowed for newer, more secure devices, such as devices that support Modern Standby or HSTI, while requiring PIN on older devices.|
-|**Introduced**|Windows 10, version 1703|
-|**Drive type**|Operating system drives|
-|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*|
-|**Conflicts**|This setting overrides the **Require startup PIN with TPM** option of the [Require additional authentication at startup](#require-additional-authentication-at-startup) policy on compliant hardware.|
-|**When enabled**|Users on Modern Standby and HSTI compliant devices will have the choice to turn on BitLocker without preboot authentication.|
-|**When disabled or not configured**|The options of the [Require additional authentication at startup](#require-additional-authentication-at-startup) policy apply.|
-
-#### Reference: Allow devices with secure boot and protected DMA ports to opt out of preboot PIN
-
-The preboot authentication option **Require startup PIN with TPM** of the [Require additional authentication at startup](#require-additional-authentication-at-startup) policy is often enabled to help ensure security for older devices that don't support Modern Standby. But visually impaired users have no audible way to know when to enter a PIN.
-This setting enables an exception to the PIN-required policy on secure hardware.
-
-### Allow network unlock at startup
-
-This policy controls a portion of the behavior of the Network Unlock feature in BitLocker. This policy is required to enable BitLocker Network Unlock on a network because it allows clients running BitLocker to create the necessary network key protector during encryption.
-
-This policy is used with the BitLocker Drive Encryption Network Unlock Certificate security policy (located in the **Public Key Policies** folder of Local Computer Policy) to allow systems that are connected to a trusted network to properly utilize the Network Unlock feature.
-
-| Item | Info |
-|:---|:---|
-|**Policy description**|With this policy setting, it can be controlled whether a BitLocker-protected computer that is connected to a trusted local area network and joined to a domain can create and use network key protectors on TPM-enabled computers to automatically unlock the operating system drive when the computer is started.|
-|**Introduced**|Windows Server 2012 and Windows 8|
-|**Drive type**|Operating system drives|
-|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*|
-|**Conflicts**|None|
-|**When enabled**|Clients configured with a BitLocker Network Unlock certificate can create and use Network Key Protectors.|
-|**When disabled or not configured**|Clients can't create and use Network Key Protectors.|
-
-#### Reference: Allow network unlock at startup
-
-To use a network key protector to unlock the computer, the computer and the server that hosts BitLocker Drive Encryption Network Unlock must be provisioned with a Network Unlock certificate. The Network Unlock certificate is used to create a network key protector and to protect the information exchange with the server to unlock the computer. The Group Policy setting **Computer Configuration** > **Windows Settings** > **Security Settings** > **Public Key Policies** > **BitLocker Drive Encryption Network Unlock Certificate** can be used on the domain controller to distribute this certificate to computers in the organization. This unlock method uses the TPM on the computer, so computers that don't have a TPM can't create network key protectors to automatically unlock by using Network Unlock.
-
-> [!NOTE]
-> For reliability and security, computers should also have a TPM startup PIN that can be used when the computer is disconnected from the wired network or can't connect to the domain controller at startup.
-
-For more information about Network Unlock feature, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md).
-
-### Require additional authentication at startup
-
-This policy setting is used to control which unlock options are available for operating system drives.
-
-| Item | Info |
-|:---|:---|
-|**Policy description**|With this policy setting, it can be configured whether BitLocker requires additional authentication each time the computer starts and whether BitLocker will be used with a Trusted Platform Module (TPM). This policy setting is applied when BitLocker is turned on.|
-|**Introduced**|Windows Server 2008 R2 and Windows 7|
-|**Drive type**|Operating system drives|
-|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*|
-|**Conflicts**|If one authentication method is required, the other methods can't be allowed. Use of BitLocker with a TPM startup key or with a TPM startup key and a PIN must be disallowed if the **Deny write access to removable drives not protected by BitLocker** policy setting is enabled.|
-|**When enabled**|Users can configure advanced startup options in the BitLocker Setup Wizard.|
-|**When disabled or not configured**|Users can configure only basic options on computers with a TPM.
Only one of the additional authentication options can be required at startup; otherwise, a policy error occurs.|
-
-#### Reference: Require additional authentication at startup
-
-If BitLocker needs to be used on a computer without a TPM, select **Allow BitLocker without a compatible TPM**. In this mode, a password or USB drive is required for startup. The USB drive stores the startup key that is used to encrypt the drive. When the USB drive is inserted, the startup key is authenticated, and the operating system drive is accessible. If the USB drive is lost or unavailable, BitLocker recovery is required to access the drive.
-
-On a computer with a compatible TPM, additional authentication methods can be used at startup to improve protection for encrypted data. When the computer starts, it can use:
-
-- Only the TPM
-- Insertion of a USB flash drive containing the startup key
-- The entry of a 4-digit to 20-digit personal identification number (PIN)
-- A combination of the PIN and the USB flash drive
-
-There are four options for TPM-enabled computers or devices:
-
-- Configure TPM startup
- - Allow TPM
- - Require TPM
- - Do not allow TPM
-- Configure TPM startup PIN
-
- - Allow startup PIN with TPM
- - Require startup PIN with TPM
- - Do not allow startup PIN with TPM
-
-- Configure TPM startup key
- - Allow startup key with TPM
- - Require startup key with TPM
- - Do not allow startup key with TPM
-
-- Configure TPM startup key and PIN
- - Allow TPM startup key with PIN
- - Require startup key and PIN with TPM
- - Do not allow TPM startup key with PIN
-
-### Allow enhanced PINs for startup
-
-This policy setting permits the use of enhanced PINs when an unlock method that includes a PIN is used.
-
-| Item | Info |
-|:---|:---|
-|**Policy description**|With this policy setting, it can be configured whether enhanced startup PINs are used with BitLocker.|
-|**Introduced**|Windows Server 2008 R2 and Windows 7|
-|**Drive type**|Operating system drives|
-|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*|
-|**Conflicts**|None|
-|**When enabled**|All new BitLocker startup PINs that are set will be enhanced PINs. Existing drives that were protected by using standard startup PINs aren't affected.|
-|**When disabled or not configured**|Enhanced PINs won't be used.|
-
-#### Reference: Allow enhanced PINs for startup
-
-Enhanced startup PINs permit the use of characters (including uppercase and lowercase letters, symbols, numbers, and spaces). This policy setting is applied when BitLocker is turned on.
-
-> [!IMPORTANT]
-> Not all computers support enhanced PIN characters in the preboot environment. It's strongly recommended that users perform a system check during the BitLocker setup to verify that enhanced PIN characters can be used.
-
-### Configure minimum PIN length for startup
-
-This policy setting is used to set a minimum PIN length when an unlock method that includes a PIN is used.
-
-| Item | Info |
-|:---|:---|
-|**Policy description**|With this policy setting, it can be configured a minimum length for a TPM startup PIN. This policy setting is applied when BitLocker is turned on. The startup PIN must have a minimum length of four digits, and it can have a maximum length of 20 digits. By default, the minimum PIN length is 6.|
-|**Introduced**|Windows Server 2008 R2 and Windows 7|
-|**Drive type**|Operating system drives|
-|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*|
-|**Conflicts**|None|
-|**When enabled**|The required minimum length of startup PINs set by users can be set between 4 and 20 digits.|
-|**When disabled or not configured**|Users can configure a startup PIN of any length between 6 and 20 digits.|
-
-#### Reference: Configure minimum PIN length for startup
-
-This policy setting is applied when BitLocker is turned on. The startup PIN must have a minimum length of four digits and can have a maximum length of 20 digits.
-
-Originally, BitLocker allowed a length from 4 to 20 characters for a PIN. Windows Hello has its own PIN for sign-in, length of which can be 4 to 127 characters. Both BitLocker and Windows Hello use the TPM to prevent PIN brute-force attacks.
-
-The TPM can be configured to use Dictionary Attack Prevention parameters ([lockout threshold and lockout duration](../../../hardware-security/tpm/trusted-platform-module-services-group-policy-settings.md) to control how many failed authorizations attempts are allowed before the TPM is locked out, and how much time must elapse before another attempt can be made.
-
-The Dictionary Attack Prevention Parameters provide a way to balance security needs with usability. For example, when BitLocker is used with a TPM + PIN configuration, the number of PIN guesses is limited over time. A TPM 2.0 in this example could be configured to allow only 32 PIN guesses immediately, and then only one more guess every two hours. This number of attempts totals to a maximum of about 4415 guesses per year. If the PIN is four digits, all 9999 possible PIN combinations could be attempted in a little over two years.
-
-Increasing the PIN length requires a greater number of guesses for an attacker. In that case, the lockout duration between each guess can be shortened to allow legitimate users to retry a failed attempt sooner, while maintaining a similar level of protection.
-
-Beginning with Windows 10, version 1703, the minimum length for the BitLocker PIN was increased to six characters to better align with other Windows features that use TPM 2.0, including Windows Hello. To help organizations with the transition, beginning with Windows 10, version 1709 and Windows 10, version 1703 with the October 2017 [cumulative update](https://support.microsoft.com/help/4018124) installed, the BitLocker PIN length is six characters by default, but it can be reduced to four characters. If the minimum PIN length is reduced from the default of six characters, then the TPM 2.0 lockout period will be extended.
-
-### Disable new DMA devices when this computer is locked
-
-This policy setting allows blocking of direct memory access (DMA) for all hot pluggable PCI ports until a user signs in to Windows.
-
-| Item | Info |
-|:---|:---|
-|**Policy description**|This setting helps prevent attacks that use external PCI-based devices to access BitLocker keys.|
-|**Introduced**|Windows 10, version 1703|
-|**Drive type**|Operating system drives|
-|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption*|
-|**Conflicts**|None|
-|**When enabled**|Every time the user locks the screen, DMA will be blocked on hot pluggable PCI ports until the user signs in again.|
-|**When disabled or not configured**|DMA is available on hot pluggable PCI devices if the device is turned on, regardless of whether a user is signed in.|
-
-#### Reference: Disable new DMA devices when this computer is locked
-
-This policy setting is only enforced when BitLocker or device encryption is enabled. As explained in the [Microsoft Security Guidance blog](/archive/blogs/secguide/issue-with-bitlockerdma-setting-in-windows-10-fall-creators-update-v1709), in some cases when this setting is enabled, internal, PCI-based peripherals can fail, including wireless network drivers and input and audio peripherals. This problem is fixed in the [April 2018 quality update](https://support.microsoft.com/help/4093105).
-
-### Disallow standard users from changing the PIN or password
-
-This policy setting allows configuration of whether standard users are allowed to change the PIN or password that is used to protect the operating system drive.
-
-| Item | Info |
-|:---|:---|
-|**Policy description**|With this policy setting, it can be configured whether standard users are allowed to change the PIN or password used to protect the operating system drive.|
-|**Introduced**|Windows Server 2012 and Windows 8|
-|**Drive type**|Operating system drives|
-|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*|
-|**Conflicts**|None|
-|**When enabled**|Standard users aren't allowed to change BitLocker PINs or passwords.|
-|**When disabled or not configured**|Standard users are permitted to change BitLocker PINs or passwords.|
-
-#### Reference: Disallow standard users from changing the PIN or password
-
-To change the PIN or password, the user must be able to provide the current PIN or password. This policy setting is applied when BitLocker is turned on.
-
-### Configure use of passwords for operating system drives
-
-This policy controls how non-TPM based systems utilize the password protector. Used with the **Password must meet complexity requirements** policy, this policy allows administrators to require password length and complexity for using the password protector. By default, passwords must be eight characters in length. Complexity configuration options determine how important domain connectivity is for the client. For the strongest password security, administrators should choose **Require password complexity** because it requires domain connectivity, and it requires that the BitLocker password meets the same password complexity requirements as domain sign-in passwords.
-
-| Item | Info |
-|:---|:---|
-|**Policy description**|With this policy setting, the constraints for passwords that are used to unlock operating system drives that are protected with BitLocker can be specified.|
-|**Introduced**|Windows Server 2012 and Windows 8|
-|**Drive type**|Operating system drives|
-|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*|
-|**Conflicts**|Passwords can't be used if FIPS-compliance is enabled.
**NOTE:** The **System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing** policy setting, which is located at *Computer Configuration* > *Windows Settings* > *Security Settings* > *Local Policies* > *Security Options* specifies whether FIPS-compliance is enabled.
|
-|**When enabled**|Users can configure a password that meets the defined requirements. To enforce complexity requirements for the password, select **Require complexity**.|
-|**When disabled or not configured**|The default length constraint of eight characters will apply to operating system drive passwords and no complexity checks will occur.|
-
-#### Reference: Configure use of passwords for operating system drives
-
-If non-TPM protectors are allowed on operating system drives, a password, enforcement of complexity requirements on the password, and configuration of a minimum length for the password can all be provisioned. For the complexity requirement setting to be effective, the group policy setting **Password must meet complexity requirements**, which is located at *Computer Configuration* > *Windows Settings* > *Security Settings* > *Account Policies* > *Password Policy*, must be also enabled.
-
-> [!NOTE]
-> These settings are enforced when turning on BitLocker, not when unlocking a volume. BitLocker allows unlocking a drive with any of the protectors that are available on the drive.
-
-When set to **Require complexity**, a connection to a domain controller is necessary when BitLocker is enabled to validate the complexity the password. When set to **Allow complexity**, a connection to a domain controller is attempted to validate that the complexity adheres to the rules set by the policy. If no domain controllers are found, the password will be accepted regardless of actual password complexity, and the drive will be encrypted by using that password as a protector. When set to **Do not allow complexity**, there's no password complexity validation.
-
-Passwords must be at least eight characters. To configure a greater minimum length for the password, enter the desired number of characters in the **Minimum password length** box.
-
-When this policy setting is enabled, the option **Configure password complexity for operating system drives** can be set to:
-
-- Allow password complexity
-- Deny password complexity
-- Require password complexity
-
-### Require additional authentication at startup (Windows Server 2008 and Windows Vista)
-
-This policy setting is used to control what unlock options are available for computers running Windows Server 2008 or Windows Vista.
-
-| Item | Info |
-|:---|:---|
-|**Policy description**|With this policy setting, it can be controlled whether the BitLocker Setup Wizard on computers running Windows Vista or Windows Server 2008 can set up an additional authentication method that is required each time the computer starts.|
-|**Introduced**|Windows Server 2008 and Windows Vista|
-|**Drive type**|Operating system drives (Windows Server 2008 and Windows Vista)|
-|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*|
-|**Conflicts**|If an additional authentication method is chosen, other authentication methods can't be allowed.|
-|**When enabled**|The BitLocker Setup Wizard displays the page that allows the user to configure advanced startup options for BitLocker. Setting options can be further configured for computers with or without a TPM.|
-|**When disabled or not configured**|The BitLocker Setup Wizard displays basic steps that allow users to enable BitLocker on computers with a TPM. In this basic wizard, no additional startup key or startup PIN can be configured.|
-
-#### Reference: Require additional authentication at startup (Windows Server 2008 and Windows Vista)
-
-On a computer with a compatible TPM, two authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can prompt users to insert a USB drive that contains a startup key. It can also prompt users to enter a startup PIN with a length between 6 and 20 digits.
-
-A USB drive that contains a startup key is needed on computers without a compatible TPM. Without a TPM, BitLocker-encrypted data is protected solely by the key material that is on this USB drive.
-
-There are two options for TPM-enabled computers or devices:
-
-- Configure TPM startup PIN
- - Allow startup PIN with TPM
- - Require startup PIN with TPM
- - Do not allow startup PIN with TPM
-
-- Configure TPM startup key
- - Allow startup key with TPM
- - Require startup key with TPM
- - Do not allow startup key with TPM
-
-These options are mutually exclusive. If a startup key is required, a startup PIN isn't allowed. If startup PIN is required, startup key isn't allowed. If these policies are in conflict, a policy error will occur.
-
-To hide the advanced page on a TPM-enabled computer or device, set these options to **Do not allow** for the startup key and for the startup PIN.
-
-### Configure use of smart cards on fixed data drives
-
-This policy setting is used to require, allow, or deny the use of smart cards with fixed data drives.
-
-| Item | Info |
-|:---|:---|
-|**Policy description**|This policy setting can be used to specify whether smart cards can be used to authenticate user access to the BitLocker-protected fixed data drives on a computer.|
-|**Introduced**|Windows Server 2008 R2 and Windows 7|
-|**Drive type**|Fixed data drives|
-|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Fixed Data Drives*|
-|**Conflicts**|To use smart cards with BitLocker, the object identifier setting in the **Computer Configuration\Administrative Templates\BitLocker Drive Encryption\Validate smart card certificate usage rule compliance** policy setting may need to be modified to match the object identifier of the smart card certificates.|
-|**When enabled**|Smart cards can be used to authenticate user access to the drive. Smart card authentication can be required by selecting the **Require use of smart cards on fixed data drives** check box.|
-|**When disabled**|Users can't use smart cards to authenticate their access to BitLocker-protected fixed data drives.|
-|**When not configured**|Smart cards can be used to authenticate user access to a BitLocker-protected drive.|
-
-#### Reference: Configure use of smart cards on fixed data drives
-
-> [!NOTE]
-> These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive by using any of the protectors that are available on the drive.
-
-### Configure use of passwords on fixed data drives
-
-This policy setting is used to require, allow, or deny the use of passwords with fixed data drives.
-
-| Item | Info |
-|:---|:---|
-|**Policy description**|With this policy setting, it can be specified whether a password is required to unlock BitLocker-protected fixed data drives.|
-|**Introduced**|Windows Server 2008 R2 and Windows 7|
-|**Drive type**|Fixed data drives|
-|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Fixed Data Drives*|
-|**Conflicts**|To use password complexity, the **Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Password must meet complexity requirements** policy setting must also be enabled.|
-|**When enabled**|Users can configure a password that meets the defined requirements. To require the use of a password, select **Require password for fixed data drive**. To enforce complexity requirements on the password, select **Require complexity**.|
-|**When disabled**|The user isn't allowed to use a password.|
-|**When not configured**|Passwords are supported with the default settings, which don't include password complexity requirements and require only eight characters.|
-
-#### Reference: Configure use of passwords on fixed data drives
-
-When set to **Require complexity**, a connection to a domain controller is necessary to validate the complexity of the password when BitLocker is enabled.
-
-When set to **Allow complexity**, a connection to a domain controller is attempted to validate that the complexity adheres to the rules set by the policy. However, if no domain controllers are found, the password is accepted regardless of the actual password complexity, and the drive is encrypted by using that password as a protector.
-
-When set to **Do not allow complexity**, no password complexity validation is performed.
-
-Passwords must be at least eight characters. To configure a greater minimum length for the password, enter the desired number of characters in the **Minimum password length** box.
-
-> [!NOTE]
-> These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive with any of the protectors that are available on the drive.
-
-For the complexity requirement setting to be effective, the Group Policy setting **Computer Configuration** > **Windows Settings** > **Security Settings** > **Account Policies** > **Password Policy** > **Password must meet complexity requirements** must also be enabled. This policy setting is configured on a per-computer basis. The policy setting also applies to both local user accounts and domain user accounts. Because the password filter that's used to validate password complexity is located on the domain controllers, local user accounts can't access the password filter because they're not authenticated for domain access. When this policy setting is enabled, if a local user account signs in, and a drive is attempted to be encrypted or a password changed on an existing BitLocker-protected drive, an **Access denied** error message is displayed. In this situation, the password key protector can't be added to the drive.
-
-Enabling this policy setting requires that a device is connected to a domain before adding a password key protector to a BitLocker-protected drive. Users who work remotely and have periods of time in which they can't connect to the domain should be made aware of this requirement so that they can schedule a time when they'll be connected to the domain to turn on BitLocker or to change a password on a BitLocker-protected data drive.
-
-> [!IMPORTANT]
-> Passwords can't be used if FIPS compliance is enabled. The **System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing** policy setting in *Computer Configuration* > *Windows Settings* > *Security Settings* > *Local Policies* > *Security Options* specifies whether FIPS compliance is enabled.
-
-### Configure use of smart cards on removable data drives
-
-This policy setting is used to require, allow, or deny the use of smart cards with removable data drives.
-
-| Item | Info |
-|:---|:---|
-|**Policy description**|This policy setting can be used to specify whether smart cards can be used to authenticate user access to BitLocker-protected removable data drives on a computer.|
-|**Introduced**|Windows Server 2008 R2 and Windows 7|
-|**Drive type**|Removable data drives|
-|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Removable Data Drives*|
-|**Conflicts**|To use smart cards with BitLocker, the object identifier setting in the **Computer Configuration** > **Administrative Templates** > **BitLocker Drive Encryption** > **Validate smart card certificate usage rule compliance** policy setting may also need to be modified to match the object identifier of the smart card certificates.|
-|**When enabled**|Smart cards can be used to authenticate user access to the drive. Smart card authentication can be required by selecting the **Require use of smart cards on removable data drives** check box.|
-|**When disabled or not configured**|Users aren't allowed to use smart cards to authenticate their access to BitLocker-protected removable data drives.|
-|**When not configured**|Smart cards are available to authenticate user access to a BitLocker-protected removable data drive.|
-
-#### Reference: Configure use of smart cards on removable data drives
-
-> [!NOTE]
-> These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive with any of the protectors that are available on the drive.
-
-### Configure use of passwords on removable data drives
-
-This policy setting is used to require, allow, or deny the use of passwords with removable data drives.
-
-| Item | Info |
-|:---|:---|
-|**Policy description**|With this policy setting, it can be specified whether a password is required to unlock BitLocker-protected removable data drives.|
-|**Introduced**|Windows Server 2008 R2 and Windows 7|
-|**Drive type**|Removable data drives|
-|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Removable Data Drives*|
-|**Conflicts**|To use password complexity, the **Password must meet complexity requirements** policy setting, which is located at **Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy** must also be enabled.|
-|**When enabled**|Users can configure a password that meets the defined requirements. To require the use of a password, select **Require password for removable data drive**. To enforce complexity requirements on the password, select **Require complexity**.|
-|**When disabled**|The user isn't allowed to use a password.|
-|**When not configured**|Passwords are supported with the default settings, which don't include password complexity requirements and require only eight characters.|
-
-#### Reference: Configure use of passwords on removable data drives
-
-If use of passwords is allowed, requiring a password to be used, enforcement of password complexity requirements, and password minimum length can all be configured. For the complexity requirement setting to be effective, the group policy setting **Password must meet complexity requirements**, which is located at *Computer Configuration* > *Windows Settings* > *Security Settings* > *Account Policies* > *Password Policy*, must also be enabled.
-
-> [!NOTE]
-> These settings are enforced when turning on BitLocker, not when unlocking a drive. BitLocker allows unlocking a drive with any of the protectors that are available on the drive.
-
-Passwords must be at least eight characters. To configure a greater minimum length for the password, enter the wanted number of characters in the **Minimum password length** box.
-
-When set to **Require complexity**, a connection to a domain controller is necessary when BitLocker is enabled to validate the complexity of the password.
-
-When set to **Allow complexity**, a connection to a domain controller is attempted to validate that the complexity adheres to the rules set by the policy. However, if no domain controllers are found, the password is still be accepted regardless of actual password complexity and the drive is encrypted by using that password as a protector.
-
-When set to **Do not allow complexity**, no password complexity validation is done.
-
-> [!NOTE]
-> Passwords can't be used if FIPS compliance is enabled. The **System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing** policy setting in **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** > **Security Options** specifies whether FIPS compliance is enabled.
-
-For information about this setting, see [System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing](../../../threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md).
-
-### Validate smart card certificate usage rule compliance
-
-This policy setting is used to determine what certificate to use with BitLocker.
-
-| Item | Info |
-|:---|:---|
-|**Policy description**|With this policy setting, an object identifier from a smart card certificate can be associated to a BitLocker-protected drive.|
-|**Introduced**|Windows Server 2008 R2 and Windows 7|
-|**Drive type**|Fixed and removable data drives|
-|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption*|
-|**Conflicts**|None|
-|**When enabled**|The object identifier that is specified in the **Object identifier** setting must match the object identifier in the smart card certificate.|
-|**When disabled or not configured**|The default object identifier is used.|
-
-#### Reference: Validate smart card certificate usage rule compliance
-
-This policy setting is applied when BitLocker is turned on.
-
-The object identifier is specified in the extended key usage (EKU) of a certificate. BitLocker can identify which certificates can be used to authenticate a user certificate to a BitLocker-protected drive by matching the object identifier in the certificate with the object identifier that is defined by this policy setting.
-
-The default object identifier is 1.3.6.1.4.1.311.67.1.1.
-
-> [!NOTE]
-> BitLocker doesn't require that a certificate have an EKU attribute; however, if one is configured for the certificate, it must be set to an object identifier that matches the object identifier configured for BitLocker.
-
-### Enable use of BitLocker authentication requiring preboot keyboard input on slates
-
-| Item | Info |
-|:---|:---|
-|**Policy description**|With this policy setting, users can be allowed to enable authentication options that require user input from the preboot environment, even if the platform indicates a lack of preboot input capability.|
-|**Introduced**|Windows Server 2012 and Windows 8|
-|**Drive type**|Operating system drive|
-|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*|
-|**Conflicts**|None|
-|**When enabled**|Devices must have an alternative means of preboot input (such as an attached USB keyboard).|
-|**When disabled or not configured**|The Windows Recovery Environment must be enabled on tablets to support entering the BitLocker recovery password.|
-
-#### Reference: Enable use of BitLocker authentication requiring preboot keyboard input on slates
-
-The Windows touch keyboard (such as used by tablets) isn't available in the preboot environment where BitLocker requires additional information, such as a PIN or password.
-
-It's recommended that administrators enable this policy only for devices that are verified to have an alternative means of preboot input, such as attaching a USB keyboard.
-
-When the Windows Recovery Environment (WinRE) isn't enabled and this policy isn't enabled, BitLocker can't be turned on a device that uses the Windows touch keyboard.
-
-If this policy setting isn't enabled, the following options in the **Require additional authentication at startup** policy might not be available:
-
-- Configure TPM startup PIN: Required and Allowed
-- Configure TPM startup key and PIN: Required and Allowed
-- Configure use of passwords for operating system drives
-
-### Deny write access to fixed drives not protected by BitLocker
-
-This policy setting is used to require encryption of fixed drives prior to granting Write access.
-
-| Item | Info |
-|:---|:---|
-|**Policy description**|With this policy setting, it can be set whether BitLocker protection is required for fixed data drives to be writable on a computer.|
-|**Introduced**|Windows Server 2008 R2 and Windows 7|
-|**Drive type**|Fixed data drives|
-|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Fixed Data Drives*|
-|**Conflicts**|See the Reference section for a description of conflicts.|
-|**When enabled**|All fixed data drives that aren't BitLocker-protected are mounted as Read-only. If the drive is protected by BitLocker, it's mounted with Read and Write access.|
-|**When disabled or not configured**|All fixed data drives on the computer are mounted with Read and Write access.|
-
-#### Reference: Deny write access to fixed drives not protected by BitLocker
-
-This policy setting is applied when BitLocker is turned on.
-
-Conflict considerations include:
-
-1. When this policy setting is enabled, users receive **Access denied** error messages when they try to save data to unencrypted fixed data drives. See the Reference section for additional conflicts.
-
-2. If `BdeHdCfg.exe` is run on a computer when this policy setting is enabled, the following issues could be encountered:
-
- - If it was attempted to shrink a drive to create the system drive, the drive size is successfully reduced, and a raw partition is created. However, the raw partition isn't formatted. The following error message is displayed: **The new active drive cannot be formatted. You may need to manually prepare your drive for BitLocker.**
-
- - If it was attempted to use unallocated space to create the system drive, a raw partition will be created. However, the raw partition won't be formatted. The following error message is displayed: **The new active drive cannot be formatted. You may need to manually prepare your drive for BitLocker.**
-
- - If it was attempted to merge an existing drive into the system drive, the tool fails to copy the required boot file onto the target drive to create the system drive. The following error message is displayed: **BitLocker setup failed to copy boot files. You may need to manually prepare your drive for BitLocker.**
-
-3. If this policy setting is enforced, a hard drive can't be repartitioned because the drive is protected. If computers are being upgrading in an organization from a previous version of Windows, and those computers were configured with a single partition, the required BitLocker system partition should be created before applying this policy setting to the computers.
-
-### Deny write access to removable drives not protected by BitLocker
-
-This policy setting is used to require that removable drives are encrypted prior to granting Write access, and to control whether BitLocker-protected removable drives that were configured in another organization can be opened with Write access.
-
-| Item | Info |
-|:---|:---|
-|**Policy description**|With this policy setting, it can be configured whether BitLocker protection is required for a computer to be able to write data to a removable data drive.|
-|**Introduced**|Windows Server 2008 R2 and Windows 7|
-|**Drive type**|Removable data drives|
-|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Removable Data Drives*|
-|**Conflicts**|See the Reference section for a description of conflicts.|
-|**When enabled**|All removable data drives that aren't BitLocker-protected are mounted as Read-only. If the drive is protected by BitLocker, it's mounted with Read and Write access.|
-|**When disabled or not configured**|All removable data drives on the computer are mounted with Read and Write access.|
-
-#### Reference: Deny write access to removable drives not protected by BitLocker
-
-If the **Deny write access to devices configured in another organization** option is selected, only drives with identification fields that match the computer's identification fields are given Write access. When a removable data drive is accessed, it's checked for a valid identification field and allowed identification fields. These fields are defined by the **Provide the unique identifiers for your organization** policy setting.
-
-> [!NOTE]
-> This policy setting can be overridden with the policy settings under **User Configuration** > **Administrative Templates** > **System** > **Removable Storage Access**. If the **Removable Disks: Deny write access** policy setting is enabled, this policy setting will be ignored.
-
-Conflict considerations include:
-
-1. Use of BitLocker with the TPM plus a startup key or with the TPM plus a PIN and startup key must be disallowed if the **Deny write access to removable drives not protected by BitLocker** policy setting is enabled.
-
-2. Use of recovery keys must be disallowed if the **Deny write access to removable drives not protected by BitLocker** policy setting is enabled.
-
-3. The **Provide the unique identifiers for your organization** policy setting must be enabled if Write access needs to be denied to drives that were configured in another organization.
-
-### Control use of BitLocker on removable drives
-
-This policy setting is used to prevent users from turning BitLocker on or off on removable data drives.
-
-| Item | Info |
-|:---|:---|
-|**Policy description**|With this policy setting, it can be controlled the use of BitLocker on removable data drives.|
-|**Introduced**|Windows Server 2008 R2 and Windows 7|
-|**Drive type**|Removable data drives|
-|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Removable Data Drives*|
-|**Conflicts**|None|
-|**When enabled**|Property settings can be selected that control how users can configure BitLocker.|
-|**When disabled**|Users can't use BitLocker on removable data drives.|
-|**When not configured**|Users can use BitLocker on removable data drives.|
-
-#### Reference: Control use of BitLocker on removable drives
-
-This policy setting is applied when BitLocker is turned on.
-
-For information about suspending BitLocker protection, see [BitLocker Basic Deployment](bitlocker-basic-deployment.md).
-
-The options for choosing property settings that control how users can configure BitLocker are:
-
-- **Allow users to apply BitLocker protection on removable data drives** Enables the user to run the BitLocker Setup Wizard on a removable data drive.
-
-- **Allow users to suspend and decrypt BitLocker on removable data drives** Enables the user to remove BitLocker from the drive or to suspend the encryption while performing maintenance.
-
-### Choose drive encryption method and cipher strength
-
-This policy setting is used to control the encryption method and cipher strength.
-
-| Item | Info |
-|:---|:---|
-|**Policy description**|With this policy setting, it can be controlled the encryption method and strength for drives.|
-|**Introduced**|Windows Server 2012 and Windows 8|
-|**Drive type**|All drives|
-|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption*|
-|**Conflicts**|None|
-|**When enabled**|An encryption algorithm and key cipher strength for BitLocker can be chosen to use to encrypt drives.|
-|**When disabled or not configured**|Beginning with Windows 10, version 1511, BitLocker uses the default encryption method of XTS-AES 128-bit or the encryption method that is specified by the setup script.
-
-#### Reference: Choose drive encryption method and cipher strength
-
-The values of this policy determine the strength of the cipher that BitLocker uses for encryption. Enterprises may want to control the encryption level for increased security (AES-256 is stronger than AES-128).
-
-If this setting is enabled, it can be configured an encryption algorithm and key cipher strength for fixed data drives, operating system drives, and removable data drives individually.
-
-- For fixed and operating system drives, it's recommended to use the XTS-AES algorithm.
-
-- For removable drives, AES-CBC 128-bit or AES-CBC 256-bit should be used if the drive will be used in other devices that aren't running Windows 10, version 1511 or later.
-
-Changing the encryption method has no effect if the drive is already encrypted or if encryption is in progress. In these cases, this policy setting is ignored.
-
-> [!WARNING]
-> This policy doesn't apply to encrypted drives. Encrypted drives utilize their own algorithm, which is set by the drive during partitioning.
-
-When this policy setting is disabled or not configured, BitLocker will use the default encryption method of XTS-AES 128-bit or the encryption method that is specified in the setup script.
-
-### Configure use of hardware-based encryption for fixed data drives
-
-This policy controls how BitLocker reacts to systems that are equipped with encrypted drives when they're used as fixed data volumes. Using hardware-based encryption can improve the performance of drive operations that involve frequent reading or writing of data to the drive.
-
-| Item | Info |
-|:---|:---|
-|**Policy description**|This policy setting allows management of BitLocker's use of hardware-based encryption on fixed data drives and to specify which encryption algorithms BitLocker can use with hardware-based encryption.|
-|**Introduced**|Windows Server 2012 and Windows 8|
-|**Drive type**|Fixed data drives|
-|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Fixed Data Drives*|
-|**Conflicts**|None|
-|**When enabled**|Additional options can be specified that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that don't support hardware-based encryption. It can also be specified to restrict the encryption algorithms and cipher suites that are used with hardware-based encryption.|
-|**When disabled**|BitLocker can't use hardware-based encryption with fixed data drives, and BitLocker software-based encryption is used by default when the drive in encrypted.|
-|**When not configured**|BitLocker software-based encryption is used irrespective of hardware-based encryption ability.|
-
-#### Reference: Configure use of hardware-based encryption for fixed data drives
-
-> [!NOTE]
-> The **Choose drive encryption method and cipher strength** policy setting doesn't apply to hardware-based encryption.
-
-The encryption algorithm that is used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm that is configured on the drive to encrypt the drive. The **Restrict encryption algorithms and cipher suites allowed for hardware-based encryption** option of this setting enables restriction of the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm that is set for the drive isn't available, BitLocker disables the use of hardware-based encryption. Encryption algorithms are specified by object identifiers (OID), for example:
-
-- Advanced Encryption Standard (AES) 128 in Cipher Block Chaining (CBC) mode OID: 2.16.840.1.101.3.4.1.2
-- AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42
-
-### Configure use of hardware-based encryption for operating system drives
-
-This policy controls how BitLocker reacts when encrypted drives are used as operating system drives. Using hardware-based encryption can improve the performance of drive operations that involve frequent reading or writing of data to the drive.
-
-| Item | Info |
-|:---|:---|
-|**Policy description**|This policy setting allows management of BitLocker's use of hardware-based encryption on operating system drives and specifies which encryption algorithms it can use with hardware-based encryption.|
-|**Introduced**|Windows Server 2012 and Windows 8|
-|**Drive type**|Operating system drives|
-|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*|
-|**Conflicts**|None|
-|**When enabled**|Additional options can be specified that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that don't support hardware-based encryption. It can also be specified to restrict the encryption algorithms and cipher suites that are used with hardware-based encryption.|
-|**When disabled**|BitLocker can't use hardware-based encryption with operating system drives, and BitLocker software-based encryption is used by default when the drive in encrypted.|
-|**When not configured**|BitLocker software-based encryption is used irrespective of hardware-based encryption ability.|
-
-#### Reference: Configure use of hardware-based encryption for operating system drives
-
-If hardware-based encryption isn't available, BitLocker software-based encryption is used instead.
-
-> [!NOTE]
-> The **Choose drive encryption method and cipher strength** policy setting doesn't apply to hardware-based encryption.
-
-The encryption algorithm that is used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm that is configured on the drive to encrypt the drive. The **Restrict encryption algorithms and cipher suites allowed for hardware-based encryption** option of this setting enables restriction of the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm that is set for the drive isn't available, BitLocker disables the use of hardware-based encryption. Encryption algorithms are specified by object identifiers (OID), for example:
-
-- Advanced Encryption Standard (AES) 128 in Cipher Block Chaining (CBC) mode OID: 2.16.840.1.101.3.4.1.2
-- AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42
-
-### Configure use of hardware-based encryption for removable data drives
-
-This policy controls how BitLocker reacts to encrypted drives when they're used as removable data drives. Using hardware-based encryption can improve the performance of drive operations that involve frequent reading or writing of data to the drive.
-
-| Item | Info |
-|:---|:---|
-|**Policy description**|This policy setting allows management of BitLocker's use of hardware-based encryption on removable data drives and specifies which encryption algorithms it can use with hardware-based encryption.|
-|**Introduced**|Windows Server 2012 and Windows 8|
-|**Drive type**|Removable data drive|
-|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Removable Data Drives*|
-|**Conflicts**|None|
-|**When enabled**|Additional options can be specified that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that don't support hardware-based encryption. It can also be specified to restrict the encryption algorithms and cipher suites that are used with hardware-based encryption.|
-|**When disabled**|BitLocker can't use hardware-based encryption with removable data drives, and BitLocker software-based encryption is used by default when the drive in encrypted.|
-|**When not configured**|BitLocker software-based encryption is used irrespective of hardware-based encryption ability.|
-
-#### Reference: Configure use of hardware-based encryption for removable data drives
-
-If hardware-based encryption isn't available, BitLocker software-based encryption is used instead.
-
-> [!NOTE]
-> The **Choose drive encryption method and cipher strength** policy setting doesn't apply to hardware-based encryption.
-
-The encryption algorithm that is used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm that is configured on the drive to encrypt the drive. The **Restrict encryption algorithms and cipher suites allowed for hardware-based encryption** option of this setting enables restriction of the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm that is set for the drive isn't available, BitLocker disables the use of hardware-based encryption. Encryption algorithms are specified by object identifiers (OID), for example:
-
-- Advanced Encryption Standard (AES) 128 in Cipher Block Chaining (CBC) mode OID: 2.16.840.1.101.3.4.1.2
-- AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42
-
-### Enforce drive encryption type on fixed data drives
-
-This policy controls whether fixed data drives utilize Used Space Only encryption or Full encryption. Setting this policy also causes the BitLocker Setup Wizard to skip the encryption options page so no encryption selection displays to the user.
-
-| Item | Info |
-|:---|:---|
-|**Policy description**|With this policy setting, it can be configured the encryption type that is used by BitLocker.|
-|**Introduced**|Windows Server 2012 and Windows 8|
-|**Drive type**|Fixed data drive|
-|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Fixed Data Drives*|
-|**Conflicts**|None|
-|**When enabled**|This policy defines the encryption type that BitLocker uses to encrypt drives, and the encryption type option isn't presented in the BitLocker Setup Wizard.|
-|**When disabled or not configured**|The BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker.|
-
-#### Reference: Enforce drive encryption type on fixed data drives
-
-This policy setting is applied when BitLocker is turned on. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to make it mandatory for the entire drive to be encrypted when BitLocker is turned on. Choose Used Space Only encryption to make it mandatory to encrypt only that portion of the drive that is used to store data when BitLocker is turned on.
-
-> [!NOTE]
-> This policy is ignored when a volume is being shrunk or expanded and the BitLocker drive uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space isn't wiped as it would be for a drive that is using Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: `manage-bde.exe -w`. If the volume is shrunk, no action is taken for the new free space.
-
-For more information about the tool to manage BitLocker, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde).
-
-### Enforce drive encryption type on operating system drives
-
-This policy controls whether operating system drives utilize Full encryption or Used Space Only encryption. Setting this policy also causes the BitLocker Setup Wizard to skip the encryption options page, so no encryption selection displays to the user.
-
-| Item | Info |
-|:---|:---|
-|**Policy description**|With this policy setting, it can be configured the encryption type that is used by BitLocker.|
-|**Introduced**|Windows Server 2012 and Windows 8|
-|**Drive type**|Operating system drive|
-|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*|
-|**Conflicts**|None|
-|**When enabled**|The encryption type that BitLocker uses to encrypt drives is defined by this policy, and the encryption type option isn't presented in the BitLocker Setup Wizard.|
-|**When disabled or not configured**|The BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker.|
-
-#### Reference: Enforce drive encryption type on operating system drives
-
-This policy setting is applied when BitLocker is turned on. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to make it mandatory for the entire drive to be encrypted when BitLocker is turned on. Choose Used Space Only encryption to make it mandatory to encrypt only that portion of the drive that is used to store data when BitLocker is turned on.
-
-> [!NOTE]
-> This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space isn't wiped as it would be for a drive that uses Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: `manage-bde.exe -w`. If the volume is shrunk, no action is taken for the new free space.
-
-For more information about the tool to manage BitLocker, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde).
-
-### Enforce drive encryption type on removable data drives
-
-This policy controls whether fixed data drives utilize Full encryption or Used Space Only encryption. Setting this policy also causes the BitLocker Setup Wizard to skip the encryption options page, so no encryption selection displays to the user.
-
-| Item | Info |
-|:---|:---|
-|**Policy description**|With this policy setting, it can be configured the encryption type that is used by BitLocker.|
-|**Introduced**|Windows Server 2012 and Windows 8|
-|**Drive type**|Removable data drive|
-|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Removable Data Drives*|
-|**Conflicts**|None|
-|**When enabled**|The encryption type that BitLocker uses to encrypt drives is defined by this policy, and the encryption type option isn't presented in the BitLocker Setup Wizard.|
-|**When disabled or not configured**|The BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker.|
-
-#### Reference: Enforce drive encryption type on removable data drives
-
-This policy setting is applied when BitLocker is turned on. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose Full encryption to make it mandatory for the entire drive to be encrypted when BitLocker is turned on. Choose Used Space Only encryption to make it mandatory to encrypt only that portion of the drive that is used to store data when BitLocker is turned on.
-
-> [!NOTE]
-> This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption method. For example, when a drive that is using Used Space Only encryption is expanded, the new free space isn't wiped as it would be for a drive that is using Full Encryption. The user could wipe the free space on a Used Space Only drive by using the following command: `manage-bde.exe -w`. If the volume is shrunk, no action is taken for the new free space.
-
-For more information about the tool to manage BitLocker, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde).
-
-### Choose how BitLocker-protected operating system drives can be recovered
-
-This policy setting is used to configure recovery methods for operating system drives.
-
-| Item | Info |
-|:---|:---|
-|**Policy description**|With this policy setting, it can be controlled how BitLocker-protected operating system drives are recovered in the absence of the required startup key information.|
-|**Introduced**|Windows Server 2008 R2 and Windows 7|
-|**Drive type**|Operating system drives|
-|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*|
-|**Conflicts**|The use of recovery keys must be disallowed if the **Deny write access to removable drives not protected by BitLocker** policy setting is enabled. When using data recovery agents, the **Provide the unique identifiers for your organization** policy setting must be enabled.|
-|**When enabled**|it can be controlled the methods that are available to users to recover data from BitLocker-protected operating system drives.|
-|**When disabled or not configured**|The default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the recovery options can be specified by the user (including the recovery password and recovery key), and recovery information isn't backed up to AD DS.|
-
-#### Reference: Choose how BitLocker-protected operating system drives can be recovered
-
-This policy setting is applied when BitLocker is turned on.
-
-The **Allow data recovery agent** check box is used to specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used, it must be added from **Public Key Policies**, which is located in the Group Policy Management Console (GPMC) or in the Local Group Policy Editor.
-
-For more information about adding data recovery agents, see [BitLocker basic deployment](bitlocker-basic-deployment.md).
-
-In **Configure user storage of BitLocker recovery information**, select whether users are allowed, required, or not allowed to generate a 48-digit recovery password.
-
-Select **Omit recovery options from the BitLocker setup wizard** to prevent users from specifying recovery options when they enable BitLocker on a drive. This policy setting means that which recovery option to use when BitLocker is enabled can't be specified. Instead, BitLocker recovery options for the drive are determined by the policy setting.
-
-In **Save BitLocker recovery information to Active Directory Domain Services**, choose which BitLocker recovery information to store in Active Directory Domain Services (AD DS) for operating system drives. If **Store recovery password and key packages** is selected, the BitLocker recovery password and the key package are stored in AD DS. Storing the key package supports the recovery of data from a drive that is physically corrupted. If **Store recovery password only** is selected, only the recovery password is stored in AD DS.
-
-Select the **Do not enable BitLocker until recovery information is stored in AD DS for operating system drives** check box if users need to be prevented from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.
-
-> [!NOTE]
-> If the **Do not enable BitLocker until recovery information is stored in AD DS for operating system drives** check box is selected, a recovery password is automatically generated.
-
-### Choose how users can recover BitLocker-protected drives (Windows Server 2008 and Windows Vista)
-
-This policy setting is used to configure recovery methods for BitLocker-protected drives on computers running Windows Server 2008 or Windows Vista.
-
-| Item | Info |
-|:---|:---|
-|**Policy description**|With this policy setting, it can be controlled whether the BitLocker Setup Wizard can display and specify BitLocker recovery options.|
-|**Introduced**|Windows Server 2008 and Windows Vista|
-|**Drive type**|Operating system drives and fixed data drives on computers running Windows Server 2008 and Windows Vista|
-|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption*|
-|**Conflicts**|This policy setting provides an administrative method of recovering data that is encrypted by BitLocker to prevent data loss due to lack of key information. If the **Do not allow** option is chosen for both user recovery options, the **Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)** policy setting must be enabled to prevent a policy error.|
-|**When enabled**|The options that the BitLocker Setup Wizard displays to users for recovering BitLocker encrypted data can be configured.|
-|**When disabled or not configured**|The BitLocker Setup Wizard presents users with ways to store recovery options.|
-
-#### Reference: Choose how users can recover BitLocker-protected drives (Windows Server 2008 and Windows Vista)
-
-This policy is only applicable to computers running Windows Server 2008 or Windows Vista. This policy setting is applied when BitLocker is turned on.
-
-Two recovery options can be used to unlock BitLocker-encrypted data in the absence of the required startup key information. Users can type a 48-digit numerical recovery password, or they can insert a USB drive that contains a 256-bit recovery key.
-
-- Saving the recovery password to a USB drive stores the 48-digit recovery password as a text file and the 256-bit recovery key as a hidden file.
-- Saving the recovery password to a folder stores the 48-digit recovery password as a text file.
-- Printing the recovery password sends the 48-digit recovery password to the default printer.
-
-For example, not allowing the 48-digit recovery password prevents users from printing or saving recovery information to a folder.
-
-> [!IMPORTANT]
-> If TPM initialization is performed during the BitLocker setup, TPM owner information is saved or printed with the BitLocker recovery information.
-> The 48-digit recovery password isn't available in FIPS-compliance mode.
-
-> [!IMPORTANT]
-> To prevent data loss, there must be a way to recover BitLocker encryption keys. If both recovery options are not allowed, backup of BitLocker recovery information to AD DS must be enabled. Otherwise, a policy error occurs.
-
-### Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)
-
-This policy setting is used to configure the storage of BitLocker recovery information in AD DS. This policy setting provides an administrative method of recovering data that is encrypted by BitLocker to prevent data loss due to lack of key information.
-
-| Item | Info |
-|:---|:---|
-|**Policy description**|This policy setting allows management of the AD DS backup of BitLocker Drive Encryption recovery information.|
-|**Introduced**|Windows Server 2008 and Windows Vista|
-|**Drive type**|Operating system drives and fixed data drives on computers running Windows Server 2008 and Windows Vista.|
-|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption*|
-|**Conflicts**|None|
-|**When enabled**|BitLocker recovery information is automatically and silently backed up to AD DS when BitLocker is turned on for a computer.|
-|**When disabled or not configured**|BitLocker recovery information isn't backed up to AD DS.|
-
-#### Reference: Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)
-
-This policy is only applicable to computers running Windows Server 2008 or Windows Vista.
-
-This policy setting is applied when BitLocker is turned on.
-
-BitLocker recovery information includes the recovery password and unique identifier data. A package that contains an encryption key for a BitLocker-protected drive can also be included. This key package is secured by one or more recovery passwords, and it can help perform specialized recovery when the disk is damaged or corrupted.
-
-If **Require BitLocker backup to AD DS** is selected, BitLocker can't be turned on unless the computer is connected to the domain, and the backup of BitLocker recovery information to AD DS succeeds. This option is selected by default to help ensure that BitLocker recovery is possible.
-
-A recovery password is a 48-digit number that unlocks access to a BitLocker-protected drive. A key package contains a drive's BitLocker encryption key, which is secured by one or more recovery passwords. Key packages may help perform specialized recovery when the disk is damaged or corrupted.
-
-If the **Require BitLocker backup to AD DS** option isn't selected, AD DS backup is attempted, but network or other backup failures don't prevent the BitLocker setup. The Backup process isn't automatically retried, and the recovery password might not be stored in AD DS during BitLocker setup.
-TPM initialization might be needed during the BitLocker setup. Enable the **Turn on TPM backup to Active Directory Domain Services** policy setting in **Computer Configuration** > **Administrative Templates** > **System** > **Trusted Platform Module Services** to ensure that TPM information is also backed up.
-
-For more information about this setting, see [TPM Group Policy settings](/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings).
-
-### Choose default folder for recovery password
-
-This policy setting is used to configure the default folder for recovery passwords.
-
-| Item | Info |
-|:---|:---|
-|**Policy description**|With this policy setting, the default path that is displayed when the BitLocker Setup Wizard prompts the user to enter the location of a folder in which to save the recovery password can be specified.|
-|**Introduced**|Windows Vista|
-|**Drive type**|All drives|
-|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption*|
-|**Conflicts**|None|
-|**When enabled**|The path that will be used as the default folder location when the user chooses the option to save the recovery password in a folder can be specified. A fully qualified path can be specified. The target computer's environment variables can also be included in the path. If the path isn't valid, the BitLocker Setup Wizard displays the computer's top-level folder view.|
-|**When disabled or not configured**|The BitLocker Setup Wizard displays the computer's top-level folder view when the user chooses the option to save the recovery password in a folder.|
-
-#### Reference: Choose default folder for recovery password
-
-This policy setting is applied when BitLocker is turned on.
-
-> [!NOTE]
-> This policy setting doesn't prevent the user from saving the recovery password in another folder.
-
-### Choose how BitLocker-protected fixed drives can be recovered
-
-This policy setting is used to configure recovery methods for fixed data drives.
-
-| Item | Info |
-|:---|:---|
-|**Policy description**|With this policy setting, it can be controlled how BitLocker-protected fixed data drives are recovered in the absence of the required credentials.|
-|**Introduced**|Windows Server 2008 R2 and Windows 7|
-|**Drive type**|Fixed data drives|
-|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Fixed Data Drives*|
-|**Conflicts**|The use of recovery keys must be disallowed if the **Deny write access to removable drives not protected by BitLocker** policy setting is enabled. When using data recovery agents, the **Provide the unique identifiers for your organization** policy setting must be enabled.|
-|**When enabled**|it can be controlled the methods that are available to users to recover data from BitLocker-protected fixed data drives.|
-|**When disabled or not configured**|The default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the recovery options can be specified by the user (including the recovery password and recovery key), and recovery information isn't backed up to AD DS.|
-
-#### Reference: Choose how BitLocker-protected fixed drives can be recovered
-
-This policy setting is applied when BitLocker is turned on.
-
-The **Allow data recovery agent** check box is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used, it must be added from **Public Key Policies**, which is located in the Group Policy Management Console (GPMC) or in the Local Group Policy Editor.
-
-In **Configure user storage of BitLocker recovery information**, select whether users can be allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.
-
-Select **Omit recovery options from the BitLocker setup wizard** to prevent users from specifying recovery options when they enable BitLocker on a drive. This policy setting means that which recovery option to use when BitLocker is enabled can't be specified. Instead, BitLocker recovery options for the drive are determined by the policy setting.
-
-In **Save BitLocker recovery information to Active Directory Domain Services**, choose which BitLocker recovery information to store in AD DS for fixed data drives. If **Backup recovery password and key package** is selected, the BitLocker recovery password and the key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. To recover this data, the `Repair-bde.exe` command-line tool can be used. If **Backup recovery password only** is selected, only the recovery password is stored in AD DS.
-
-For more information about the BitLocker repair tool, see [Repair-bde](/windows-server/administration/windows-commands/repair-bde).
-
-Select the **Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives** check box if users should be prevented from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.
-
-> [!NOTE]
-> If the **Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives** check box is selected, a recovery password is automatically generated.
-
-### Choose how BitLocker-protected removable drives can be recovered
-
-This policy setting is used to configure recovery methods for removable data drives.
-
-| Item | Info |
-|:---|:---|
-|**Policy description**|With this policy setting, it can be controlled how BitLocker-protected removable data drives are recovered in the absence of the required credentials.|
-|**Introduced**|Windows Server 2008 R2 and Windows 7|
-|**Drive type**|Removable data drives|
-|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Removable Data Drives*|
-|**Conflicts**|The use of recovery keys must be disallowed if the **Deny write access to removable drives not protected by BitLocker** policy setting is enabled. When using data recovery agents, the **Provide the unique identifiers for your organization** policy setting must be enabled.|
-|**When enabled**|it can be controlled the methods that are available to users to recover data from BitLocker-protected removable data drives.|
-|**When disabled or not configured**|The default recovery options are supported for BitLocker recovery. By default, a data recovery agent is allowed, the recovery options can be specified by the user (including the recovery password and recovery key), and recovery information isn't backed up to AD DS.|
-
-#### Reference: Choose how BitLocker-protected removable drives can be recovered
-
-This policy setting is applied when BitLocker is turned on.
-
-The **Allow data recovery agent** check box is used to specify whether a data recovery agent can be used with BitLocker-protected removable data drives. Before a data recovery agent can be used, it must be added from **Public Key Policies** , which is accessed using the GPMC or the Local Group Policy Editor.
-
-In **Configure user storage of BitLocker recovery information**, select whether users can be allowed, required, or not allowed to generate a 48-digit recovery password.
-
-Select **Omit recovery options from the BitLocker setup wizard** to prevent users from specifying recovery options when they enable BitLocker on a drive. This policy setting means that which recovery option to use when BitLocker is enabled can't be specified. Instead, BitLocker recovery options for the drive are determined by the policy setting.
-
-In **Save BitLocker recovery information to Active Directory Domain Services**, choose which BitLocker recovery information is to be stored in AD DS for removable data drives. If **Backup recovery password and key package** is selected, the BitLocker recovery password and the key package are stored in AD DS. If **Backup recovery password only** is selected, only the recovery password is stored in AD DS.
-
-Select the **Do not enable BitLocker until recovery information is stored in AD DS for removable data drives** check box if users should be prevented from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.
-
-> [!NOTE]
-> If the **Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives** check box is selected, a recovery password is automatically generated.
-
-### Configure the pre-boot recovery message and URL
-
-This policy setting is used to configure the entire recovery message and to replace the existing URL that is displayed on the pre-boot recovery screen when the operating system drive is locked.
-
-| Item | Info |
-|:---|:---|
-|**Policy description**|With this policy setting, it can be configured the BitLocker recovery screen to display a customized message and URL.|
-|**Introduced**|Windows|
-|**Drive type**|Operating system drives|
-|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives* > *Configure pre-boot recovery message and URL*|
-|**Conflicts**|None|
-|**When enabled**|The customized message and URL are displayed on the pre-boot recovery screen. If a custom recovery message and URL has been previously enabled and the message and URL need to be reverted back to the default message and URL, the policy setting must be enabled and the **Use default recovery message and URL** option selected.|
-|**When disabled or not configured**|If the setting hasn't been previously enabled, then the default pre-boot recovery screen is displayed for BitLocker recovery. If the setting previously was enabled and is later disabled, then the last message in Boot Configuration Data (BCD) is displayed whether it was the default recovery message or the custom message.|
-
-#### Reference: Configure the pre-boot recovery message and URL
-
-Enabling the **Configure the pre-boot recovery message and URL** policy setting allows customization of the default recovery screen message and URL to assist customers in recovering their key.
-
-Once the setting is enabled, three options are available:
-
-- If the **Use default recovery message and URL** option is selected, the default BitLocker recovery message and URL will be displayed on the pre-boot recovery screen.
-- If the **Use custom recovery message** option is selected, enter the custom message in the **Custom recovery message option** text box. The message that is entered in the **Custom recovery message option** text box is displayed on the pre-boot recovery screen. If a recovery URL is available, include it in the message.
-- If the **Use custom recovery URL** option is selected, enter the custom message URL in the **Custom recovery URL option** text box. The URL that is entered in the **Custom recovery URL option** text box replaces the default URL in the default recovery message, which is displayed on the pre-boot recovery screen.
-
-> [!IMPORTANT]
-> Not all characters and languages are supported in the pre-boot environment. It is strongly recommended to verify the correct appearance of the characters that are used for the custom message and URL on the pre-boot recovery screen.
-
-> [!IMPORTANT]
-> Because BCDEdit commands can be altered manually before Group Policy settings have been set, the policy setting can't be returned to the default setting by selecting the **Not Configured** option after this policy setting has been configured. To return to the default pre-boot recovery screen leave the policy setting enabled and select the **Use default message** options from the **Choose an option for the pre-boot recovery message** drop-down list box.
-
-### Allow Secure Boot for integrity validation
-
-This policy controls how BitLocker-enabled system volumes are handled with the Secure Boot feature. Enabling this feature forces Secure Boot validation during the boot process and verifies Boot Configuration Data (BCD) settings according to the Secure Boot policy.
-
-| Item | Info |
-|:---|:---|
-|**Policy description**|With this policy setting, it can be configured whether Secure Boot will be allowed as the platform integrity provider for BitLocker operating system drives.|
-|**Introduced**|Windows Server 2012 and Windows 8|
-|**Drive type**|All drives|
-|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*|
-|**Conflicts**|If **Allow Secure Boot for integrity validation** is enabled, make sure the Configure TPM platform validation profile for native UEFI firmware configurations Group Policy setting isn't enabled, or include PCR 7 to allow BitLocker to use Secure Boot for platform or BCD integrity validation.
For more information about PCR 7, see [About the Platform Configuration Register (PCR)](#about-the-platform-configuration-register-pcr) in this article.|
-|**When enabled or not configured**|BitLocker uses Secure Boot for platform integrity if the platform is capable of Secure Boot-based integrity validation.|
-|**When disabled**|BitLocker uses legacy platform integrity validation, even on systems that are capable of Secure Boot-based integrity validation.|
-
-#### Reference: Allow Secure Boot for integrity validation
-
-Secure boot ensures that the computer's pre-boot environment loads only firmware that is digitally signed by authorized software publishers. Secure boot also started providing more flexibility for managing pre-boot configurations than BitLocker integrity checks prior to Windows Server 2012 and Windows 8.
-
-When this policy is enabled and the hardware is capable of using secure boot for BitLocker scenarios, the **Use enhanced Boot Configuration Data validation profile** group policy setting is ignored, and secure boot verifies BCD settings according to the secure boot policy setting, which is configured separately from BitLocker.
-
-> [!WARNING]
-> Disabling this policy might result in BitLocker recovery when manufacturer-specific firmware is updated. If this policy is disabled, suspend BitLocker prior to applying firmware updates.
-
-### Provide the unique identifiers for your organization
-
-This policy setting is used to establish an identifier that is applied to all drives that are encrypted in an organization.
-
-| Item | Info |
-|:---|:---|
-|**Policy description**|With this policy setting, unique organizational identifiers can be associated to a new drive that is enabled with BitLocker.|
-|**Introduced**|Windows Server 2008 R2 and Windows 7|
-|**Drive type**|All drives|
-|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption*|
-|**Conflicts**|Identification fields are required to manage certificate-based data recovery agents on BitLocker-protected drives. BitLocker manages and updates certificate-based data recovery agents only when the identification field is present on a drive and it's identical to the value that is configured on the computer.|
-|**When enabled**|The identification field on the BitLocker-protected drive and any allowed identification field that is used by an organization can be configured.|
-|**When disabled or not configured**|The identification field isn't required.|
-
-#### Reference: Provide the unique identifiers for your organization
-
-These identifiers are stored as the identification field and the allowed identification field. The identification field allows association of a unique organizational identifier to BitLocker-protected drives. This identifier is automatically added to new BitLocker-protected drives, and it can be updated on existing BitLocker-protected drives by using the [Manage-bde](/windows-server/administration/windows-commands/manage-bde) command-line tool.
-
-An identification field is required to manage certificate-based data recovery agents on BitLocker-protected drives and for potential updates to the BitLocker To Go Reader. BitLocker manages and updates data recovery agents only when the identification field on the drive matches the value that is configured in the identification field. In a similar manner, BitLocker updates the BitLocker To Go Reader only when the identification field's value on the drive matches the value that is configured for the identification field.
-
-For more information about the tool to manage BitLocker, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde).
-
-The allowed identification field is used in combination with the **Deny write access to removable drives not protected by BitLocker** policy setting to help control the use of removable drives in an organization. It's a comma-separated list of identification fields from an internal organization or external organizations.
-
-The identification fields on existing drives can be configured by using the [Manage-bde](/windows-server/administration/windows-commands/manage-bde) command-line tool.
-
-When a BitLocker-protected drive is mounted on another BitLocker-enabled computer, the identification field and the allowed identification field are used to determine whether the drive is from an external organization.
-
-Multiple values separated by commas can be entered in the identification and allowed identification fields. The identification field can be any value upto 260 characters.
-
-### Prevent memory overwrite on restart
-
-This policy setting is used to control whether the computer's memory will be overwritten the next time the computer is restarted.
-
-| Item | Info |
-|:---|:---|
-|**Policy description**|With this policy setting, it can be controlled computer restart performance at the risk of exposing BitLocker secrets.|
-|**Introduced**|Windows Vista|
-|**Drive type**|All drives|
-|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption*|
-|**Conflicts**|None|
-|**When enabled**|The computer won't overwrite memory when it restarts. Preventing memory overwrite may improve restart performance, but it increases the risk of exposing BitLocker secrets.|
-|**When disabled or not configured**|BitLocker secrets are removed from memory when the computer restarts.|
-
-#### Reference: Prevent memory overwrite on restart
-
-This policy setting is applied when BitLocker is turned on. BitLocker secrets include key material that is used to encrypt data. This policy setting applies only when BitLocker protection is enabled.
-
-### Configure TPM platform validation profile for BIOS-based firmware configurations
-
-This policy setting determines what values the TPM measures when it validates early boot components before it unlocks an operating system drive on a computer with a BIOS configuration or with UEFI firmware that has the Compatibility Support Module (CSM) enabled.
-
-| Item | Info |
-|:---|:---|
-|**Policy description**|With this policy setting, it can be configured how the computer's TPM security hardware secures the BitLocker encryption key.|
-|**Introduced**|Windows Server 2012 and Windows 8|
-|**Drive type**|Operating system drives|
-|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*|
-|**Conflicts**|None|
-|**When enabled**|The boot components that the TPM validates before unlocking access to the BitLocker-encrypted operating system drive can be configured. If any of these components change while BitLocker protection is in effect, then the TPM doesn't release the encryption key to unlock the drive. Instead, the computer displays the BitLocker Recovery console and requires that the recovery password or the recovery key is provided to unlock the drive.|
-|**When disabled or not configured**|The TPM uses the default platform validation profile or the platform validation profile that is specified by the setup script.|
-
-#### Reference: Configure TPM platform validation profile for BIOS-based firmware configurations
-
-This policy setting doesn't apply if the computer doesn't have a compatible TPM or if BitLocker has already been turned on with TPM protection.
-
-> [!IMPORTANT]
-> This Group Policy setting only applies to computers with BIOS configurations or to computers with UEFI firmware with the CSM enabled. Computers that use a native UEFI firmware configuration store different values in the Platform Configuration Registers (PCRs). Use the **Configure TPM platform validation profile for native UEFI firmware configurations** Group Policy setting to configure the TPM PCR profile for computers that use native UEFI firmware.
-
-A platform validation profile consists of a set of PCR indices that range from 0 to 23. The default platform validation profile secures the encryption key against changes to the following PCRs:
-
-- Core Root of Trust of Measurement (CRTM), BIOS, and Platform Extensions (PCR 0)
-- Option ROM Code (PCR 2)
-- Master Boot Record (MBR) Code (PCR 4)
-- NTFS Boot Sector (PCR 8)
-- NTFS Boot Block (PCR 9)
-- Boot Manager (PCR 10)
-- BitLocker Access Control (PCR 11)
-
-> [!NOTE]
-> Changing from the default platform validation profile affects the security and manageability of a computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs.
-
-The following list identifies all of the available PCRs:
-
-- PCR 0: Core root-of-trust for measurement, BIOS, and platform extensions
-- PCR 1: Platform and motherboard configuration and data.
-- PCR 2: Option ROM code
-- PCR 3: Option ROM data and configuration
-- PCR 4: Master Boot Record (MBR) code
-- PCR 5: Master Boot Record (MBR) partition table
-- PCR 6: State transition and wake events
-- PCR 7: Computer manufacturer-specific
-- PCR 8: NTFS boot sector
-- PCR 9: NTFS boot block
-- PCR 10: Boot manager
-- PCR 11: BitLocker access control
-- PCR 12-23: Reserved for future use
-
-### Configure TPM platform validation profile (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2)
-
-This policy setting determines what values the TPM measures when it validates early boot components before unlocking a drive on a computer running Windows Vista, Windows Server 2008, or Windows 7.
-
-| Item | Info |
-|:---|:---|
-|**Policy description**|With this policy setting, it can be configured how the computer's TPM security hardware secures the BitLocker encryption key.|
-|**Introduced**|Windows Server 2008 and Windows Vista|
-|**Drive type**|Operating system drives|
-|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*|
-|**Conflicts**|None|
-|**When enabled**|The boot components that the TPM validates before unlocking access to the BitLocker-encrypted operating system drive can be configured. If any of these components change while BitLocker protection is in effect, the TPM doesn't release the encryption key to unlock the drive. Instead, the computer displays the BitLocker Recovery console and requires that the recovery password or the recovery key is provided to unlock the drive.|
-|**When disabled or not configured**|The TPM uses the default platform validation profile or the platform validation profile that is specified by the setup script.|
-
-#### Reference: Configure TPM platform validation profile (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2)
-
-This policy setting doesn't apply if the computer doesn't have a compatible TPM or if BitLocker is already turned on with TPM protection.
-
-A platform validation profile consists of a set of PCR indices that range from 0 to 23. The default platform validation profile secures the encryption key against changes to the following PCRs:
-
-- Core Root of Trust of Measurement (CRTM), BIOS, and Platform Extensions (PCR 0)
-- Option ROM Code (PCR 2)
-- Master Boot Record (MBR) Code (PCR 4)
-- NTFS Boot Sector (PCR 8)
-- NTFS Boot Block (PCR 9)
-- Boot Manager (PCR 10)
-- BitLocker Access Control (PCR 11)
-
-> [!NOTE]
-> The default TPM validation profile PCR settings for computers that use an Extensible Firmware Interface (EFI) are the PCRs 0, 2, 4, and 11 only.
-
-The following list identifies all of the available PCRs:
-
-- PCR 0: Core root-of-trust for measurement, EFI boot and run-time services, EFI drivers embedded in system ROM, ACPI static tables, embedded SMM code, and BIOS code
-- PCR 1: Platform and motherboard configuration and data. Hand-off tables and EFI variables that affect system configuration
-- PCR 2: Option ROM code
-- PCR 3: Option ROM data and configuration
-- PCR 4: Master Boot Record (MBR) code or code from other boot devices
-- PCR 5: Master Boot Record (MBR) partition table. Various EFI variables and the GPT table
-- PCR 6: State transition and wake events
-- PCR 7: Computer manufacturer-specific
-- PCR 8: NTFS boot sector
-- PCR 9: NTFS boot block
-- PCR 10: Boot manager
-- PCR 11: BitLocker access control
-- PCR 12 - 23: Reserved for future use
-
-> [!WARNING]
-> Changing from the default platform validation profile affects the security and manageability of a computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs.
-
-### Configure TPM platform validation profile for native UEFI firmware configurations
-
-This policy setting determines what values the TPM measures when it validates early boot components before unlocking an operating system drive on a computer with native UEFI firmware configurations.
-
-| Item | Info |
-|:---|:---|
-|**Policy description**|With this policy setting, it can be configured how the computer's Trusted Platform Module (TPM) security hardware secures the BitLocker encryption key.|
-|**Introduced**|Windows Server 2012 and Windows 8|
-|**Drive type**|Operating system drives|
-|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*|
-|**Conflicts**|Setting this policy with PCR 7 omitted overrides the **Allow Secure Boot for integrity validation** Group Policy setting, and it prevents BitLocker from using Secure Boot for platform or Boot Configuration Data (BCD) integrity validation.
If an environment uses TPM and Secure Boot for platform integrity checks, this policy is configured.
For more information about PCR 7, see [About the Platform Configuration Register (PCR)](#about-the-platform-configuration-register-pcr) in this article.|
-|**When enabled**|Before BitLocker is turned on, the boot components that the TPM validates before it unlocks access to the BitLocker-encrypted operating system drive can be configured. If any of these components change while BitLocker protection is in effect, the TPM doesn't release the encryption key to unlock the drive. Instead, the computer displays the BitLocker Recovery console and requires that the recovery password or the recovery key is provided to unlock the drive.|
-|**When disabled or not configured**|BitLocker uses the default platform validation profile or the platform validation profile that is specified by the setup script.|
-
-#### Reference: Configure TPM platform validation profile for native UEFI firmware configurations
-
-This policy setting doesn't apply if the computer doesn't have a compatible TPM or if BitLocker is already turned on with TPM protection.
-
-> [!IMPORTANT]
-> This group policy setting only applies to computers with a native UEFI firmware configuration. Computers with BIOS or UEFI firmware with a Compatibility Support Module (CSM) enabled store different values in the Platform Configuration Registers (PCRs). Use the **Configure TPM platform validation profile for BIOS-based firmware configurations** Group Policy setting to configure the TPM PCR profile for computers with BIOS configurations or for computers with UEFI firmware with a CSM enabled.
-
-A platform validation profile consists of a set of PCR indices ranging from 0 to 23. The default platform validation profile secures the encryption key against changes to the core system firmware executable code (PCR 0), extended or pluggable executable code (PCR 2), boot manager (PCR 4), and the BitLocker access control (PCR 11).
-
-The following list identifies all of the available PCRs:
-
-- PCR 0: Core System Firmware executable code
-- PCR 1: Core System Firmware data
-- PCR 2: Extended or pluggable executable code
-- PCR 3: Extended or pluggable firmware data
-- PCR 4: Boot Manager
-- PCR 5: GPT/Partition Table
-- PCR 6: Resume from S4 and S5 Power State Events
-- PCR 7: Secure Boot State
-
- For more information about this PCR, see [About the Platform Configuration Register (PCR)](#about-the-platform-configuration-register-pcr) in this article.
-
-- PCR 8: Initialized to 0 with no Extends (reserved for future use)
-- PCR 9: Initialized to 0 with no Extends (reserved for future use)
-- PCR 10: Initialized to 0 with no Extends (reserved for future use)
-- PCR 11: BitLocker access control
-- PCR 12: Data events and highly volatile events
-- PCR 13: Boot Module Details
-- PCR 14: Boot Authorities
-- PCR 15 - 23: Reserved for future use
-
-> [!WARNING]
-> Changing from the default platform validation profile affects the security and manageability of a computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs.
-
-### Reset platform validation data after BitLocker recovery
-
-This policy setting determines if platform validation data should refresh when Windows is started following a BitLocker recovery. A platform validation data profile consists of the values in a set of Platform Configuration Register (PCR) indices that range from 0 to 23.
-
-| Item | Info |
-|:---|:---|
-|**Policy description**|With this policy setting, it can be controlled whether platform validation data is refreshed when Windows is started following a BitLocker recovery.|
-|**Introduced**|Windows Server 2012 and Windows 8|
-|**Drive type**|Operating system drives|
-|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*|
-|**Conflicts**|None|
-|**When enabled**|Platform validation data is refreshed when Windows is started following a BitLocker recovery.|
-|**When disabled**|Platform validation data isn't refreshed when Windows is started following a BitLocker recovery.|
-|**When not configured**|Platform validation data is refreshed when Windows is started following a BitLocker recovery.|
-
-#### Reference: Reset platform validation data after BitLocker recovery
-
-For more information about the recovery process, see the [BitLocker recovery guide](bitlocker-recovery-guide-plan.md).
-
-### Use enhanced Boot Configuration Data validation profile
-
-This policy setting determines specific Boot Configuration Data (BCD) settings to verify during platform validation. A platform validation uses the data in the platform validation profile, which consists of a set of Platform Configuration Register (PCR) indices that range from 0 to 23.
-
-| Item | Info |
-|:---|:---|
-|**Policy description**|With this policy setting, Boot Configuration Data (BCD) settings to verify during platform validation can be specified.|
-|**Introduced**|Windows Server 2012 and Windows 8|
-|**Drive type**|Operating system drives|
-|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Operating System Drives*|
-|**Conflicts**|When BitLocker is using Secure Boot for platform and Boot Configuration Data integrity validation, the **Use enhanced Boot Configuration Data validation profile** Group Policy setting is ignored (as defined by the **Allow Secure Boot for integrity validation** Group Policy setting).|
-|**When enabled**|Additional BCD settings can be added and specified BCD settings can be excluded. Also a customized BCD validation profile can be created by combining inclusion and exclusion lists. The customized BCD validation profile gives the ability to verify BCD settings.|
-|**When disabled**|The computer reverts to a BCD profile validation similar to the default BCD profile that is used by Windows 7.|
-|**When not configured**|The computer verifies the default BCD settings in Windows.|
-
-#### Reference: Use enhanced Boot Configuration Data validation profile
-
-> [!NOTE]
-> The setting that controls boot debugging (0x16000010) is always validated, and it has no effect if it's included in the inclusion or the exclusion list.
-
-### Allow access to BitLocker-protected fixed data drives from earlier versions of Windows
-
-This policy setting is used to control whether access to drives is allowed by using the BitLocker To Go Reader, and whether BitLocker To Go Reader can be installed on the drive.
-
-| Item | Info |
-|:---|:---|
-|**Policy description**|With this policy setting, it can be configured whether fixed data drives that are formatted with the FAT file system can be unlocked and viewed on computers running Windows Vista, Windows XP with Service Pack 3 (SP3), or Windows XP with Service Pack 2 (SP2).|
-|**Introduced**|Windows Server 2008 R2 and Windows 7|
-|**Drive type**|Fixed data drives|
-|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Fixed Data Drives*|
-|**Conflicts**|None|
-|**When enabled and When not configured**|Fixed data drives that are formatted with the FAT file system can be unlocked on computers running Windows Server 2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2, and their content can be viewed. These operating systems have Read-only access to BitLocker-protected drives.|
-|**When disabled**|Fixed data drives that are formatted with the FAT file system and are BitLocker-protected can't be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2. BitLocker To Go Reader (bitlockertogo.exe) isn't installed.|
-
-#### Reference: Allow access to BitLocker-protected fixed data drives from earlier versions of Windows
-
-> [!NOTE]
-> This policy setting doesn't apply to drives that are formatted with the NTFS file system.
-
-When this policy setting is enabled, select the **Do not install BitLocker To Go Reader on FAT formatted fixed drives** check box to help prevent users from running BitLocker To Go Reader from their fixed drives. If BitLocker To Go Reader (bitlockertogo.exe) is present on a drive that doesn't have an identification field specified, or if the drive has the same identification field as specified in the **Provide unique identifiers for your organization** policy setting, the user is prompted to update BitLocker, and BitLocker To Go Reader is deleted from the drive. In this situation, for the fixed drive to be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2, BitLocker To Go Reader must be installed on the computer. If this check box isn't selected, then BitLocker To Go Reader will be installed on the fixed drive to enable users to unlock the drive on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2.
-
-### Allow access to BitLocker-protected removable data drives from earlier versions of Windows
-
-This policy setting controls access to removable data drives that are using the BitLocker To Go Reader and whether the BitLocker To Go Reader can be installed on the drive.
-
-| Item | Info |
-|:---|:---|
-|**Policy description**|With this policy setting, it can be configured whether removable data drives that are formatted with the FAT file system can be unlocked and viewed on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2.|
-|**Introduced**|Windows Server 2008 R2 and Windows 7|
-|**Drive type**|Removable data drives|
-|**Policy path**|*Computer Configuration* > *Administrative Templates* > *Windows Components* > *BitLocker Drive Encryption* > *Removable Data Drives*|
-|**Conflicts**|None|
-|**When enabled and When not configured**|Removable data drives that are formatted with the FAT file system can be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2, and their content can be viewed. These operating systems have Read-only access to BitLocker-protected drives.|
-|**When disabled**|Removable data drives that are formatted with the FAT file system that are BitLocker-protected can't be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2. BitLocker To Go Reader (bitlockertogo.exe) isn't installed.|
-
-#### Reference: Allow access to BitLocker-protected removable data drives from earlier versions of Windows
-
-> [!NOTE]
-> This policy setting doesn't apply to drives that are formatted with the NTFS file system.
-
-When this policy setting is enabled, select the **Do not install BitLocker To Go Reader on FAT formatted removable drives** check box to help prevent users from running BitLocker To Go Reader from their removable drives. If BitLocker To Go Reader (bitlockertogo.exe) is present on a drive that doesn't have an identification field specified, or if the drive has the same identification field as specified in the **Provide unique identifiers for your organization** policy setting, the user will be prompted to update BitLocker, and BitLocker To Go Reader is deleted from the drive. In this situation, for the removable drive to be unlocked on computers running Windows Vista, Windows XP with SP3, or Windows XP with SP2, BitLocker To Go Reader must be installed on the computer. If this check box isn't selected, then BitLocker To Go Reader will be installed on the removable drive to enable users to unlock the drive on computers running Windows Vista or Windows XP that don't have BitLocker To Go Reader installed.
-
-## FIPS setting
-
-The Federal Information Processing Standard (FIPS) setting for FIPS compliance can be configured. As an effect of FIPS compliance, users can't create or save a BitLocker password for recovery or as a key protector. The use of a recovery key is permitted.
-
-| Item | Info |
-|:---|:---|
-|**Policy description**|Notes|
-|**Introduced**|Windows Server 2003 with SP1|
-|**Drive type**|System-wide|
-|**Policy path**|*Local Policies* > *Security Options* > *System cryptography*: **Use FIPS compliant algorithms for encryption, hashing, and signing**|
-|**Conflicts**|Some applications, such as Terminal Services, don't support FIPS-140 on all operating systems.|
-|**When enabled**|Users will be unable to save a recovery password to any location. This policy setting includes AD DS and network folders. Also, WMI or the BitLocker Drive Encryption Setup wizard can't be used to create a recovery password.|
-|**When disabled or not configured**|No BitLocker encryption key is generated|
-
-### Reference: FIPS setting
-
-This policy must be enabled before any encryption key is generated for BitLocker. When this policy is enabled, BitLocker prevents creating or using recovery passwords, so recovery keys should be used instead.
-
-The optional recovery key can be saved to a USB drive. Because recovery passwords can't be saved to AD DS when FIPS is enabled, an error is caused if AD DS backup is required by Group Policy.
-
-The FIPS setting can be edited by using the Security Policy Editor (`Secpol.msc`) or by editing the Windows registry. Only administrators can perform these procedures.
-
-For more information about setting this policy, see [System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing](../../../threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md).
-
-## Power management group policy settings: Sleep and Hibernate
-
-PCs default power settings for a computer will cause the computer to enter Sleep mode frequently to conserve power when idle and to help extend the system's battery life. When a computer transitions to Sleep, open programs and documents are persisted in memory. When a computer resumes from Sleep, users aren't required to reauthenticate with a PIN or USB startup key to access encrypted data. Not needing to reauthenticate when resuming from Sleep might lead to conditions where data security is compromised.
-
-However, when a computer hibernates the drive is locked, and when it resumes from hibernation the drive is unlocked, which means that users will need to provide a PIN or a startup key if using multifactor authentication with BitLocker. Therefore, organizations that use BitLocker may want to use Hibernate instead of Sleep for improved security. This setting doesn't have an impact on TPM-only mode, because it provides a transparent user experience at startup and when resuming from the Hibernate states.
-
-To disable all available sleep states, disable the Group Policy settings located in **Computer Configuration** > **Administrative Templates** > **System** > **Power Management** :
-
-- **Allow Standby States (S1-S3) When Sleeping (Plugged In)**
-- **Allow Standby States (S1-S3) When Sleeping (Battery)**
-
-## About the Platform Configuration Register (PCR)
-
-A platform validation profile consists of a set of PCR indices that range from 0 to 23. The scope of the values can be specific to the version of the operating system.
-
-Changing from the default platform validation profile affects the security and manageability of a computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs.
-
-### About PCR 7
-
-PCR 7 measures the state of Secure Boot. With PCR 7, BitLocker can use Secure Boot for integrity validation. Secure Boot ensures that the computer's preboot environment loads only firmware that is digitally signed by authorized software publishers. PCR 7 measurements indicate whether Secure Boot is on and which keys are trusted on the platform. If Secure Boot is on and the firmware measures PCR 7 correctly per the UEFI specification, BitLocker can bind to this information rather than to PCRs 0, 2, and 4, which have the measurements of the exact firmware and Bootmgr images loaded. This process reduces the likelihood of BitLocker starting in recovery mode as a result of firmware and image updates, and it provides with greater flexibility to manage the preboot configuration.
-
-PCR 7 measurements must follow the guidance that is described in [Appendix A Trusted Execution Environment EFI Protocol](/windows-hardware/test/hlk/testref/trusted-execution-environment-efi-protocol).
-
-PCR 7 measurements are a mandatory logo requirement for systems that support Modern Standby (also known as Always On, Always Connected PCs), such as the Microsoft Surface RT. On such systems, if the TPM with PCR 7 measurement and secure boot are correctly configured, BitLocker binds to PCR 7 and PCR 11 by default.
-
-## Related articles
-
-- [Trusted Platform Module](/windows/device-security/tpm/trusted-platform-module-overview)
-- [TPM Group Policy settings](/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings)
-- [BitLocker frequently asked questions (FAQ)](faq.yml)
-- [BitLocker overview](index.md)
-- [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
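Review bot: this hunk deletes the group-policy reference with no replacement file in the diff, so confirm the PCR profile tables, the FIPS setting and the Sleep/Hibernate guidance land in the new location and that a redirect covers inbound links to this file. Two items should be corrected rather than migrated verbatim: `|**Policy description**|Notes|` in the FIPS table is placeholder text, and `|**When disabled or not configured**|No BitLocker encryption key is generated|` contradicts the surrounding reference, which says the policy only blocks recovery passwords; disabling it leaves key generation unaffected. The **Conflicts** cell for the native UEFI profile also spans three lines (`If an environment uses TPM and Secure Boot ...`, `For more information about PCR 7 ...`), which breaks the markdown table, and the PCR 7 paragraph still cites the Surface RT as its Modern Standby example.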
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md
deleted file mode 100644
index 1c64084bcd..0000000000
--- a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md
+++ /dev/null
@@ -1,102 +0,0 @@
----
-title: BitLocker How to deploy on Windows Server
-description: This article for the IT professional explains how to deploy BitLocker and Windows Server
-ms.topic: conceptual
-ms.date: 11/08/2022
----
-
-# BitLocker: How to deploy on Windows Server
-
-This article explains how to deploy BitLocker on Windows Server. For all Windows Server editions, BitLocker can be installed using Server Manager or Windows PowerShell cmdlets. BitLocker requires administrator privileges on the server on which it's to be installed.
-
-## Installing BitLocker
-
-### To install BitLocker using server manager
-
-1. Open server manager by selecting the server manager icon or running `servermanager.exe`.
-1. Select **Manage** from the **Server Manager Navigation** bar and select **Add Roles and Features** to start the **Add Roles and Features Wizard.**
-1. With the **Add Roles and Features** wizard open, select **Next** at the **Before you begin** pane (if shown).
-1. Select **Role-based or feature-based installation** on the **Installation type** pane of the **Add Roles and Features** wizard and select **Next** to continue.
-1. Select the **Select a server from the server pool** option in the **Server Selection** pane and confirm the server on which the BitLocker feature is to be installed.
-1. Select **Next** on the **Server Roles** pane of the **Add Roles and Features** wizard to proceed to the **Features** pane.
- > [!NOTE]
- > Server roles and features are installed by using the same wizard in Server Manager.
-1. Select the check box next to **BitLocker Drive Encryption** within the **Features** pane of the **Add Roles and Features** wizard. The wizard shows the extra management features available for BitLocker. If the extra management features aren't needed and/or don't need to be installed, deselect the **Include management tools**.
- > [!NOTE]
- > The **Enhanced Storage** feature is a required feature for enabling BitLocker. This feature enables support for encrypted hard drives on capable systems.
-1. Select **Add Features**. Once optional features selection is complete, select **Next** to proceed in the wizard.
-1. Select **Install** on the **Confirmation** pane of the **Add Roles and Features** wizard to begin BitLocker feature installation. The BitLocker feature requires a restart for its installation to be complete. Selecting the **Restart the destination server automatically if required** option in the **Confirmation** pane forces a restart of the computer after installation is complete.
-1. If the **Restart the destination server automatically if required** check box isn't selected, the **Results** pane of the **Add Roles and Features** wizard displays the success or failure of the BitLocker feature installation. If necessary, a notification of other action necessary to complete the feature installation, such as the restart of the computer, will be displayed in the results text.
-
-### To install BitLocker using Windows PowerShell
-
-Windows PowerShell offers administrators another option for BitLocker feature installation. Windows PowerShell installs features using the `servermanager` or `dism.exe` module. However, the `servermanager` and `dism.exe` modules don't always share feature name parity. Because of this mismatch of feature name parity, it's advisable to confirm the feature or role name prior to installation.
-
-> [!NOTE]
-> The server must be restarted to complete the installation of BitLocker.
-
-### Using the servermanager module to install BitLocker
-
-The `servermanager` Windows PowerShell module can use either the `Install-WindowsFeature` or `Add-WindowsFeature` to install the BitLocker feature. The `Add-WindowsFeature` cmdlet is merely a stub to the `Install-WindowsFeature`. This example uses the `Install-WindowsFeature` cmdlet. The feature name for BitLocker in the `servermanager` module is `BitLocker`.
-
-By default, installation of features in Windows PowerShell doesn't include optional subfeatures or management tools as part of the installation process. What is installed as part of the installation process can be seen using the `-WhatIf` option in Windows PowerShell.
-
-```powershell
-Install-WindowsFeature BitLocker -WhatIf
-```
-
-The results of this command show that only the BitLocker Drive Encryption feature is installed using this command.
-
-To see what would be installed with the BitLocker feature, including all available management tools and subfeatures, use the following command:
-
-```powershell
-Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -WhatIf | fl
-```
-
-The result of this command displays the following list of all the administration tools for BitLocker, which would be installed along with the feature, including tools for use with Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS).
-
-- BitLocker Drive Encryption
-- BitLocker Drive Encryption Tools
-- BitLocker Drive Encryption Administration Utilities
-- BitLocker Recovery Password Viewer
-- AD DS Snap-Ins and Command-Line Tools
-- AD DS Tools
-- AD DS and AD LDS Tools
-
-The command to complete a full installation of the BitLocker feature with all available subfeatures and then to reboot the server at completion is:
-
-```powershell
-Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -Restart
-```
-
-> [!IMPORTANT]
-> Installing the BitLocker feature using Windows PowerShell does not install the Enhanced Storage feature. Administrators wishing to support Encrypted Hard Drives in their environment will need to install the Enhanced Storage feature separately.
-
-### Using the dism module to install BitLocker
-
-The `dism.exe` Windows PowerShell module uses the `Enable-WindowsOptionalFeature` cmdlet to install features. The BitLocker feature name for BitLocker is `BitLocker`. The `dism.exe` module doesn't support wildcards when searching for feature names. To list feature names for the `dism.exe` module, use the `Get-WindowsOptionalFeatures` cmdlet. The following command lists all of the optional features in an online (running) operating system.
-
-```powershell
-Get-WindowsOptionalFeature -Online | ft
-```
-
-From this output, there are three BitLocker-related optional feature names: **BitLocker**, **BitLocker-Utilities** and **BitLocker-NetworkUnlock**. To install the BitLocker feature, the **BitLocker** and **BitLocker-Utilities** features are the only required items.
-
-To install BitLocker using the `dism.exe` module, use the following command:
-
-```powershell
-Enable-WindowsOptionalFeature -Online -FeatureName BitLocker -All
-```
-
-This command prompts the user for a reboot. The Enable-WindowsOptionalFeature cmdlet doesn't offer support for forcing a reboot of the computer. This command doesn't include installation of the management tools for BitLocker. For a complete installation of BitLocker and all available management tools, use the following command:
-
-```powershell
-Enable-WindowsOptionalFeature -Online -FeatureName BitLocker, BitLocker-Utilities -All
-```
-
-## Related articles
-
-- [BitLocker overview](index.md)
-- [BitLocker frequently asked questions (FAQ)](faq.yml)
-- [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
-- [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md)
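Review bot: the related-articles list removed here linked to `bitlocker-how-to-enable-network-unlock.md`, which this same commit deletes, so verify that the surviving pages (`index.md`, `faq.yml`, the planning page) no longer link to either deleted file and that redirects exist for both. If the install procedure is migrated, fix the cmdlet name `Get-WindowsOptionalFeatures` in the dism paragraph (the command two lines below correctly uses `Get-WindowsOptionalFeature`) and reconcile the two Enhanced Storage statements: the Server Manager note calls it "a required feature for enabling BitLocker", while the PowerShell note says the PowerShell install omits it and only Encrypted Hard Drive support needs it.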
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
deleted file mode 100644
index 11f7b07e86..0000000000
--- a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
+++ /dev/null
@@ -1,453 +0,0 @@
----
-title: BitLocker - How to enable Network Unlock
-description: This article for the IT professional describes how BitLocker Network Unlock works and how to configure it.
-ms.topic: conceptual
-ms.date: 11/08/2022
----
-
-# BitLocker: How to enable Network Unlock
-
-This article describes how BitLocker Network Unlock works and how to configure it.
-
-Network Unlock is a BitLocker protector option for operating system volumes. Network Unlock enables easier management for BitLocker-enabled desktops and servers in a domain environment by providing automatic unlock of operating system volumes at system reboot when connected to a wired corporate network. This feature requires the client hardware to have a DHCP driver implemented in its UEFI firmware. Without Network Unlock, operating system volumes protected by TPM+PIN protectors require a PIN to be entered when a computer reboots or resumes from hibernation (for example, by Wake on LAN). Requiring a PIN after a reboot can make it difficult to enterprises to roll out software patches to unattended desktops and remotely administered servers.
-
-Network Unlock allows BitLocker-enabled systems that have a TPM+PIN and that meet the hardware requirements to boot into Windows without user intervention. Network Unlock works in a similar fashion to the TPM+StartupKey at boot. Rather than needing to read the StartupKey from USB media, however, the Network Unlock feature needs the key to be composed from a key stored in the TPM and an encrypted network key that is sent to the server, decrypted and returned to the client in a secure session.
-
-## Network Unlock core requirements
-
-Network Unlock must meet mandatory hardware and software requirements before the feature can automatically unlock domain-joined systems. These requirements include:
-
-- Currently supported Windows operating system
-- Any supported operating system with UEFI DHCP drivers that can serve as Network Unlock clients
-- Network Unlock clients with a TPM chip and at least one TPM protector
-- A server running the Windows Deployment Services (WDS) role on any supported server operating system
-- BitLocker Network Unlock optional feature installed on any supported server operating system
-- A DHCP server, separate from the WDS server
-- Properly configured public/private key pairing
-- Network Unlock group policy settings configured
-- Network stack enabled in the UEFI firmware of client devices
-
-> [!NOTE]
-> To properly support DHCP within UEFI, the UEFI-based system should be in native mode and shouldn't have a compatibility support module (CSM) enabled.
-
-For Network Unlock to work reliably on computers, the first network adapter on the computer, usually the onboard adapter, must be configured to support DHCP. This first network adapter must be used for Network Unlock. This configuration is especially worth noting when the device has multiple adapters, and some adapters are configured without DHCP, such as for use with a lights-out management protocol. This configuration is necessary because Network Unlock stops enumerating adapters when it reaches one with a DHCP port failure for any reason. Thus, if the first enumerated adapter doesn't support DHCP, isn't plugged into the network, or fails to report availability of the DHCP port for any reason, then Network Unlock fails.
-
-The Network Unlock server component is installed on supported versions of Windows Server 2012 and later as a Windows feature that uses Server Manager or Windows PowerShell cmdlets. The feature name is BitLocker Network Unlock in Server Manager and BitLocker-NetworkUnlock in Windows PowerShell. This feature is a core requirement.
-
-Network Unlock requires Windows Deployment Services (WDS) in the environment where the feature will be utilized. Configuration of the WDS installation isn't required. However, the WDS service must be running on the server.
-
-The network key is stored on the system drive along with an AES 256 session key and encrypted with the 2048-bit RSA public key of the Unlock server certificate. The network key is decrypted with the help of a provider on a supported version of Windows Server running WDS, and returned encrypted with its corresponding session key.
-
-## Network Unlock sequence
-
-The unlock sequence starts on the client side when the Windows boot manager detects the existence of Network Unlock protector. It uses the DHCP driver in UEFI to obtain an IP address for IPv4 and then broadcasts a vendor-specific DHCP request that contains the network key and a session key for the reply, all encrypted by the server's Network Unlock certificate, as described above. The Network Unlock provider on the supported WDS server recognizes the vendor-specific request, decrypts it with the RSA private key, and returns the network key encrypted with the session key via its own vendor-specific DHCP reply.
-
-On the server side, the WDS server role has an optional plugin component, like a PXE provider, which is what handles the incoming Network Unlock requests. The provider can also be configured with subnet restrictions, which would require that the IP address provided by the client in the Network Unlock request belong to a permitted subnet to release the network key to the client. In instances where the Network Unlock provider is unavailable, BitLocker fails over to the next available protector to unlock the drive. In a typical configuration, the standard TPM+PIN unlock screen is presented to unlock the drive.
-
-The server side configuration to enable Network Unlock also requires provisioning a 2048-bit RSA public/private key pair in the form of an X.509 certificate, and distributing the public key certificate to the clients. This certificate must be managed and deployed through the Group Policy editor directly on a domain controller with at least a Domain Functional Level of Windows Server 2012. This certificate is the public key that encrypts the intermediate network key (which is one of the two secrets required to unlock the drive; the other secret is stored in the TPM).
-
-Manage and deploy this certificate through the Group Policy editor directly on a domain controller that has a domain functional level of at least Windows Server 2012. This certificate is the public key that encrypts the intermediate network key. The intermediate network key is one of the two secrets that are required to unlock the drive; the other secret is stored in the TPM.
-
-
-
-The Network Unlock process follows these phases:
-
-1. The Windows boot manager detects a Network Unlock protector in the BitLocker configuration.
-
-2. The client computer uses its DHCP driver in the UEFI to get a valid IPv4 IP address.
-
-3. The client computer broadcasts a vendor-specific DHCP request that contains:
-
- 1. A network key (a 256-bit intermediate key) that is encrypted by using the 2048-bit RSA Public Key of the Network Unlock certificate from the WDS server.
-
- 2. An AES-256 session key for the reply.
-
-4. The Network Unlock provider on the WDS server recognizes the vendor-specific request.
-
-5. The provider decrypts the request by using the WDS server's BitLocker Network Unlock certificate RSA private key.
-
-6. The WDS provider returns the network key encrypted with the session key by using its own vendor-specific DHCP reply to the client computer. This key is an intermediate key.
-
-7. The returned intermediate key is combined with another local 256-bit intermediate key. This key can be decrypted only by the TPM.
-
-8. This combined key is used to create an AES-256 key that unlocks the volume.
-
-9. Windows continues the boot sequence.
-
-## Configure Network Unlock
-
-The following steps allow an administrator to configure Network Unlock in a domain where the Domain Functional Level is at least Windows Server 2012.
-
-### Install the WDS server role
-
-The BitLocker Network Unlock feature installs the WDS role if it isn't already installed. WDS can be installed separately before BitLocker Network Unlock is installed by using **Server Manager** or **Windows PowerShell**. To install the role using Server Manager, select the **Windows Deployment Services** role in **Server Manager**.
-
-To install the role by using Windows PowerShell, use the following command:
-
-```powershell
-Install-WindowsFeature WDS-Deployment
-```
-
-The WDS server must be configured so that it can communicate with DHCP (and optionally AD DS) and the client computer. The WDS server can be configured using the WDS management tool, `wdsmgmt.msc`, which starts the Windows Deployment Services Configuration wizard.
-
-### Confirm the WDS service is running
-
-To confirm that the WDS service is running, use the Services Management Console or Windows PowerShell. To confirm that the service is running in Services Management Console, open the console using `services.msc` and check the status of the Windows Deployment Services service.
-
-To confirm that the service is running using Windows PowerShell, use the following command:
-
-```powershell
-Get-Service WDSServer
-```
-
-### Install the Network Unlock feature
-
-To install the Network Unlock feature, use Server Manager or Windows PowerShell. To install the feature using Server Manager, select the **BitLocker Network Unlock** feature in the Server Manager console.
-
-To install the feature by using Windows PowerShell, use the following command:
-
-```powershell
-Install-WindowsFeature BitLocker-NetworkUnlock
-```
-
-### Create the certificate template for Network Unlock
-
-A properly configured Active Directory Services Certification Authority can use this certificate template to create and issue Network Unlock certificates.
-
-1. Open the Certificates Template snap-in (`certtmpl.msc`).
-
-2. Locate the User template, right-click the template name and select **Duplicate Template**.
-
-3. On the **Compatibility** tab, change the **Certification Authority** and **Certificate recipient** fields to Windows Server 2012 and Windows 8, respectively. Ensure that the **Show resulting changes** dialog box is selected.
-
-4. Select the **General** tab of the template. The **Template display name** and **Template name** should clearly identify that the template will be used for Network Unlock. Clear the check box for the **Publish certificate in Active Directory** option.
-
-5. Select the **Request Handling** tab. Select **Encryption** from the **Purpose** drop-down menu. Ensure that the **Allow private key to be exported** option is selected.
-
-6. Select the **Cryptography** tab. Set the **Minimum key size** to 2048. Any Microsoft cryptographic provider that supports RSA can be used for this template, but for simplicity and forward compatibility, it is recommended to use **Microsoft Software Key Storage Provider**.
-
-7. Select the **Requests must use one of the following providers** option and clear all options except for the cryptography provider selected, such as **Microsoft Software Key Storage Provider**.
-
-8. Select the **Subject Name** tab. Select **Supply in the request**. Select **OK** if the certificate templates pop-up dialog appears.
-
-9. Select the **Issuance Requirements** tab. Select both **CA certificate manager approval** and **Valid existing certificate** options.
-
-10. Select the **Extensions** tab. Select **Application Policies** and choose **Edit…**.
-
-11. In the **Edit Application Policies Extension** options dialog box, select **Client Authentication**, **Encrypting File System**, **and Secure Email** and choose **Remove**.
-
-12. On the **Edit Application Policies Extension** dialog box, select **Add**.
-
-13. On the **Add Application Policy** dialog box, select **New**. In the **New Application Policy** dialog box, enter the following information in the space provided and then select **OK** to create the BitLocker Network Unlock application policy:
-
- - *Name:* **BitLocker Network Unlock**
- - *Object Identifier:* **1.3.6.1.4.1.311.67.1.1**
-
-14. Select the newly created **BitLocker Network Unlock** application policy and select **OK**.
-
-15. With the **Extensions** tab still open, select the **Edit Key Usage Extension** dialog. Select the **Allow key exchange only with key encryption (key encipherment)** option. Select the **Make this extension critical** option.
-
-16. Select the **Security** tab. Confirm that the **Domain Admins** group has been granted **Enroll** permission.
-
-17. Select **OK** to complete configuration of the template.
-
-To add the Network Unlock template to the certificate authority, open the certificate authority snap-in (`certsrv.msc`). Right-click **Certificate Templates**, and then choose **New, Certificate Template to issue**. Select the previously created BitLocker Network Unlock certificate.
-
-After the Network Unlock template is added to the certificate authority, this certificate can be used to configure BitLocker Network Unlock.
-
-### Create the Network Unlock certificate
-
-Network Unlock can use imported certificates from an existing public key infrastructure (PKI). Or it can use a self-signed certificate.
-
-To enroll a certificate from an existing certificate authority:
-
-1. On the WDS server, open Certificate Manager by using `certmgr.msc`.
-
-2. Under **Certificates - Current User**, right-click **Personal**.
-
-3. Select **All Tasks** > **Request New Certificate**.
-
-4. When the Certificate Enrollment wizard opens, select **Next**.
-
-5. Select **Active Directory Enrollment Policy**.
-
-6. Choose the certificate template that was created for Network Unlock on the domain controller. Then select **Enroll**.
-
-7. When prompted for more information, select **Subject Name** and provide a friendly name value. The friendly name should include information for the domain or organizational unit for the certificate. For example:
-
- *BitLocker Network Unlock Certificate for Contoso domain*
-
-8. Create the certificate. Ensure the certificate appears in the **Personal** folder.
-
-9. Export the public key certificate for Network Unlock:
-
- 1. Create a `.cer` file by right-clicking the previously created certificate, selecting **All Tasks**, and then selecting **Export**.
-
- 2. Select **No, do not export the private key**.
-
- 3. Select **DER encoded binary X.509** and complete exporting the certificate to a file.
-
- 4. Give the file a name such as BitLocker-NetworkUnlock.cer.
-
-10. Export the public key with a private key for Network Unlock.
-
- 1. Create a `.pfx` file by right-clicking the previously created certificate, selecting **All Tasks**, and then selecting **Export**.
-
- 2. Select **Yes, export the private key**.
-
- 3. Complete the steps to create the `.pfx` file.
-
-To create a self-signed certificate, either use the `New-SelfSignedCertificate` cmdlet in Windows PowerShell or use `certreq.exe`. For example:
-
-**Windows PowerShell:**
-
-```powershell
-New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -Subject "CN=BitLocker Network Unlock certificate" -Provider "Microsoft Software Key Storage Provider" -KeyUsage KeyEncipherment -KeyUsageProperty Decrypt,Sign -KeyLength 2048 -HashAlgorithm sha512 -TextExtension @("1.3.6.1.4.1.311.21.10={text}OID=1.3.6.1.4.1.311.67.1.1","2.5.29.37={text}1.3.6.1.4.1.311.67.1.1")
-```
-
-**certreq.exe:**
-
-1. Create a text file with an `.inf` extension, for example:
-
- ```cmd
- notepad.exe BitLocker-NetworkUnlock.inf
- ```
-
-2. Add the following contents to the previously created file:
-
- ```ini
- [NewRequest]
- Subject="CN=BitLocker Network Unlock certificate"
- ProviderType=0
- MachineKeySet=True
- Exportable=true
- RequestType=Cert
- KeyUsage="CERT_KEY_ENCIPHERMENT_KEY_USAGE"
- KeyUsageProperty="NCRYPT_ALLOW_DECRYPT_FLAG | NCRYPT_ALLOW_SIGNING_FLAG"
- KeyLength=2048
- SMIME=FALSE
- HashAlgorithm=sha512
- [Extensions]
- 1.3.6.1.4.1.311.21.10 = "{text}"
- _continue_ = "OID=1.3.6.1.4.1.311.67.1.1"
- 2.5.29.37 = "{text}"
- _continue_ = "1.3.6.1.4.1.311.67.1.1"
- ```
-
-3. Open an elevated command prompt and use the `certreq.exe` tool to create a new certificate. Use the following command, specifying the full path to the file that was created previously along with the file name:
-
- ```cmd
- certreq.exe -new BitLocker-NetworkUnlock.inf BitLocker-NetworkUnlock.cer
- ```
-
-4. Verify that certificate was properly created by the previous command by confirming that the `.cer` file exists.
-
-5. Launch the **Certificates - Local Computer** console by running `certlm.msc`.
-
-6. Create a `.pfx` file by following the below steps the **Certificates - Local Computer** console:
-
- 1. Navigate to **Certificates - Local Computer** > **Personal** > **Certificates**
-
- 2. Right-click the previously imported certificate, select **All Tasks**, and then select **Export**
-
- 3. Follow through the wizard to create the `.pfx` file.
-
-### Deploy the private key and certificate to the WDS server
-
-After creating the certificate and key, deploy them to the infrastructure to properly unlock systems. To deploy the certificates:
-
-1. On the WDS server, launch the **Certificates - Local Computer** console by running `certlm.msc`.
-
-2. Right-click **BitLocker Drive Encryption Network Unlock** item under **Certificates (Local Computer)**, select **All Tasks**, and then select **Import**.
-
-3. In the **File to Import** dialog, choose the `.pfx` file created previously.
-
-4. Enter the password used to create the `.pfx` and complete the wizard.
-
-### Configure group policy settings for Network Unlock
-
-With certificate and key deployed to the WDS server for Network Unlock, the final step is to use group policy settings to deploy the public key certificate to the desired computers that will use the Network Unlock key to unlock. Group policy settings for BitLocker can be found under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** using the Local Group Policy Editor or the Microsoft Management Console.
-
-The following steps describe how to enable the group policy setting that is a requirement for configuring Network Unlock.
-
-1. Open Group Policy Management Console (`gpmc.msc`).
-2. Enable the policy **Require additional authentication at startup**, and then select **Require startup PIN with TPM** or **Allow startup PIN with TPM**.
-3. Turn on BitLocker with TPM+PIN protectors on all domain-joined computers.
-
-The following steps describe how to deploy the required group policy setting:
-
-> [!NOTE]
-> The group policy settings **Allow Network Unlock at startup** and **Add Network Unlock Certificate** were introduced in Windows Server 2012.
-
-1. Copy the `.cer` file that was created for Network Unlock to the domain controller.
-
-2. On the domain controller, open Group Policy Management Console (`gpmc.msc`).
-
-3. Create a new Group Policy Object or modify an existing object to enable the **Allow Network Unlock at startup** setting.
-
-4. Deploy the public certificate to clients:
-
- 1. Within group policy management console, navigate to the following location:
-
- **Computer Configuration** > **Policies** > **Windows Settings** > **Security Settings** > **Public Key Policies** > **BitLocker Drive Encryption Network Unlock Certificate**.
-
- 2. Right-click the folder and select **Add Network Unlock Certificate**.
-
- 3. Follow the wizard steps and import the `.cer` file that was copied earlier.
-
- > [!NOTE]
- > Only one Network Unlock certificate can be available at a time. If a new certificate is needed, delete the current certificate before deploying a new one. The Network Unlock certificate is located under the **`HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\FVE_NKP`** registry key on the client computer.
-
-5. Reboot the clients after the Group Policy is deployed.
-
- > [!NOTE]
- > The **Network (Certificate Based)** protector will be added only after a reboot, with the policy enabled and a valid certificate present in the FVE_NKP store.
-
-### Subnet policy configuration files on the WDS server (optional)
-
-By default, all clients with the correct Network Unlock certificate and valid Network Unlock protectors that have wired access to a Network Unlock-enabled WDS server via DHCP are unlocked by the server. A subnet policy configuration file on the WDS server can be created to limit which are the subnet(s) the Network Unlock clients can use to unlock.
-
-The configuration file, called bde-network-unlock.ini, must be located in the same directory as the Network Unlock provider DLL (`%windir%\System32\Nkpprov.dll`) and it applies to both IPv6 and IPv4 DHCP implementations. If the subnet configuration policy becomes corrupted, the provider fails and stops responding to requests.
-
-The subnet policy configuration file must use a **\[SUBNETS\]** section to identify the specific subnets. The named subnets may then be used to specify restrictions in certificate subsections. Subnets are defined as simple name-value pairs, in the common INI format, where each subnet has its own line, with the name on the left of the equal-sign, and the subnet identified on the right of the equal-sign as a Classless Inter-Domain Routing (CIDR) address or range. The key word **ENABLED** is disallowed for subnet names.
-
-```ini
-[SUBNETS]
-SUBNET1=10.185.250.0/24 ; a comment about this subrange could be here, after the semicolon
-SUBNET2=10.185.252.200/28
-SUBNET3= 2001:4898:a:2::/64 ; an IPv6 subnet
-SUBNET4=2001:4898:a:3::/64; in production, the admin would likely give more useful names, like BUILDING9-EXCEPT-RECEP.
-```
-
-Following the **\[SUBNETS\]** section, there can be sections for each Network Unlock certificate, identified by the certificate thumbprint formatted without any spaces, which define the subnets clients that can be unlocked from that certificate.
-
-> [!NOTE]
-> When specifying the certificate thumbprint, do not include any spaces. If spaces are included in the thumbprint, the subnet configuration fails because the thumbprint will not be recognized as valid.
-
-Subnet restrictions are defined within each certificate section by denoting the allowed list of permitted subnets. If any subnets are listed in a certificate section, then only those subnets are permitted for that certificate. If no subnet is listed in a certificate section, then all subnets are permitted for that certificate. If a certificate doesn't have a section in the subnet policy configuration file, then no subnet restrictions are applied for unlocking with that certificate. For restrictions to apply to every certificate, there must be a certificate section for every Network Unlock certificate on the server, and an explicit allowed list set for each certificate section.
-
-Subnet lists are created by putting the name of a subnet from the **\[SUBNETS\]** section on its own line below the certificate section header. Then, the server will only unlock clients with this certificate on the subnet(s) specified as in the list. For troubleshooting, a subnet can be quickly excluded without deleting it from the section by commenting it out with a prepended semi-colon.
-
-```ini
-[2158a767e1c14e88e27a4c0aee111d2de2eafe60]
-;Comments could be added here to indicate when the cert was issued, which Group Policy should get it, and so on.
-;This list shows this cert is allowed to unlock clients only on the SUBNET1 and SUBNET3 subnets. In this example, SUBNET2 is commented out.
-SUBNET1
-;SUBNET2
-SUBNET3
-```
-
-To disallow the use of a certificate altogether, add a `DISABLED` line to its subnet list.
-
-## Turn off Network Unlock
-
-To turn off the unlock server, the PXE provider can be unregistered from the WDS server or uninstalled altogether. However, to stop clients from creating Network Unlock protectors, the **Allow Network Unlock at startup** group policy setting should be disabled. When this policy setting is updated to **disabled** on client computers, any Network Unlock key protector on the computer is deleted. Alternatively, the BitLocker Network Unlock certificate policy can be deleted on the domain controller to accomplish the same task for an entire domain.
-
-> [!NOTE]
-> Removing the FVE_NKP certificate store that contains the Network Unlock certificate and key on the WDS server will also effectively disable the server's ability to respond to unlock requests for that certificate. However, this is seen as an error condition and is not a supported or recommended method for turning off the Network Unlock server.
-
-## Update Network Unlock certificates
-
-To update the certificates used by Network Unlock, administrators need to import or generate the new certificate for the server, and then update the Network Unlock certificate group policy setting on the domain controller.
-
-> [!NOTE]
-> Servers that don't receive the Group Policy Object (GPO) will require a PIN when they boot. In such cases, find out why the server didn't receive the GPO to update the certificate.
-
-## Troubleshoot Network Unlock
-
-Troubleshooting Network Unlock issues begins by verifying the environment. Many times, a small configuration issue can be the root cause of the failure. Items to verify include:
-
-- Verify that the client hardware is UEFI-based and is on firmware version 2.3.1 and that the UEFI firmware is in native mode without a Compatibility Support Module (CSM) for BIOS mode enabled. Verification can be done by checking that the firmware doesn't have an option enabled such as "Legacy mode" or "Compatibility mode" or that the firmware doesn't appear to be in a BIOS-like mode.
-
-- All required roles and services are installed and started.
-
-- Public and private certificates have been published and are in the proper certificate containers. The presence of the Network Unlock certificate can be verified in the Microsoft Management Console (MMC.exe) on the WDS server with the certificate snap-ins for the local computer enabled. The client certificate can be verified by checking the registry key **`HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\FVE_NKP`** on the client computer.
-
-- Group policy for Network Unlock is enabled and linked to the appropriate domains.
-
-- Verify whether group policy is reaching the clients properly. Verification of group policy can be done using the `GPRESULT.exe` or `RSOP.msc` utilities.
-
-- Verify whether the clients were rebooted after applying the policy.
-
-- Verify whether the **Network (Certificate Based)** protector is listed on the client. Verification of the protector can be done using either manage-bde or Windows PowerShell cmdlets. For example, the following command will list the key protectors currently configured on the C: drive of the local computer:
-
- ```powershell
- manage-bde.exe -protectors -get C:
- ```
-
- > [!NOTE]
- > Use the output of `manage-bde.exe` along with the WDS debug log to determine whether the proper certificate thumbprint is being used for Network Unlock.
-
-Gather the following files to troubleshoot BitLocker Network Unlock.
-
-- The Windows event logs. Specifically, get the BitLocker event logs and the Microsoft-Windows-Deployment-Services-Diagnostics-Debug log.
-
- Debug logging is turned off by default for the WDS server role. To retrieve WDS debug logs, the WDS debug logs first need to be enabled. Use either of the following two methods to turn on WDS debug logging.
-
- - Start an elevated command prompt, and then run the following command:
-
- ```cmd
- wevtutil.exe sl Microsoft-Windows-Deployment-Services-Diagnostics/Debug /e:true
- ```
-
- - Open **Event Viewer** on the WDS server:
-
- 1. In the left pane, navigate to **Applications and Services Logs** > **Microsoft** > **Windows** > **Deployment-Services-Diagnostics** > **Debug**.
- 2. In the right pane, select **Enable Log**.
-
-- The DHCP subnet configuration file (if one exists).
-
-- The output of the BitLocker status on the volume. Gather this output into a text file by using `manage-bde.exe -status`. Or in Windows PowerShell, use `Get-BitLockerVolume`.
-
-- The Network Monitor capture on the server that hosts the WDS role, filtered by client IP address.
-
-
-
-## Related articles
-
-- [BitLocker overview](index.md)
-- [BitLocker frequently asked questions (FAQ)](faq.yml)
-- [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
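Review bot: this hunk removes the whole body of bitlocker-how-to-enable-network-unlock.md, and nothing in the visible diff re-adds its operational detail: the certificate template procedure with the BitLocker Network Unlock application policy OID `1.3.6.1.4.1.311.67.1.1`, the `New-SelfSignedCertificate` and `certreq.exe` examples, the `bde-network-unlock.ini` subnet policy format (including the `DISABLED` line and the no-spaces thumbprint requirement), and the `FVE_NKP` registry location used in troubleshooting. Please confirm in the PR description where this content now lives and that a redirect is added for the old path; the only in-diff link to it (`[BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md)` in the management article) is itself in a file being deleted, so external links and the `## Related articles` back-references (`index.md`, `faq.yml`, `prepare-your-organization-for-bitlocker-planning-and-policies.md`) are what need checking.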
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-management-for-enterprises.md
deleted file mode 100644
index e9c661179f..0000000000
--- a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-management-for-enterprises.md
+++ /dev/null
@@ -1,115 +0,0 @@
----
-title: BitLocker management
-description: Refer to relevant documentation, products, and services to learn about managing BitLocker and see recommendations for different computers.
-ms.topic: conceptual
-ms.date: 11/08/2022
----
-
-# BitLocker management
-
-The ideal solution for BitLocker management is to eliminate the need for IT administrators to set management policies using tools or other mechanisms by having Windows perform tasks that are more practical to automate. This vision leverages modern hardware developments. The growth of TPM 2.0, secure boot, and other hardware improvements, for example, have helped to alleviate the support burden on help desks and a decrease in support-call volumes, yielding improved user satisfaction. Windows continues to be the focus for new features and improvements for built-in encryption management, such as automatically enabling encryption on devices that support Modern Standby beginning with Windows 8.1.
-
-Though much Windows [BitLocker documentation](index.md) has been published, customers frequently ask for recommendations and pointers to specific, task-oriented documentation that is both easy to digest and focused on how to deploy and manage BitLocker. This article links to relevant documentation, products, and services to help answer this and other related frequently asked questions, and also provides BitLocker recommendations for different types of computers.
-
-[!INCLUDE [bitlocker](../../../../../includes/licensing/bitlocker-management.md)]
-
-## Managing domain-joined computers and moving to cloud
-
-Companies that image their own computers using Configuration Manager can use an existing task sequence to [pre-provision BitLocker](/configmgr/osd/understand/task-sequence-steps#BKMK_PreProvisionBitLocker) encryption while in Windows Preinstallation Environment (WinPE) and can then [enable protection](/configmgr/osd/understand/task-sequence-steps#BKMK_EnableBitLocker). These steps during an operating system deployment can help ensure that computers are encrypted from the start, even before users receive them. As part of the imaging process, a company could also decide to use Configuration Manager to pre-set any desired [BitLocker Group Policy](bitlocker-group-policy-settings.md).
-
-Enterprises can use [Microsoft BitLocker Administration and Monitoring (MBAM)](/microsoft-desktop-optimization-pack/mbam-v25/) to manage client computers with BitLocker that are domain-joined on-premises until [mainstream support ends in July 2019](/lifecycle/products/?alpha=Microsoft%20BitLocker%20Administration%20and%20Monitoring%202.5%20Service%20Pack%201%2F) or they can receive extended support until April 2026. Thus, over the next few years, a good strategy for enterprises will be to plan and move to cloud-based management for BitLocker. Refer to the [PowerShell examples](#powershell-examples) to see how to store recovery keys in Microsoft Entra ID.
-
-> [!IMPORTANT]
-> Microsoft BitLocker Administration and Monitoring (MBAM) capabilities are offered through Configuration Manager BitLocker Management. See [Plan for BitLocker management](/mem/configmgr/protect/plan-design/bitlocker-management) in the Configuration Manager documentation for additional information.
-
-
-
-## Managing devices joined to Microsoft Entra ID
-
-Devices joined to Microsoft Entra ID are managed using Mobile Device Management (MDM) policy from an MDM solution such as Microsoft Intune. Prior to Windows 10, version 1809, only local administrators can enable BitLocker via Intune policy. Starting with Windows 10, version 1809, Intune can enable BitLocker for standard users. [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) status can be queried from managed machines via the [Policy Configuration Settings Provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider/), which reports on whether BitLocker Device Encryption is enabled on the device. Compliance with BitLocker Device Encryption policy can be a requirement for [Conditional Access](https://www.microsoft.com/cloud-platform/conditional-access/) to services like Exchange Online and SharePoint Online.
-
-Starting with Windows 10 version 1703, the enablement of BitLocker can be triggered over MDM either by the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider/) or the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp/). The BitLocker CSP adds policy options that go beyond ensuring that encryption has occurred, and is available on computers that run Windows 11, Windows 10, and on Windows phones.
-
-For hardware that is compliant with Modern Standby and HSTI, when using either of these features, [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) is automatically turned on whenever the user joins a device to Microsoft Entra ID. Microsoft Entra ID provides a portal where recovery keys are also backed up, so users can retrieve their own recovery key for self-service, if necessary. For older devices that aren't yet encrypted, beginning with Windows 10 version 1703, admins can use the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp/) to trigger encryption and store the recovery key in Microsoft Entra ID. This process and feature is applicable to Azure Hybrid AD as well.
-
-## Managing workplace-joined PCs and phones
-
-For Windows PCs and Windows Phones that are enrolled using **Connect to work or school account**, BitLocker Device Encryption is managed over MDM, the same as devices joined to Microsoft Entra ID.
-
-## Managing servers
-
-Servers are often installed, configured, and deployed using PowerShell; therefore, the recommendation is to also use [PowerShell to enable BitLocker on a server](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md#bitlocker-cmdlets-for-windows-powershell), ideally as part of the initial setup. BitLocker is an Optional Component (OC) in Windows Server; therefore, follow the directions in [BitLocker: How to deploy on Windows Server 2012 and later](bitlocker-how-to-deploy-on-windows-server.md) to add the BitLocker OC.
-
-The Minimal Server Interface is a prerequisite for some of the BitLocker administration tools. On a [Server Core](/windows-server/get-started/getting-started-with-server-core/) installation, the necessary GUI components must be added first. The steps to add shell components to Server Core are described in [Using Features on Demand with Updated Systems and Patched Images](/archive/blogs/server_core/using-features-on-demand-with-updated-systems-and-patched-images) and [How to update local source media to add roles and features](/archive/blogs/joscon/how-to-update-local-source-media-to-add-roles-and-features).
-
-If a server is being installed manually, such as a stand-alone server, then choosing [Server with Desktop Experience](/windows-server/get-started/getting-started-with-server-with-desktop-experience/) is the easiest path because it avoids performing the steps to add a GUI to Server Core.
-
- Additionally, lights-out data centers can take advantage of the enhanced security of a second factor while avoiding the need for user intervention during reboots by optionally using a combination of BitLocker (TPM+PIN) and BitLocker Network Unlock. BitLocker Network Unlock brings together the best of hardware protection, location dependence, and automatic unlock, while in the trusted location. For the configuration steps, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md).
- For more information, see the BitLocker FAQs article and other useful links in [Related Articles](#related-articles).
-
-## PowerShell examples
-
-For Microsoft Entra joined computers, including virtual machines, the recovery password should be stored in Microsoft Entra ID.
-
-**Example**: *Use PowerShell to add a recovery password and back it up to Microsoft Entra ID before enabling BitLocker*
-
-```powershell
-Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector
-
-$BLV = Get-BitLockerVolume -MountPoint "C:"
-
-BackupToAAD-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $BLV.KeyProtector[0].KeyProtectorId
-```
-
-For domain-joined computers, including servers, the recovery password should be stored in Active Directory Domain Services (AD DS).
-
-**Example**: *Use PowerShell to add a recovery password and back it up to AD DS before enabling BitLocker*
-
-```powershell
-Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector
-
-$BLV = Get-BitLockerVolume -MountPoint "C:"
-
-Backup-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $BLV.KeyProtector[0].KeyProtectorId
-```
-
-PowerShell can then be used to enable BitLocker:
-
-**Example**: *Use PowerShell to enable BitLocker with a TPM protector*
-
-```powershell
-Enable-BitLocker -MountPoint "D:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -TpmProtector
-```
-
-**Example**: *Use PowerShell to enable BitLocker with a TPM+PIN protector, in this case with a PIN set to 123456*
-
-```powershell
-$SecureString = ConvertTo-SecureString "123456" -AsPlainText -Force
-
-Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -Pin $SecureString -TPMandPinProtector
-```
-
-## Related Articles
-
-- [BitLocker: FAQs](faq.yml)
-- [Microsoft BitLocker Administration and Management (MBAM)](/microsoft-desktop-optimization-pack/mbam-v25/)
-- [Overview of BitLocker Device Encryption in Windows](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption)
-- [BitLocker Group Policy Reference](bitlocker-group-policy-settings.md)
-- [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune/)
-*(Overview)*
-- [Configuration Settings Providers](/windows/client-management/mdm/policy-configuration-service-provider)
-*(Policy CSP: See [Security-RequireDeviceEncryption](/windows/client-management/mdm/policy-csp-security#security-policies))*
-- [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp/)
-
-### Windows Server setup tools
-
-- [Windows Server Installation Options](/windows-server/get-started-19/install-upgrade-migrate-19/)
-- [How to update local source media to add roles and features](/archive/blogs/joscon/how-to-update-local-source-media-to-add-roles-and-features)
-- [How to add or remove optional components on Server Core](/archive/blogs/server_core/using-features-on-demand-with-updated-systems-and-patched-images) *(Features on Demand)*
-- [How to deploy BitLocker on Windows Server](bitlocker-how-to-deploy-on-windows-server.md)
-- [How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md)
-- [Shielded VMs and Guarded Fabric](https://blogs.technet.microsoft.com/windowsserver/2016/05/10/a-closer-look-at-shielded-vms-in-windows-server-2016/)
-
-### PowerShell
-
-- [BitLocker cmdlets for Windows PowerShell](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md#bitlocker-cmdlets-for-windows-powershell)
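Review bot: Removing the PowerShell examples in this hunk (`Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector`, then `BackupToAAD-BitLockerKeyProtector` / `Backup-BitLockerKeyProtector`, then `Enable-BitLocker`) drops the only place this article states the ordering that matters for recoverability: add and escrow the recovery password protector before enabling encryption, so a volume never ends up encrypted with no backed-up recovery key in Microsoft Entra ID or AD DS. Please confirm the replacement content keeps that sequence, and if these samples are migrated rather than dropped, fix two defects instead of carrying them over: the TPM-only example encrypts `D:` while the protectors were added to `C:` (a TPM protector applies to the OS drive, so the mount points should agree), and the TPM+PIN example embeds a literal PIN `123456` via `ConvertTo-SecureString "123456" -AsPlainText -Force`, which should be a placeholder or read interactively with `Read-Host -AsSecureString`. The Related Articles list being removed also links to `blogs.technet.microsoft.com` for Shielded VMs, a retired host; if that list moves elsewhere, update the link rather than copying it.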
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-recovery-guide-plan.md
deleted file mode 100644
index a2bf3f755c..0000000000
--- a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-recovery-guide-plan.md
+++ /dev/null
@@ -1,979 +0,0 @@
----
-title: BitLocker recovery guide
-description: This article for IT professionals describes how to recover BitLocker keys from Active Directory Domain Services (AD DS).
-ms.collection:
- - highpri
- - tier1
-ms.topic: conceptual
-ms.date: 11/08/2022
----
-
-# BitLocker recovery guide
-
-This article describes how to recover BitLocker keys from AD DS.
-
-Organizations can use BitLocker recovery information saved in Active Directory Domain Services (AD DS) to access BitLocker-protected data. It's recommended to create a recovery model for BitLocker while planning for BitLocker deployment.
-
-This article assumes that it's understood how to set up AD DS to back up BitLocker recovery information automatically, and what types of recovery information are saved to AD DS.
-
-This article doesn't detail how to configure AD DS to store the BitLocker recovery information.
-
-## What is BitLocker recovery?
-
-BitLocker recovery is the process by which access can be restored to a BitLocker-protected drive if the drive can't be unlocked normally. In a recovery scenario, the following options to restore access to the drive are available:
-
-- **The user can supply the recovery password.** If the organization allows users to print or store recovery passwords, the users can enter in the 48-digit recovery password that they printed or stored on a USB drive or with a Microsoft account online. Saving a recovery password with a Microsoft account online is only allowed when BitLocker is used on a PC that isn't a member of a domain.
-
-- **Data recovery agents can use their credentials to unlock the drive.** If the drive is an operating system drive, the drive must be mounted as a data drive on another computer for the data recovery agent to unlock it.
-
-- **A domain administrator can obtain the recovery password from AD DS and use it to unlock the drive.** Storing recovery passwords in AD DS is recommended to provide a way for IT professionals to be able to obtain recovery passwords for drives in an organization if needed. This method makes it mandatory to enable this recovery method in the BitLocker group policy setting **Choose how BitLocker-protected operating system drives can be recovered** located at **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** in the Local Group Policy Editor. For more information, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
-
-### What causes BitLocker recovery?
-
-The following list provides examples of specific events that will cause BitLocker to enter recovery mode when attempting to start the operating system drive:
-
-- On PCs that use BitLocker Drive Encryption, or on devices such as tablets or phones that use [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md) only, when an attack is detected, the device will immediately reboot and enter into BitLocker recovery mode. To take advantage of this functionality, administrators can set the **Interactive logon: Machine account lockout threshold** Group Policy setting located in **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** > **Security Options** in the Local Group Policy Editor. Or they can use the **MaxFailedPasswordAttempts** policy of [Exchange ActiveSync](/Exchange/clients/exchange-activesync/exchange-activesync) (also configurable through [Microsoft Intune](/mem/intune)), to limit the number of failed password attempts before the device goes into Device Lockout.
-
-- On devices with TPM 1.2, changing the BIOS or firmware boot device order causes BitLocker recovery. However, devices with TPM 2.0 don't start BitLocker recovery in this case. TPM 2.0 doesn't consider a firmware change of boot device order as a security threat because the OS Boot Loader isn't compromised.
-
-- Having the CD or DVD drive before the hard drive in the BIOS boot order and then inserting or removing a CD or DVD.
-
-- Failing to boot from a network drive before booting from the hard drive.
-
-- Docking or undocking a portable computer. In some instances (depending on the computer manufacturer and the BIOS), the docking condition of the portable computer is part of the system measurement and must be consistent to validate the system status and unlock BitLocker. So if a portable computer is connected to its docking station when BitLocker is turned on, then it might also need to be connected to the docking station when it's unlocked. Conversely, if a portable computer isn't connected to its docking station when BitLocker is turned on, then it might need to be disconnected from the docking station when it's unlocked.
-
-- Changes to the NTFS partition table on the disk including creating, deleting, or resizing a primary partition.
-
-- Entering the personal identification number (PIN) incorrectly too many times so that the anti-hammering logic of the TPM is activated. Anti-hammering logic is software or hardware methods that increase the difficulty and cost of a brute force attack on a PIN by not accepting PIN entries until after a certain amount of time has passed.
-
-- Turning off the support for reading the USB device in the pre-boot environment from the BIOS or UEFI firmware if using USB-based keys instead of a TPM.
-
-- Turning off, disabling, deactivating, or clearing the TPM.
-
-- Upgrading critical early startup components, such as a BIOS or UEFI firmware upgrade, causing the related boot measurements to change.
-
-- Forgetting the PIN when PIN authentication has been enabled.
-
-- Updating option ROM firmware.
-
-- Upgrading TPM firmware.
-
-- Adding or removing hardware; for example, inserting a new card in the computer, including some PCMIA wireless cards.
-
-- Removing, inserting, or completely depleting the charge on a smart battery on a portable computer.
-
-- Changes to the master boot record on the disk.
-
-- Changes to the boot manager on the disk.
-
-- Hiding the TPM from the operating system. Some BIOS or UEFI settings can be used to prevent the enumeration of the TPM to the operating system. When implemented, this option can make the TPM hidden from the operating system. When the TPM is hidden, BIOS and UEFI secure startup are disabled, and the TPM doesn't respond to commands from any software.
-
-- Using a different keyboard that doesn't correctly enter the PIN or whose keyboard map doesn't match the keyboard map assumed by the pre-boot environment. This problem can prevent the entry of enhanced PINs.
-
-- Modifying the Platform Configuration Registers (PCRs) used by the TPM validation profile. For example, including **PCR\[1\]** would result in BitLocker measuring most changes to BIOS settings, causing BitLocker to enter recovery mode even when non-boot critical BIOS settings change.
-
- > [!NOTE]
- > Some computers have BIOS settings that skip measurements to certain PCRs, such as **PCR\[2\]**. Changing this setting in the BIOS would cause BitLocker to enter recovery mode because the PCR measurement will be different.
-
-- Moving the BitLocker-protected drive into a new computer.
-
-- Upgrading the motherboard to a new one with a new TPM.
-
-- Losing the USB flash drive containing the startup key when startup key authentication has been enabled.
-
-- Failing the TPM self-test.
-
-- Having a BIOS, UEFI firmware, or an option ROM component that isn't compliant with the relevant Trusted Computing Group standards for a client computer. For example, a non-compliant implementation may record volatile data (such as time) in the TPM measurements, causing different measurements on each startup and causing BitLocker to start in recovery mode.
-
-- Changing the usage authorization for the storage root key of the TPM to a non-zero value.
-
- > [!NOTE]
- > The BitLocker TPM initialization process sets the usage authorization value to zero, so another user or process must explicitly have changed this value.
-
-- Disabling the code integrity check or enabling test signing on Windows Boot Manager (Bootmgr).
-
-- Pressing the F8 or F10 key during the boot process.
-
-- Adding or removing add-in cards (such as video or network cards), or upgrading firmware on add-in cards.
-
-- Using a BIOS hot key during the boot process to change the boot order to something other than the hard drive.
-
-> [!NOTE]
-> Before beginning recovery, it is recommend to determine what caused recovery. This might help prevent the problem from occurring again in the future. For instance, if it is determined that an attacker has modified the computer by obtaining physical access, new security policies can be created for tracking who has physical presence. After the recovery password has been used to recover access to the PC, BitLocker reseals the encryption key to the current values of the measured components.
-
-For planned scenarios, such as a known hardware or firmware upgrades, initiating recovery can be avoided by temporarily suspending BitLocker protection. Because suspending BitLocker leaves the drive fully encrypted, the administrator can quickly resume BitLocker protection after the planned task has been completed. Using suspend and resume also reseals the encryption key without requiring the entry of the recovery key.
-
-> [!NOTE]
-> If suspended BitLocker will automatically resume protection when the PC is rebooted, unless a reboot count is specified using the manage-bde command line tool.
-
-If software maintenance requires the computer to be restarted and two-factor authentication is being used, the BitLocker network unlock feature can be enabled to provide the secondary authentication factor when the computers don't have an on-premises user to provide the additional authentication method.
-
-Recovery has been described within the context of unplanned or undesired behavior. However, recovery can also be caused as an intended production scenario, for example in order to manage access control. When desktop or laptop computers are redeployed to other departments or employees in the enterprise, BitLocker can be forced into recovery before the computer is given to a new user.
-
-## Testing recovery
-
-Before a thorough BitLocker recovery process is created, it's recommended to test how the recovery process works for both end users (people who call the helpdesk for the recovery password) and administrators (people who help the end user get the recovery password). The `-forcerecovery` command of `manage-bde.exe` is an easy way to step through the recovery process before users encounter a recovery situation.
-
-**To force a recovery for the local computer:**
-
-1. Select the **Start** button and type in **cmd**
-
-2. Right select on **cmd.exe** or **Command Prompt** and then select **Run as administrator**.
-
-3. At the command prompt, enter the following command:
-
- ```cmd
- manage-bde.exe -forcerecovery
- ```
-
-**To force recovery for a remote computer:**
-
-1. Select the **Start** button and type in **cmd**
-
-2. Right select on **cmd.exe** or **Command Prompt** and then select **Run as administrator**.
-
-3. At the command prompt, enter the following command:
-
- ```cmd
- manage-bde.exe -ComputerName -forcerecovery
- ```
-
- > [!NOTE]
- > Recovery triggered by `-forcerecovery` persists for multiple restarts until a TPM protector is added or protection is suspended by the user. When using Modern Standby devices (such as Surface devices), the `-forcerecovery` option is not recommended because BitLocker will have to be unlocked and disabled manually from the WinRE environment before the OS can boot up again. For more information, see [BitLocker Troubleshooting: Continuous reboot loop with BitLocker recovery on a slate device](https://social.technet.microsoft.com/wiki/contents/articles/18671.bitlocker-troubleshooting-continuous-reboot-loop-with-bitlocker-recovery-on-a-slate-device.aspx).
-
-## Planning the recovery process
-
-When planning the BitLocker recovery process, first consult the organization's current best practices for recovering sensitive information. For example: How does the enterprise handle lost Windows passwords? How does the organization perform smart card PIN resets? These best practices and related resources (people and tools) can be used to help formulate a BitLocker recovery model.
-
-Organizations that rely on BitLocker Drive Encryption and BitLocker To Go to protect data on a large number of computers and removable drives running the Windows 11, Windows 10, Windows 8, or Windows 7 operating systems and Windows to Go should consider using the Microsoft BitLocker Administration and Monitoring (MBAM) Tool version 2.0, which is included in the Microsoft Desktop Optimization Pack (MDOP) for Microsoft Software Assurance. MBAM makes BitLocker implementations easier to deploy and manage and allows administrators to provision and monitor encryption for operating system and fixed drives. MBAM prompts the user before encrypting fixed drives. MBAM also manages recovery keys for fixed and removable drives, making recovery easier to manage. MBAM can be used as part of a Microsoft System Center deployment or as a stand-alone solution. For more info, see [Microsoft BitLocker Administration and Monitoring](/microsoft-desktop-optimization-pack/mbam-v25/).
-
-After a BitLocker recovery has been initiated, users can use a recovery password to unlock access to encrypted data. Consider both self-recovery and recovery password retrieval methods for the organization.
-
-When the recovery process is determined:
-
-- Become familiar with how a recovery password can be retrieved. See:
-
- - [Self-recovery](#self-recovery)
- - [Recovery password retrieval](#recovery-password-retrieval)
-
-- Determine a series of steps for post-recovery, including analyzing why the recovery occurred and resetting the recovery password. See:
-
- - [Post-recovery analysis](#post-recovery-analysis)
-
-### Self-recovery
-
-In some cases, users might have the recovery password in a printout or a USB flash drive and can perform self-recovery. It's recommended that the organization creates a policy for self-recovery. If self-recovery includes using a password or recovery key stored on a USB flash drive, the users must be warned not to store the USB flash drive in the same place as the PC, especially during travel. For example, if both the PC and the recovery items are in the same bag it would be easy for access to be gained to the PC by an unauthorized user. Another policy to consider is having users contact the Helpdesk before or after performing self-recovery so that the root cause can be identified.
-
-### Recovery password retrieval
-
-If the user doesn't have a recovery password printed or on a USB flash drive, the user will need to be able to retrieve the recovery password from an online source. If the PC is a member of a domain, the recovery password can be backed up to AD DS. **However, back up of the recovery password to AD DS does not happen by default.** Backup of the recovery password to AD DS has to be configured via the appropriate group policy settings **before** BitLocker was enabled on the PC. BitLocker group policy settings can be found in the Local Group Policy Editor or the Group Policy Management Console (GPMC) under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption**. The following policy settings define the recovery methods that can be used to restore access to a BitLocker-protected drive if an authentication method fails or is unable to be used.
-
-- **Choose how BitLocker-protected operating system drives can be recovered**
-
-- **Choose how BitLocker-protected fixed drives can be recovered**
-
-- **Choose how BitLocker-protected removable drives can be recovered**
-
-In each of these policies, select **Save BitLocker recovery information to Active Directory Domain Services** and then choose which BitLocker recovery information to store in AD DS. Check the **Do not enable BitLocker until recovery information is stored in AD
-DS** check box if it's desired to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information for the drive to AD DS succeeds.
-
-> [!NOTE]
-> If the PCs are part of a workgroup, users are advised to save their BitLocker recovery password with their Microsoft account online. Having an online copy of the BitLocker recovery password is recommended to help ensure access to data is not lost in the event of a recovery being required.
-
-The BitLocker Recovery Password Viewer for Active Directory Users and Computers tool allows domain administrators to view BitLocker recovery passwords for specific computer objects in Active Directory.
-
-The following list can be used as a template for creating a recovery process for recovery password retrieval. This sample process uses the BitLocker Recovery Password Viewer for Active Directory Users and Computers tool.
-
-- [Record the name of the user's computer](#record-the-name-of-the-users-computer)
-- [Verify the user's identity](#verify-the-users-identity)
-- [Locate the recovery password in AD DS](#locate-the-recovery-password-in-ad-ds)
-- [Gather information to determine why recovery occurred](#gather-information-to-determine-why-recovery-occurred)
-- [Give the user the recovery password](#give-the-user-the-recovery-password)
-
-### Record the name of the user's computer
-
-The name of the user's computer can be used to locate the recovery password in AD DS. If the user doesn't know the name of the computer, ask the user to read the first word of the **Drive Label** in the **BitLocker Drive Encryption Password Entry** user interface. This word is the computer name when BitLocker was enabled and is probably the current name of the computer.
-
-### Verify the user's identity
-
-The person who is asking for the recovery password should be verified as the authorized user of that computer. It should also be verified whether the computer for which the user provided the name belongs to the user.
-
-### Locate the recovery password in AD DS
-
-Locate the computer object with the matching name in AD DS. Because computer object names are listed in the AD DS global catalog, the object should be able to be located even if it's a multi-domain forest.
-
-### Multiple recovery passwords
-
-If multiple recovery passwords are stored under a computer object in AD DS, the name of the BitLocker recovery information object includes the date on which the password was created.
-
-To make sure the correct password is provided and/or to prevent providing the incorrect password, ask the user to read the eight character password ID that is displayed in the recovery console.
-
-Since the password ID is a unique value that is associated with each recovery password stored in AD DS, running a query using this ID finds the correct password to unlock the encrypted volume.
-
-### Gather information to determine why recovery occurred
-
-Before giving the user the recovery password, information should be gatherer that will help determine why the recovery was needed. This information can be used to analyze the root cause during the post-recovery analysis. For more information about post-recovery analysis, see [Post-recovery analysis](#post-recovery-analysis).
-
-### Give the user the recovery password
-
-Because the recovery password is 48 digits long, the user may need to record the password by writing it down or typing it on a different computer. If using MBAM or Configuration Manager BitLocker Management, the recovery password will be regenerated after it's recovered from the MBAM or Configuration Manager database to avoid the security risks associated with an uncontrolled password.
-
-> [!NOTE]
-> Because the 48-digit recovery password is long and contains a combination of digits, the user might mishear or mistype the password. The boot-time recovery console uses built-in checksum numbers to detect input errors in each 6-digit block of the 48-digit recovery password, and offers the user the opportunity to correct such errors.
-
-### Post-recovery analysis
-
-When a volume is unlocked using a recovery password, an event is written to the event log, and the platform validation measurements are reset in the TPM to match the current configuration. Unlocking the volume means that the encryption key has been released and is ready for on-the-fly encryption when data is written to the volume, and on-the-fly decryption when data is read from the volume. After the volume is unlocked, BitLocker behaves the same way, regardless of how the access was granted.
-
-If it's noticed that a computer is having repeated recovery password unlocks, an administrator might want to perform post-recovery analysis to determine the root cause of the recovery, and refresh BitLocker platform validation so that the user no longer needs to enter a recovery password each time that the computer starts up. For more information, see:
-
-- [Determine the root cause of the recovery](#determine-the-root-cause-of-the-recovery)
-- [Resolve the root cause](#resolve-the-root-cause)
-
-### Determine the root cause of the recovery
-
-If a user needed to recover the drive, it's important to determine the root cause that initiated the recovery as soon as possible. Properly analyzing the state of the computer and detecting tampering may reveal threats that have broader implications for enterprise security.
-
-While an administrator can remotely investigate the cause of recovery in some cases, the end user might need to bring the computer that contains the recovered drive on site to analyze the root cause further.
-
-Review and answer the following questions for the organization:
-
-1. Which BitLocker protection mode is in effect (TPM, TPM + PIN, TPM + startup key, startup key only)? Which PCR profile is in use on the PC?
-
-2. Did the user merely forget the PIN or lose the startup key? If a token was lost, where might the token be?
-
-3. If TPM mode was in effect, was recovery caused by a boot file change?
-
-4. If recovery was caused by a boot file change, is the boot file change due to an intended user action (for example, BIOS upgrade), or a malicious software?
-
-5. When was the user last able to start the computer successfully, and what might have happened to the computer since then?
-
-6. Might the user have encountered malicious software or left the computer unattended since the last successful startup?
-
-To help answer these questions, use the BitLocker command-line tool to view the current configuration and protection mode:
-
-```cmd
-manage-bde.exe -status
-```
-
-Scan the event log to find events that help indicate why recovery was initiated (for example, if a boot file change occurred). Both of these capabilities can be performed remotely.
-
-### Resolve the root cause
-
-After it has been identified what caused recovery, BitLocker protection can be reset to avoid recovery on every startup.
-
-The details of this reset can vary according to the root cause of the recovery. If root cause can't be determined, or if a malicious software or a rootkit might have infected the computer, Helpdesk should apply best-practice virus policies to react appropriately.
-
-> [!NOTE]
-> BitLocker validation profile reset can be performed by suspending and resuming BitLocker.
-
-- [Unknown PIN](#unknown-pin)
-- [Lost startup key](#lost-startup-key)
-- [Changes to boot files](#changes-to-boot-files)
-
-### Unknown PIN
-
-If a user has forgotten the PIN, the PIN must be reset while signed on to the computer in order to prevent BitLocker from initiating recovery each time the computer is restarted.
-
-#### To prevent continued recovery due to an unknown PIN
-
-1. Unlock the computer using the recovery password.
-
-2. Reset the PIN:
-
- 1. Select and hold the drive and then select **Change PIN**
-
- 2. In the BitLocker Drive Encryption dialog, select **Reset a forgotten PIN**. If the signed in account isn't an administrator account, administrative credentials must be provided at this time.
-
- 3. In the PIN reset dialog, provide and confirm the new PIN to be used and then select **Finish**.
-
-3. The new PIN can be used the next time the drive needs to be unlocked.
-
-### Lost startup key
-
-If the USB flash drive that contains the startup key has been lost, then drive must be unlocked by using the recovery key. A new startup can then be created.
-
-#### To prevent continued recovery due to a lost startup key
-
-1. Sign in as an administrator to the computer that has its startup key lost.
-
-2. Open Manage BitLocker.
-
-3. Select **Duplicate start up key**, insert the clean USB drive where the key will be written, and then select **Save**.
-
-### Changes to boot files
-
-This error occurs if the firmware is updated. As a best practice, BitLocker should be suspended before making changes to the firmware. Protection should then be resumed after the firmware update has completed. Suspending BitLocker prevents the computer from going into recovery mode. However, if changes were made when BitLocker protection was on, the recovery password can be used to unlock the drive and the platform validation profile will be updated so that recovery won't occur the next time.
-
-## Windows RE and BitLocker Device Encryption
-
-Windows Recovery Environment (RE) can be used to recover access to a drive protected by [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md). If a PC is unable to boot after two failures, Startup Repair automatically starts. When Startup Repair is launched automatically due to boot failures, it executes only operating system and driver file repairs if the boot logs or any available crash dump points to a specific corrupted file. In Windows 8.1 and later versions, devices that include firmware to support specific TPM measurements for PCR\[7\] **the TPM** can validate that Windows RE is a trusted operating environment and unlock any BitLocker-protected drives if Windows RE hasn't been modified. If the Windows RE environment has been modified, for example, the TPM has been disabled, the drives stay locked until the BitLocker recovery key is provided. If Startup Repair isn't able to run automatically from the PC and instead, Windows RE is manually started from a repair disk, the BitLocker recovery key must be provided to unlock the BitLocker-protected drives.
-
-Windows RE will also ask for a BitLocker recovery key when a **Remove everything** reset from Windows RE is started on a device that uses **TPM + PIN** or **Password for OS drive** protectors. If BitLocker recovery is started on a keyboardless device with TPM-only protection, Windows RE, not the boot manager, will ask for the BitLocker recovery key. After the key is entered, Windows RE troubleshooting tools can be accessed, or Windows can be started normally.
-
-The BitLocker recovery screen that's shown by Windows RE has the accessibility tools like narrator and on-screen keyboard to help enter the BitLocker recovery key. If the BitLocker recovery key is requested by the Windows boot manager, those tools might not be available.
-
-To activate the narrator during BitLocker recovery in Windows RE, press **Windows** + **CTRL** + **Enter**. To activate the on-screen keyboard, tap on a text input control.
-
-:::image type="content" source="images/bl-narrator.png" alt-text="A screenshot of the BitLocker recovery screen showing Narrator activated.":::
-
-## BitLocker recovery screen
-
-During BitLocker recovery, Windows displays a custom recovery message and a few hints that identify where a key can be retrieved from. These improvements can help a user during BitLocker recovery.
-
-### Custom recovery message
-
-BitLocker Group Policy settings starting in Windows 10, version 1511, allows configuring a custom recovery message and URL on the BitLocker recovery screen. The custom recovery message and URL can include the address of the BitLocker self-service recovery portal, the IT internal website, or a phone number for support.
-
-This policy can be configured using GPO under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** > **Configure pre-boot recovery message and URL**.
-
-It can also be configured using mobile device management (MDM), including in Intune, using the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp):
-
-**`./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage`**
-
-
-
-Example of a customized recovery screen:
-
-
-
-### BitLocker recovery key hints
-
-BitLocker metadata has been enhanced starting in Windows 10, version 1903, to include information about when and where the BitLocker recovery key was backed up. This information isn't exposed through the UI or any public API. It's used solely by the BitLocker recovery screen in the form of hints to help a user locate a volume's recovery key. Hints are displayed on the recovery screen and refer to the location where the key has been saved. Hints are displayed on both the modern (blue) and legacy (black) recovery screen. The hints apply to both the boot manager recovery screen and the WinRE unlock screen.
-
-
-
-> [!IMPORTANT]
-> It is not recommend to print recovery keys or saving them to a file. Instead, use Active Directory backup or a cloud-based backup. Cloud-based backup includes Microsoft Entra ID and Microsoft account.
-
-There are rules governing which hint is shown during the recovery (in the order of processing):
-
-1. Always display custom recovery message if it has been configured (using GPO or MDM).
-
-2. Always display generic hint: `For more information, go to https://aka.ms/recoverykeyfaq.`
-
-3. If multiple recovery keys exist on the volume, prioritize the last-created (and successfully backed up) recovery key.
-
-4. Prioritize keys with successful backup over keys that have never been backed up.
-
-5. Prioritize backup hints in the following order for remote backup locations: **Microsoft Account > Microsoft Entra ID > Active Directory**.
-
-6. If a key has been printed and saved to file, display a combined hint, "Look for a printout or a text file with the key," instead of two separate hints.
-
-7. If multiple backups of the same type (remove vs. local) have been performed for the same recovery key, prioritize backup info with latest backed-up date.
-
-8. There's no specific hint for keys saved to an on-premises Active Directory. In this case, a custom message (if configured) or a generic message, "Contact your organization's help desk," is displayed.
-
-9. If two recovery keys are present on the disk, but only one has been successfully backed up, the system asks for a key that has been backed up, even if another key is newer.
-
-#### Example 1 (single recovery key with single backup)
-
-| Custom URL | Yes |
-|----------------------|------------|
-| Saved to Microsoft Account | Yes |
-| Saved to Microsoft Entra ID | No |
-| Saved to Active Directory | No |
-| Printed | No |
-| Saved to file | No |
-
-**Result:** The hints for the Microsoft account and custom URL are displayed.
-
-
-
-#### Example 2 (single recovery key with single backup)
-
-| Custom URL | Yes |
-|----------------------|------------|
-| Saved to Microsoft Account | No |
-| Saved to Microsoft Entra ID | No |
-| Saved to Active Directory | Yes |
-| Printed | No |
-| Saved to file | No |
-
-**Result:** Only the custom URL is displayed.
-
-
-
-#### Example 3 (single recovery key with multiple backups)
-
-| Custom URL | No |
-|----------------------|------------|
-| Saved to Microsoft Account | Yes |
-| Saved to Microsoft Entra ID | Yes |
-| Saved to Active Directory | No |
-| Printed | Yes |
-| Saved to file | Yes |
-
-**Result:** Only the Microsoft Account hint is displayed.
-
-
-
-#### Example 4 (multiple recovery passwords)
-
-| Custom URL | No |
-|----------------------|-----------------|
-| Saved to Microsoft Account | No |
-| Saved to Microsoft Entra ID | No |
-| Saved to Active Directory | No |
-| Printed | No |
-| Saved to file | Yes |
-| Creation time | **1PM** |
-| Key ID | A564F193 |
-
-
-
-
-| Custom URL | No |
-|----------------------|-----------------|
-| Saved to Microsoft Account | No |
-| Saved to Microsoft Entra ID | No |
-| Saved to Active Directory | No |
-| Printed | No |
-| Saved to file | No |
-| Creation time | **3PM** |
-| Key ID | T4521ER5 |
-
-**Result:** Only the hint for a successfully backed up key is displayed, even if it isn't the most recent key.
-
-
-
-#### Example 5 (multiple recovery passwords)
-
-| Custom URL | No |
-|----------------------|-----------------|
-| Saved to Microsoft Account | Yes |
-| Saved to Microsoft Entra ID | Yes |
-| Saved to Active Directory | No |
-| Printed | No |
-| Saved to file | No |
-| Creation time | **1PM** |
-| Key ID | 99631A34 |
-
-| Custom URL | No |
-|----------------------|-----------------|
-| Saved to Microsoft Account | No |
-| Saved to Microsoft Entra ID | Yes |
-| Saved to Active Directory | No |
-| Printed | No |
-| Saved to file | No |
-| Creation time | **3PM** |
-| Key ID | 9DF70931 |
-
-**Result:** The hint for the most recent key is displayed.
-
-
-
-## Using additional recovery information
-
-Besides the 48-digit BitLocker recovery password, other types of recovery information are stored in Active Directory. This section describes how this additional information can be used.
-
-### BitLocker key package
-
-If the recovery methods discussed earlier in this document don't unlock the volume, the BitLocker Repair tool can be used to decrypt the volume at the block level. The tool uses the BitLocker key package to help recover encrypted data from severely damaged drives. The recovered data can then be used to salvage encrypted data, even after the correct recovery password has failed to unlock the damaged volume. It's recommended to still save the recovery password. A key package can't be used without the corresponding recovery password.
-
-> [!NOTE]
-> The BitLocker Repair tool `repair-bde.exe` must be used to use the BitLocker key package.
-
-The BitLocker key package isn't saved by default. To save the package along with the recovery password in AD DS, the **Backup recovery password and key package** option must be selected in the group policy settings that control the recovery method. The key package can also be exported from a working volume. For more information on how to export key packages, see [Retrieving the BitLocker Key Package](#retrieving-the-bitlocker-key-package).
-
-## Resetting recovery passwords
-
-It's recommended to invalidate a recovery password after it has been provided and used. The recovery password can be invalidated when it has been provided and used or for any other valid reason.
-
-The recovery password and be invalidated and reset in two ways:
-
-- **Use `manage-bde.exe`**: `manage-bde.exe` can be used to remove the old recovery password and add a new recovery password. The procedure identifies the command and the syntax for this method.
-
-- **Run a script**: A script can be run to reset the password without decrypting the volume. The sample script in the procedure illustrates this functionality. The sample script creates a new recovery password and invalidates all other passwords.
-
-### Resetting a recovery password using `manage-bde.exe`
-
-1. Remove the previous recovery password.
-
- ```cmd
- `manage-bde.exe` -protectors -delete C: -type RecoveryPassword
- ```
-
-2. Add the new recovery password.
-
- ```cmd
- `manage-bde.exe` -protectors -add C: -RecoveryPassword
- ```
-
-3. Get the ID of the new recovery password. From the screen, copy the ID of the recovery password.
-
- ```cmd
- `manage-bde.exe` -protectors -get C: -Type RecoveryPassword
- ```
-
-4. Back up the new recovery password to AD DS.
-
- ```cmd
- `manage-bde.exe` -protectors -adbackup C: -id {EXAMPLE6-5507-4924-AA9E-AFB2EB003692}
- ```
-
- > [!WARNING]
- > The braces `{}` must be included in the ID string.
-
-### Running the sample recovery password script to reset the recovery passwords
-
-1. Save the following sample script in a VBScript file. For example:
-
- `ResetPassword.vbs`.
-
-2. At the command prompt, enter the following command::
-
- ```cmd
- cscript.exe ResetPassword.vbs
- ```
-
- > [!IMPORTANT]
- > This sample script is configured to work only for the C volume. If necessary, customize the script to match the volume where the password reset needs to be tested.
-
-> [!NOTE]
-> To manage a remote computer, specify the remote computer name rather than the local computer name.
-
-The following sample VBScript can be used to reset the recovery passwords:
-
-
-
- Expand to view sample recovery password VBscript to reset the recovery passwords
-
-```vb
-' Target drive letter
-strDriveLetter = "c:"
-' Target computer name
-' Use "." to connect to the local computer
-strComputerName = "."
-' --------------------------------------------------------------------------------
-' Connect to the BitLocker WMI provider class
-' --------------------------------------------------------------------------------
-strConnectionStr = "winmgmts:" _
- & "{impersonationLevel=impersonate,authenticationLevel=pktPrivacy}!\\" _
- & strComputerName _
- & "\root\cimv2\Security\MicrosoftVolumeEncryption"
-
-
-On Error Resume Next 'handle permission errors
-Set objWMIService = GetObject(strConnectionStr)
-If Err.Number <> 0 Then
- WScript.Echo "Failed to connect to the BitLocker interface (Error 0x" & Hex(Err.Number) & ")."
- Wscript.Echo "Ensure that you are running with administrative privileges."
- WScript.Quit -1
-End If
-On Error GoTo 0
-strQuery = "Select * from Win32_EncryptableVolume where DriveLetter='" & strDriveLetter & "'"
-Set colTargetVolumes = objWMIService.ExecQuery(strQuery)
-If colTargetVolumes.Count = 0 Then
- WScript.Echo "FAILURE: Unable to find BitLocker-capable drive " & strDriveLetter & " on computer " & strComputerName & "."
- WScript.Quit -1
-End If
-' there should only be one volume found
-For Each objFoundVolume in colTargetVolumes
- set objVolume = objFoundVolume
-Next
-' objVolume is now our found BitLocker-capable disk volume
-' --------------------------------------------------------------------------------
-' Perform BitLocker WMI provider functionality
-' --------------------------------------------------------------------------------
-' Add a new recovery password, keeping the ID around so it doesn't get deleted later
-' ----------------------------------------------------------------------------------
-nRC = objVolume.ProtectKeyWithNumericalPassword("Recovery Password Refreshed By Script", , sNewKeyProtectorID)
-If nRC <> 0 Then
-WScript.Echo "FAILURE: ProtectKeyWithNumericalPassword failed with return code 0x" & Hex(nRC)
-WScript.Quit -1
-End If
-' Removes the other, "stale", recovery passwords
-' ----------------------------------------------------------------------------------
-nKeyProtectorTypeIn = 3 ' type associated with "Numerical Password" protector
-nRC = objVolume.GetKeyProtectors(nKeyProtectorTypeIn, aKeyProtectorIDs)
-If nRC <> 0 Then
-WScript.Echo "FAILURE: GetKeyProtectors failed with return code 0x" & Hex(nRC)
-WScript.Quit -1
-End If
-' Delete those key protectors other than the one we just added.
-For Each sKeyProtectorID In aKeyProtectorIDs
-If sKeyProtectorID <> sNewKeyProtectorID Then
-nRC = objVolume.DeleteKeyProtector(sKeyProtectorID)
-If nRC <> 0 Then
-WScript.Echo "FAILURE: DeleteKeyProtector on ID " & sKeyProtectorID & " failed with return code 0x" & Hex(nRC)
-WScript.Quit -1
-Else
-' no output
-'WScript.Echo "SUCCESS: Key protector with ID " & sKeyProtectorID & " deleted"
-End If
-End If
-Next
-WScript.Echo "A new recovery password has been added. Old passwords have been removed."
-' - some advanced output (hidden)
-'WScript.Echo ""
-'WScript.Echo "Type ""manage-bde.exe -protectors -get " & strDriveLetter & " -type recoverypassword"" to view existing passwords."
-```
-
-
-
-## Retrieving the BitLocker key package
-
-Two methods can be used to retrieve the key package as described in [Using Additional Recovery Information](#using-additional-recovery-information):
-
-- **Export a previously saved key package from AD DS.** Read access is required to BitLocker recovery passwords that are stored in AD DS.
-
-- **Export a new key package from an unlocked, BitLocker-protected volume.** Local administrator access to the working volume is required before any damage occurred to the volume.
-
-### Running the sample key package retrieval script that exports all previously saved key packages from AD DS
-
-The following steps and sample script exports all previously saved key packages from AD DS.
-
-1. Save the following sample script in a VBScript file. For example: `GetBitLockerKeyPackageADDS.vbs`.
-
-2. At the command prompt, enter a command similar to the following sample script:
-
- ```cmd
- cscript.exe GetBitLockerKeyPackageADDS.vbs -?
- ```
-
-The following sample script can be used to create a VBScript file to retrieve the BitLocker key package from AD DS:
-
-
-
- Expand to view sample key package retrieval VBscript that exports all previously saved key packages from AD DS
-
-```vb
-' --------------------------------------------------------------------------------
-' Usage
-' --------------------------------------------------------------------------------
-Sub ShowUsage
- Wscript.Echo "USAGE: GetBitLockerKeyPackageADDS [Path To Save Key Package] [Optional Computer Name]"
- Wscript.Echo "If no computer name is specified, the local computer is assumed."
- Wscript.Echo
- Wscript.Echo "Example: GetBitLockerKeyPackageADDS E:\bitlocker-ad-key-package mycomputer"
- WScript.Quit
-End Sub
-' --------------------------------------------------------------------------------
-' Parse Arguments
-' --------------------------------------------------------------------------------
-Set args = WScript.Arguments
-Select Case args.Count
- Case 1
- If args(0) = "/?" Or args(0) = "-?" Then
- ShowUsage
- Else
- strFilePath = args(0)
- ' Get the name of the local computer
- Set objNetwork = CreateObject("WScript.Network")
- strComputerName = objNetwork.ComputerName
- End If
-
- Case 2
- If args(0) = "/?" Or args(0) = "-?" Then
- ShowUsage
- Else
- strFilePath = args(0)
- strComputerName = args(1)
- End If
- Case Else
- ShowUsage
-End Select
-' --------------------------------------------------------------------------------
-' Get path to Active Directory computer object associated with the computer name
-' --------------------------------------------------------------------------------
-Function GetStrPathToComputer(strComputerName)
- ' Uses the global catalog to find the computer in the forest
- ' Search also includes deleted computers in the tombstone
- Set objRootLDAP = GetObject("LDAP://rootDSE")
- namingContext = objRootLDAP.Get("defaultNamingContext") ' e.g. string dc=fabrikam,dc=com
- strBase = ""
-
- Set objConnection = CreateObject("ADODB.Connection")
- Set objCommand = CreateObject("ADODB.Command")
- objConnection.Provider = "ADsDSOOBject"
- objConnection.Open "Active Directory Provider"
- Set objCommand.ActiveConnection = objConnection
- strFilter = "(&(objectCategory=Computer)(cn=" & strComputerName & "))"
- strQuery = strBase & ";" & strFilter & ";distinguishedName;subtree"
- objCommand.CommandText = strQuery
- objCommand.Properties("Page Size") = 100
- objCommand.Properties("Timeout") = 100
- objCommand.Properties("Cache Results") = False
- ' Enumerate all objects found.
- Set objRecordSet = objCommand.Execute
- If objRecordSet.EOF Then
- WScript.echo "The computer name '" & strComputerName & "' cannot be found."
- WScript.Quit 1
- End If
- ' Found object matching name
- Do Until objRecordSet.EOF
- dnFound = objRecordSet.Fields("distinguishedName")
- GetStrPathToComputer = "LDAP://" & dnFound
- objRecordSet.MoveNext
- Loop
- ' Clean up.
- Set objConnection = Nothing
- Set objCommand = Nothing
- Set objRecordSet = Nothing
-End Function
-' --------------------------------------------------------------------------------
-' Securely access the Active Directory computer object using Kerberos
-' --------------------------------------------------------------------------------
-Set objDSO = GetObject("LDAP:")
-strPathToComputer = GetStrPathToComputer(strComputerName)
-WScript.Echo "Accessing object: " + strPathToComputer
-Const ADS_SECURE_AUTHENTICATION = 1
-Const ADS_USE_SEALING = 64 '0x40
-Const ADS_USE_SIGNING = 128 '0x80
-' --------------------------------------------------------------------------------
-' Get all BitLocker recovery information from the Active Directory computer object
-' --------------------------------------------------------------------------------
-' Get all the recovery information child objects of the computer object
-Set objFveInfos = objDSO.OpenDSObject(strPathToComputer, vbNullString, vbNullString, _
- ADS_SECURE_AUTHENTICATION + ADS_USE_SEALING + ADS_USE_SIGNING)
-objFveInfos.Filter = Array("msFVE-RecoveryInformation")
-' Iterate through each recovery information object and saves any existing key packages
-nCount = 1
-strFilePathCurrent = strFilePath & nCount
-For Each objFveInfo in objFveInfos
- strName = objFveInfo.Get("name")
- strRecoveryPassword = objFveInfo.Get("msFVE-RecoveryPassword")
- strKeyPackage = objFveInfo.Get("msFVE-KeyPackage")
- WScript.echo
- WScript.echo "Recovery Object Name: " + strName
- WScript.echo "Recovery Password: " + strRecoveryPassword
- ' Validate file path
- Set fso = CreateObject("Scripting.FileSystemObject")
- If (fso.FileExists(strFilePathCurrent)) Then
- WScript.Echo "The file " & strFilePathCurrent & " already exists. Please use a different path."
-WScript.Quit -1
- End If
- ' Save binary data to the file
- SaveBinaryDataText strFilePathCurrent, strKeyPackage
-
- WScript.echo "Related key package successfully saved to " + strFilePathCurrent
- ' Update next file path using base name
- nCount = nCount + 1
- strFilePathCurrent = strFilePath & nCount
-Next
-'----------------------------------------------------------------------------------------
-' Utility functions to save binary data
-'----------------------------------------------------------------------------------------
-Function SaveBinaryDataText(FileName, ByteArray)
- 'Create FileSystemObject object
- Dim FS: Set FS = CreateObject("Scripting.FileSystemObject")
-
- 'Create text stream object
- Dim TextStream
- Set TextStream = FS.CreateTextFile(FileName)
-
- 'Convert binary data To text And write them To the file
- TextStream.Write BinaryToString(ByteArray)
-End Function
-Function BinaryToString(Binary)
- Dim I, S
- For I = 1 To LenB(Binary)
- S = S & Chr(AscB(MidB(Binary, I, 1)))
- Next
- BinaryToString = S
-End Function
-WScript.Quit
-```
-
-
-
-### Running the sample key package retrieval script that exports a new key package from an unlocked, encrypted volume
-
-The following steps and sample script exports a new key package from an unlocked, encrypted volume.
-
-1. Save the following sample script in a VBScript file. For example: `GetBitLockerKeyPackage.vbs`
-
-2. Open an administrator command prompt, and then enter a command similar to the following sample script:
-
- ```cmd
- cscript.exe GetBitLockerKeyPackage.vbs -?
- ```
-
-
-
- Expand to view sample VBscript that exports a new key package from an unlocked, encrypted volume
-
-```vb
-' --------------------------------------------------------------------------------
-' Usage
-' --------------------------------------------------------------------------------
-Sub ShowUsage
- Wscript.Echo "USAGE: GetBitLockerKeyPackage [VolumeLetter/DriveLetter:] [Path To Save Key Package]"
- Wscript.Echo
- Wscript.Echo "Example: GetBitLockerKeyPackage C: E:\bitlocker-backup-key-package"
- WScript.Quit
-End Sub
-' --------------------------------------------------------------------------------
-' Parse Arguments
-' --------------------------------------------------------------------------------
-Set args = WScript.Arguments
-Select Case args.Count
- Case 2
- If args(0) = "/?" Or args(0) = "-?" Then
- ShowUsage
- Else
- strDriveLetter = args(0)
- strFilePath = args(1)
- End If
- Case Else
- ShowUsage
-End Select
-' --------------------------------------------------------------------------------
-' Other Inputs
-' --------------------------------------------------------------------------------
-' Target computer name
-' Use "." to connect to the local computer
-strComputerName = "."
-' Default key protector ID to use. Specify "" to let the script choose.
-strDefaultKeyProtectorID = ""
-' strDefaultKeyProtectorID = "{001298E0-870E-4BA0-A2FF-FC74758D5720}" ' sample
-' --------------------------------------------------------------------------------
-' Connect to the BitLocker WMI provider class
-' --------------------------------------------------------------------------------
-strConnectionStr = "winmgmts:" _
- & "{impersonationLevel=impersonate,authenticationLevel=pktPrivacy}!\\" _
- & strComputerName _
- & "\root\cimv2\Security\MicrosoftVolumeEncryption"
-
-
-On Error Resume Next 'handle permission errors
-Set objWMIService = GetObject(strConnectionStr)
-If Err.Number <> 0 Then
- WScript.Echo "Failed to connect to the BitLocker interface (Error 0x" & Hex(Err.Number) & ")."
- Wscript.Echo "Ensure that you are running with administrative privileges."
- WScript.Quit -1
-End If
-On Error GoTo 0
-strQuery = "Select * from Win32_EncryptableVolume where DriveLetter='" & strDriveLetter & "'"
-Set colTargetVolumes = objWMIService.ExecQuery(strQuery)
-If colTargetVolumes.Count = 0 Then
- WScript.Echo "FAILURE: Unable to find BitLocker-capable drive " & strDriveLetter & " on computer " & strComputerName & "."
- WScript.Quit -1
-End If
-' there should only be one volume found
-For Each objFoundVolume in colTargetVolumes
- set objVolume = objFoundVolume
-Next
-' objVolume is now our found BitLocker-capable disk volume
-' --------------------------------------------------------------------------------
-' Perform BitLocker WMI provider functionality
-' --------------------------------------------------------------------------------
-' Collect all possible valid key protector ID's that can be used to get the package
-' ----------------------------------------------------------------------------------
-nNumericalKeyProtectorType = 3 ' type associated with "Numerical Password" protector
-nRC = objVolume.GetKeyProtectors(nNumericalKeyProtectorType, aNumericalKeyProtectorIDs)
-If nRC <> 0 Then
-WScript.Echo "FAILURE: GetKeyProtectors failed with return code 0x" & Hex(nRC)
-WScript.Quit -1
-End If
-nExternalKeyProtectorType = 2 ' type associated with "External Key" protector
-nRC = objVolume.GetKeyProtectors(nExternalKeyProtectorType, aExternalKeyProtectorIDs)
-If nRC <> 0 Then
-WScript.Echo "FAILURE: GetKeyProtectors failed with return code 0x" & Hex(nRC)
-WScript.Quit -1
-End If
-' Get first key protector of the type "Numerical Password" or "External Key", if any
-' ----------------------------------------------------------------------------------
-if strDefaultKeyProtectorID = "" Then
-' Save first numerical password, if exists
-If UBound(aNumericalKeyProtectorIDs) <> -1 Then
-strDefaultKeyProtectorID = aNumericalKeyProtectorIDs(0)
-End If
-' No numerical passwords exist, save the first external key
-If strDefaultKeyProtectorID = "" and UBound(aExternalKeyProtectorIDs) <> -1 Then
-strDefaultKeyProtectorID = aExternalKeyProtectorIDs(0)
-End If
-' Fail case: no recovery key protectors exist.
-If strDefaultKeyProtectorID = "" Then
-WScript.Echo "FAILURE: Cannot create backup key package because no recovery passwords or recovery keys exist. Check that BitLocker protection is on for this drive."
-WScript.Echo "For help adding recovery passwords or recovery keys, enter ""manage-bde.exe -protectors -add -?""."
-WScript.Quit -1
-End If
-End If
-' Get some information about the chosen key protector ID
-' ----------------------------------------------------------------------------------
-' is the type valid?
-nRC = objVolume.GetKeyProtectorType(strDefaultKeyProtectorID, nDefaultKeyProtectorType)
-If Hex(nRC) = "80070057" Then
-WScript.Echo "The key protector ID " & strDefaultKeyProtectorID & " is not valid."
-WScript.Echo "This ID value may have been provided by the script writer."
-ElseIf nRC <> 0 Then
-WScript.Echo "FAILURE: GetKeyProtectorType failed with return code 0x" & Hex(nRC)
-WScript.Quit -1
-End If
-' what's a string that can be used to describe it?
-strDefaultKeyProtectorType = ""
-Select Case nDefaultKeyProtectorType
- Case nNumericalKeyProtectorType
- strDefaultKeyProtectorType = "recovery password"
- Case nExternalKeyProtectorType
- strDefaultKeyProtectorType = "recovery key"
- Case Else
- WScript.Echo "The key protector ID " & strDefaultKeyProtectorID & " does not refer to a valid recovery password or recovery key."
- WScript.Echo "This ID value may have been provided by the script writer."
-End Select
-' Save the backup key package using the chosen key protector ID
-' ----------------------------------------------------------------------------------
-nRC = objVolume.GetKeyPackage(strDefaultKeyProtectorID, oKeyPackage)
-If nRC <> 0 Then
-WScript.Echo "FAILURE: GetKeyPackage failed with return code 0x" & Hex(nRC)
-WScript.Quit -1
-End If
-' Validate file path
-Set fso = CreateObject("Scripting.FileSystemObject")
-If (fso.FileExists(strFilePath)) Then
-WScript.Echo "The file " & strFilePath & " already exists. Please use a different path."
-WScript.Quit -1
-End If
-Dim oKeyPackageByte, bKeyPackage
-For Each oKeyPackageByte in oKeyPackage
- 'WScript.echo "key package byte: " & oKeyPackageByte
- bKeyPackage = bKeyPackage & ChrB(oKeyPackageByte)
-Next
-' Save binary data to the file
-SaveBinaryDataText strFilePath, bKeyPackage
-' Display helpful information
-' ----------------------------------------------------------------------------------
-WScript.Echo "The backup key package has been saved to " & strFilePath & "."
-WScript.Echo "IMPORTANT: To use this key package, the " & strDefaultKeyProtectorType & " must also be saved."
-' Display the recovery password or a note about saving the recovery key file
-If nDefaultKeyProtectorType = nNumericalKeyProtectorType Then
-nRC = objVolume.GetKeyProtectorNumericalPassword(strDefaultKeyProtectorID, sNumericalPassword)
-If nRC <> 0 Then
-WScript.Echo "FAILURE: GetKeyProtectorNumericalPassword failed with return code 0x" & Hex(nRC)
-WScript.Quit -1
-End If
-WScript.Echo "Save this recovery password: " & sNumericalPassword
-ElseIf nDefaultKeyProtectorType = nExternalKeyProtectorType Then
-WScript.Echo "The saved key file is named " & strDefaultKeyProtectorID & ".BEK"
-WScript.Echo "For help re-saving this external key file, enter ""manage-bde.exe -protectors -get -?"""
-End If
-'----------------------------------------------------------------------------------------
-' Utility functions to save binary data
-'----------------------------------------------------------------------------------------
-Function SaveBinaryDataText(FileName, ByteArray)
- 'Create FileSystemObject object
- Dim FS: Set FS = CreateObject("Scripting.FileSystemObject")
-
- 'Create text stream object
- Dim TextStream
- Set TextStream = FS.CreateTextFile(FileName)
-
- 'Convert binary data To text And write them To the file
- TextStream.Write BinaryToString(ByteArray)
-End Function
-Function BinaryToString(Binary)
- Dim I, S
- For I = 1 To LenB(Binary)
- S = S & Chr(AscB(MidB(Binary, I, 1)))
- Next
- BinaryToString = S
-End Function
-```
-
-
-
-## Related articles
-
-- [BitLocker overview](index.md)
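Review bot: removing this file drops the only documented home for the recovery-hint ordering rules, the `./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage` CSP path, and the three sample scripts (`ResetPassword.vbs`, `GetBitLockerKeyPackageADDS.vbs`, `GetBitLockerKeyPackage.vbs`), yet nothing in the hunk says where that content now lives; the PR should add a redirect for the deleted path and confirm the replacement page still covers the key-package and reset procedures, because the deleted text cross-references `#retrieving-the-bitlocker-key-package` and `#using-additional-recovery-information` and states that `repair-bde.exe` (whose page is also deleted in the next hunk) is required to use a key package. If the scripts are relocated rather than retired, carry the `[!IMPORTANT]` guidance against printing or file-saving recovery keys over with `GetBitLockerKeyPackageADDS.vbs`, which echoes every `msFVE-RecoveryPassword` to the console and writes key packages to disk, and strip the stray backticks around `manage-bde.exe` inside the `cmd` fences of the reset procedure, which would otherwise render literally.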
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
deleted file mode 100644
index cde89fc313..0000000000
--- a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
+++ /dev/null
@@ -1,228 +0,0 @@
----
-title: How to use the BitLocker drive encryption tools to manage BitLocker
-description: Learn how to use tools to manage BitLocker.
-ms.collection:
- - tier1
-ms.topic: how-to
-ms.date: 07/25/2023
----
-
-# How to use the BitLocker drive encryption tools to manage BitLocker
-
-BitLocker drive encryption tools include the command-line tools *manage-bde.exe*, *repair-bde.exe*, and the cmdlets for Windows PowerShell.
-
-The tools can be used to perform any tasks that can be accomplished through the BitLocker control panel and are appropriate to use for automated deployments and other scripting scenarios.
-
-## Manage-bde
-
-Manage-bde is a command-line tool that can be used for scripting BitLocker operations. Manage-bde offers additional options not displayed in the BitLocker control panel. For a complete list of the `manage-bde.exe` options, see the [Manage-bde](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/ff829849(v=ws.11)) command-line reference.
-
-Manage-bde includes fewer default settings and requires greater customization for configuring BitLocker. For example, using just the `manage-bde.exe -on` command on a data volume will fully encrypt the volume without any authenticating protectors. A volume encrypted in this manner still requires user interaction to turn on BitLocker protection, even though the command successfully completed because an authentication method needs to be added to the volume for it to be fully protected. The following sections provide examples of common usage scenarios for manage-bde.
-
-### Using manage-bde with operating system volumes
-
-Listed below are examples of basic valid commands for operating system volumes. In general, using only the `manage-bde.exe -on ` command will encrypt the operating system volume with a TPM-only protector and no recovery key. However, many environments require more secure protectors such as passwords or PIN and expect information recovery with a recovery key. It's recommended to add at least one primary protector plus a recovery protector to an operating system volume.
-
-A good practice when using `manage-bde.exe` is to determine the volume status on the target system. Use the following command to determine volume status:
-
-```cmd
-manage-bde.exe -status
-```
-
-This command returns the volumes on the target, current encryption status, encryption method, and volume type (operating system or data) for each volume:
-
-
-
-The following example illustrates enabling BitLocker on a computer without a TPM chip. Before beginning the encryption process, the startup key needed for BitLocker must be created and saved to a USB drive. When BitLocker is enabled for the operating system volume, BitLocker will need to access the USB flash drive to obtain the encryption key. In this example, the drive letter E represents the USB drive. Once the commands are run, it will prompt to reboot the computer to complete the encryption process.
-
-```cmd
-manage-bde.exe -protectors -add C: -startupkey E:
-manage-bde.exe -on C:
-```
-
-> [!NOTE]
-> After the encryption is completed, the USB startup key must be inserted before the operating system can be started.
-
-An alternative to the startup key protector on non-TPM hardware is to use a password and an **ADaccountorgroup** protector to protect the operating system volume. In this scenario, the protectors are added first. To add the protectors, enter the following command:
-
-```cmd
-manage-bde.exe -protectors -add C: -pw -sid
-```
-
-The above command will require the password protector to be entered and confirmed before adding them to the volume. With the protectors enabled on the volume, BitLocker can then be turned on.
-
-On computers with a TPM, it's possible to encrypt the operating system volume without defining any protectors using `manage-bde.exe`. To enable BitLocker on a computer with a TPM without defining any protectors, enter the following command:
-
-```cmd
-manage-bde.exe -on C:
-```
-
-The above command encrypts the drive using the TPM as the default protector. If verify if a TPM protector is available, the list of protectors available for a volume can be listed by running the following command:
-
-```cmd
- manage-bde.exe -protectors -get
-```
-
-### Using manage-bde with data volumes
-
-Data volumes use the same syntax for encryption as operating system volumes but they don't require protectors for the operation to complete. Encrypting data volumes can be done using the base command:
-
-`manage-bde.exe -on `
-
-or additional protectors can be added to the volume first. It's recommended to add at least one primary protector plus a recovery protector to a data volume.
-
-A common protector for a data volume is the password protector. In the example below, a password protector is added to the volume and then BitLocker is turned on.
-
-```cmd
-manage-bde.exe -protectors -add -pw C:
-manage-bde.exe -on C:
-```
-
-## BitLocker Repair Tool
-
-Hard disk areas on which BitLocker stores critical information could be damaged, for example, when a hard disk fails or if Windows exits unexpectedly.
-
-The BitLocker Repair Tool (*repair-bde.exe*) is useful for disaster recovery scenarios, in which a BitLocker protected drive can't be unlocked normally or using the recovery console.
-
-The Repair Tool can reconstruct critical parts of the drive and salvage recoverable data, as long as a valid recovery password or recovery key is used to decrypt the data. If the BitLocker metadata data on the drive is corrupt, the backup key package in addition to the recovery password or recovery key must be supplied. The key package is backed up in Active Directory Domain Services (AD DS) if the default settings for AD DS backup are used. With the key package and either the recovery password or recovery key, portions of a corrupted BitLocker-protected drive can be decrypted. Each key package works only for a drive that has the corresponding drive identifier. The BitLocker Recovery Password Viewer can be used to obtain this key package from AD DS.
-
-> [!TIP]
-> If recovery information is not backed up to AD DS or if key packages need to be saved in an alternative way, use the following command to generate a key package for a volume:
->
-> `manage-bde.exe -KeyPackage`
-
-The Repair Tool is intended for use when the operating system doesn't start or when the BitLocker Recovery Console can't be started. Use Repair-bde in the following conditions:
-
-- The drive is encrypted using BitLocker Drive Encryption
-- Windows doesn't start, or the BitLocker recovery console can't start
-- There isn't a backup copy of the data that is contained on the encrypted drive
-
-> [!NOTE]
-> Damage to the drive may not be related to BitLocker. Therefore, it is recommended to try other tools to help diagnose and resolve the problem with the drive before using the BitLocker Repair Tool. The Windows Recovery Environment (Windows RE) provides additional options to repair computers.
-
-The following limitations exist for Repair-bde:
-
-- The Repair-bde command-line tool can't repair a drive that failed during the encryption or decryption process.
-
-- The Repair-bde command-line tool assumes that if the drive has any encryption, then the drive has been fully encrypted.
-
-For more information about using repair-bde, see [Repair-bde](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/ff829851(v=ws.11)).
-
-## BitLocker cmdlets for Windows PowerShell
-
-Windows PowerShell cmdlets provide a new way for administrators to use when working with BitLocker. Using Windows PowerShell's scripting capabilities, administrators can integrate BitLocker options into existing scripts with ease. The list below displays the available BitLocker cmdlets.
-
-|Name|Parameters|
-|--- |--- |
-|**Add-BitLockerKeyProtector**|
ADAccountOrGroup
ADAccountOrGroupProtector
Confirm
MountPoint
Password
PasswordProtector
Pin
RecoveryKeyPath
RecoveryKeyProtector
RecoveryPassword
RecoveryPasswordProtector
Service
StartupKeyPath
StartupKeyProtector
TpmAndPinAndStartupKeyProtector
TpmAndPinProtector
TpmAndStartupKeyProtector
TpmProtector
WhatIf|
-|**Backup-BitLockerKeyProtector**|
Confirm
KeyProtectorId
MountPoint
WhatIf|
-|**Disable-BitLocker**|
Confirm
MountPoint
WhatIf|
-|**Disable-BitLockerAutoUnlock**|
Confirm
MountPoint
WhatIf|
-|**Enable-BitLocker**|
AdAccountOrGroup
AdAccountOrGroupProtector
Confirm
EncryptionMethod
HardwareEncryption
Password
PasswordProtector
Pin
RecoveryKeyPath
RecoveryKeyProtector
RecoveryPassword
RecoveryPasswordProtector
Service
SkipHardwareTest
StartupKeyPath
StartupKeyProtector
TpmAndPinAndStartupKeyProtector
TpmAndPinProtector
TpmAndStartupKeyProtector
TpmProtector
UsedSpaceOnly
WhatIf|
-|**Enable-BitLockerAutoUnlock**|
Confirm
MountPoint
WhatIf|
-|**Get-BitLockerVolume**|
MountPoint|
-|**Lock-BitLocker**|
Confirm
ForceDismount
MountPoint
WhatIf|
-|**Remove-BitLockerKeyProtector**|
Confirm
KeyProtectorId
MountPoint
WhatIf|
-|**Resume-BitLocker**|
Confirm
MountPoint
WhatIf|
-|**Suspend-BitLocker**|
Confirm
MountPoint
RebootCount
WhatIf|
-|**Unlock-BitLocker**|
AdAccountOrGroup
Confirm
MountPoint
Password
RecoveryKeyPath
RecoveryPassword
RecoveryPassword
WhatIf|
-
-Similar to manage-bde, the Windows PowerShell cmdlets allow configuration beyond the options offered in the control panel. As with manage-bde, users need to consider the specific needs of the volume they're encrypting prior to running Windows PowerShell cmdlets.
-
-A good initial step is to determine the current state of the volume(s) on the computer. Determining the current state of the volume(s) can be done using the `Get-BitLockerVolume` cmdlet.
-
-The `Get-BitLockerVolume` cmdlet output gives information on the volume type, protectors, protection status, and other details.
-
-> [!TIP]
-> Occasionally, all protectors may not be shown when using `Get-BitLockerVolume` due to lack of space in the output display. If all of the protectors for a volume are not seen, use the Windows PowerShell pipe command (|) to format a full listing of the protectors:
->
-> `Get-BitLockerVolume C: | fl`
-
-To remove the existing protectors prior to provisioning BitLocker on the volume, use the `Remove-BitLockerKeyProtector` cmdlet. Running this cmdlet requires the GUID associated with the protector to be removed.
-
-A simple script can pipe the values of each Get-BitLockerVolume return out to another variable as seen below:
-
-```powershell
-$vol = Get-BitLockerVolume
-$keyprotectors = $vol.KeyProtector
-```
-
-By using this script, the information in the $keyprotectors variable can be displayed to determine the GUID for each protector.
-
-By using this information, the key protector for a specific volume can be removed using the command:
-
-```powershell
-Remove-BitLockerKeyProtector : -KeyProtectorID "{GUID}"
-```
-
-> [!NOTE]
-> The BitLocker cmdlet requires the key protector GUID enclosed in quotation marks to execute. Ensure the entire GUID, with braces, is included in the command.
-
-### Using the BitLocker Windows PowerShell cmdlets with operating system volumes
-
-Using the BitLocker Windows PowerShell cmdlets is similar to working with the manage-bde tool for encrypting operating system volumes. Windows PowerShell offers users flexibility. For example, users can add the desired protector as part command for encrypting the volume. Below are examples of common user scenarios and steps to accomplish them in BitLocker Windows PowerShell.
-
-The following example shows how to enable BitLocker on an operating system drive using only the TPM protector:
-
-```powershell
-Enable-BitLocker C:
-```
-
-In the example below, adds one additional protector, the StartupKey protector and chooses to skip the BitLocker hardware test. In this example, encryption starts immediately without the need for a reboot.
-
-```powershell
-Enable-BitLocker C: -StartupKeyProtector -StartupKeyPath -SkipHardwareTest
-```
-
-### Using the BitLocker Windows PowerShell cmdlets with data volumes
-
-Data volume encryption using Windows PowerShell is the same as for operating system volumes. Add the desired protectors prior to encrypting the volume. The following example adds a password protector to the E: volume using the variable $pw as the password. The $pw variable is held as a
-SecureString value to store the user-defined password.
-
-```powershell
-$pw = Read-Host -AsSecureString
-
-Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw
-```
-
-### Using an AD Account or Group protector in Windows PowerShell
-
-The **ADAccountOrGroup** protector, introduced in Windows 8 and Windows Server 2012, is an Active Directory SID-based protector. This protector can be added to both operating system and data volumes, although it doesn't unlock operating system volumes in the pre-boot environment. The protector requires the SID for the domain account or group to link with the protector. BitLocker can protect a cluster-aware disk by adding a SID-based protector for the Cluster Name Object (CNO) that lets the disk properly fail over to and become unlocked by any member computer of the cluster.
-
-> [!WARNING]
-> The **ADAccountOrGroup** protector requires the use of an additional protector for use (such as TPM, PIN, or recovery key) when used on operating system volumes
-
-To add an **ADAccountOrGroup** protector to a volume, use either the actual domain SID or the group name preceded by the domain and a backslash. In the example below, the CONTOSO\\Administrator account is added as a protector to the data volume G.
-
-```powershell
-Enable-BitLocker G: -AdAccountOrGroupProtector -AdAccountOrGroup CONTOSO\Administrator
-```
-
-For users who wish to use the SID for the account or group, the first step is to determine the SID associated with the account. To get the specific SID for a user account in Windows PowerShell, use the following command:
-
-> [!NOTE]
-> Use of this command requires the RSAT-AD-PowerShell feature.
-
-```powershell
-get-aduser -filter {samaccountname -eq "administrator"}
-```
-
-> [!TIP]
-> In addition to the PowerShell command above, information about the locally logged on user and group membership can be found using: WHOAMI /ALL. This doesn't require the use of additional features.
-
-The following example adds an **ADAccountOrGroup** protector to the previously encrypted operating system volume using the SID of the account:
-
-```powershell
-Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup S-1-5-21-3651336348-8937238915-291003330-500
-```
-
-> [!NOTE]
-> Active Directory-based protectors are normally used to unlock Failover Cluster enabled volumes.
-
-## Related articles
-
-- [BitLocker overview](index.md)
-- [BitLocker frequently asked questions (FAQ)](faq.yml)
-- [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)
-- [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md)
-- [BitLocker: How to deploy on Windows Server 2012](bitlocker-how-to-deploy-on-windows-server.md)
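Review bot: several of the command examples being removed in this hunk are wrong as written, so they should not be ported verbatim into the operations guide that replaces this content. `Remove-BitLockerKeyProtector : -KeyProtectorID "{GUID}"` is missing its mount point and should be `Remove-BitLockerKeyProtector C: -KeyProtectorId "{GUID}"`; `Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw` names a cmdlet that does not exist (the data-volume example needs `Enable-BitLocker` with those switches); and `Enable-BitLocker C: -StartupKeyProtector -StartupKeyPath -SkipHardwareTest` passes -StartupKeyPath with no path. In the manage-bde section, the password-plus-SID example gives -sid no account or group, the "-protectors -get" and the bare "-on" examples omit the volume, and "If verify if a TPM protector is available" is a garbled sentence. The Unlock-BitLocker row of the cmdlet table also lists RecoveryPassword twice. Whatever replaces this page should carry the corrected forms rather than these.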
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md
deleted file mode 100644
index 322c07dbd6..0000000000
--- a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md
+++ /dev/null
@@ -1,45 +0,0 @@
----
-title: How to use BitLocker Recovery Password Viewer
-description: Learn how to use the BitLocker Recovery Password Viewer tool.
-ms.collection:
- - tier1
-ms.topic: how-to
-ms.date: 07/25/2023
----
-
-# How to use BitLocker Recovery Password Viewer
-
-BitLocker Recovery Password Viewer is an optional tool included with the *Remote Server Administration Tools (RSAT)*. With Recovery Password Viewer you can view the BitLocker recovery passwords that are stored in Active Directory Domain Services (AD DS). The tool is an extension for the *Active Directory Users and Computers Microsoft Management Console (MMC)* snap-in.
-
-With BitLocker Recovery Password Viewer you can:
-
-- Check the Active Directory computer object's properties to find the associated BitLocker recovery passwords
-- Search Active Directory for BitLocker recovery password across all the domains in the Active Directory forest. Passwords can also be searched by password identifier (ID)
-
-## Requirements
-
-To complete the procedures in this scenario, the following requirements must be met:
-
-- Domain administrator credentials
-- Devices must be joined to the domain
-- On the domain-joined devices, BitLocker must be enabled
-
-The following procedures describe the most common tasks performed by using the BitLocker Recovery Password Viewer.
-
-## View the recovery passwords for a computer object
-
-1. In **Active Directory Users and Computers**, locate and then select the container in which the computer is located
-1. Right-click the computer object and select **Properties**
-1. In the **Properties** dialog box, select the **BitLocker Recovery** tab to view the BitLocker recovery passwords that are associated with the computer
-
-## Copy the recovery passwords for a computer object
-
-1. Follow the steps in the previous procedure to view the BitLocker recovery passwords
-1. On the **BitLocker Recovery** tab of the **Properties** dialog box, right-click the BitLocker recovery password that needs to be copied, and then select **Copy Details**
-1. Press CTRL+V to paste the copied text to a destination location, such as a text file or spreadsheet
-
-## Locate a recovery password by using a password ID
-
-1. In Active Directory Users and Computers, right-click the domain container and select **Find BitLocker Recovery Password**
-1. In the **Find BitLocker Recovery Password** dialog box, type the first eight characters of the recovery password in the **Password ID (first 8 characters)** box, and select **Search**
-1. Once the recovery password is located, you can use the previous procedure to copy it
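Review bot: deleting this how-to outright loses the only documented procedure for finding a recovery password by the password ID shown on the pre-boot recovery screen (the "Locate a recovery password by using a password ID" steps), and nothing in this diff adds a redirect for the removed URL. If the content is moving to the new operations guide, add the redirect entry in the same change and carry the password-ID lookup steps over. While doing so, tighten the Requirements list: reading the msFVE-RecoveryInformation objects is what the viewer needs, and that right can be delegated, so "Domain administrator credentials" overstates the requirement.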
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/configure.md b/windows/security/operating-system-security/data-protection/bitlocker/configure.md
new file mode 100644
index 0000000000..2440fda840
--- /dev/null
+++ b/windows/security/operating-system-security/data-protection/bitlocker/configure.md
@@ -0,0 +1,196 @@
+---
+title: Configure BitLocker
+description: Learn about the available options to configure BitLocker and how to configure them via Configuration Service Providers (CSP) or group policy (GPO).
+ms.topic: how-to
+ms.date: 10/30/2023
+---
+
+# Configure BitLocker
+
+To configure BitLocker, you can use one of the following options:
+
+- Configuration Service Provider (CSP): this option is commonly used for devices managed by a Mobile Device Management (MDM) solution, like Microsoft Intune. The [BitLocker CSP][WIN-1] is used to configure BitLocker, and to report the status of different BitLocker functions to the MDM solution. With Microsoft Intune, you can use the BitLocker status in [compliance policies][INT-1], combining them with [Conditional Access][ENTRA-1]. Conditional Access can prevent or grant access to services like Exchange Online and SharePoint Online, based on the status of BitLocker. To learn more about the Intune options to configure and monitor BitLocker, check the following articles:
+
+ - [Manage BitLocker policy for Windows devices with Intune][INT-2]
+ - [Monitor device encryption with Intune][INT-3]
+ - [Use compliance policies to set rules for devices you manage with Intune][INT-4]
+
+- Group policy (GPO): this option can be used for devices that are joined to an Active Directory domain and aren't managed by a device management solution. Group policy can also be used for devices that aren't joined to an Active Directory domain, using the local group policy editor
+- Microsoft Configuration Manager: this option can be used for devices that are managed by Microsoft Configuration Manager using the BitLocker management agent. To learn more about options to configure BitLocker via Microsoft Configuration Manager, see [Deploy BitLocker management][MCM-1]
+
+> [!NOTE]
+> Windows Server doesn't support the configuration of BitLocker using CSP or Microsoft Configuration Manager. Use GPO instead.
+
+While many of the BitLocker policy settings can be configured using both CSP and GPO, there are some settings that are only available using one of the options. To learn about the policy settings available for both CSP and GPO, review the section [BitLocker policy settings](#bitlocker-policy-settings).
+
+[!INCLUDE [bitlocker](../../../../../includes/licensing/bitlocker-management.md)]
+
+## BitLocker policy settings
+
+This section describes the policy settings to configure BitLocker via configuration service provider (CSP) and group policy (GPO).
+
+> [!IMPORTANT]
+> Most of the BitLocker policy settings are enforced when BitLocker is initially turned on for a drive. Encryption isn't restarted if settings change.
+
+### Policy settings list
+
+The list of settings is sorted alphabetically and organized in four categories:
+
+- **Common settings**: settings applicable to all BitLocker-protected drives
+- **Operating system drive**: settings applicable to the drive where Windows is installed
+- **Fixed data drives**: settings applicable to any local drives, except the operating system drive
+- **Removable data drives**: settings applicable to any removable drives
+
+Select one of the tabs to see the list of available settings:
+
+#### [:::image type="icon" source="images/locked-drive.svg"::: **Common settings**](#tab/common)
+
+The following table lists the BitLocker policies applicable to all drive types, indicating if they're applicable via configuration service provider (CSP) and/or group policy (GPO). Select the policy name for more details.
+
+|Policy name| CSP | GPO |
+|-|-|-|
+|[Allow standard user encryption](#allow-standard-user-encryption)|✅|❌|
+|[Choose default folder for recovery password](#choose-default-folder-for-recovery-password)|❌|✅|
+|[Choose drive encryption method and cipher strength](#choose-drive-encryption-method-and-cipher-strength)|✅|✅|
+|[Configure recovery password rotation](#configure-recovery-password-rotation)|✅|❌|
+|[Disable new DMA devices when this computer is locked](#disable-new-dma-devices-when-this-computer-is-locked)|❌|✅|
+|[Prevent memory overwrite on restart](#prevent-memory-overwrite-on-restart)|❌|✅|
+|[Provide the unique identifiers for your organization](#provide-the-unique-identifiers-for-your-organization)|✅|✅|
+|[Require device encryption](#require-device-encryption)|✅|❌|
+|[Validate smart card certificate usage rule compliance](#validate-smart-card-certificate-usage-rule-compliance)|❌|✅|
+
+[!INCLUDE [allow-standard-user-encryption](includes/allow-standard-user-encryption.md)]
+[!INCLUDE [choose-default-folder-for-recovery-password](includes/choose-default-folder-for-recovery-password.md)]
+[!INCLUDE [choose-drive-encryption-method-and-cipher-strength](includes/choose-drive-encryption-method-and-cipher-strength.md)]
+[!INCLUDE [configure-recovery-password-rotation](includes/configure-recovery-password-rotation.md)]
+[!INCLUDE [disable-new-dma-devices-when-this-computer-is-locked](includes/disable-new-dma-devices-when-this-computer-is-locked.md)]
+[!INCLUDE [prevent-memory-overwrite-on-restart](includes/prevent-memory-overwrite-on-restart.md)]
+[!INCLUDE [provide-the-unique-identifiers-for-your-organization](includes/provide-the-unique-identifiers-for-your-organization.md)]
+[!INCLUDE [require-device-encryption](includes/require-device-encryption.md)]
+[!INCLUDE [validate-smart-card-certificate-usage-rule-compliance](includes/validate-smart-card-certificate-usage-rule-compliance.md)]
+
+#### [:::image type="icon" source="images/os-drive.svg"::: **Operating system drive**](#tab/os)
+
+|Policy name| CSP | GPO |
+|-|-|-|
+|[Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN](#allow-devices-compliant-with-instantgo-or-hsti-to-opt-out-of-preboot-pin)|✅|✅|
+|[Allow enhanced PINs for startup](#allow-enhanced-pins-for-startup)|✅|✅|
+|[Allow network unlock at startup](#allow-network-unlock-at-startup)|❌|✅|
+|[Allow Secure Boot for integrity validation](#allow-secure-boot-for-integrity-validation)|❌|✅|
+|[Allow Warning For Other Disk Encryption](#allow-warning-for-other-disk-encryption)|✅|❌|
+|[Choose how BitLocker-protected operating system drives can be recovered](#choose-how-bitlocker-protected-operating-system-drives-can-be-recovered)|✅|✅|
+|[Configure minimum PIN length for startup](#configure-minimum-pin-length-for-startup)|✅|✅|
+|[Configure pre-boot recovery message and URL](#configure-preboot-recovery-message-and-url)|✅|✅|
+|[Configure TPM platform validation profile for BIOS-based firmware configurations](#configure-tpm-platform-validation-profile-for-bios-based-firmware-configurations)|❌|✅|
+|[Configure TPM platform validation profile for native UEFI firmware configurations](#configure-tpm-platform-validation-profile-for-native-uefi-firmware-configurations)|❌|✅|
+|[Configure use of hardware-based encryption for operating system drives](#configure-use-of-hardware-based-encryption-for-operating-system-drives)|❌|✅|
+|[Configure use of passwords for operating system drives](#configure-use-of-passwords-for-operating-system-drives)|❌|✅|
+|[Disallow standard users from changing the PIN or password](#disallow-standard-users-from-changing-the-pin-or-password)|✅|✅|
+|[Enable use of BitLocker authentication requiring preboot keyboard input on slates](#enable-use-of-bitlocker-authentication-requiring-preboot-keyboard-input-on-slates)|✅|✅|
+|[Enforce drive encryption type on operating system drives](#enforce-drive-encryption-type-on-operating-system-drives)|✅|✅|
+|[Require additional authentication at startup](#require-additional-authentication-at-startup)|✅|✅|
+|[Reset platform validation data after BitLocker recovery](#reset-platform-validation-data-after-bitlocker-recovery)|❌|✅|
+|[Use enhanced Boot Configuration Data validation profile](#use-enhanced-boot-configuration-data-validation-profile)|❌|✅|
+
+[!INCLUDE [allow-devices-compliant-with-instantgo-or-hsti-to-opt-out-of-pre-boot-pin](includes/allow-devices-compliant-with-instantgo-or-hsti-to-opt-out-of-pre-boot-pin.md)]
+[!INCLUDE [allow-enhanced-pins-for-startup](includes/allow-enhanced-pins-for-startup.md)]
+[!INCLUDE [allow-network-unlock-at-startup](includes/allow-network-unlock-at-startup.md)]
+[!INCLUDE [allow-secure-boot-for-integrity-validation](includes/allow-secure-boot-for-integrity-validation.md)]
+[!INCLUDE [allow-warning-for-other-disk-encryption](includes/allow-warning-for-other-disk-encryption.md)]
+[!INCLUDE [choose-how-bitlocker-protected-operating-system-drives-can-be-recovered](includes/choose-how-bitlocker-protected-operating-system-drives-can-be-recovered.md)]
+[!INCLUDE [configure-minimum-pin-length-for-startup](includes/configure-minimum-pin-length-for-startup.md)]
+[!INCLUDE [configure-pre-boot-recovery-message-and-url](includes/configure-pre-boot-recovery-message-and-url.md)]
+[!INCLUDE [configure-tpm-platform-validation-profile-for-bios-based-firmware-configurations](includes/configure-tpm-platform-validation-profile-for-bios-based-firmware-configurations.md)]
+[!INCLUDE [configure-tpm-platform-validation-profile-for-native-uefi-firmware-configurations](includes/configure-tpm-platform-validation-profile-for-native-uefi-firmware-configurations.md)]
+[!INCLUDE [configure-use-of-hardware-based-encryption-for-operating-system-drives](includes/configure-use-of-hardware-based-encryption-for-operating-system-drives.md)]
+[!INCLUDE [configure-use-of-passwords-for-operating-system-drives](includes/configure-use-of-passwords-for-operating-system-drives.md)]
+[!INCLUDE [disallow-standard-users-from-changing-the-pin-or-password](includes/disallow-standard-users-from-changing-the-pin-or-password.md)]
+[!INCLUDE [enable-use-of-bitlocker-authentication-requiring-preboot-keyboard-input-on-slates](includes/enable-use-of-bitlocker-authentication-requiring-preboot-keyboard-input-on-slates.md)]
+[!INCLUDE [enforce-drive-encryption-type-on-operating-system-drives](includes/enforce-drive-encryption-type-on-operating-system-drives.md)]
+[!INCLUDE [require-additional-authentication-at-startup](includes/require-additional-authentication-at-startup.md)]
+[!INCLUDE [reset-platform-validation-data-after-bitlocker-recovery](includes/reset-platform-validation-data-after-bitlocker-recovery.md)]
+[!INCLUDE [use-enhanced-boot-configuration-data-validation-profile](includes/use-enhanced-boot-configuration-data-validation-profile.md)]
+
+#### [:::image type="icon" source="images/unlocked-drive.svg"::: **Fixed data drives**](#tab/fixed)
+
+|Policy name| CSP | GPO |
+|-|-|-|
+|[Choose how BitLocker-protected fixed drives can be recovered](#choose-how-bitlocker-protected-fixed-drives-can-be-recovered)|✅|✅|
+|[Configure use of hardware-based encryption for fixed data drives](#configure-use-of-hardware-based-encryption-for-fixed-data-drives)|❌|✅|
+|[Configure use of passwords for fixed data drives](#configure-use-of-passwords-for-fixed-data-drives)|❌|✅|
+|[Configure use of smart cards on fixed data drives](#configure-use-of-smart-cards-on-fixed-data-drives)|❌|✅|
+|[Deny write access to fixed drives not protected by BitLocker](#deny-write-access-to-fixed-drives-not-protected-by-bitlocker)|✅|✅|
+|[Enforce drive encryption type on fixed data drives](#enforce-drive-encryption-type-on-fixed-data-drives)|✅|✅|
+
+[!INCLUDE [choose-how-bitlocker-protected-fixed-drives-can-be-recovered](includes/choose-how-bitlocker-protected-fixed-drives-can-be-recovered.md)]
+[!INCLUDE [configure-use-of-hardware-based-encryption-for-fixed-data-drives](includes/configure-use-of-hardware-based-encryption-for-fixed-data-drives.md)]
+[!INCLUDE [configure-use-of-passwords-for-fixed-data-drives](includes/configure-use-of-passwords-for-fixed-data-drives.md)]
+[!INCLUDE [configure-use-of-smart-cards-on-fixed-data-drives](includes/configure-use-of-smart-cards-on-fixed-data-drives.md)]
+[!INCLUDE [deny-write-access-to-fixed-drives-not-protected-by-bitlocker](includes/deny-write-access-to-fixed-drives-not-protected-by-bitlocker.md)]
+[!INCLUDE [enforce-drive-encryption-type-on-fixed-data-drives](includes/enforce-drive-encryption-type-on-fixed-data-drives.md)]
+
+#### [:::image type="icon" source="images/unlocked-drive.svg"::: **Removable data drives**](#tab/removable)
+
+|Policy name| CSP | GPO |
+|-|-|-|
+|[Choose how BitLocker-protected removable drives can be recovered](#choose-how-bitlocker-protected-removable-drives-can-be-recovered)|❌|✅|
+|[Configure use of hardware-based encryption for removable data drives](#configure-use-of-hardware-based-encryption-for-removable-data-drives)|❌|✅|
+|[Configure use of passwords for removable data drives](#configure-use-of-passwords-for-removable-data-drives)|❌|✅|
+|[Configure use of smart cards on removable data drives](#configure-use-of-smart-cards-on-removable-data-drives)|❌|✅|
+|[Control use of BitLocker on removable drives](#control-use-of-bitlocker-on-removable-drives)|✅|✅|
+|[Deny write access to removable drives not protected by BitLocker](#deny-write-access-to-removable-drives-not-protected-by-bitlocker)|✅|✅|
+|[Enforce drive encryption type on removable data drives](#enforce-drive-encryption-type-on-removable-data-drives)|✅|✅|
+|[Removable Drives Excluded From Encryption](#removable-drives-excluded-from-encryption)|✅|❌|
+
+[!INCLUDE [choose-how-bitlocker-protected-removable-drives-can-be-recovered](includes/choose-how-bitlocker-protected-removable-drives-can-be-recovered.md)]
+[!INCLUDE [configure-use-of-hardware-based-encryption-for-removable-data-drives](includes/configure-use-of-hardware-based-encryption-for-removable-data-drives.md)]
+[!INCLUDE [configure-use-of-passwords-for-removable-data-drives](includes/configure-use-of-passwords-for-removable-data-drives.md)]
+[!INCLUDE [configure-use-of-smart-cards-on-removable-data-drives](includes/configure-use-of-smart-cards-on-removable-data-drives.md)]
+[!INCLUDE [control-use-of-bitlocker-on-removable-drives](includes/control-use-of-bitlocker-on-removable-drives.md)]
+[!INCLUDE [deny-write-access-to-removable-drives-not-protected-by-bitlocker](includes/deny-write-access-to-removable-drives-not-protected-by-bitlocker.md)]
+[!INCLUDE [enforce-drive-encryption-type-on-removable-data-drives](includes/enforce-drive-encryption-type-on-removable-data-drives.md)]
+[!INCLUDE [removable-drives-excluded-from-encryption](includes/removable-drives-excluded-from-encryption.md)]
+
+---
+
+## BitLocker and policy settings compliance
+
+If a device isn't compliant with the configured policy settings, BitLocker might not be turned on, or BitLocker configuration might be modified until the device is in a compliant state. When a drive becomes out of compliance with policy settings, only changes to the BitLocker configuration that will bring it into compliance are allowed. Such scenario could occur, for example, if a previously encrypted drive becomes noncompliant by a policy setting change.
+
+If multiple changes are necessary to bring the drive into compliance, BitLocker protection might need to be suspended, the necessary changes made, and then protection resumed. Such situation could occur, for example, if a removable drive is initially configured for unlock with a password, and then policy settings are changed to require smart cards. In this scenario, BitLocker protection needs to be suspended, delete the password unlock method, and add the smart card method. After this process is complete, BitLocker is compliant with the policy setting, and BitLocker protection on the drive can be resumed.
+
+In other scenarios, to bring the drive into compliance with a change in policy settings, BitLocker might need to be disabled and the drive decrypted followed by re-enabling BitLocker and then re-encrypting the drive. An example of this scenario is when the BitLocker encryption method or cipher strength is changed.
+
+To learn more how to manage BitLocker, review the [BitLocker operations guide](operations-guide.md).
+
+## Configure and manage servers
+
+Servers are often deployed, configured, and managed using PowerShell. The recommendation is to use group policy settings to configure BitLocker on servers, and to manage BitLocker using PowerShell.
+
+BitLocker is an optional component in Windows Server. Follow the directions in [Install BitLocker on Windows Server](install-server.md) to add the BitLocker optional component.
+
+The Minimal Server Interface is a prerequisite for some of the BitLocker administration tools. On a [Server Core][WIN-2] installation, the necessary GUI components must be added first. The steps to add shell components to Server Core are described in [Using Features on Demand with Updated Systems and Patched Images][ARC-1] and [How to update local source media to add roles and features][ARC-2]. If a server is installed manually, then choosing [Server with Desktop Experience][WIN-3] is the easiest path because it avoids performing the steps to add a GUI to Server Core.
+
+ Lights-out data centers can take advantage of the enhanced security of a second factor while avoiding the need for user intervention during reboots by optionally using a combination of BitLocker (TPM+PIN) and BitLocker Network Unlock. BitLocker Network Unlock brings together the best of hardware protection, location dependence, and automatic unlock, while in the trusted location. For the configuration steps, see [Network Unlock](network-unlock.md).
+
+## Next steps
+
+> [!div class="nextstepaction"]
+> Review the BitLocker operations guide to learn how to use different tools to manage and operate BitLocker.
+>
+>
+> [BitLocker operations guide >](operations-guide.md)
+
+
+
+[ARC-1]: /archive/blogs/server_core/using-features-on-demand-with-updated-systems-and-patched-images
+[ARC-2]: /archive/blogs/joscon/how-to-update-local-source-media-to-add-roles-and-features
+[ENTRA-1]: /entra/identity/conditional-access/overview
+[INT-1]: /mem/intune/protect/compliance-policy-create-windows#encryption
+[INT-2]: /mem/intune/protect/encrypt-devices#rotate-bitlocker-recovery-keys
+[INT-3]: /mem/intune/protect/encryption-monitor
+[INT-4]: /mem/intune/protect/device-compliance-get-started
+[MCM-1]: /mem/configmgr/protect/deploy-use/bitlocker/deploy-management-agent
+[WIN-1]: /windows/client-management/mdm/bitlocker-csp
+[WIN-2]: /windows-server/get-started/getting-started-with-server-core/
+[WIN-3]: /windows-server/get-started/getting-started-with-server-with-desktop-experience/
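Review bot: The third sentence of the first paragraph mixes voices ("BitLocker protection needs to be suspended, delete the password unlock method, and add the smart card method"); make the three clauses parallel, for example "BitLocker protection needs to be suspended, the password unlock method deleted, and the smart card method added", and change "Such situation could occur" to "Such a situation could occur". Two smaller nits in the same hunk: the "Lights-out data centers" paragraph carries a stray leading space, and the nextstepaction block has two consecutive empty `>` lines where one is enough.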
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/countermeasures.md b/windows/security/operating-system-security/data-protection/bitlocker/countermeasures.md
new file mode 100644
index 0000000000..62dbc91a63
--- /dev/null
+++ b/windows/security/operating-system-security/data-protection/bitlocker/countermeasures.md
@@ -0,0 +1,152 @@
+---
+title: BitLocker countermeasures
+description: Learn about technologies and features to protect against attacks on the BitLocker encryption key.
+ms.topic: concept-article
+ms.date: 10/30/2023
+---
+
+# BitLocker countermeasures
+
+Windows uses hardware solutions and security features that protect BitLocker encryption keys against attacks. These technologies include *Trusted Platform Module (TPM)*, *Secure Boot*, and *Measured Boot*.
+
+## Protection before startup
+
+Before Windows starts, security features implemented as part of the device hardware and firmware must be relied on, including TPM and secure boot:
+
+- a *TPM* is a chip designed to provide basic security-related functions, primarily involving encryption keys. BitLocker binds encryption keys with the TPM to ensure that the device hasn't been tampered with while the system is offline. For more information about TPM, see [Trusted Platform Module][WIN-1]
+- *Unified Extensible Firmware Interface (UEFI)* is a programmable boot environment that initializes devices and starts the operating system's bootloader. The UEFI specification defines a firmware execution authentication process called [Secure Boot](../../system-security/secure-the-windows-10-boot-process.md)
+- *Secure Boot* blocks untrusted firmware and bootloaders (signed or unsigned) from being able to start on the system. By default, BitLocker provides integrity protection for Secure Boot by utilizing the TPM PCR[7] measurement. An unauthorized EFI firmware, EFI boot application, or bootloader can't run and acquire the BitLocker key
+
+### BitLocker and reset attacks
+
+To defend against malicious reset attacks, BitLocker uses the *TCG Reset Attack Mitigation*, also known as *MOR bit* (Memory Overwrite Request), before extracting keys into memory.
+
+## Security policies
+
+Preboot authentication and DMA policies provide extra protection for BitLocker.
+
+### Preboot authentication
+
+Preboot authentication with BitLocker can require the use of either user input, such as a PIN, a startup key, or both to authenticate prior to making the contents of the system drive accessible.
+
+BitLocker accesses and stores the encryption keys in memory only after preboot authentication is completed. If Windows can't access the encryption keys, the device can't read or edit the files on the system drive. The only option for bypassing preboot authentication is entering the *recovery key*.
+
+Preboot authentication is designed to prevent the encryption keys from being loaded to system memory without the trusted user supplying another authentication factor. This feature helps mitigate DMA and memory remanence attacks.
+
+On devices with a compatible TPM, operating system drives that are BitLocker-protected can be unlocked in four ways:
+
+- **TPM-only**: this option doesn't require any interaction with the user to unlock and provide access to the drive. If the TPM validation succeeds, the user sign-in experience is the same as a standard sign-in. If the TPM is missing or changed, or if BitLocker detects changes to the BIOS or UEFI configuration, critical operating system startup files, or the boot configuration, BitLocker enters recovery mode. The user must then enter a recovery password to regain access to the data. This option is more convenient for sign-in but less secure than the other options, which require an additional authentication factor
+- **TPM with startup key**: in addition to the protection that the TPM-only provides, part of the encryption key is stored on a USB flash drive, referred to as a *startup key*. Data on the encrypted volume can't be accessed without the startup key
+- **TPM with PIN**: in addition to the protection that the TPM provides, BitLocker requires that the user enters a PIN. Data on the encrypted volume can't be accessed without entering the PIN. TPMs also have [anti-hammering protection][WIN-2] that is designed to prevent brute force attacks that attempt to determine the PIN
+- **TPM with startup key and PIN**: in addition to the protection that the TPM provides, part of the encryption key is stored on a USB flash drive, and a PIN is required to authenticate the user to the TPM. This configuration provides multifactor authentication so that if the USB key is lost or stolen, it can't be used for access to the drive, because the PIN is also required
+
+Preboot authentication with a PIN can mitigate an attack vector for devices that use a bootable eDrive because an exposed eDrive bus can allow an attacker to capture the BitLocker encryption key during startup. Preboot authentication with a PIN can also mitigate DMA port attacks during the window of time between when BitLocker unlocks the drive and Windows boots to the point that Windows can set any port-related policies that have been configured.
+
+On the other hand, Preboot authentication-prompts can be inconvenient to users. In addition, users who forget their PIN or lose their startup key are denied access to their data until they can contact their organization's support team to obtain a recovery key. Preboot authentication can also make it more difficult to update unattended or remotely administered devices because a PIN must be entered when a device reboots or resumes from hibernation.
+
+To address these issues, [BitLocker Network Unlock](network-unlock.md) can be deployed. Network Unlock allows systems that meet the hardware requirements and have BitLocker enabled with TPM+PIN to boot into Windows without user intervention. It requires direct ethernet connectivity to a Windows Deployment Services (WDS) server.
+
+To learn more, see the policy setting [Require additional authentication at startup](configure.md?tabs=os#require-additional-authentication-at-startup).
+
+### Protect DMA ports
+
+It's important to protect DMA ports, as external peripherals might gain unauthorized access to memory. Depending on the device capabilities, there are different options to protect DMA ports. To learn more, see the policy setting [Disable new DMA devices when this computer is locked](configure.md?tabs=common#disable-new-dma-devices-when-this-computer-is-locked).
+
+## Attack countermeasures
+
+This section covers countermeasures for specific types of attacks.
+
+### Bootkits and rootkits
+
+A physically present attacker might attempt to install a bootkit or rootkit-like piece of software into the boot chain in an attempt to steal the BitLocker keys. The TPM should observe this installation via PCR measurements, and the BitLocker key isn't released.
+
+> [!NOTE]
+> BitLocker protects against this attack by default.
+
+A BIOS password is recommended for defense-in-depth in case a BIOS exposes settings that might weaken the BitLocker security promise. Intel Boot Guard and AMD Hardware Verified Boot support stronger implementations of Secure Boot that provide additional resilience against malware and physical attacks. Intel Boot Guard and AMD Hardware Verified Boot are part of platform boot verification [standards for a highly secure Windows device][WIN-3].
+
+### Brute force attacks against a PIN
+
+Require TPM + PIN for anti-hammering protection.
+
+### DMA attacks
+
+See [Protect DMA ports](#protect-dma-ports) earlier in this article.
+
+### Paging file, crash dump, and Hyberfil.sys attacks
+
+These files are secured on an encrypted volume by default when BitLocker is enabled on OS drives. It also blocks automatic or manual attempts to move the paging file.
+
+### Memory remanence
+
+Enable secure boot and mandatorily use a password to change BIOS settings. For scenarios requiring protection against these advanced attacks, configure a `TPM+PIN` protector, disable *standby* power management, and shut down or hibernate the device before it leaves the control of an authorized user.
+
+The Windows default power settings cause devices to enter *sleep mode* when idle. When a device transitions to sleep, running programs and documents are persisted in memory. When a device resumes from sleep, users aren't required to reauthenticate with a PIN or USB startup key to access encrypted data. This scenario might lead to conditions where data security is compromised.
+
+When a device *hibernates*, the drive is locked. When the device resumes from hibernation, the drive is unlocked, which means that users must provide a PIN or a startup key if using multifactor authentication with BitLocker.
+
+Therefore, organizations that use BitLocker might want to use Hibernate instead of Sleep for improved security.
+
+> [!NOTE]
+> This setting doesn't have an impact on TPM-only mode, because it provides a transparent user experience at startup and when resuming from the Hibernate states.
+
+### Tricking BitLocker to pass the key to a rogue operating system
+
+An attacker might modify the boot manager configuration database (BCD), which is stored on a nonencrypted partition and add an entry point to a rogue operating system on a different partition. During the boot process, BitLocker code makes sure that the operating system that the encryption key obtained from the TPM is given to, is cryptographically verified to be the intended recipient. Because this strong cryptographic verification already exists, we don't recommend storing a hash of a disk partition table in Platform Configuration Register (PCR) 5.
+
+An attacker might also replace the entire operating system disk while preserving the platform hardware and firmware and could then extract a protected BitLocker key blob from the metadata of the victim OS partition. The attacker could then attempt to unseal that BitLocker key blob by calling the TPM API from an operating system under their control. This can't succeed because when Windows seals the BitLocker key to the TPM, it does it with a PCR 11 value of 0. To successfully unseal the blob, PCR 11 in the TPM must have a value of 0. However, when the boot manager passes the control to any boot loader (legitimate or rogue) it always changes PCR 11 to a value of 1. Since the PCR 11 value is guaranteed to be different after exiting the boot manager, the attacker can't unlock the BitLocker key.
+
+## Attacker countermeasures
+
+The following sections cover mitigations for different types of attackers.
+
+### Attacker without much skill or with limited physical access
+
+Physical access might be limited in a form factor that doesn't expose buses and memory. For example, there are no external DMA-capable ports, no exposed screws to open the chassis, and memory is soldered to the mainboard.
+
+This attacker of opportunity doesn't use destructive methods or sophisticated forensics hardware/software.
+
+Mitigation:
+
+- Preboot authentication set to TPM only (the default)
+
+### Attacker with skill and lengthy physical access
+
+Targeted attack with plenty of time; the attacker opens the case, solder, and uses sophisticated hardware or software.
+
+Mitigation:
+
+- Preboot authentication set to TPM with a PIN protector (with a sophisticated alphanumeric PIN [enhanced pin] to help the TPM anti-hammering mitigation).
+
+ -And-
+
+- Disable Standby power management and shut down or hibernate the device before it leaves the control of an authorized user. This configuration can be set using the following policy settings:
+
+ - **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **File Explorer** > **Show hibernate in the power options menu**
+ - **Computer Configuration** > **Policies** > **Administrative Templates** > **Power Management** > **Sleep Settings** >
+ - **Allow standby states (S1-S3) when sleeping (plugged in)**
+ - **Allow standby states (S1-S3) when sleeping (on battery)**
+
+> [!IMPORTANT]
+> These settings are **not configured** by default.
+
+For some systems, bypassing TPM-only might require opening the case and require soldering, but can be done for a reasonable cost. Bypassing a TPM with a PIN protector would cost more, and require brute forcing the PIN. With a sophisticated enhanced PIN, it could be nearly impossible. To learn more about the policy setting, see [Allow enhanced PINs for startup](configure.md?tabs=os#allow-enhanced-pins-for-startup).
+
+For secure administrative workstations, it's recommended to:
+
+- use a TPM with PIN protector
+- disable standby power management
+- shut down or hibernate the device before it leaves the control of an authorized user
+
+## Next steps
+
+> [!div class="nextstepaction"]
+> Learn how to plan for a BitLocker deployment in your organization:
+>
+> [BitLocker planning guide >](planning-guide.md)
+
+
+
+[WIN-1]: /windows/device-security/tpm/trusted-platform-module-overview
+[WIN-2]: /windows/security/hardware-protection/tpm/tpm-fundamentals#anti-hammering
+[WIN-3]: /windows-hardware/design/device-experiences/oem-highly-secure
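Review bot: The heading "Paging file, crash dump, and Hyberfil.sys attacks" misspells the hibernation file; it is `hiberfil.sys`, and the sentence under it should name the subject rather than "It" ("BitLocker also blocks automatic or manual attempts to move the paging file"). The two TPM reference links use different path roots (`/windows/device-security/tpm/...` for WIN-1 and `/windows/security/hardware-protection/tpm/...` for WIN-2), so at least one of them is likely stale; please verify both resolve without a redirect. Wording fixes elsewhere in the file: "Preboot authentication-prompts" should read "preboot authentication prompts", "the attacker opens the case, solder, and uses" should be "solders", "[enhanced pin]" should be "enhanced PIN" to match the linked policy name, "Require TPM + PIN" should use the `TPM+PIN` form used in the rest of the article, and the bare " -And-" line between the two mitigation bullets reads oddly in a list; fold it into the second bullet ("In addition, disable Standby power management...").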
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/operating-system-security/data-protection/bitlocker/csv-san.md
similarity index 84%
rename from windows/security/operating-system-security/data-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
rename to windows/security/operating-system-security/data-protection/bitlocker/csv-san.md
index fd2168f6bb..6eac3ac628 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/csv-san.md
@@ -1,33 +1,31 @@
---
-title: Protecting cluster shared volumes and storage area networks with BitLocker
-description: This article for IT pros describes how to protect CSVs and SANs with BitLocker.
-ms.topic: conceptual
-ms.date: 11/08/2022
+title: Protect cluster shared volumes and storage area networks with BitLocker
+description: Learn how to protect cluster shared volumes (CSV) and storage area networks (SAN) with BitLocker.
+ms.topic: how-to
+ms.date: 10/30/2023
+appliesto:
+- ✅ Windows Server 2022
+- ✅ Windows Server 2019
+- ✅ Windows Server 2016
---
-# Protecting cluster shared volumes and storage area networks with BitLocker
+# Protect cluster shared volumes and storage area networks with BitLocker
-**Applies to:**
+This article describes the procedure to protect cluster shared volumes (CSVs) and storage area networks (SANs) with BitLocker.
-- Windows Server 2016 and above
+BitLocker protects both physical disk resources and cluster shared volumes version 2.0 (CSV2.0). BitLocker on clustered volumes provides an extra layer of protection that can be used to protect sensitive, highly available data. The administrators use this extra layer of protection to increase the security to resources. Only certain user accounts provided access to unlock the BitLocker volume.
-This article describes the procedure to protect cluster shared volumes (CSVs) and storage area networks (SANs) by using BitLocker.
+## Configure BitLocker on cluster shared volumes
-BitLocker protects both physical disk resources and cluster shared volumes version 2.0 (CSV2.0). BitLocker on clustered volumes provides an extra layer of protection that can be used by administrators wishing to protect sensitive, highly available data. The administrators use this extra layer of protection to increase the security to resources. Only certain user accounts provided access to unlock the BitLocker volume.
-
-## Configuring BitLocker on Cluster Shared Volumes
-
-### Using BitLocker with clustered volumes
-
-Volumes within a cluster are managed with the help of BitLocker based on how the cluster service "views" the volume to be protected. The volume can be a physical disk resource such as a logical unit number (LUN) on a SAN or network attached storage (NAS).
+Volumes within a cluster are managed with the help of BitLocker based on how the cluster service *sees* the volume to be protected. The volume can be a physical disk resource such as a logical unit number (LUN) on a SAN, or network attached storage (NAS).
> [!IMPORTANT]
-> SANs used with BitLocker must have obtained Windows Hardware Certification. For more info, see [Windows Hardware Lab Kit](/windows-hardware/drivers/).
+> SANs used with BitLocker must have obtained Windows Hardware Certification. For more information, check [Windows Hardware Lab Kit](/windows-hardware/drivers/).
-Instead, the volume can be a cluster-shared volume. Windows Server 2012 expanded the CSV architecture, now known as CSV2.0, to enable support for BitLocker. The volumes that are designated for a cluster must do the following tasks:
+The volumes that are designated for a cluster must do the following tasks:
-- It must turn on BitLocker—only after this task is done, can the volumes be added to the storage pool.
-- It must put the resource into maintenance mode before BitLocker operations are completed.
+- turn on BitLocker: only after this task is done, the volumes can be added to the storage pool
+- must put the resource into maintenance mode before BitLocker operations are completed.
Windows PowerShell or the `manage-bde.exe` command-line tool is the preferred method to manage BitLocker on CSV2.0 volumes. This method is recommended over the BitLocker Control Panel item because CSV2.0 volumes are mount points. Mount points are an NTFS object that is used to provide an entry point to other volumes. Mount points don't require the use of a drive letter. Volumes that lack drive letters don't appear in the BitLocker Control Panel item. Additionally, the new Active Directory-based protector option required for cluster disk resource or CSV2.0 resources isn't available in the Control Panel item.
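Review bot: The rewritten introduction keeps the sentence fragment "Only certain user accounts provided access to unlock the BitLocker volume" from the old text; it needs a verb ("Only certain user accounts are provided access to unlock the BitLocker volume", or better, "Only designated user accounts can unlock the BitLocker volume"). The two new bullets under "must do the following tasks" are also inconsistent with each other: the first drops the trailing period and starts with a bare verb, while the second keeps "must" and a period. Since the lead-in already says "must", both should read as plain actions in the PR's bullet style, for example "- turn on BitLocker: only after this task is done can the volumes be added to the storage pool" and "- put the resource into maintenance mode before BitLocker operations are completed".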
@@ -60,7 +58,7 @@ An Active Directory Domain Services (AD DS) protector can also be used for prote
BitLocker encryption is available for disks before these disks are added to a cluster storage pool.
> [!NOTE]
-> The advantage of The Bitlocker encryption can even be made available for disks after they are added to a cluster storage pool.
+> The advantage of The BitLocker encryption can even be made available for disks after they are added to a cluster storage pool.
The advantage of encrypting volumes prior to adding them to a cluster is that the disk resource need not be suspended to complete the operation.
To turn on BitLocker for a disk before adding it to a cluster:
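Review bot: The note still doesn't parse after the capitalization fix; "The advantage of The BitLocker encryption can even be made available for disks after they are added" looks like the remains of two merged sentences. Suggest "> BitLocker encryption can also be enabled for disks after they're added to a cluster storage pool." The advantage wording is already stated correctly in the sentence that follows the note, so it doesn't need repeating.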
@@ -92,27 +90,19 @@ To turn on BitLocker for a disk before adding it to a cluster:
When the cluster service owns a disk resource already, the disk resource needs to be set into maintenance mode before BitLocker can be enabled. To turn on the BitLocker for a clustered disk using Windows PowerShell, perform the following steps:
1. Install the BitLocker drive encryption feature if it isn't already installed.
-
2. Check the status of the cluster disk using Windows PowerShell.
-
```powershell
Get-ClusterResource "Cluster Disk 1"
```
-
3. Put the physical disk resource into maintenance mode using Windows PowerShell.
-
```powershell
Get-ClusterResource "Cluster Disk 1" | Suspend-ClusterResource
```
-
4. Identify the name of the cluster with Windows PowerShell.
-
```powershell
Get-Cluster
```
-
5. Enable BitLocker a volume with an **ADAccountOrGroup** protector, using the cluster name. For example, use a command such as:
-
```powershell
Enable-BitLocker E: -ADAccountOrGroupProtector -ADAccountOrGroup CLUSTER$
```
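Review bot: Step 5 is missing a preposition: "Enable BitLocker a volume with an **ADAccountOrGroup** protector" should read "Enable BitLocker on a volume with an **ADAccountOrGroup** protector". Since this hunk reflows the whole procedure, it's also worth confirming after the blank-line removal that each fenced block stays indented under its numbered step; otherwise the fence ends the list and step 3 restarts numbering at 1 when rendered.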
@@ -133,17 +123,14 @@ When the cluster service owns a disk resource already, the disk resource needs t
**`Manage-bde.exe`** can also be used to enable BitLocker on clustered volumes. The steps needed to add a physical disk resource or CSV2.0 volume to an existing cluster are:
1. Verify that the BitLocker drive encryption feature is installed on the computer.
-
2. Ensure new storage is formatted as NTFS.
-
-3. Encrypt the volume, add a recovery key and add the cluster administrator as a protector key using **`manage-bde.exe`** in a command prompt window. For example:
+3. Encrypt the volume, add a recovery key and add the cluster administrator as a protector key using **`manage-bde.exe`** in a Command Prompt window. For example:
```cmd
manage-bde.exe -on -used -RP -sid domain\CNO$ -sync
```
1. BitLocker will check to see if the disk is already part of a cluster. If it is, administrators will encounter a hard block. Otherwise, the encryption continues.
-
2. Using the -sync parameter is optional. However, using the -sync parameter has the advantage of ensuring the command waits until the encryption for the volume is completed. The volume is then released for use in the cluster storage pool.
4. Open the Failover Cluster Manager snap-in or cluster PowerShell cmdlets to enable the disk to be clustered.
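Review bot: The `manage-bde.exe` example in step 3 is missing the volume argument; `-on` requires a drive letter or mount point, so as written the command fails. Match the PowerShell example earlier in the file and write it as `manage-bde.exe -on E: -used -RP -sid domain\CNO$ -sync`. In the same step, "add the cluster administrator as a protector key" doesn't match what the command does (it adds the cluster name object, `CNO$`, as an AD account protector); suggest "add the cluster name object (CNO) as a protector".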
@@ -153,7 +140,6 @@ When the cluster service owns a disk resource already, the disk resource needs t
5. During the resource online operation, cluster checks whether the disk is BitLocker encrypted.
1. If the volume isn't BitLocker enabled, traditional cluster online operations occur.
-
2. If the volume is BitLocker enabled, BitLocker checks if the volume is **locked**. If the volume is **locked**, BitLocker impersonates the CNO and unlocks the volume using the CNO protector. If these actions by BitLocker fail, an event is logged. The logged event will state that the volume couldn't be unlocked and the online operation has failed.
6. Once the disk is online in the storage pool, it can be added to a CSV by right-clicking the disk resource, and choosing "**Add to cluster shared volumes**".
@@ -196,16 +182,10 @@ In the case where a physical disk resource experiences a failover event during c
Some other considerations to take into account for BitLocker on clustered storage include:
-- BitLocker volumes have to be initialized and begin encryption before they're available to add to a CSV2.0 volume.
-
-- If an administrator needs to decrypt a CSV volume, remove the volume from the cluster or put it into disk maintenance mode. The CSV can be added back to the cluster while waiting for decryption to complete.
-
-- If an administrator needs to start encrypting a CSV volume, remove the volume from the cluster or put it into maintenance mode.
-
-- If conversion is paused with encryption in progress and the CSV volume is offline from the cluster, the cluster thread (health check) automatically resumes conversion when the volume is online to the cluster.
-
-- If conversion is paused with encryption in progress and a physical disk resource volume is offline from the cluster, the BitLocker driver automatically resumes conversion when the volume is online to the cluster.
-
-- If conversion is paused with encryption in progress, while the CSV volume is in maintenance mode, the cluster thread (health check) automatically resumes conversion when moving the volume back from maintenance.
-
-- If conversion is paused with encryption in progress, while the disk resource volume is in maintenance mode, the BitLocker driver automatically resumes conversion when the volume is moved back from maintenance mode.
+- BitLocker volumes have to be initialized and begin encryption before they're available to add to a CSV2.0 volume
+- If an administrator needs to decrypt a CSV volume, remove the volume from the cluster or put it into disk maintenance mode. The CSV can be added back to the cluster while waiting for decryption to complete
+- If an administrator needs to start encrypting a CSV volume, remove the volume from the cluster or put it into maintenance mode
+- If conversion is paused with encryption in progress and the CSV volume is offline from the cluster, the cluster thread (health check) automatically resumes conversion when the volume is online to the cluster
+- If conversion is paused with encryption in progress and a physical disk resource volume is offline from the cluster, the BitLocker driver automatically resumes conversion when the volume is online to the cluster
+- If conversion is paused with encryption in progress, while the CSV volume is in maintenance mode, the cluster thread (health check) automatically resumes conversion when moving the volume back from maintenance
+- If conversion is paused with encryption in progress, while the disk resource volume is in maintenance mode, the BitLocker driver automatically resumes conversion when the volume is moved back from maintenance mode
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/faq.yml b/windows/security/operating-system-security/data-protection/bitlocker/faq.yml
index 7f560a14b9..e67401c81a 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/faq.yml
+++ b/windows/security/operating-system-security/data-protection/bitlocker/faq.yml
@@ -1,11 +1,9 @@
### YamlMime:FAQ
metadata:
title: BitLocker FAQ
- description: Learn more about BitLocker by reviewing the frequently asked questions.
- ms.collection:
- - tier1
+ description: Learn more about BitLocker by reviewing the frequently asked questions.
ms.topic: faq
- ms.date: 07/25/2023
+ ms.date: 10/30/2023
title: BitLocker FAQ
summary: Learn more about BitLocker by reviewing the frequently asked questions.
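Review bot: This hunk removes the `ms.collection: tier1` metadata from the FAQ alongside the date bump, but nothing in the change explains it; if the intent was only to reindent `description`, the collection entry should be restored, and if dropping the page from the tier1 collection is deliberate, please say so in the PR description.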
@@ -14,55 +12,29 @@ sections:
### YamlMime:FAQ
- name: Overview and requirements
questions:
- - question: How does BitLocker work?
- answer: |
- **How BitLocker works with operating system drives**
-
- BitLocker Can be used to mitigate unauthorized data access on lost or stolen computers by encrypting all user files and system files on the operating system drive, including the swap files and hibernation files, and checking the integrity of early boot components and boot configuration data.
-
- **How BitLocker works with fixed and removable data drives**
-
- BitLocker can be used to encrypt the entire contents of a data drive. Group Policy can be used to require BitLocker be enabled on a drive before the computer can write data to the drive. BitLocker can be configured with various unlock methods for data drives, and a data drive supports multiple unlock methods.
-
- question: Does BitLocker support multifactor authentication?
answer: Yes, BitLocker supports multifactor authentication for operating system drives. If BitLocker is enabled on a computer that has a TPM version 1.2 or later, additional forms of authentication can be used with the TPM protection.
- - question: What are the BitLocker hardware and software requirements?
- answer: |
- For requirements, see [System requirements](index.md#system-requirements).
-
- > [!NOTE]
- > Dynamic disks aren't supported by BitLocker. Dynamic data volumes won't be displayed in the Control Panel. Although the operating system volume will always be displayed in the Control Panel, regardless of whether it's a Dynamic disk, if it's a dynamic disk it can't be protected by BitLocker.
-
- - question: Why are two partitions required? Why does the system drive have to be so large?
+ - question: Why are two partitions required?
answer: Two partitions are required to run BitLocker because pre-startup authentication and system integrity verification must occur on a separate partition from the encrypted operating system drive. This configuration helps protect the operating system and the information in the encrypted drive.
- - question: Which Trusted Platform Modules (TPMs) does BitLocker support?
- answer: |
- BitLocker supports TPM version 1.2 or higher. BitLocker support for TPM 2.0 requires Unified Extensible Firmware Interface (UEFI) for the device.
-
- > [!NOTE]
- > TPM 2.0 isn't supported in Legacy and CSM Modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as Native UEFI only. The Legacy and Compatibility Support Module (CSM) options must be disabled. For added security, enable the Secure Boot feature.
- >
- > Installed Operating System on hardware in legacy mode will stop the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](/windows/deployment/mbr-to-gpt) before changing the BIOS mode that will prepare the OS and the disk to support UEFI.
-
- question: How can I tell if a computer has a TPM?
- answer: Beginning with Windows 10, version 1803, the TPM status can be checked in **Windows Defender Security Center** > **Device Security** > **Security processor details**. In previous versions of Windows, open the TPM MMC console (tpm.msc) and look under the **Status** heading. [**Get-TPM**](/powershell/module/trustedplatformmodule/get-tpm?view=windowsserver2019-ps)** can also be run in PowerShell to get more details about the TPM on the current computer.
+ answer: The TPM status can be checked in **Windows Defender Security Center** > **Device Security** > **Security processor details**.
- question: Can I use BitLocker on an operating system drive without a TPM?
answer: |
- Yes, BitLocker can be enabled on an operating system drive without a TPM version 1.2 or higher, if the BIOS or UEFI firmware has the ability to read from a USB flash drive in the boot environment. BitLocker won't unlock the protected drive until BitLocker's own volume master key is first released by either the computer's TPM or by a USB flash drive containing the BitLocker startup key for that computer. However, computers without TPMs won't be able to use the system integrity verification that BitLocker can also provide.
+ Yes, BitLocker can be enabled on an operating system drive without a TPM, if the BIOS or UEFI firmware has the ability to read from a USB flash drive in the boot environment. BitLocker won't unlock the protected drive until BitLocker's own volume master key is first released by either the computer's TPM or by a USB flash drive containing the BitLocker startup key for that computer. However, computers without TPMs won't be able to use the system integrity verification that BitLocker can also provide.
To help determine whether a computer can read from a USB device during the boot process, use the BitLocker system check as part of the BitLocker setup process. This system check performs tests to confirm that the computer can properly read from the USB devices at the appropriate time and that the computer meets other BitLocker requirements.
- question: How do I obtain BIOS support for the TPM on my computer?
answer: |
Contact the computer manufacturer to request a Trusted Computing Group (TCG)-compliant BIOS or UEFI boot firmware that meets the following requirements:
- - It's compliant with the TCG standards for a client computer.
- - It has a secure update mechanism to help prevent a malicious BIOS or boot firmware from being installed on the computer.
+ - It's compliant with the TCG standards for a client computer
+ - It has a secure update mechanism to help prevent a malicious BIOS or boot firmware from being installed on the computer
- - question: What credentials are required to use BitLocker?
- answer: To turn on, turn off, or change configurations of BitLocker on operating system and fixed data drives, membership in the local **Administrators** group is required. Standard users can turn on, turn off, or change configurations of BitLocker on removable data drives.
+ - question: What user rights are required to use BitLocker?
+ answer: To turn on, turn off, or change configurations of BitLocker on operating system and fixed data drives, membership to the local *Administrators* group is required. Standard users can turn on, turn off, or change configurations of BitLocker on removable data drives.
- question: What is the recommended boot order for computers that are going to be BitLocker-protected?
answer: The computer's startup options should be configured to have the hard disk drive first in the boot order, before any other drives such as CD/DVD drives or USB drives. If the hard disk isn't first and the computer typically boots from the hard disk, then a boot order change may be detected or assumed when removable media is found during boot. The boot order typically affects the system measurement that is verified by BitLocker and a change in boot order will cause a prompt for the BitLocker recovery key. For the same reason, if a laptop is used with a docking station, ensure that the hard disk drive is first in the boot order both when the laptop is docked and undocked.
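Review bot: "membership to the local *Administrators* group" in the rewritten answer to "What user rights are required to use BitLocker?" should read "membership in the local *Administrators* group"; the removed line had "in", so the edit introduces the error. Separately, the rewritten TPM status answer drops both tpm.msc and the `Get-TPM` cmdlet, which removes the only scriptable way to check TPM state given in this FAQ; if Security Center is meant to be the single documented path, consider keeping a one-line mention of `Get-TPM` for administrators working from PowerShell.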
@@ -70,16 +42,16 @@ sections:
- name: BitLocker and Windows upgrade
questions:
- question: |
- Can I upgrade to Windows 10 with BitLocker enabled?
+ Can I upgrade Windows versions with BitLocker enabled?
answer: |
Yes.
- question: |
What is the difference between suspending and decrypting BitLocker?
answer: |
- **Decrypt** completely removes BitLocker protection and fully decrypts the drive.
+ *Decrypt* completely removes BitLocker protection and fully decrypts the drive.
- **Suspend** keeps the data encrypted but encrypts the BitLocker volume master key with a clear key. The clear key is a cryptographic key stored unencrypted and unprotected on the disk drive. By storing this key unencrypted, the **Suspend** option allows for changes or upgrades to the computer without the time and cost of decrypting and re-encrypting the entire drive. After the changes are made and BitLocker is again enabled, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade, the volume master key is changed, the protectors are updated to match and the clear key is erased.
+ *Suspend* keeps the data encrypted but encrypts the BitLocker volume master key with a clear key. The clear key is a cryptographic key stored unencrypted and unprotected on the disk drive. By storing this key unencrypted, the *Suspend* option allows for changes or upgrades to the computer without the time and cost of decrypting and re-encrypting the entire drive. After the changes are made and BitLocker is again enabled, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade, the volume master key is changed, the protectors are updated to match and the clear key is erased.
- question: |
Do I have to suspend BitLocker protection to download and install system updates and upgrades?
@@ -87,25 +59,22 @@ sections:
No user action is required for BitLocker in order to apply updates from Microsoft, including [Windows quality updates and feature updates](/windows/deployment/update/waas-quick-start).
Users need to suspend BitLocker for Non-Microsoft software updates, such as:
- - Some TPM firmware updates if these updates clear the TPM outside of the Windows API. Not every TPM firmware update will clear the TPM. Users don't have to suspend BitLocker if the TPM firmware update uses Windows API to clear the TPM because in this case, BitLocker will be automatically suspended. It's recommended that users test their TPM firmware updates if they don't want to suspend BitLocker protection.
- - Non-Microsoft application updates that modify the UEFI\BIOS configuration.
- - Manual or third-party updates to secure boot databases (only if BitLocker uses Secure Boot for integrity validation).
- - Updates to UEFI\BIOS firmware, installation of additional UEFI drivers, or UEFI applications without using the Windows update mechanism (only if BitLocker doesn't use Secure Boot for integrity validation during updates).
- - BitLocker can be checked if it uses Secure Boot for integrity validation with the command line `manage-bde.exe -protectors -get C:`. If Secure Boot for integrity validation is being used, it will be report **Uses Secure Boot for integrity validation**.
+ - Some TPM firmware updates if these updates clear the TPM outside of the Windows API. Not every TPM firmware update will clear the TPM. Users don't have to suspend BitLocker if the TPM firmware update uses Windows API to clear the TPM because in this case, BitLocker will be automatically suspended. It's recommended that users test their TPM firmware updates if they don't want to suspend BitLocker protection
+ - Non-Microsoft application updates that modify the UEFI\BIOS configuration
+ - Manual or third-party updates to secure boot databases (only if BitLocker uses Secure Boot for integrity validation)
+ - Updates to UEFI\BIOS firmware, installation of additional UEFI drivers, or UEFI applications without using the Windows update mechanism (only if BitLocker doesn't use Secure Boot for integrity validation during updates)
+ - BitLocker can be checked if it uses Secure Boot for integrity validation with the command line `manage-bde.exe -protectors -get C:`. If Secure Boot for integrity validation is being used, it reports **Uses Secure Boot for integrity validation**
> [!NOTE]
- > If BitLocker has been suspended, BitLocker protection can be resumed after the upgrade or update has been installed. Upon resuming protection, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade or update. If these types of upgrades or updates are applied without suspending BitLocker, the computer will enter recovery mode when restarting and will require a recovery key or password to access the computer.
+ > If BitLocker is suspended, you can resume BitLocker protection after the upgrade or update is installed. Upon resuming protection, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade or update. If these types of upgrades or updates are applied without suspending BitLocker, the computer will enter recovery mode when restarting and will require a recovery key or password to access the computer.
- name: Deployment and administration
questions:
- question: Can BitLocker deployment be automated in an enterprise environment?
answer: |
- Yes, the deployment and configuration of both BitLocker and the TPM can be automated using either WMI or Windows PowerShell scripts. Which method is chosen to implement the automation depends on the environment. `Manage-bde.exe` can also be used to locally or remotely configure BitLocker. For more info about writing scripts that use the BitLocker WMI providers, see [BitLocker Drive Encryption Provider](/windows/win32/secprov/bitlocker-drive-encryption-provider). For more info about using Windows PowerShell cmdlets with BitLocker Drive Encryption, see [BitLocker Cmdlets in Windows PowerShell](/powershell/module/bitlocker/index?view=win10-ps).
+ Yes, the deployment and configuration BitLocker can be automated using either Windows PowerShell or with the `manage-bde.exe` command. For more information about common BitLocker management commands, check the [BitLocker operations guide](operations-guide.md).
- - question: Can BitLocker encrypt more than just the operating system drive?
- answer: Yes.
-
- question: Is there a noticeable performance impact when BitLocker is enabled on a computer?
answer: Typically, there's a small performance overhead, often in single-digit percentages, which is relative to the throughput of the storage operations on which it needs to operate.
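Review bot: "the deployment and configuration BitLocker can be automated" in the rewritten automation answer is missing "of" ("the deployment and configuration of BitLocker"). The last bullet in the updates list, "BitLocker can be checked if it uses Secure Boot for integrity validation with the command line `manage-bde.exe -protectors -get C:`", is not an update type like the bullets above it; move it out of the list as a sentence such as "To check whether BitLocker uses Secure Boot for integrity validation, run `manage-bde.exe -protectors -get C:`; if it does, the output reports **Uses Secure Boot for integrity validation**." The replacement answer also drops the BitLocker WMI provider reference without a substitute, so confirm the operations guide covers WMI-based automation before that pointer is removed.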
@@ -121,39 +90,41 @@ sections:
- question: Does BitLocker encrypt and decrypt the entire drive all at once when reading and writing data?
answer: No, BitLocker doesn't encrypt and decrypt the entire drive when reading and writing data. The encrypted sectors in the BitLocker-protected drive are decrypted only as they're requested from system read operations. Blocks that are written to the drive are encrypted before the system writes them to the physical disk. No unencrypted data is ever stored on a BitLocker-protected drive.
- - question: How can I prevent users on a network from storing data on an unencrypted drive?
+ - question: How can I prevent users from storing data on an unencrypted drive?
answer: |
- Group Policy settings can be configured to require that data drives be BitLocker-protected before a BitLocker-protected computer can write data to them. For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
+ Policy settings can be configured to require that data drives be BitLocker-protected before a BitLocker-protected computer can write data to them. For more info, see [BitLocker policy settings](configure.md).
When these policy settings are enabled, the BitLocker-protected operating system will mount any data drives that aren't protected by BitLocker as read-only.
- - question: What is Used Disk Space Only encryption?
+ - question: |
+ What is Used Disk Space Only encryption?
answer: |
- BitLocker in Windows 10 lets users choose to encrypt just their data. Although it's not the most secure way to encrypt a drive, this option can reduce encryption time by more than 99 percent, depending on how much data that needs to be encrypted. For more information, see [Used Disk Space Only encryption](bitlocker-device-encryption-overview-windows-10.md#used-disk-space-only-encryption).
+ BitLocker lets users choose to encrypt just their data. Although it's not the most secure way to encrypt a drive, this option can reduce encryption time by more than 99 percent, depending on how much data that needs to be encrypted. For more information, see [Used Disk Space Only encryption](planning-guide.md#used-disk-space-only-encryption).
- - question: What system changes would cause the integrity check on my operating system drive to fail?
+ - question: |
+ What system changes would cause the integrity check on the OS drive to fail?
answer: |
The following types of system changes can cause an integrity check failure and prevent the TPM from releasing the BitLocker key to decrypt the protected operating system drive:
- - Moving the BitLocker-protected drive into a new computer.
- - Installing a new motherboard with a new TPM.
- - Turning off, disabling, or clearing the TPM.
- - Changing any boot configuration settings.
- - Changing the BIOS, UEFI firmware, master boot record, boot sector, boot manager, option ROM, or other early boot components or boot configuration data.
+ - Moving the BitLocker-protected drive into a new computer
+ - Installing a new motherboard with a new TPM
+ - Turning off, disabling, or clearing the TPM
+ - Changing any boot configuration settings
+ - Changing the BIOS, UEFI firmware, master boot record, boot sector, boot manager, option ROM, or other early boot components or boot configuration data
- question: What causes BitLocker to start into recovery mode when attempting to start the operating system drive?
answer: |
Because BitLocker is designed to protect computers from numerous attacks, there are numerous reasons why BitLocker could start in recovery mode.
For example:
- - Changing the BIOS boot order to boot another drive in advance of the hard drive.
- - Adding or removing hardware, such as inserting a new card in the computer.
- - Removing, inserting, or completely depleting the charge on a smart battery on a portable computer.
+ - Changing the BIOS boot order to boot another drive in advance of the hard drive
+ - Adding or removing hardware, such as inserting a new card in the computer
+ - Removing, inserting, or completely depleting the charge on a smart battery on a portable computer
In BitLocker, recovery consists of decrypting a copy of the volume master key using either a recovery key stored on a USB flash drive or a cryptographic key derived from a recovery password.
The TPM isn't involved in any recovery scenarios, so recovery is still possible if the TPM fails boot component validation, malfunctions, or is removed.
- question: What can prevent BitLocker from binding to PCR 7?
- answer: BitLocker can be prevented from binding to PCR 7 if a non-Windows OS booted prior to Windows, or if Secure Boot isn't available to the device, either because it has been disabled or the hardware doesn't support it.
+ answer: BitLocker can be prevented from binding to PCR 7 if a non-Windows OS booted prior to Windows, or if Secure Boot isn't available to the device, either because it's disabled or the hardware doesn't support it.
- question: Can I swap hard disks on the same computer if BitLocker is enabled on the operating system drive?
answer: Yes, multiple hard disks can be swapped on the same computer if BitLocker is enabled, but only if the hard disks were BitLocker-protected on the same computer. The BitLocker keys are unique to the TPM and the operating system drive. If a backup operating system or data drive needs to be prepared in case of a disk failure, make sure that they were matched with the correct TPM. Different hard drives can also be configured for different operating systems and then enable BitLocker on each one with different authentication methods (such as one with TPM-only and one with TPM+PIN) without any conflicts.
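Review bot: "depending on how much data that needs to be encrypted" in the Used Disk Space Only answer carries over a stray "that"; use "depending on how much data needs to be encrypted". "Although it's not the most secure way to encrypt a drive" is left unexplained in the rewritten line; a reader choosing between the two modes needs the trade-off stated here or an explicit pointer to where the linked planning guide explains it.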
@@ -161,57 +132,79 @@ sections:
- question: Can I access my BitLocker-protected drive if I insert the hard disk into a different computer?
answer: Yes, if the drive is a data drive, it can be unlocked from the **BitLocker Drive Encryption** Control Panel item by using a password or smart card. If the data drive was configured for automatic unlock only, it will need to be unlocked by using the recovery key. The encrypted hard disk can be unlocked by a data recovery agent (if one was configured) or it can be unlocked by using the recovery key.
- - question: Why is **Turn BitLocker on** not available when I right-click a drive?
+ - question: Why isn't the "Turn BitLocker on" option available when I right-click a drive?
answer: Some drives can't be encrypted with BitLocker. Reasons a drive can't be encrypted include insufficient disk size, an incompatible file system, if the drive is a dynamic disk, or a drive is designated as the system partition. By default, the system drive (or system partition) is hidden from display. However, if it isn't created as a hidden drive when the operating system was installed due to a custom installation process, that drive might be displayed but can't be encrypted.
- question: What type of disk configurations are supported by BitLocker?
answer: Any number of internal, fixed data drives can be protected with BitLocker. On some versions ATA and SATA-based, direct-attached storage devices are also supported.
- name: Key Management
- questions:
+ questions:
- question: How can I authenticate or unlock my removable data drive?
answer: |
- Removable data drives can be unlocked using a password or a smart card. An SID protector can also be configured to unlock a drive by using user domain credentials. After encryption has started, the drive can also be automatically unlocked on a specific computer for a specific user account. System administrators can configure which options are available for users including password complexity and minimum length requirements. To unlock by using a SID protector, use `manage-bde.exe`:
+ Removable data drives can be unlocked using a password or a smart card. A SID protector can also be configured to unlock a drive by using user domain credentials. After encryption has started, the drive can also be automatically unlocked on a specific computer for a specific user account. System administrators can configure which options are available for users including password complexity and minimum length requirements. To unlock by using a SID protector, use `manage-bde.exe`:
```cmd
- Manage-bde.exe -protectors -add e: -sid domain\username
+ Manage-bde.exe -protectors -add e: -sid domain\username
```
- - question: What is the difference between a recovery password, recovery key, PIN, enhanced PIN, and startup key?
+ - question: What is the difference between a TPM owner password, recovery password, recovery key, PIN, enhanced PIN, and startup key?
answer: |
- For tables that list and describe elements such as a recovery password, recovery key, and PIN, see [BitLocker key protectors](prepare-your-organization-for-bitlocker-planning-and-policies.md#bitlocker-key-protectors) and [BitLocker authentication methods](prepare-your-organization-for-bitlocker-planning-and-policies.md#bitlocker-authentication-methods).
+ There are multiple keys that can be generated and used by BitLocker. Some keys are required and some are optional protectors you can choose to use depending on the level of security you require.
+
+ **TPM owner password**
+
+ Prior to enabling BitLocker on a computer with a TPM version 1.2, you must initialize the TPM. The initialization process generates a TPM owner password, which is a password set on the TPM. You must be able to supply the TPM owner password to change the state of the TPM, such as when enabling or disabling the TPM or resetting the TPM lockout.
+
+ **Recovery password and recovery key**
+
+ When you set up BitLocker, you must choose how access to BitLocker-protected drives can be recovered in the event that the specified unlock method cannot be used (such as if the TPM cannot validate the boot components, the personal identification number (PIN) is forgotten, or the password is forgotten). In these situations, you must be able to supply either the recovery key or the recovery password to unlock the encrypted data on the drive. When you supply the recovery information, you can use either of the following formats:
+
+ - A recovery password consisting of 48 digits divided into eight groups. During recovery, you need to type this password into the BitLocker recovery console by using the function keys on your keyboard
+ - A key file on a USB flash drive that is read directly by the BitLocker recovery console. During recovery, you need to insert this USB device
+
+ **PIN and enhanced PIN**
+ For a higher level of security with the TPM, you can configure BitLocker with a personal identification number (PIN). The PIN is a user-created value that must be entered each time the computer starts or resumes from hibernation. The PIN can consist of 4 to 20 digits as specified by the *Configure minimum PIN length for startup* policy setting and is stored internally as a 256-bit hash of the entered Unicode characters. This value is never displayed to the user. The PIN is used to provide another factor of authentication in conjunction with TPM authentication.\
+ For an even higher level of security with the TPM, you can configure BitLocker to use enhanced PINs. Enhanced PINs are PINs that use the full keyboard character set in addition to the numeric set to allow for more possible PIN combinations and are between 4 and 20 characters in length. To use enhanced PINs, you must enable the *Allow enhanced PINs for startup* policy setting before adding the PIN to the drive. By enabling this policy, all PINs created can utilize full keyboard characters.
+
+ **Startup key**
+
+ Configuring a startup key is another method to enable a higher level of security with the TPM. The startup key is a key stored on a USB flash drive, and the USB flash drive must be inserted every time the computer starts. The startup key is used to provide another factor of authentication in conjunction with TPM authentication. To use a USB flash drive as a startup key, the USB flash drive must be formatted by using the NTFS, FAT, or FAT32 file system.
+
+ >[!IMPORTANT]
+ > You must have a startup key to use BitLocker on a non-TPM computer.
+
- question: How can the recovery password and recovery key be stored?
answer: |
The recovery password and recovery key for an operating system drive or a fixed data drive can be saved to a folder, saved to one or more USB devices, saved to a Microsoft Account, or printed.
For removable data drives, the recovery password and recovery key can be saved to a folder, saved to a Microsoft Account, or printed. By default, a recovery key for a removable drive can't be stored on a removable drive.
- A domain administrator can also configure Group Policy to automatically generate recovery passwords and store them in Active Directory Domain Services (AD DS) for any BitLocker-protected drive.
+ A domain administrator can also configure policy settings to automatically generate recovery passwords and store them in Active Directory Domain Services (AD DS) or Microsoft Entra ID for any BitLocker-protected drive.
- question: Is it possible to add an additional method of authentication without decrypting the drive if I only have the TPM authentication method enabled?
answer: |
- The `Manage-bde.exe` command-line tool can be used to replace TPM-only authentication mode with a multifactor authentication mode. For example, if BitLocker is enabled with TPM authentication only and PIN authentication needs to be added, use the following commands from an elevated command prompt, replacing *4-20 digit numeric PIN* with the desired numeric PIN:
+ The `Manage-bde.exe` command-line tool can be used to replace TPM-only authentication mode with a multifactor authentication mode. For example, if BitLocker is enabled with TPM authentication only and PIN authentication needs to be added, use the following commands from an elevated Command Prompt, replacing *4-20 digit numeric PIN* with the desired numeric PIN:
```cmd
manage-bde.exe -protectors -delete %systemdrive% -type tpm
-
+
manage-bde.exe -protectors -add %systemdrive% -tpmandpin <4-20 digit numeric PIN>
```
-
-
+
- question: When should an additional method of authentication be considered?
answer: |
New hardware that meets [Windows Hardware Compatibility Program](/windows-hardware/design/compatibility/) requirements make a PIN less critical as a mitigation, and having a TPM-only protector is likely sufficient when combined with policies like device lockout. For example, Surface Pro and Surface Book don't have external DMA ports to attack.
- For older hardware, where a PIN may be needed, it's recommended to enable [enhanced PINs](bitlocker-group-policy-settings.md#allow-enhanced-pins-for-startup) that allow non-numeric characters such as letters and punctuation marks, and to set the PIN length based on the risk tolerance and the hardware anti-hammering capabilities available to the TPMs on the computers.
+ For older hardware, where a PIN may be needed, it's recommended to enable [enhanced PINs](configure.md) that allow non-numeric characters such as letters and punctuation marks, and to set the PIN length based on the risk tolerance and the hardware anti-hammering capabilities available to the TPMs on the computers.
- question: If I lose my recovery information, will the BitLocker-protected data be unrecoverable?
answer: |
BitLocker is designed to make the encrypted drive unrecoverable without the required authentication. When in recovery mode, the user needs the recovery password or recovery key to unlock the encrypted drive.
> [!IMPORTANT]
- > Store the recovery information in AD DS, along with in a Microsoft Account, or another safe location.
-
+ > Store the recovery information in Microsoft Entra ID, AD DS, Microsoft Account, or another safe location.
+
- question: Can the USB flash drive that is used as the startup key also be used to store the recovery key?
answer: While using a USB flash drive as both the startup key and for storage of the recovery key is technically possible, it isn't a best practice to use one USB flash drive to store both keys. If the USB flash drive that contains the startup key is lost or stolen, the recovery key will also be lost. In addition, inserting this key would cause the computer to automatically boot from the recovery key even if TPM-measured files have changed, which circumvents the TPM's system integrity check.
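Review bot: The new **PIN and enhanced PIN** heading is not followed by a blank line, unlike the **TPM owner password**, **Recovery password and recovery key** and **Startup key** headings in the same answer, and its first paragraph ends in a trailing backslash line break where the other subsections use blank lines; make the four subsections consistent so they render the same. The new TPM owner password paragraph is scoped to "a computer with a TPM version 1.2" while the first hunk of this diff removes the "TPM version 1.2 or higher" qualifier elsewhere in the FAQ; confirm the 1.2-specific initialization guidance is still intended. In the TPM-to-TPM+PIN example, `manage-bde.exe -protectors -delete %systemdrive% -type tpm` runs before `manage-bde.exe -protectors -add %systemdrive% -tpmandpin`, so between the two commands the drive has no TPM-bound protector; the answer should state that a recovery password protector must already exist before running them, consistent with the IMPORTANT note later in this hunk about storing recovery information.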
@@ -247,7 +240,7 @@ sections:
It's possible that a personal identification number (PIN) can be discovered by an attacker performing a brute force attack. A brute force attack occurs when an attacker uses an automated tool to try different PIN combinations until the correct one is discovered. For BitLocker-protected computers, this type of attack, also known as a dictionary attack, requires that the attacker has physical access to the computer.
The TPM has the built-in ability to detect and react to these types of attacks. Because different manufacturers' TPMs may support different PIN and attack mitigations, contact the TPM's manufacturer to determine how the computer's TPM mitigates PIN brute force attacks.
- After the TPM's manufacturer has been determined, contact the manufacturer to gather the TPM's vendor-specific information. Most manufacturers use the PIN authentication failure count to exponentially increase lockout time to the PIN interface. However, each manufacturer has different policies regarding when and how the failure counter is decreased or reset.
+ After the TPM's manufacturer is determined, contact the manufacturer to gather the TPM's vendor-specific information. Most manufacturers use the PIN authentication failure count to exponentially increase lockout time to the PIN interface. However, each manufacturer has different policies regarding when and how the failure counter is decreased or reset.
- question: How can I determine the manufacturer of my TPM?
answer: The TPM manufacturer can be determined in **Windows Defender Security Center** > **Device Security** > **Security processor details**.
@@ -260,11 +253,15 @@ sections:
- What is the algorithm for determining the duration of a lockout based on the number of failed attempts and any other relevant parameters?
- What actions can cause the failure count and lockout duration to be decreased or reset?
- - question: Can PIN length and complexity be managed with Group Policy?
+ - question: Can PIN length and complexity be managed with policy settings?
answer: |
- Yes and No. The minimum personal identification number (PIN) length can be configured by using the **Configure minimum PIN length for startup** Group Policy setting and allow the use of alphanumeric PINs by enabling the **Allow enhanced PINs for startup** Group Policy setting. However, PIN complexity can't be required via Group Policy.
+ The minimum personal identification number (PIN) length can be configured by using the **Configure minimum PIN length for startup** Group Policy setting and allow the use of alphanumeric PINs by enabling the **Allow enhanced PINs for startup** policy setting. PIN complexity can't be required via policy settings.
- For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
+ For more info, see [BitLocker policy settings](configure.md).
+
+ - question: How are the PIN and TPM used to derive the volume master key?
+ answer: |
+ BitLocker hashes the user-specified personal identification number (PIN) by using SHA-256, and the first 160 bits of the hash are used as authorization data sent to the TPM to seal the volume master key. The volume master key is now protected by both the TPM and the PIN. To unseal the volume master key, you are required to enter the PIN each time the computer restarts or resumes from hibernation.
- name: BitLocker To Go
questions:
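Review bot: "can be configured by using the **Configure minimum PIN length for startup** Group Policy setting and allow the use of alphanumeric PINs" does not parse, because "allow" has no subject. Suggest "The minimum PIN length can be configured with the **Configure minimum PIN length for startup** policy setting, and alphanumeric PINs can be allowed by enabling the **Allow enhanced PINs for startup** policy setting." The same sentence still says "Group Policy setting" for the first setting while the rest of this edit replaces "Group Policy" with "policy settings"; align the terminology. In the new volume master key answer, "you are required to enter the PIN" should follow the FAQ's "you must" phrasing, and the statement that "the first 160 bits of the hash are used as authorization data" should be tied back to the earlier "stored internally as a 256-bit hash" sentence so a reader sees both describe the same SHA-256 hash.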
@@ -288,34 +285,23 @@ sections:
answer: |
Stored information | Description
-------------------|------------
- Hash of the TPM owner password | Beginning with Windows 10, the password hash isn't stored in AD DS by default. The password hash can be stored only if the TPM is owned and the ownership was taken by using components of Windows 8.1 or earlier, such as the BitLocker Setup Wizard or the TPM snap-in.
BitLocker recovery password | The recovery password allows unlocking of and access to the drive after a recovery incident. Domain administrators can view the BitLocker recovery password by using the BitLocker Recovery Password Viewer. For more information about this tool, see [BitLocker: Use BitLocker Recovery Password Viewer](bitlocker-use-bitlocker-recovery-password-viewer.md).
BitLocker key package | The key package helps to repair damage to the hard disk that would otherwise prevent standard recovery. Using the key package for recovery requires the BitLocker Repair Tool, `Repair-bde`.
- question: |
- What if BitLocker is enabled on a computer before the computer has joined the domain?
+ What if BitLocker is enabled on a computer before the computer joins the domain?
answer: |
- If BitLocker is enabled on a drive before Group Policy has been applied to enforce a backup, the recovery information won't be automatically backed up to AD DS when the computer joins the domain or when Group Policy is subsequently applied. However, the Group Policy settings **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed drives can be recovered**, and **Choose how BitLocker-protected removable drives can be recovered** can be chosen to require the computer to be connected to a domain before BitLocker can be enabled to help ensure that recovery information for BitLocker-protected drives in the organization is backed up to AD DS.
+ If BitLocker is enabled on a drive before policy settings are applied to enforce a backup, the recovery information won't be automatically backed up to AD DS when the computer joins the domain or when the policy settings are subsequently applied. However, the policy settings **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed drives can be recovered**, and **Choose how BitLocker-protected removable drives can be recovered** can be chosen to require the computer to be connected to a domain before BitLocker can be enabled to help ensure that recovery information for BitLocker-protected drives in the organization is backed up to AD DS.
- For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
-
- The BitLocker Windows Management Instrumentation (WMI) interface does allow administrators to write a script to back up or synchronize an online client's existing recovery information. However, BitLocker doesn't automatically manage this process. The `manage-bde.exe` command-line tool can also be used to manually back up recovery information to AD DS. For example, to back up all of the recovery information for the `$env:SystemDrive` to AD DS, the following command script can be used from an elevated command prompt:
-
- ```powershell
- $BitLocker = Get-BitLockerVolume -MountPoint $env:SystemDrive
- $RecoveryProtector = $BitLocker.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
-
- Backup-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $RecoveryProtector.KeyProtectorID
- BackupToAAD-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $RecoveryProtector.KeyProtectorID
- ```
+ For more information how to back up the recovery password to AD DS or Microsoft Entra ID, review the [BitLocker operations guide](operations-guide.md).
> [!IMPORTANT]
- > Joining a computer to the domain should be the first step for new computers within an organization. After computers are joined to a domain, storing the BitLocker recovery key to AD DS is automatic (when enabled in Group Policy).
+ > Joining a computer to the domain should be the first step for new computers within an organization. After computers are joined to a domain, storing the BitLocker recovery key to AD DS is automatic (when enabled with policy settings).
- question: |
- Is there an event log entry recorded on the client computer to indicate the success or failure of the Active Directory backup?
+ Is there an event log entry recorded on the client computer to indicate the success or failure of the Microsoft Entra ID or Active Directory backup?
answer: |
- Yes, an event log entry that indicates the success or failure of an Active Directory backup is recorded on the client computer. However, even if an event log entry says "Success," the information could have been subsequently removed from AD DS, or BitLocker could have been reconfigured in such a way that the Active Directory information can no longer unlock the drive (such as by removing the recovery password key protector). In addition, it's also possible that the log entry could be spoofed.
+ Yes, an event log entry that indicates the success or failure of a backup is recorded on the client computer. However, even if an event log entry says "Success," the information could have been subsequently removed from AD DS, or BitLocker could have been reconfigured in such a way that the Active Directory information can no longer unlock the drive (such as by removing the recovery password key protector). In addition, it's also possible that the log entry could be spoofed.
Ultimately, determining whether a legitimate backup exists in AD DS requires querying AD DS with domain administrator credentials by using the BitLocker password viewer tool.
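Review bot: The rewritten question now asks about "the Microsoft Entra ID or Active Directory backup", but the answer's closing sentence still only tells the reader how to verify an AD DS backup (querying AD DS with domain administrator credentials and the BitLocker password viewer); either add the Microsoft Entra ID verification path or point the reader to the BitLocker operations guide that the earlier `+` line already links for the Entra ID case. The middle of the answer also still says "the Active Directory information can no longer unlock the drive", which reads oddly once Entra ID is in scope; "the backed-up recovery information" would cover both.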
@@ -329,28 +315,28 @@ sections:
answer: |
If the backup initially fails, such as when a domain controller is unreachable at the time when the BitLocker setup wizard is run, BitLocker doesn't try again to back up the recovery information to AD DS.
- When an administrator selects the **Require BitLocker backup to AD DS** check box of the **Store BitLocker recovery information in Active Directory Domain Service (Windows 2008 and Windows Vista)** policy setting, or the equivalent **Do not enable BitLocker until recovery information is stored in AD DS for (operating system | fixed data | removable data) drives** check box in any of the **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed data drives can be recovered**, and **Choose how BitLocker-protected removable data drives can be recovered** policy settings, users can't enable BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. With these settings configured if the backup fails, BitLocker can't be enabled, ensuring that administrators will be able to recover BitLocker-protected drives in the organization.
+ When an administrator selects the **Do not enable BitLocker until recovery information is stored in AD DS for (operating system | fixed data | removable data) drives** check box in any of the **Choose how BitLocker-protected operating system drives can be recovered**, **Choose how BitLocker-protected fixed data drives can be recovered**, and **Choose how BitLocker-protected removable data drives can be recovered** policy settings, users can't enable BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. With these settings configured if the backup fails, BitLocker can't be enabled, ensuring that administrators will be able to recover BitLocker-protected drives in the organization.
- For more info, see [BitLocker Group Policy settings](bitlocker-group-policy-settings.md).
+ For more info, see [BitLocker policy settings](configure.md).
- When an administrator clears these check boxes, the administrator is allowing a drive to be BitLocker-protected without having the recovery information successfully backed up to AD DS; however, BitLocker won't automatically retry the backup if it fails. Instead, administrators can create a backup script, as described earlier in [What if BitLocker is enabled on a computer before the computer has joined the domain?](#what-if-bitlocker-is-enabled-on-a-computer-before-the-computer-has-joined-the-domain-) to capture the information after connectivity is restored.
+ When an administrator clears these check boxes, the administrator is allowing a drive to be BitLocker-protected without having the recovery information successfully backed up to AD DS; however, BitLocker won't automatically retry the backup if it fails. Instead, administrators can create a backup script, as described earlier in [What if BitLocker is enabled on a computer before the computer joins the domain?](#what-if-bitlocker-is-enabled-on-a-computer-before-the-computer-joins-the-domain-) to capture the information after connectivity is restored.
- name: Security
questions:
- question: |
What form of encryption does BitLocker use? Is it configurable?
answer: |
- BitLocker uses Advanced Encryption Standard (AES) as its encryption algorithm with configurable key lengths of 128 bits or 256 bits. The default encryption setting is AES-128, but the options are configurable by using Group Policy.
+ BitLocker uses Advanced Encryption Standard (AES) as its encryption algorithm with configurable key lengths of 128 bits or 256 bits. The default encryption setting is AES-128, but the options are configurable by using policy settings.
- question: |
What is the best practice for using BitLocker on an operating system drive?
answer: |
- The recommended practice for BitLocker configuration on an operating system drive is to implement BitLocker on a computer with a TPM version 1.2 or higher, and a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware implementation, along with a PIN. By requiring a PIN that was set by the user in addition to the TPM validation, a malicious user that has physical access to the computer can't start the computer.
+ The recommended practice for BitLocker configuration on an operating system drive is to implement BitLocker on a computer with a TPM version 1.2 or higher.
- question: |
What are the implications of using the sleep or hibernate power management options?
answer: |
- BitLocker on operating system drives in its basic configuration (with a TPM but without other startup authentication) provides extra security for the hibernate mode. However, BitLocker provides greater security when it's configured to use another startup authentication factor (TPM+PIN, TPM+USB, or TPM+PIN+USB) with the hibernate mode. This method is more secure because returning from hibernation requires authentication. In sleep mode, the computer is vulnerable to direct memory access attacks, since unprotected data remains in RAM. Therefore, for improved security, it's recommended to disable sleep mode and to use TPM+PIN for the authentication method. Startup authentication can be configured by using [Group Policy](./bitlocker-group-policy-settings.md) or Mobile Device Management with the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp).
+ BitLocker on operating system drives in its basic configuration provides extra security for the hibernate mode. In sleep mode, the computer is vulnerable to direct memory access attacks, since unprotected data remains in RAM. Therefore, for improved security, it's recommended to disable sleep mode. Startup authentication can be configured by using a [policy setting](configure.md).
- question: |
What are the advantages of a TPM?
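Review bot: The `+` line "Instead, administrators can create a backup script, as described earlier in [What if BitLocker is enabled ... before the computer joins the domain?]" now points at an answer whose script example is removed in this same change (it was replaced by a link to the operations guide), so the cross-reference no longer describes any script; reword to "administrators can back up the recovery information manually, as described in the BitLocker operations guide" or keep a minimal example in the referenced answer. Separately, the shortened best-practice and sleep/hibernate answers drop the startup PIN guidance without replacement: "BitLocker ... in its basic configuration" is now undefined because the parenthetical "(with a TPM but without other startup authentication)" was deleted, and the reader is no longer told that requiring a PIN is what makes resuming from hibernation require authentication. If the intent is to defer to configure.md, say so in the answer rather than leaving "disable sleep mode" as the only recommendation.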
@@ -363,9 +349,9 @@ sections:
- name: Network Unlock
questions:
- question: |
- BitLocker Network Unlock FAQ
+ What is BitLocker Network Unlock?
answer: |
- BitLocker Network Unlock enables easier management for BitLocker-enabled desktops and servers that use the TPM+PIN protection method in a domain environment. When a computer that is connected to a wired corporate network is rebooted, Network Unlock allows the PIN entry prompt to be bypassed. It automatically unlocks BitLocker-protected operating system volumes by using a trusted key that is provided by the Windows Deployment Services server as its secondary authentication method.
+ BitLocker Network Unlock enables easier management for BitLocker-enabled clients and servers that use the TPM+PIN protection method in a domain environment. When a computer that is connected to a wired corporate network is rebooted, Network Unlock allows the PIN entry prompt to be bypassed. It automatically unlocks BitLocker-protected operating system volumes by using a trusted key that is provided by the Windows Deployment Services server as its secondary authentication method.
To use Network Unlock, a PIN must be configured for the computer. When the computer isn't connected to the network, a PIN will need to be provided to unlock it.
@@ -373,7 +359,7 @@ sections:
Network Unlock uses two protectors - the TPM protector and the protector provided by the network or by the PIN. Automatic unlock uses a single protector - the one stored in the TPM. If the computer is joined to a network without the key protector, it will prompt to enter a PIN. If the PIN isn't available, the recovery key will need to be used to unlock the computer if it can't be connected to the network.
- For more info, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md).
+ For more info, see [BitLocker: How to enable Network Unlock](network-unlock.md).
- name: Use BitLocker with other programs
questions:
@@ -412,13 +398,13 @@ sections:
answer: |
The system check is designed to ensure the computer's BIOS or UEFI firmware is compatible with BitLocker and that the TPM is working correctly. The system check can fail for several reasons:
- - The computer's BIOS or UEFI firmware can't read USB flash drives.
- - The computer's BIOS, uEFI firmware, or boot menu doesn't have reading USB flash drives enabled.
- - There are multiple USB flash drives inserted into the computer.
- - The PIN wasn't entered correctly.
- - The computer's BIOS or UEFI firmware only supports using the function keys (F1-F10) to enter numerals in the pre-boot environment.
- - The startup key was removed before the computer finished rebooting.
- - The TPM has malfunctioned and fails to unseal the keys.
+ - The computer's BIOS or UEFI firmware can't read USB flash drives
+ - The computer's BIOS, uEFI firmware, or boot menu doesn't have reading USB flash drives enabled
+ - There are multiple USB flash drives inserted into the computer
+ - The PIN wasn't entered correctly
+ - The computer's BIOS or UEFI firmware only supports using the function keys (F1-F10) to enter numerals in the pre-boot environment
+ - The startup key was removed before the computer finished rebooting
+ - The TPM has malfunctioned and fails to unseal the keys
- question: |
What can I do if the recovery key on my USB flash drive can't be read?
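Review bot: The second item of the reformatted list keeps the inconsistent casing "uEFI firmware" while every other item in the list writes "UEFI"; since these lines are being rewritten anyway, change it to "UEFI". Dropping the trailing periods is fine given the colon-terminated lead sentence, as long as the same convention is applied to the other bulleted lists in this file.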
@@ -466,11 +452,11 @@ sections:
answer: |
BitLocker should work like any specific physical machine within its hardware limitations as long as the environment (physical or virtual) meets Windows Operating System requirements to run.
- With TPM: Yes, it's supported.
- - Without TPM: Yes, it's supported (with password protector).
+ - Without TPM: Yes, it's supported (with password protector).
- BitLocker is also supported on data volume VHDs, such as those used by clusters, if running Windows 10, Windows 8.1, Windows 8, Windows Server 2016, Windows Server 2012 R2, or Windows Server 2012.
+ BitLocker is also supported on data volume VHDs, such as those used by clusters.
- question: |
Can I use BitLocker with virtual machines (VMs)?
answer: |
- Yes. Password protectors and virtual TPMs can be used with BitLocker to protect virtual machines. VMs can be domain joined, Microsoft Entra joined, or workplace-joined (via **Settings** > **Accounts** > **Access work or school** > **Connect**) to receive policy. Encryption can be enabled either while creating the VM or by using other existing management tools such as the BitLocker CSP, or even by using a startup script or sign-in script delivered by Group Policy. Windows Server 2016 also supports [Shielded VMs and guarded fabric](/windows-server/virtualization/guarded-fabric-shielded-vm/guarded-fabric-and-shielded-vms-top-node) to protect VMs from malicious administrators.
+ Yes, BitLocker can be used with virtual machines (VMs) if the environment meets BitLocker's hardware and software requirements.
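Review bot: The new VM answer removes the only actionable content of the old one, namely which key protectors work in a VM (password protector or virtual TPM) and how a VM receives policy (domain joined, Microsoft Entra joined, or workplace joined); "meets BitLocker's hardware and software requirements" does not tell the reader whether a VM without a virtual TPM can be protected, even though the preceding list says "Without TPM: Yes, it's supported (with password protector)". Suggest keeping one sentence such as "Use a virtual TPM where the hypervisor provides one, otherwise a password protector". If the Shielded VMs and guarded fabric link is being dropped deliberately for scope, note that in the PR description. Also, the `-`/`+` pair for "Without TPM: Yes, it's supported (with password protector)." appears to be a whitespace-only change; confirm it is not an accidental trailing-space edit.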
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/images/bitlockernetworkunlocksequence.png b/windows/security/operating-system-security/data-protection/bitlocker/images/bitlockernetworkunlocksequence.png
deleted file mode 100644
index fe459be8e0..0000000000
Binary files a/windows/security/operating-system-security/data-protection/bitlocker/images/bitlockernetworkunlocksequence.png and /dev/null differ
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/images/bl-intune-custom-url.png b/windows/security/operating-system-security/data-protection/bitlocker/images/bl-intune-custom-url.png
deleted file mode 100644
index a563d3153f..0000000000
Binary files a/windows/security/operating-system-security/data-protection/bitlocker/images/bl-intune-custom-url.png and /dev/null differ
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/images/bl-narrator.png b/windows/security/operating-system-security/data-protection/bitlocker/images/bl-narrator.png
deleted file mode 100644
index 223d0bc3b6..0000000000
Binary files a/windows/security/operating-system-security/data-protection/bitlocker/images/bl-narrator.png and /dev/null differ
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/images/bl-password-hint1.png b/windows/security/operating-system-security/data-protection/bitlocker/images/bl-password-hint1.png
deleted file mode 100644
index 864e84c6e9..0000000000
Binary files a/windows/security/operating-system-security/data-protection/bitlocker/images/bl-password-hint1.png and /dev/null differ
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/images/bl-password-hint2.png b/windows/security/operating-system-security/data-protection/bitlocker/images/bl-password-hint2.png
deleted file mode 100644
index 01a5f08c42..0000000000
Binary files a/windows/security/operating-system-security/data-protection/bitlocker/images/bl-password-hint2.png and /dev/null differ
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/images/cmd.svg b/windows/security/operating-system-security/data-protection/bitlocker/images/cmd.svg
new file mode 100644
index 0000000000..0cddf31701
--- /dev/null
+++ b/windows/security/operating-system-security/data-protection/bitlocker/images/cmd.svg
@@ -0,0 +1,9 @@
+
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/images/controlpanel.svg b/windows/security/operating-system-security/data-protection/bitlocker/images/controlpanel.svg
new file mode 100644
index 0000000000..3f526ed38d
--- /dev/null
+++ b/windows/security/operating-system-security/data-protection/bitlocker/images/controlpanel.svg
@@ -0,0 +1,9 @@
+
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/images/drive.svg b/windows/security/operating-system-security/data-protection/bitlocker/images/drive.svg
new file mode 100644
index 0000000000..fdd0ac46fd
--- /dev/null
+++ b/windows/security/operating-system-security/data-protection/bitlocker/images/drive.svg
@@ -0,0 +1,75 @@
+
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/images/kernel-dma-protection.png b/windows/security/operating-system-security/data-protection/bitlocker/images/kernel-dma-protection.png
deleted file mode 100644
index 297809afdc..0000000000
Binary files a/windows/security/operating-system-security/data-protection/bitlocker/images/kernel-dma-protection.png and /dev/null differ
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/images/locked-drive.svg b/windows/security/operating-system-security/data-protection/bitlocker/images/locked-drive.svg
new file mode 100644
index 0000000000..9c1d764581
--- /dev/null
+++ b/windows/security/operating-system-security/data-protection/bitlocker/images/locked-drive.svg
@@ -0,0 +1,351 @@
+
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/images/manage-bde-status.png b/windows/security/operating-system-security/data-protection/bitlocker/images/manage-bde-status.png
deleted file mode 100644
index 321b1fa052..0000000000
Binary files a/windows/security/operating-system-security/data-protection/bitlocker/images/manage-bde-status.png and /dev/null differ
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/images/network-unlock-diagram.png b/windows/security/operating-system-security/data-protection/bitlocker/images/network-unlock-diagram.png
new file mode 100644
index 0000000000..f158bc4c67
Binary files /dev/null and b/windows/security/operating-system-security/data-protection/bitlocker/images/network-unlock-diagram.png differ
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/images/os-drive.svg b/windows/security/operating-system-security/data-protection/bitlocker/images/os-drive.svg
new file mode 100644
index 0000000000..4b4f7f766f
--- /dev/null
+++ b/windows/security/operating-system-security/data-protection/bitlocker/images/os-drive.svg
@@ -0,0 +1,129 @@
+
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/images/powershell.svg b/windows/security/operating-system-security/data-protection/bitlocker/images/powershell.svg
new file mode 100644
index 0000000000..f70257047f
--- /dev/null
+++ b/windows/security/operating-system-security/data-protection/bitlocker/images/powershell.svg
@@ -0,0 +1,9 @@
+
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/images/pre-boot-authentication-group-policy.png b/windows/security/operating-system-security/data-protection/bitlocker/images/pre-boot-authentication-group-policy.png
deleted file mode 100644
index 94d0720c76..0000000000
Binary files a/windows/security/operating-system-security/data-protection/bitlocker/images/pre-boot-authentication-group-policy.png and /dev/null differ
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/images/preboot-password.png b/windows/security/operating-system-security/data-protection/bitlocker/images/preboot-password.png
new file mode 100644
index 0000000000..9115227ef0
Binary files /dev/null and b/windows/security/operating-system-security/data-protection/bitlocker/images/preboot-password.png differ
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/images/preboot-pin.png b/windows/security/operating-system-security/data-protection/bitlocker/images/preboot-pin.png
new file mode 100644
index 0000000000..45ad90684c
Binary files /dev/null and b/windows/security/operating-system-security/data-protection/bitlocker/images/preboot-pin.png differ
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/images/preboot-recovery-custom-message.png b/windows/security/operating-system-security/data-protection/bitlocker/images/preboot-recovery-custom-message.png
new file mode 100644
index 0000000000..b1e915eb1f
Binary files /dev/null and b/windows/security/operating-system-security/data-protection/bitlocker/images/preboot-recovery-custom-message.png differ
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/images/preboot-recovery-custom-url-single-backup.png b/windows/security/operating-system-security/data-protection/bitlocker/images/preboot-recovery-custom-url-single-backup.png
new file mode 100644
index 0000000000..31006f4dd9
Binary files /dev/null and b/windows/security/operating-system-security/data-protection/bitlocker/images/preboot-recovery-custom-url-single-backup.png differ
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/images/preboot-recovery-custom-url.png b/windows/security/operating-system-security/data-protection/bitlocker/images/preboot-recovery-custom-url.png
new file mode 100644
index 0000000000..a9278ab408
Binary files /dev/null and b/windows/security/operating-system-security/data-protection/bitlocker/images/preboot-recovery-custom-url.png differ
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/images/preboot-recovery-hint.png b/windows/security/operating-system-security/data-protection/bitlocker/images/preboot-recovery-hint.png
new file mode 100644
index 0000000000..accaf93bcd
Binary files /dev/null and b/windows/security/operating-system-security/data-protection/bitlocker/images/preboot-recovery-hint.png differ
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/images/preboot-recovery-key.png b/windows/security/operating-system-security/data-protection/bitlocker/images/preboot-recovery-key.png
new file mode 100644
index 0000000000..7c07a09892
Binary files /dev/null and b/windows/security/operating-system-security/data-protection/bitlocker/images/preboot-recovery-key.png differ
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/images/preboot-recovery-multiple-backups.png b/windows/security/operating-system-security/data-protection/bitlocker/images/preboot-recovery-multiple-backups.png
new file mode 100644
index 0000000000..a57f22d76d
Binary files /dev/null and b/windows/security/operating-system-security/data-protection/bitlocker/images/preboot-recovery-multiple-backups.png differ
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/images/preboot-recovery-multiple-passwords-multiple-backups.png b/windows/security/operating-system-security/data-protection/bitlocker/images/preboot-recovery-multiple-passwords-multiple-backups.png
new file mode 100644
index 0000000000..10229caf37
Binary files /dev/null and b/windows/security/operating-system-security/data-protection/bitlocker/images/preboot-recovery-multiple-passwords-multiple-backups.png differ
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/images/preboot-recovery.png b/windows/security/operating-system-security/data-protection/bitlocker/images/preboot-recovery.png
new file mode 100644
index 0000000000..bb19b32966
Binary files /dev/null and b/windows/security/operating-system-security/data-protection/bitlocker/images/preboot-recovery.png differ
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/images/preboot-startup-key.png b/windows/security/operating-system-security/data-protection/bitlocker/images/preboot-startup-key.png
new file mode 100644
index 0000000000..4bf99844c2
Binary files /dev/null and b/windows/security/operating-system-security/data-protection/bitlocker/images/preboot-startup-key.png differ
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/images/rp-example1.png b/windows/security/operating-system-security/data-protection/bitlocker/images/rp-example1.png
deleted file mode 100644
index 1c9b7bc560..0000000000
Binary files a/windows/security/operating-system-security/data-protection/bitlocker/images/rp-example1.png and /dev/null differ
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/images/rp-example2.png b/windows/security/operating-system-security/data-protection/bitlocker/images/rp-example2.png
deleted file mode 100644
index eee52f9c54..0000000000
Binary files a/windows/security/operating-system-security/data-protection/bitlocker/images/rp-example2.png and /dev/null differ
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/images/rp-example3.png b/windows/security/operating-system-security/data-protection/bitlocker/images/rp-example3.png
deleted file mode 100644
index ed1158c2a1..0000000000
Binary files a/windows/security/operating-system-security/data-protection/bitlocker/images/rp-example3.png and /dev/null differ
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/images/rp-example4.png b/windows/security/operating-system-security/data-protection/bitlocker/images/rp-example4.png
deleted file mode 100644
index 8cd88812bc..0000000000
Binary files a/windows/security/operating-system-security/data-protection/bitlocker/images/rp-example4.png and /dev/null differ
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/images/rp-example5.png b/windows/security/operating-system-security/data-protection/bitlocker/images/rp-example5.png
deleted file mode 100644
index 7a588bdd67..0000000000
Binary files a/windows/security/operating-system-security/data-protection/bitlocker/images/rp-example5.png and /dev/null differ
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/images/settings-device-encryption.png b/windows/security/operating-system-security/data-protection/bitlocker/images/settings-device-encryption.png
new file mode 100644
index 0000000000..67da6f68d1
Binary files /dev/null and b/windows/security/operating-system-security/data-protection/bitlocker/images/settings-device-encryption.png differ
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/images/unlocked-drive.svg b/windows/security/operating-system-security/data-protection/bitlocker/images/unlocked-drive.svg
new file mode 100644
index 0000000000..94f06bf78b
--- /dev/null
+++ b/windows/security/operating-system-security/data-protection/bitlocker/images/unlocked-drive.svg
@@ -0,0 +1,125 @@
+
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/includes/allow-devices-compliant-with-instantgo-or-hsti-to-opt-out-of-pre-boot-pin.md b/windows/security/operating-system-security/data-protection/bitlocker/includes/allow-devices-compliant-with-instantgo-or-hsti-to-opt-out-of-pre-boot-pin.md
new file mode 100644
index 0000000000..522ed7d429
--- /dev/null
+++ b/windows/security/operating-system-security/data-protection/bitlocker/includes/allow-devices-compliant-with-instantgo-or-hsti-to-opt-out-of-pre-boot-pin.md
@@ -0,0 +1,21 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 10/30/2023
+ms.topic: include
+---
+
+
+### Allow devices compliant with InstantGo or HSTI to opt out of preboot PIN
+
+This policy setting allows users on devices that are compliant with InstantGo or Microsoft Hardware Security Test Interface (HSTI) to not have a PIN for preboot authentication.
+
+The policy overrides the *Require startup PIN with TPM* and *Require startup key and PIN with TPM* options of the [*Require additional authentication at startup*](#require-additional-authentication-at-startup) policy on compliant hardware.
+
+- If you enable this policy setting, users on InstantGo and HSTI compliant devices can turn on BitLocker without preboot authentication
+- If the policy is disabled or not configured, the options of [*Require additional authentication at startup*](#require-additional-authentication-at-startup) policy apply
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/BitLocker/`[SystemDrivesEnablePreBootPinExceptionOnDECapableDevice](/windows/client-management/mdm/bitlocker-csp#systemdrivesenableprebootpinexceptionondecapabledevice) |
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** |
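Review bot: The two in-page anchors `[*Require additional authentication at startup*](#require-additional-authentication-at-startup)` only resolve when this include is rendered inside the page that defines that heading, whereas the Secure Boot include added in this same PR links to sibling policies as `../configure.md?tabs=os#...`; pick one form for all includes so links do not break if an include is reused elsewhere. Style: there are two blank lines after the front-matter closer here, while the other includes use one.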
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/includes/allow-enhanced-pins-for-startup.md b/windows/security/operating-system-security/data-protection/bitlocker/includes/allow-enhanced-pins-for-startup.md
new file mode 100644
index 0000000000..458c6d1e88
--- /dev/null
+++ b/windows/security/operating-system-security/data-protection/bitlocker/includes/allow-enhanced-pins-for-startup.md
@@ -0,0 +1,20 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 10/30/2023
+ms.topic: include
+---
+
+### Allow enhanced PINs for startup
+
+This setting permits the use of enhanced PINs when an unlock method that includes a PIN is used.
+
+Enhanced startup PINs permit the use of characters (including uppercase and lowercase letters, symbols, numbers, and spaces).
+
+> [!IMPORTANT]
+> Not all computers support enhanced PIN characters in the preboot environment. It's strongly recommended that users perform a system check during the BitLocker setup to verify that enhanced PIN characters can be used.
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/BitLocker/`[SystemDrivesEnhancedPIN](/windows/client-management/mdm/bitlocker-csp#systemdrivesenhancedpin) |
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** |
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/includes/allow-network-unlock-at-startup.md b/windows/security/operating-system-security/data-protection/bitlocker/includes/allow-network-unlock-at-startup.md
new file mode 100644
index 0000000000..87d69aff1e
--- /dev/null
+++ b/windows/security/operating-system-security/data-protection/bitlocker/includes/allow-network-unlock-at-startup.md
@@ -0,0 +1,26 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 10/30/2023
+ms.topic: include
+---
+
+### Allow network unlock at startup
+
+This policy setting controls whether a BitLocker-protected device that is connected to a trusted wired Local Area Network (LAN) can create and use Network Key Protectors on TPM-enabled computers to automatically unlock the operating system drive when the computer is started.
+
+If you enable this policy, devices configured with a *BitLocker Network Unlock certificate* can create and use Network Key Protectors. To use a Network Key Protector to unlock the computer, both the computer and the BitLocker Drive Encryption Network Unlock server must be provisioned with a Network Unlock certificate. The Network Unlock certificate is used to create Network Key Protectors, and protects the information exchanged with the server to unlock the computer.
+
+The Group Policy setting **Computer Configuration** > **Windows Settings** > **Security Settings** > **Public Key Policies** > **BitLocker Drive Encryption Network Unlock Certificate** can be used on the domain controller to distribute this certificate to computers in the organization. This unlock method uses the TPM on the computer, so computers that don't have a TPM can't create Network Key Protectors to automatically unlock with Network Unlock.
+
+If you disable or don't configure this policy setting, BitLocker clients won't be able to create and use Network Key Protectors.
+
+> [!NOTE]
+> For reliability and security, computers should also have a TPM startup PIN that can be used when the computer is disconnected from the wired network or the server at startup.
+
+For more information about Network Unlock feature, see [BitLocker: How to enable Network Unlock](../network-unlock.md)
+
+| | Path |
+|--|--|
+| **CSP** | Not available |
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** |
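Review bot: "For more information about Network Unlock feature, see [BitLocker: How to enable Network Unlock](../network-unlock.md)" is missing the article ("the Network Unlock feature") and the terminating period that every other sentence in this file has. The enable paragraph says protectors can be created only when both the client and the Network Unlock server hold the certificate, which is the important prerequisite; consider moving that sentence ahead of the Group Policy distribution paragraph so the prerequisite is read before the mechanism for deploying it.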
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/includes/allow-secure-boot-for-integrity-validation.md b/windows/security/operating-system-security/data-protection/bitlocker/includes/allow-secure-boot-for-integrity-validation.md
new file mode 100644
index 0000000000..853270403b
--- /dev/null
+++ b/windows/security/operating-system-security/data-protection/bitlocker/includes/allow-secure-boot-for-integrity-validation.md
@@ -0,0 +1,28 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 10/30/2023
+ms.topic: include
+---
+
+### Allow Secure Boot for integrity validation
+
+This policy setting allows you to configure whether Secure Boot is allowed as the platform integrity provider for BitLocker operating system drives.
+
+Secure Boot ensures that the device's preboot environment only loads firmware that is digitally signed by authorized software publishers.
+
+- If you enable or don't configure this policy setting, BitLocker uses Secure Boot for platform integrity if the platform is capable of Secure Boot-based integrity validation
+- If you disable this policy setting, BitLocker uses legacy platform integrity validation, even on systems capable of Secure Boot-based integrity validation
+
+When this policy is enabled and the hardware is capable of using Secure Boot for BitLocker scenarios, the *[Use enhanced Boot Configuration Data validation profile](../configure.md?tabs=os#use-enhanced-boot-configuration-data-validation-profile)* policy setting is ignored and Secure Boot verifies BCD settings according to the Secure Boot policy setting, which is configured separately from BitLocker.
+
+> [!NOTE]
+> If the policy setting *[Configure TPM platform validation profile for native UEFI firmware configurations](../configure.md?tabs=os#configure-tpm-platform-validation-profile-for-native-uefi-firmware-configurations)* is enabled and has PCR 7 omitted, BitLocker is prevented from using Secure Boot for platform or Boot Configuration Data (BCD) integrity validation.
+
+> [!WARNING]
+> Disabling this policy might result in BitLocker recovery when manufacturer-specific firmware is updated. If this policy is disabled, suspend BitLocker prior to applying firmware updates.
+
+| | Path |
+|--|--|
+| **CSP** | Not available |
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** |
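Review bot: the sentence "When this policy is enabled and the hardware is capable of using Secure Boot for BitLocker scenarios, the *Use enhanced Boot Configuration Data validation profile* policy setting is ignored" is narrower than the bullet just above it, which says Secure Boot is used when the policy is "enabled or not configured". Unless the BCD-profile override really only applies in the explicitly enabled case, change it to "When this policy is enabled or not configured and the hardware is capable ..." so the two statements agree.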
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/includes/allow-standard-user-encryption.md b/windows/security/operating-system-security/data-protection/bitlocker/includes/allow-standard-user-encryption.md
new file mode 100644
index 0000000000..4ee204fa87
--- /dev/null
+++ b/windows/security/operating-system-security/data-protection/bitlocker/includes/allow-standard-user-encryption.md
@@ -0,0 +1,18 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 10/30/2023
+ms.topic: include
+---
+
+### Allow standard user encryption
+
+With this policy you can enforce the [*Require device encryption*](../configure.md?tabs=os#require-device-encryption) policy for scenarios where the policy is applied while the current logged-on user doesn't have administrative rights.
+
+> [!IMPORTANT]
+> The [Allow warning for other disk encryption](../configure.md?tabs=os#allow-warning-for-other-disk-encryption) policy must be disabled to allow standard user encryption.
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/BitLocker/`[AllowStandardUserEncryption](/windows/client-management/mdm/bitlocker-csp#allowstandarduserencryption)|
+| **GPO** | Not available |
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/includes/allow-warning-for-other-disk-encryption.md b/windows/security/operating-system-security/data-protection/bitlocker/includes/allow-warning-for-other-disk-encryption.md
new file mode 100644
index 0000000000..4463d21b87
--- /dev/null
+++ b/windows/security/operating-system-security/data-protection/bitlocker/includes/allow-warning-for-other-disk-encryption.md
@@ -0,0 +1,39 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 10/30/2023
+ms.topic: include
+---
+
+### Allow warning for other disk encryption
+
+With this policy you can disable all notification for encryption, warning prompt for other disk encryption, and turn on encryption silently.
+
+> [!IMPORTANT]
+> This policy applies to Microsoft Entra joined devices only.
+
+This policy takes effect only if [Require device encryption](../configure.md?tabs=os#require-device-encryption) policy is enabled.
+
+> [!WARNING]
+> When you enable BitLocker on a device with third party encryption, it may render the device unusable and will require reinstallation of Windows.
+
+The expected values for this policy are:
+
+- Enabled (default): warning prompt and encryption notification is allowed
+- Disabled: warning prompt and encryption notification are suppressed. Windows will attempt to silently enable BitLocker
+
+> [!NOTE]
+> When you disable the warning prompt, the OS drive's recovery key will back up to the user's Microsoft Entra ID account. When you allow the warning prompt, the user who receives the prompt can select where to back up the OS drive's recovery key.
+>
+> The endpoint for a fixed data drive's backup is chosen in the following order:
+>
+> 1. The user's Windows Server Active Directory Domain Services account
+> 2. The user's Microsoft Entra ID account
+> 3. The user's personal OneDrive (MDM/MAM only)
+>
+> Encryption will wait until one of these three locations backs up successfully.
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/BitLocker/`[AllowWarningForOtherDiskEncryption](/windows/client-management/mdm/bitlocker-csp#allowwarningforotherdiskencryption) |
+| **GPO** | Not available |
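Review bot: several grammar slips in this include. "With this policy you can disable all notification for encryption" should read "all notifications"; "warning prompt and encryption notification is allowed" in the Enabled bullet has a plural subject and should be "are allowed" (the Disabled bullet already uses "are"); "third party encryption" should be hyphenated as the compound adjective "third-party encryption". In the NOTE, "the OS drive's recovery key will back up to the user's Microsoft Entra ID account" reads as if the key performs the backup; suggest "is backed up to".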
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/includes/choose-default-folder-for-recovery-password.md b/windows/security/operating-system-security/data-protection/bitlocker/includes/choose-default-folder-for-recovery-password.md
new file mode 100644
index 0000000000..5a19c8397b
--- /dev/null
+++ b/windows/security/operating-system-security/data-protection/bitlocker/includes/choose-default-folder-for-recovery-password.md
@@ -0,0 +1,21 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 10/30/2023
+ms.topic: include
+---
+
+### Choose default folder for recovery password
+
+Specify the default path that is displayed when the *BitLocker Drive Encryption setup wizard* prompts the user to enter the location of a folder in which to save the recovery password. You can specify either a fully qualified path or include the target computer's environment variables in the path:
+
+- If the path isn't valid, the BitLocker setup wizard displays the computer's top-level folder view
+- If you disable or don't configure this policy setting, the BitLocker setup wizard displays the computer's top-level folder view when the user chooses the option to save the recovery password in a folder
+
+> [!NOTE]
+> This policy setting does not prevent the user from saving the recovery password in another folder.
+
+| | Path |
+|--|--|
+| **CSP** | Not available |
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** |
\ No newline at end of file
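Review bot: this file is the only include in the set without a trailing newline ("\ No newline at end of file"); add one so it matches its siblings and avoids noisy diffs on the next edit. Separately, the intro sentence ends with a colon ("... include the target computer's environment variables in the path:") but the bullets that follow describe the invalid-path and not-configured cases, not the two path forms just listed; end that sentence with a period instead.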
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/includes/choose-drive-encryption-method-and-cipher-strength.md b/windows/security/operating-system-security/data-protection/bitlocker/includes/choose-drive-encryption-method-and-cipher-strength.md
new file mode 100644
index 0000000000..fdda90d046
--- /dev/null
+++ b/windows/security/operating-system-security/data-protection/bitlocker/includes/choose-drive-encryption-method-and-cipher-strength.md
@@ -0,0 +1,25 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 10/30/2023
+ms.topic: include
+---
+
+### Choose drive encryption method and cipher strength
+
+With this policy, you can configure an encryption algorithm and key cipher strength for fixed data drives, operating system drives, and removable data drives individually.
+
+Recommended settings: `XTS-AES` algorithm for all drives. The choice of key size, 128 bit or 256 bit depends on the performance of the device. For more performant hard drives and CPU, choose 256-bit key, for less performant ones use 128.
+
+> [!IMPORTANT]
+> Key size might be required by regulators or industry.
+
+If you disable or don't configure this policy setting, BitLocker uses the default encryption method of `XTS-AES 128-bit`.
+
+> [!NOTE]
+> This policy doesn't apply to encrypted drives. Encrypted drives utilize their own algorithm, which is set by the drive during partitioning.
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/BitLocker/`[EncryptionMethodByDriveType](/windows/client-management/mdm/bitlocker-csp#encryptionmethodbydrivetype)|
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** |
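Review bot: the recommendation sentence has a comma splice and inconsistent hyphenation: "The choice of key size, 128 bit or 256 bit depends on the performance of the device. For more performant hard drives and CPU, choose 256-bit key, for less performant ones use 128." Suggest "The choice of key size, 128-bit or 256-bit, depends on the performance of the device. For more performant drives and CPUs, choose a 256-bit key; for less performant ones, use 128-bit." Also, in the NOTE, "This policy doesn't apply to encrypted drives" is ambiguous on a page where every drive under discussion is encrypted; since the next sentence says the drive sets its own algorithm during partitioning, state explicitly which class of drive is meant.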
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/includes/choose-how-bitlocker-protected-fixed-drives-can-be-recovered.md b/windows/security/operating-system-security/data-protection/bitlocker/includes/choose-how-bitlocker-protected-fixed-drives-can-be-recovered.md
new file mode 100644
index 0000000000..7b7748c000
--- /dev/null
+++ b/windows/security/operating-system-security/data-protection/bitlocker/includes/choose-how-bitlocker-protected-fixed-drives-can-be-recovered.md
@@ -0,0 +1,26 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 10/30/2023
+ms.topic: include
+---
+
+### Choose how BitLocker-protected fixed drives can be recovered
+
+This policy setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required startup key information. If you enable this policy setting, you can control the methods available to users to recover data from BitLocker-protected fixed data drives. Here are the available options:
+
+- **Allow certificate-based data recovery agent**: specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used, it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor
+- **Configure user storage of BitLocker recovery information**: select whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key
+- **Omit recovery options from the BitLocker setup wizard**: prevent users from specifying recovery options when they turn on BitLocker for a drive. This means that users won't be able to specify which recovery option to use when they turn on BitLocker. BitLocker recovery options for the drive are determined by the policy setting
+- **Save BitLocker recovery information to Active Directory Domain Services**: choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select **Backup recovery password and key package**, both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you select **Backup recovery password only**, only the recovery password is stored in AD DS
+- **Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives**: prevents users from enabling BitLocker unless the device is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. When using this option, a recovery password is automatically generated.
+
+> [!IMPORTANT]
+> The use of recovery keys must be disallowed if the **Deny write access to fixed drives not protected by BitLocker** policy setting is enabled.
+
+If this policy setting is disabled or not configured, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information is not backed up to AD DS.
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/BitLocker/`[FixedDrivesRecoveryOptions](/windows/client-management/mdm/bitlocker-csp#fixeddrivesrecoveryoptions) |
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Fixed Data Drives** |
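Review bot: "By default a DRA is allowed" in the disabled/not-configured paragraph uses an abbreviation the include never introduces; the first bullet says "data recovery agent" in full. Either write "data recovery agent (DRA)" there or spell it out in the final paragraph. Also the last bullet ("... a recovery password is automatically generated.") ends with a period while the other bullets do not; drop it for consistency.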
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/includes/choose-how-bitlocker-protected-operating-system-drives-can-be-recovered.md b/windows/security/operating-system-security/data-protection/bitlocker/includes/choose-how-bitlocker-protected-operating-system-drives-can-be-recovered.md
new file mode 100644
index 0000000000..8cfee0617e
--- /dev/null
+++ b/windows/security/operating-system-security/data-protection/bitlocker/includes/choose-how-bitlocker-protected-operating-system-drives-can-be-recovered.md
@@ -0,0 +1,23 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 10/30/2023
+ms.topic: include
+---
+
+### Choose how BitLocker-protected operating system drives can be recovered
+
+This policy setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. If you enable this policy setting, you can control the methods available to users to recover data from BitLocker-protected operating system drives. Here are the available options:
+
+- **Allow certificate-based data recovery agent**: specify whether a data recovery agent can be used with BitLocker-protected OS drives. Before a data recovery agent can be used, it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor
+- **Configure user storage of BitLocker recovery information**: select whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key
+- **Omit recovery options from the BitLocker setup wizard**: prevent users from specifying recovery options when they turn on BitLocker for a drive. This means that users won't be able to specify which recovery option to use when they turn on BitLocker. BitLocker recovery options for the drive are determined by the policy setting
+- **Save BitLocker recovery information to Active Directory Domain Services**: choose which BitLocker recovery information to store in AD DS for operating system drives. If you select **Backup recovery password and key package**, both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you select **Backup recovery password only**, only the recovery password is stored in AD DS
+- **Do not enable BitLocker until recovery information is stored in AD DS for operating system drives**: prevents users from enabling BitLocker unless the device is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. When using this option, a recovery password is automatically generated.
+
+If this policy setting is disabled or not configured, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information is not backed up to AD DS.
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/BitLocker/`[SystemDrivesRecoveryOptions](/windows/client-management/mdm/bitlocker-csp#systemdrivesrecoveryoptions)|
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** |
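Review bot: same two consistency points as the fixed-drives include: "DRA" in "By default a DRA is allowed" is never expanded (the first bullet says "data recovery agent"), so introduce the abbreviation there or spell it out; and the last bullet ends with a period while the others do not.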
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/includes/choose-how-bitlocker-protected-removable-drives-can-be-recovered.md b/windows/security/operating-system-security/data-protection/bitlocker/includes/choose-how-bitlocker-protected-removable-drives-can-be-recovered.md
new file mode 100644
index 0000000000..d9973fdef2
--- /dev/null
+++ b/windows/security/operating-system-security/data-protection/bitlocker/includes/choose-how-bitlocker-protected-removable-drives-can-be-recovered.md
@@ -0,0 +1,26 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 10/30/2023
+ms.topic: include
+---
+
+### Choose how BitLocker-protected removable drives can be recovered
+
+This policy setting allows you to control how BitLocker-protected removable data drives are recovered in the absence of the required startup key information. If you enable this policy setting, you can control the methods available to users to recover data from BitLocker-protected removable data drives. Here are the available options:
+
+- **Allow certificate-based data recovery agent**: specify whether a data recovery agent can be used with BitLocker-protected removable data drives. Before a data recovery agent can be used, it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor
+- **Configure user storage of BitLocker recovery information**: select whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key
+- **Omit recovery options from the BitLocker setup wizard**: prevent users from specifying recovery options when they turn on BitLocker for a drive. This means that users won't be able to specify which recovery option to use when they turn on BitLocker. BitLocker recovery options for the drive are determined by the policy setting
+- **Save BitLocker recovery information to Active Directory Domain Services**: choose which BitLocker recovery information to store in AD DS for removable data drives. If you select **Backup recovery password and key package**, both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you select **Backup recovery password only**, only the recovery password is stored in AD DS
+- **Do not enable BitLocker until recovery information is stored in AD DS for removable data drives**: prevents users from enabling BitLocker unless the device is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. When using this option, a recovery password is automatically generated.
+
+> [!IMPORTANT]
+> The use of recovery keys must be disallowed if the **Deny write access to removable drives not protected by BitLocker** policy setting is enabled.
+
+If this policy setting is disabled or not configured, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information is not backed up to AD DS.
+
+| | Path |
+|--|--|
+| **CSP** | Not available |
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Removable Data Drives** |
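Review bot: as in the fixed and OS drive includes, "DRA" in "By default a DRA is allowed" is not introduced anywhere in the text (the first bullet uses "data recovery agent"), and the last bullet alone ends with a period. Fix both for consistency across the three recovery includes.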
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/includes/configure-minimum-pin-length-for-startup.md b/windows/security/operating-system-security/data-protection/bitlocker/includes/configure-minimum-pin-length-for-startup.md
new file mode 100644
index 0000000000..cddc5432db
--- /dev/null
+++ b/windows/security/operating-system-security/data-protection/bitlocker/includes/configure-minimum-pin-length-for-startup.md
@@ -0,0 +1,28 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 10/30/2023
+ms.topic: include
+---
+
+### Configure minimum PIN length for startup
+
+This policy configures a minimum length for a Trusted Platform Module (TPM) startup PIN. The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits.
+
+If you enable this policy setting, you can require a minimum number of digits to be used when setting the startup PIN.\
+If you disable or do not configure this policy setting, users can configure a startup PIN of any length between 6 and 20 digits.
+
+The TPM can be configured to use Dictionary Attack Prevention parameters ([lockout threshold and lockout duration](../../../../hardware-security/tpm/trusted-platform-module-services-group-policy-settings.md) to control how many failed authorizations attempts are allowed before the TPM is locked out, and how much time must elapse before another attempt can be made.
+
+The Dictionary Attack Prevention Parameters provide a way to balance security needs with usability. For example, when BitLocker is used with a TPM + PIN configuration, the number of PIN guesses is limited over time. A TPM 2.0 in this example could be configured to allow only 32 PIN guesses immediately, and then only one more guess every two hours. This number of attempts totals to a maximum of about 4415 guesses per year. If the PIN is four digits, all 9999 possible PIN combinations could be attempted in a little over two years.
+
+> [!TIP]
+> Increasing the PIN length requires a greater number of guesses for an attacker. In that case, the lockout duration between each guess can be shortened to allow legitimate users to retry a failed attempt sooner, while maintaining a similar level of protection.
+
+> [!NOTE]
+> If minimum PIN length is set below 6 digits, Windows will attempt to update the TPM 2.0 lockout period to be greater than the default when a PIN is changed. If successful, Windows will only reset the TPM lockout period back to default if the TPM is reset.
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/BitLocker/`[SystemDrivesMinimumPINLength](/windows/client-management/mdm/bitlocker-csp#systemdrivesminimumpinlength) |
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** |
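Review bot: the text reads as self-contradictory on minimum length: "The startup PIN must have a minimum length of 4 digits" and then "If you disable or do not configure this policy setting, users can configure a startup PIN of any length between 6 and 20 digits." The NOTE confirms that lengths below 6 are only possible when the policy sets them, so say that explicitly, e.g. that 6 is the default minimum and values of 4 or 5 require this policy to be enabled. In the lockout paragraph the parenthesis in "([lockout threshold and lockout duration](...) to control" is never closed, and "failed authorizations attempts" should be "failed authorization attempts". Finally, a four-digit PIN has 10,000 combinations (0000 through 9999), not "9999"; the "little over two years" estimate still holds.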
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/includes/configure-pre-boot-recovery-message-and-url.md b/windows/security/operating-system-security/data-protection/bitlocker/includes/configure-pre-boot-recovery-message-and-url.md
new file mode 100644
index 0000000000..62dffacee5
--- /dev/null
+++ b/windows/security/operating-system-security/data-protection/bitlocker/includes/configure-pre-boot-recovery-message-and-url.md
@@ -0,0 +1,24 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 10/30/2023
+ms.topic: include
+---
+
+### Configure preboot recovery message and URL
+
+This policy setting is used to configure the recovery message and to replace the existing URL that is displayed on the preboot recovery screen when the OS drive is locked.
+
+- If you select the **Use default recovery message and URL** option, the default BitLocker recovery message and URL are displayed in the preboot key recovery screen. If you have previously configured a custom recovery message or URL and want to revert to the default message, you must keep the policy enabled and select the **Use default recovery message and URL** option
+- If you select the **Use custom recovery message** option, the message you add to the **Custom recovery message option** text box is displayed in the preboot key recovery screen. If a recovery URL is available, include it in the message
+- If you select the **Use custom recovery URL** option, the URL you add to the **Custom recovery URL option** text box replaces the default URL in the default recovery message, which is displayed in the preboot key recovery screen
+
+> [!NOTE]
+> Not all characters and languages are supported in pre-boot. It is strongly recommended that you test that the characters you use for the custom message or URL appear correctly on the pre-boot recovery screen.
+
+For more information about the BitLocker preboot recovery screen, see [Preboot recovery screen](/windows/security/operating-system-security/data-protection/bitlocker/preboot-recovery-screen).
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/BitLocker/`[SystemDrivesRecoveryMessage](/windows/client-management/mdm/bitlocker-csp#systemdrivesrecoverymessage) |
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** |
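Review bot: the NOTE spells it "pre-boot" ("Not all characters and languages are supported in pre-boot ... on the pre-boot recovery screen") while the heading, body and linked article use "preboot"; use "preboot" throughout the include.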
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/includes/configure-recovery-password-rotation.md b/windows/security/operating-system-security/data-protection/bitlocker/includes/configure-recovery-password-rotation.md
new file mode 100644
index 0000000000..d2d790df4b
--- /dev/null
+++ b/windows/security/operating-system-security/data-protection/bitlocker/includes/configure-recovery-password-rotation.md
@@ -0,0 +1,27 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 10/30/2023
+ms.topic: include
+---
+
+### Configure recovery password rotation
+
+With this policy you can configure a numeric recovery password rotation upon use for OS and fixed drives on Microsoft Entra joined and Microsoft Entra hybrid joined devices.
+
+Possible values are:
+
+- `0`: numeric recovery password rotation is turned off
+- `1`: numeric recovery password rotation upon use is *on* for Microsoft Entra joined devices. This is also the default value
+- `2`: numeric recovery password rotation upon use is *on* for both Microsoft Entra joined devices and Microsoft Entra hybrid joined devices
+
+> [!NOTE]
+> The Policy is effective only when Micropsoft Entra ID or Active Directory backup for recovery password is configured to *required*
+>
+> - For OS drive: enable *Do not enable BitLocker until recovery information is stored to AD DS for operating system drives*
+> - For fixed drives: enable "*Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives*
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/BitLocker/`[ConfigureRecoveryPasswordRotation](/windows/client-management/mdm/bitlocker-csp#configurerecoverypasswordrotation)|
+| **GPO** | Not available |
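Review bot: typo "Micropsoft Entra ID" in the NOTE, and that sentence also lacks a terminal period. The second sub-bullet has a stray double quote: enable "*Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives*; remove the `"` so it matches the OS drive bullet above it.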
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/includes/configure-tpm-platform-validation-profile-for-bios-based-firmware-configurations.md b/windows/security/operating-system-security/data-protection/bitlocker/includes/configure-tpm-platform-validation-profile-for-bios-based-firmware-configurations.md
new file mode 100644
index 0000000000..26f07df41c
--- /dev/null
+++ b/windows/security/operating-system-security/data-protection/bitlocker/includes/configure-tpm-platform-validation-profile-for-bios-based-firmware-configurations.md
@@ -0,0 +1,56 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 10/30/2023
+ms.topic: include
+---
+
+### Configure TPM platform validation profile for BIOS-based firmware configurations
+
+This policy setting determines what values the TPM measures when it validates early boot components before it unlocks an operating system drive on a computer with a BIOS configuration or with UEFI firmware that has the Compatibility Support Module (CSM) enabled.
+
+- When enabled, the boot components that the TPM validates before unlocking access to the BitLocker-encrypted operating system drive can be configured. If any of these components change while BitLocker protection is in effect, then the TPM doesn't release the encryption key to unlock the drive. Instead, the computer displays the BitLocker Recovery console and requires that the recovery password or the recovery key is provided to unlock the drive.
+- When disabled or not configured, the TPM uses the default platform validation profile or the platform validation profile that is specified by the setup script.
+
+This policy setting doesn't apply if the computer doesn't have a compatible TPM or if BitLocker has already been turned on with TPM protection.
+
+> [!IMPORTANT]
+> This Group Policy setting only applies to computers with BIOS configurations or to computers with UEFI firmware with the CSM enabled. Computers that use a native UEFI firmware configuration store different values in the Platform Configuration Registers (PCRs). Use the **Configure TPM platform validation profile for native UEFI firmware configurations** policy setting to configure the TPM PCR profile for computers that use native UEFI firmware.
+
+A platform validation profile consists of a set of PCR indices that range from 0 to 23. Each PCR index represents a specific measurement that the TPM validates during early boot. The default platform validation profile secures the encryption key against changes to the following PCRs:
+
+|PCR|Description|
+|-|-|
+|PCR 0|Core root-of-trust for measurement, BIOS, and platform extensions|
+|PCR 2|Option ROM code|
+|PCR 4|Master Boot Record (MBR) code|
+|PCR 8|NTFS boot sector|
+|PCR 9|NTFS boot block|
+|PCR 10|Boot manager|
+|PCR 11|BitLocker access control|
+
+> [!NOTE]
+> Changing from the default platform validation profile affects the security and manageability of a computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs.
+
+The following list identifies all of the available PCRs:
+
+|PCR|Description|
+|-|-|
+| PCR 0 | Core root-of-trust for measurement, BIOS, and platform extensions|
+| PCR 1 | Platform and motherboard configuration and data.|
+| PCR 2 | Option ROM code|
+| PCR 3 | Option ROM data and configuration|
+| PCR 4 | Master Boot Record (MBR) code|
+| PCR 5 | Master Boot Record (MBR) partition table|
+| PCR 6 | State transition and wake events|
+| PCR 7 | Computer manufacturer-specific|
+| PCR 8 | NTFS boot sector|
+| PCR 9 | NTFS boot block|
+| PCR 10 | Boot manager|
+| PCR 11 | BitLocker access control|
+| PCR 12-23 | Reserved for future use |
+
+| | Path |
+|--|--|
+| **CSP** | Not available |
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** |
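Review bot: the IMPORTANT block names the counterpart policy in bold only, "Use the **Configure TPM platform validation profile for native UEFI firmware configurations** policy setting", whereas the UEFI include links back to this one with a ../configure.md?tabs=os anchor; add the matching link here. In the PCR table, "Platform and motherboard configuration and data." is the only cell with a trailing period.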
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/includes/configure-tpm-platform-validation-profile-for-native-uefi-firmware-configurations.md b/windows/security/operating-system-security/data-protection/bitlocker/includes/configure-tpm-platform-validation-profile-for-native-uefi-firmware-configurations.md
new file mode 100644
index 0000000000..cb43d10a8c
--- /dev/null
+++ b/windows/security/operating-system-security/data-protection/bitlocker/includes/configure-tpm-platform-validation-profile-for-native-uefi-firmware-configurations.md
@@ -0,0 +1,67 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 10/30/2023
+ms.topic: include
+---
+
+### Configure TPM platform validation profile for native UEFI firmware configurations
+
+This policy setting determines what values the TPM measures when it validates early boot components, before unlocking the OS drive on native-UEFI firmware device.
+
+- If you enable this policy setting before turning on BitLocker, you can configure the boot components that the TPM validates before unlocking access to the BitLocker-encrypted OS drive. If any of these components change while BitLocker protection is in effect, the TPM doesn't release the encryption key to unlock the drive. The device displays the BitLocker Recovery console and requires that either the recovery password or recovery key be provided to unlock the drive
+- If you disable or do not configure this policy setting, BitLocker uses the default platform validation profile for the available hardware, or the platform validation profile specified by the setup script
+
+> [!IMPORTANT]
+> This policy setting only applies to devices with a native UEFI firmware configuration. Computers with BIOS or UEFI firmware with a Compatibility Support Module (CSM) enabled store different values in the Platform Configuration Registers (PCRs). Use the **[Configure TPM platform validation profile for BIOS-based firmware configurations](../configure.md?tabs=os#configure-tpm-platform-validation-profile-for-bios-based-firmware-configurations)** policy setting to configure the TPM PCR profile for devices with BIOS configurations, or for devices with UEFI firmware with a CSM enabled.
+
+A platform validation profile consists of a set of PCR indices ranging from 0 to 23. The default platform validation profile secures the encryption key against changes to the following PCRs:
+
+|PCR|Description|
+|-|-|
+| PCR 0 | Core System Firmware executable code|
+| PCR 2 | Extended or pluggable executable code|
+| PCR 4 | Boot Manager|
+| PCR 11 | BitLocker access control|
+
+> [!NOTE]
+> When Secure Boot State (PCR7) support is available, the default platform validation profile secures the encryption key using Secure Boot State (PCR 7) and the BitLocker access control (PCR 11).
+
+The following list identifies all of the available PCRs:
+
+|PCR|Description|
+|-|-|
+| PCR 0 | Core System Firmware executable code|
+| PCR 1 | Core System Firmware data|
+| PCR 2 | Extended or pluggable executable code|
+| PCR 3 | Extended or pluggable firmware data|
+| PCR 4 | Boot Manager|
+| PCR 5 | GPT/Partition Table|
+| PCR 6 | Resume from S4 and S5 Power State Events|
+| PCR 7 | Secure Boot State|
+| PCR 8 | Initialized to 0 with no Extends (reserved for future use)|
+| PCR 9 | Initialized to 0 with no Extends (reserved for future use)|
+| PCR 10 | Initialized to 0 with no Extends (reserved for future use)|
+| PCR 11 | BitLocker access control|
+| PCR 12 | Data events and highly volatile events|
+| PCR 13 | Boot Module Details|
+| PCR 14 | Boot Authorities|
+| PCR 15 - 23 | Reserved for future use
+
+> [!WARNING]
+> Changing from the default platform validation profile affects the security and manageability of a device. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending on inclusion or exclusion (respectively) of the PCRs.
+>
+> Setting this policy with PCR 7 omitted, overrides the *[Allow Secure Boot for integrity validation](../configure.md?tabs=os#allow-secure-boot-for-integrity-validation)* policy, preventing BitLocker from using Secure Boot for platform or Boot Configuration Data (BCD) integrity validation.
+>
+> Setting this policy may result in BitLocker recovery when firmware is updated. If you set this policy to include PCR 0, suspend BitLocker prior to applying firmware updates. It is recommended to not configure this policy, to allow Windows to select the PCR profile for the best combination of security and usability based on the available hardware on each device.
+
+PCR 7 measures the state of Secure Boot. With PCR 7, BitLocker can use Secure Boot for integrity validation. Secure Boot ensures that the computer's preboot environment loads only firmware that is digitally signed by authorized software publishers. PCR 7 measurements indicate whether Secure Boot is on, and which keys are trusted on the platform. If Secure Boot is on and the firmware measures PCR 7 correctly per the UEFI specification, BitLocker can bind to this information rather than to PCRs 0, 2, and 4, which have the measurements of the exact firmware and Bootmgr images loaded. This process reduces the likelihood of BitLocker starting in recovery mode as a result of firmware and image updates, and it provides with greater flexibility to manage the preboot configuration.
+
+PCR 7 measurements must follow the guidance that is described in [Appendix A Trusted Execution Environment EFI Protocol](/windows-hardware/test/hlk/testref/trusted-execution-environment-efi-protocol).
+
+PCR 7 measurements are a mandatory logo requirement for systems that support Modern Standby (also known as Always On, Always Connected PCs). On such systems, if the TPM with PCR 7 measurement and secure boot are correctly configured, BitLocker binds to PCR 7 and PCR 11 by default.
+
+| | Path |
+|--|--|
+| **CSP** | Not available |
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** |
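Review bot: the last row of the full PCR table, `| PCR 15 - 23 | Reserved for future use`, is missing its closing `|`, unlike every other row, and the note just above it writes the register both as `PCR7` and `PCR 7` in one sentence; suggest `| PCR 15 - 23 | Reserved for future use |` and `PCR 7` throughout. Two grammar fixes in the same hunk: `before unlocking the OS drive on native-UEFI firmware device` should read `on a native UEFI firmware device`, and `it provides with greater flexibility` should read `it provides greater flexibility`. The warning tells readers to suspend BitLocker before firmware updates only when PCR 0 is included, yet the PCR 7 paragraph below says PCRs 0, 2 and 4 all carry the measurements of the exact firmware and Bootmgr images; the warning would serve practitioners better if it named PCRs 2 and 4 (option ROM and boot manager updates) as triggering recovery in the same way.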
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/includes/configure-use-of-hardware-based-encryption-for-fixed-data-drives.md b/windows/security/operating-system-security/data-protection/bitlocker/includes/configure-use-of-hardware-based-encryption-for-fixed-data-drives.md
new file mode 100644
index 0000000000..6c6a082d01
--- /dev/null
+++ b/windows/security/operating-system-security/data-protection/bitlocker/includes/configure-use-of-hardware-based-encryption-for-fixed-data-drives.md
@@ -0,0 +1,28 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 10/30/2023
+ms.topic: include
+---
+
+### Configure use of hardware-based encryption for fixed data drives
+
+This policy setting allows you to manage BitLocker's use of hardware-based encryption on fixed data drives and specify which encryption algorithms it can use with hardware-based encryption. Using hardware-based encryption can improve performance of drive operations that involve frequent reading or writing of data to the drive.
+
+If you enable this policy setting, you can specify options that control whether BitLocker software-based encryption is used instead of hardware-based encryption on devices that don't support hardware-based encryption. You can also specify if you want to restrict the encryption algorithms and cipher suites used with hardware-based encryption.
+
+If you disable this policy setting, BitLocker can't use hardware-based encryption with fixed data drives, and BitLocker software-based encryption will be used by default when the drive is encrypted.
+
+If you do not configure this policy setting, BitLocker will use software-based encryption, irrespective of hardware-based encryption availability.
+
+> [!NOTE]
+> The **Choose drive encryption method and cipher strength** policy setting doesn't apply to hardware-based encryption. The encryption algorithm used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm configured on the drive to encrypt the drive.
+>
+> The **Restrict encryption algorithms and cipher suites allowed for hardware-based encryption** option enables you to restrict the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm set for the drive isn't available, BitLocker disables the use of hardware-based encryption. Encryption algorithms are specified by object identifiers (OID). For example:
+> - AES 128 in CBC mode OID: `2.16.840.1.101.3.4.1.2`
+> - AES 256 in CBC mode OID: `2.16.840.1.101.3.4.1.42`
+
+| | Path |
+|--|--|
+| **CSP** | Not available |
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Fixed Data Drives** |
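Review bot: the enable/disable/not-configured sentences mix `don't` (`on devices that don't support hardware-based encryption`) with `If you do not configure this policy setting`; the other includes in this patch use the contraction, so use `If you don't configure` here. The not-configured sentence is the one readers need when deciding whether to touch this policy at all (software encryption is used even when the drive supports hardware encryption), so consider putting the three branches in the bulleted `- If you enable ... - If you disable ... - If you don't configure` form the smart-card includes use so it is not lost after two paragraphs. The two OID bullets would also read more clearly with the value set off, e.g. `AES 128 in CBC mode: 2.16.840.1.101.3.4.1.2`.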
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/includes/configure-use-of-hardware-based-encryption-for-operating-system-drives.md b/windows/security/operating-system-security/data-protection/bitlocker/includes/configure-use-of-hardware-based-encryption-for-operating-system-drives.md
new file mode 100644
index 0000000000..81b9dd760c
--- /dev/null
+++ b/windows/security/operating-system-security/data-protection/bitlocker/includes/configure-use-of-hardware-based-encryption-for-operating-system-drives.md
@@ -0,0 +1,28 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 10/30/2023
+ms.topic: include
+---
+
+### Configure use of hardware-based encryption for operating system drives
+
+This policy setting allows you to manage BitLocker's use of hardware-based encryption on operating system drives and specify which encryption algorithms it can use with hardware-based encryption. Using hardware-based encryption can improve performance of drive operations that involve frequent reading or writing of data to the drive.
+
+If you enable this policy setting, you can specify options that control whether BitLocker software-based encryption is used instead of hardware-based encryption on devices that don't support hardware-based encryption. You can also specify if you want to restrict the encryption algorithms and cipher suites used with hardware-based encryption.
+
+If you disable this policy setting, BitLocker can't use hardware-based encryption with operating system drives, and BitLocker software-based encryption will be used by default when the drive is encrypted.
+
+If you do not configure this policy setting, BitLocker will use software-based encryption, irrespective of hardware-based encryption availability.
+
+> [!NOTE]
+> The **Choose drive encryption method and cipher strength** policy setting doesn't apply to hardware-based encryption. The encryption algorithm used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm configured on the drive to encrypt the drive.
+>
+> The **Restrict encryption algorithms and cipher suites allowed for hardware-based encryption** option enables you to restrict the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm set for the drive isn't available, BitLocker disables the use of hardware-based encryption. Encryption algorithms are specified by object identifiers (OID). For example:
+> - AES 128 in CBC mode OID: `2.16.840.1.101.3.4.1.2`
+> - AES 256 in CBC mode OID: `2.16.840.1.101.3.4.1.42`
+
+| | Path |
+|--|--|
+| **CSP** | Not available |
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** |
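Review bot: this include is a word-for-word copy of the fixed-data-drives one with `fixed data drives` swapped for `operating system drives`, including the identical note and OID list; if the docs build supports include parameters, one shared include would keep the three variants from drifting (the passwords includes in this same patch already show that drift, carrying `operating system drive` text in the fixed and removable files). The same `If you do not configure this policy setting` versus `don't` inconsistency as in the sibling file applies here.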
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/includes/configure-use-of-hardware-based-encryption-for-removable-data-drives.md b/windows/security/operating-system-security/data-protection/bitlocker/includes/configure-use-of-hardware-based-encryption-for-removable-data-drives.md
new file mode 100644
index 0000000000..21ebc8d5b5
--- /dev/null
+++ b/windows/security/operating-system-security/data-protection/bitlocker/includes/configure-use-of-hardware-based-encryption-for-removable-data-drives.md
@@ -0,0 +1,28 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 10/30/2023
+ms.topic: include
+---
+
+### Configure use of hardware-based encryption for removable data drives
+
+This policy setting allows you to manage BitLocker's use of hardware-based encryption on removable data drives and specify which encryption algorithms it can use with hardware-based encryption. Using hardware-based encryption can improve performance of drive operations that involve frequent reading or writing of data to the drive.
+
+If you enable this policy setting, you can specify options that control whether BitLocker software-based encryption is used instead of hardware-based encryption on devices that don't support hardware-based encryption. You can also specify if you want to restrict the encryption algorithms and cipher suites used with hardware-based encryption.
+
+If you disable this policy setting, BitLocker can't use hardware-based encryption with removable data drives, and BitLocker software-based encryption will be used by default when the drive is encrypted.
+
+If you do not configure this policy setting, BitLocker will use software-based encryption, irrespective of hardware-based encryption availability.
+
+> [!NOTE]
+> The **Choose drive encryption method and cipher strength** policy setting doesn't apply to hardware-based encryption. The encryption algorithm used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm configured on the drive to encrypt the drive.
+>
+> The **Restrict encryption algorithms and cipher suites allowed for hardware-based encryption** option enables you to restrict the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm set for the drive isn't available, BitLocker disables the use of hardware-based encryption. Encryption algorithms are specified by object identifiers (OID). For example:
+> - AES 128 in CBC mode OID: `2.16.840.1.101.3.4.1.2`
+> - AES 256 in CBC mode OID: `2.16.840.1.101.3.4.1.42`
+
+| | Path |
+|--|--|
+| **CSP** | Not available |
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Removable Data Drives** |
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/includes/configure-use-of-passwords-for-fixed-data-drives.md b/windows/security/operating-system-security/data-protection/bitlocker/includes/configure-use-of-passwords-for-fixed-data-drives.md
new file mode 100644
index 0000000000..db3025e06b
--- /dev/null
+++ b/windows/security/operating-system-security/data-protection/bitlocker/includes/configure-use-of-passwords-for-fixed-data-drives.md
@@ -0,0 +1,28 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 10/30/2023
+ms.topic: include
+---
+
+### Configure use of passwords for fixed data drives
+
+This policy setting specifies whether a password is required to unlock BitLocker-protected fixed data drives. If you choose to allow the use of a password, you can require that a password be used, enforce complexity requirements, and configure a minimum length.
+
+> [!IMPORTANT]
+> For the complexity requirement setting to be effective, the group policy setting **Password must meet complexity requirements** located in **Computer Configuration** > **Windows Settings** > **Security Settings** > **Account Policies** > **Password Policy**, must be also enabled.
+
+If you enable this policy setting, users can configure a password that meets the requirements you define. To enforce complexity requirements on the password, select **Require complexity**:
+
+- When set to **Require complexity**, a connection to a domain controller is necessary when BitLocker is enabled to validate the complexity the password
+- When set to **Allow complexity**, a connection to a domain controller is attempted to validate that the complexity adheres to the rules set by the policy. If no domain controllers are found, the password is accepted regardless of actual password complexity and the drive will be encrypted using that password as a protector
+- When set to **Do not allow complexity**, password complexity isn't validated
+
+Passwords must be at least eight characters. To configure a greater minimum length for the password, specify the desired number of characters under **Minimum password length**
+
+If you disable or don't configure this policy setting, the default length constraint of eight characters applies to operating system drive passwords, and no complexity checks occur.
+
+| | Path |
+|--|--|
+| **CSP** | Not available |
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Fixed Data Drives** |
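Review bot: the disabled/not-configured sentence is wrong for this file: `the default length constraint of eight characters applies to operating system drive passwords` was carried over from the operating-system-drives include and should read `fixed data drive passwords`. In the `Require complexity` bullet, `to validate the complexity the password` is missing `of` (`the complexity of the password`), and the `Minimum password length` sentence lacks its terminating period. The `Allow complexity` bullet explains what happens when no domain controller is found, but the `Require complexity` bullet does not say what happens when the connection it calls necessary is unavailable; stating the outcome there would tell readers what to expect on off-network devices.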
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/includes/configure-use-of-passwords-for-operating-system-drives.md b/windows/security/operating-system-security/data-protection/bitlocker/includes/configure-use-of-passwords-for-operating-system-drives.md
new file mode 100644
index 0000000000..5ec07cf5b7
--- /dev/null
+++ b/windows/security/operating-system-security/data-protection/bitlocker/includes/configure-use-of-passwords-for-operating-system-drives.md
@@ -0,0 +1,28 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 10/30/2023
+ms.topic: include
+---
+
+### Configure use of passwords for operating system drives
+
+This policy setting specifies the constraints for passwords used to unlock BitLocker-protected operating system drives. If non-TPM protectors are allowed on operating system drives, you can provision a password, enforce complexity requirements, and configure a minimum length.
+
+> [!IMPORTANT]
+> For the complexity requirement setting to be effective, the group policy setting **Password must meet complexity requirements** located in **Computer Configuration** > **Windows Settings** > **Security Settings** > **Account Policies** > **Password Policy**, must be also enabled.
+
+If you enable this policy setting, users can configure a password that meets the requirements you define. To enforce complexity requirements on the password, select **Require complexity**:
+
+- When set to **Require complexity**, a connection to a domain controller is necessary when BitLocker is enabled to validate the complexity the password
+- When set to **Allow complexity**, a connection to a domain controller is attempted to validate that the complexity adheres to the rules set by the policy. If no domain controllers are found, the password is accepted regardless of actual password complexity and the drive will be encrypted using that password as a protector
+- When set to **Do not allow complexity**, password complexity isn't validated
+
+Passwords must be at least eight characters. To configure a greater minimum length for the password, specify the desired number of characters under **Minimum password length**
+
+If you disable or don't configure this policy setting, the default length constraint of eight characters applies to operating system drive passwords, and no complexity checks occur.
+
+| | Path |
+|--|--|
+| **CSP** | Not available |
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** |
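Review bot: same two wording fixes as the fixed-drives variant: `to validate the complexity the password` needs `of`, and `specify the desired number of characters under **Minimum password length**` lacks a period. The opening sentence conditions the whole policy on `If non-TPM protectors are allowed on operating system drives` without naming the policy that allows them (`Require additional authentication at startup`, with its `Allow BitLocker without a compatible TPM` option); a cross-reference there, in the same `../configure.md` link style the TPM platform validation include uses, would tell readers why the password option may be absent from the setup wizard.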
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/includes/configure-use-of-passwords-for-removable-data-drives.md b/windows/security/operating-system-security/data-protection/bitlocker/includes/configure-use-of-passwords-for-removable-data-drives.md
new file mode 100644
index 0000000000..336f1e1f59
--- /dev/null
+++ b/windows/security/operating-system-security/data-protection/bitlocker/includes/configure-use-of-passwords-for-removable-data-drives.md
@@ -0,0 +1,28 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 10/30/2023
+ms.topic: include
+---
+
+### Configure use of passwords for removable data drives
+
+This policy setting specifies whether a password is required to unlock BitLocker-protected removable data drives. If you choose to allow the use of a password, you can require that a password be used, enforce complexity requirements, and configure a minimum length.
+
+> [!IMPORTANT]
+> For the complexity requirement setting to be effective, the group policy setting **Password must meet complexity requirements** located in **Computer Configuration** > **Windows Settings** > **Security Settings** > **Account Policies** > **Password Policy**, must be also enabled.
+
+If you enable this policy setting, users can configure a password that meets the requirements you define. To enforce complexity requirements on the password, select **Require complexity**:
+
+- When set to **Require complexity**, a connection to a domain controller is necessary when BitLocker is enabled to validate the complexity the password
+- When set to **Allow complexity**, a connection to a domain controller is attempted to validate that the complexity adheres to the rules set by the policy. If no domain controllers are found, the password is accepted regardless of actual password complexity and the drive will be encrypted using that password as a protector
+- When set to **Do not allow complexity**, password complexity isn't validated
+
+Passwords must be at least 8 characters. To configure a greater minimum length for the password, specify the desired number of characters under **Minimum password length**
+
+If you disable or don't configure this policy setting, the default length constraint of eight characters applies to operating system drive passwords, and no complexity checks occur.
+
+| | Path |
+|--|--|
+| **CSP** | Not available |
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Removable Data Drives** |
\ No newline at end of file
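Review bot: the disabled/not-configured sentence again says `applies to operating system drive passwords` in a removable-data-drives include; it should read `removable data drive passwords`. `Passwords must be at least 8 characters` uses a numeral where the two sibling includes spell `eight`; `the complexity the password` needs `of`; the `Minimum password length` sentence lacks a period; and the file is missing its trailing newline (`\ No newline at end of file`), which every other new include in this patch has.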
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/includes/configure-use-of-smart-cards-on-fixed-data-drives.md b/windows/security/operating-system-security/data-protection/bitlocker/includes/configure-use-of-smart-cards-on-fixed-data-drives.md
new file mode 100644
index 0000000000..272d4f036f
--- /dev/null
+++ b/windows/security/operating-system-security/data-protection/bitlocker/includes/configure-use-of-smart-cards-on-fixed-data-drives.md
@@ -0,0 +1,20 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 10/30/2023
+ms.topic: include
+---
+
+### Configure use of smart cards on fixed data drives
+
+This policy setting allows you to specify whether smart cards can be used to authenticate user access to the BitLocker-protected fixed data drives.
+
+- If you enable this policy setting, smart cards can be used to authenticate user access to the drive
+ - You can require a smart card authentication by selecting the **Require use of smart cards on fixed data drives** option
+- If you disable this policy setting, users can't use smart cards to authenticate their access to BitLocker-protected fixed data drives
+- If you don't configure this policy setting, smart cards can be used to authenticate user access to a BitLocker-protected drive
+
+| | Path |
+|--|--|
+| **CSP** | Not available |
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Fixed Data Drives** |
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/includes/configure-use-of-smart-cards-on-removable-data-drives.md b/windows/security/operating-system-security/data-protection/bitlocker/includes/configure-use-of-smart-cards-on-removable-data-drives.md
new file mode 100644
index 0000000000..420074ca92
--- /dev/null
+++ b/windows/security/operating-system-security/data-protection/bitlocker/includes/configure-use-of-smart-cards-on-removable-data-drives.md
@@ -0,0 +1,20 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 10/30/2023
+ms.topic: include
+---
+
+### Configure use of smart cards on removable data drives
+
+This policy setting allows you to specify whether smart cards can be used to authenticate user access to the BitLocker-protected removable data drives.
+
+- If you enable this policy setting, smart cards can be used to authenticate user access to the drive
+ - You can require a smart card authentication by selecting the **Require use of smart cards on removable data drives** option
+- If you disable this policy setting, users can't use smart cards to authenticate their access to BitLocker-protected removable data drives
+- If you don't configure this policy setting, smart cards can be used to authenticate user access to a BitLocker-protected drive
+
+| | Path |
+|--|--|
+| **CSP** | Not available |
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Removable Data Drives** |
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/includes/control-use-of-bitlocker-on-removable-drives.md b/windows/security/operating-system-security/data-protection/bitlocker/includes/control-use-of-bitlocker-on-removable-drives.md
new file mode 100644
index 0000000000..6900ca9c2d
--- /dev/null
+++ b/windows/security/operating-system-security/data-protection/bitlocker/includes/control-use-of-bitlocker-on-removable-drives.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 10/30/2023
+ms.topic: include
+---
+
+### Control use of BitLocker on removable drives
+
+This policy setting controls the use of BitLocker on removable data drives.
+
+When this policy setting is enabled, you can select property settings that control how users can configure BitLocker:
+
+- Choose **Allow users to apply BitLocker protection on removable data drives** to permit the user to run the BitLocker setup wizard on a removable data drive
+- Choose **Allow users to suspend and decrypt BitLocker on removable data drives** to permit the user to remove BitLocker encryption from the drive or suspend the encryption while maintenance is performed
+
+If you disable this policy setting, users can't use BitLocker on removable disk drives.
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/BitLocker/`[RemovableDrivesConfigureBDE](/windows/client-management/mdm/bitlocker-csp#removabledrivesconfigurebde) |
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Removable Data Drives** |
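Review bot: the hunk documents the enabled and disabled branches but not the not-configured one, which every other include in this patch spells out; from this text a reader cannot tell whether users can run the setup wizard on removable drives by default. The disabled sentence also says `removable disk drives` where the rest of the file says `removable data drives`.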
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/includes/deny-write-access-to-fixed-drives-not-protected-by-bitlocker.md b/windows/security/operating-system-security/data-protection/bitlocker/includes/deny-write-access-to-fixed-drives-not-protected-by-bitlocker.md
new file mode 100644
index 0000000000..3589ed946a
--- /dev/null
+++ b/windows/security/operating-system-security/data-protection/bitlocker/includes/deny-write-access-to-fixed-drives-not-protected-by-bitlocker.md
@@ -0,0 +1,29 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 10/30/2023
+ms.topic: include
+---
+
+### Deny write access to fixed drives not protected by BitLocker
+
+This policy setting is used to require encryption of fixed drives prior to granting *write* access.
+
+If you enable this policy setting, all fixed data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.
+
+If you disable or don't configure this policy setting, all fixed data drives on the computer will be mounted with read and write access.
+
+> [!NOTE]
+> When this policy setting is enabled, users receive **Access denied** error messages when they try to save data to unencrypted fixed data drives.
+>
+>
+> If the *BitLocker Drive Preparation Tool* `BdeHdCfg.exe` is executed on a computer when this policy setting is enabled, the following issues could be encountered:
+>
+> - If you attempt to shrink a drive to create the system drive, the drive size is successfully reduced, and a raw partition is created. However, the raw partition isn't formatted. The following error message is displayed: **The new active drive cannot be formatted. You may need to manually prepare your drive for BitLocker.**
+> - If you attempt to use unallocated space to create the system drive, a raw partition is created. However, the raw partition isn't be formatted. The following error message is displayed: **The new active drive cannot be formatted. You may need to manually prepare your drive for BitLocker.**
+> - If you attempt to merge an existing drive into the system drive, the tool fails to copy the required boot file onto the target drive to create the system drive. The following error message is displayed: **BitLocker setup failed to copy boot files. You may need to manually prepare your drive for BitLocker.**
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/BitLocker/`[FixedDrivesRequireEncryption](/windows/client-management/mdm/bitlocker-csp#fixeddrivesrequireencryption) |
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Fixed Data Drives** |
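Review bot: the note contains two consecutive empty `>` lines after the `Access denied` sentence, which renders as a doubled blank quote line; drop one. In the second BdeHdCfg bullet `the raw partition isn't be formatted` should be `isn't formatted`, matching the first bullet. `all fixed data drives that are not BitLocker-protected` should use `aren't` for consistency with the `don't` two lines later.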
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/includes/deny-write-access-to-removable-drives-not-protected-by-bitlocker.md b/windows/security/operating-system-security/data-protection/bitlocker/includes/deny-write-access-to-removable-drives-not-protected-by-bitlocker.md
new file mode 100644
index 0000000000..510a31f0d3
--- /dev/null
+++ b/windows/security/operating-system-security/data-protection/bitlocker/includes/deny-write-access-to-removable-drives-not-protected-by-bitlocker.md
@@ -0,0 +1,33 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 10/30/2023
+ms.topic: include
+---
+
+### Deny write access to removable drives not protected by BitLocker
+
+This policy setting configures whether BitLocker protection is required for a device to be able to write data to a removable data drive.
+
+If you enable this policy setting:
+
+- all removable data drives that are not BitLocker-protected are mounted as read-only
+- if the drive is protected by BitLocker, it's mounted with read and write access
+- if the **Deny write access to devices configured in another organization** option is selected, only drives with identification fields matching the computer's identification fields are given write access
+ - When a removable data drive is accessed, it's checked for valid identification field and allowed identification fields. These fields are defined by the (*Provide the unique identifiers for your organization*)[] policy setting
+
+If you disable or do not configure this policy setting, all removable data drives on the computer are mounted with read and write access.
+
+> [!NOTE]
+> This policy setting is ignored if the policy settings *Removable Disks: Deny write access* is enabled.
+
+> [!IMPORTANT]
+> If you enable this policy:
+>
+> - Use of BitLocker with the *TPM startup key* or *TPM key and PIN* must be disallowed
+> - Use of recovery keys must be disallowed
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/BitLocker/`[RemovableDrivesRequireEncryption](/windows/client-management/mdm/bitlocker-csp#removabledrivesrequireencryption) |
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Removable Data Drives** |
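Review bot: the link in the identification-fields sub-bullet is malformed: `(*Provide the unique identifiers for your organization*)[]` has the parentheses and brackets reversed and an empty target, so it renders as literal text; it should be `[*Provide the unique identifiers for your organization*](...)` with a relative `../configure.md` link and heading anchor, as the TPM platform validation include does. `if the policy settings *Removable Disks: Deny write access* is enabled` should be `policy setting`. The IMPORTANT block lists what must be disallowed (`TPM startup key`, `TPM key and PIN`, recovery keys) without saying why; stating that startup keys and recovery keys are saved to removable drives, which this policy mounts read-only unless they are BitLocker-protected, would let readers judge the trade-off rather than take the rule on faith.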
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/includes/disable-new-dma-devices-when-this-computer-is-locked.md b/windows/security/operating-system-security/data-protection/bitlocker/includes/disable-new-dma-devices-when-this-computer-is-locked.md
new file mode 100644
index 0000000000..cb3456daea
--- /dev/null
+++ b/windows/security/operating-system-security/data-protection/bitlocker/includes/disable-new-dma-devices-when-this-computer-is-locked.md
@@ -0,0 +1,24 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 10/30/2023
+ms.topic: include
+---
+
+### Disable new DMA devices when this computer is locked
+
+When enabled, this policy setting blocks direct memory access (DMA) for all hot pluggable PCI ports until a user signs into Windows.
+
+Once a user signs in, Windows enumerates the PCI devices connected to the host Thunderbolt PCI ports. Every time the user locks the device, DMA is blocked on hot plug Thunderbolt PCI ports with no children devices, until the user signs in again.
+
+Devices that were already enumerated when the device was unlocked will continue to function until unplugged, or the system is rebooted or hibernated.
+
+This policy setting is only enforced when BitLocker or device encryption is enabled.
+
+> [!IMPORTANT]
+> This policy is not compatible with *Kernel DMA Protection*. It's recommended to disable this policy if the system supports Kernel DMA Protection, as Kernel DMA Protection provides higher security for the system. For more information about Kernel DMA Protection, see [Kernel DMA Protection](../../../../hardware-security/kernel-dma-protection-for-thunderbolt.md).
+
+| | Path |
+|--|--|
+| **CSP** | Not available |
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** |
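Review bot: the IMPORTANT note tells readers to disable this policy where Kernel DMA Protection is supported but gives no way to check; add that System Information (`msinfo32`) reports a `Kernel DMA Protection` row showing On or Off. The first paragraph says `all hot pluggable PCI ports` while the second narrows to `hot plug Thunderbolt PCI ports with no children devices`; say which scope is meant, and use `child devices`. `This policy setting is only enforced when BitLocker or device encryption is enabled` is the key caveat for anyone testing the setting and would be better placed before the behaviour description rather than after it.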
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/includes/disallow-standard-users-from-changing-the-pin-or-password.md b/windows/security/operating-system-security/data-protection/bitlocker/includes/disallow-standard-users-from-changing-the-pin-or-password.md
new file mode 100644
index 0000000000..5d5089cdfc
--- /dev/null
+++ b/windows/security/operating-system-security/data-protection/bitlocker/includes/disallow-standard-users-from-changing-the-pin-or-password.md
@@ -0,0 +1,18 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 10/30/2023
+ms.topic: include
+---
+
+### Disallow standard users from changing the PIN or password
+
+This policy allows configuration of whether standard users are allowed to change the PIN or password that is used to protect the operating system drive, if they can provide the existing PIN first.
+
+If you enable this policy, standard users can't change BitLocker PINs or passwords.
+If you disable or don't configure this policy, standard users can change BitLocker PINs and passwords.
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/BitLocker/`[SystemDrivesDisallowStandardUsersCanChangePIN](/windows/client-management/mdm/bitlocker-csp#systemdrivesdisallowstandarduserscanchangepin) |
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** |
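Review bot: The opening sentence is indirect ("This policy allows configuration of whether standard users are allowed to change..."); the other includes in this PR open with "This policy setting controls whether ..." or "This policy setting determines whether ...", so suggest "This policy setting controls whether standard users can change the PIN or password that protects the operating system drive, provided they supply the existing PIN first." The two "If you enable / If you disable" sentences also sit on consecutive lines without the trailing `\` used by sibling includes (for example require-additional-authentication-at-startup.md), so they render as one paragraph; pick one convention for the set.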
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/includes/enable-use-of-bitlocker-authentication-requiring-preboot-keyboard-input-on-slates.md b/windows/security/operating-system-security/data-protection/bitlocker/includes/enable-use-of-bitlocker-authentication-requiring-preboot-keyboard-input-on-slates.md
new file mode 100644
index 0000000000..af984e4535
--- /dev/null
+++ b/windows/security/operating-system-security/data-protection/bitlocker/includes/enable-use-of-bitlocker-authentication-requiring-preboot-keyboard-input-on-slates.md
@@ -0,0 +1,28 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 10/30/2023
+ms.topic: include
+---
+
+### Enable use of BitLocker authentication requiring preboot keyboard input on slates
+
+This policy setting allows users to turn on authentication options that require user input from the preboot environment, even if the platform lacks preboot input capability. The Windows touch keyboard (such as that used by tablets) isn't available in the preboot environment where BitLocker requires additional information such as a PIN or Password.
+
+- If you enable this policy setting, devices must have an alternative means of preboot input (such as an attached USB keyboard).
+- If this policy isn't enabled, the Windows Recovery Environment must be enabled on tablets to support the entry of the BitLocker recovery password.
+
+It's recommended that administrators enable this policy only for devices that are verified to have an alternative means of preboot input, such as attaching a USB keyboard.
+
+When the Windows Recovery Environment (WinRE) isn't enabled and this policy isn't enabled, BitLocker can't be turned on a device that uses a touch keyboard.
+
+If this policy setting isn't enabled, the following options in the **Require additional authentication at startup** policy might not be available:
+
+- Configure TPM startup PIN: Required and Allowed
+- Configure TPM startup key and PIN: Required and Allowed
+- Configure use of passwords for operating system drives
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/BitLocker/`[SystemDrivesEnablePrebootInputProtectorsOnSlates](/windows/client-management/mdm/bitlocker-csp#systemdrivesenableprebootinputprotectorsonslates) |
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** |
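Review bot: "BitLocker can't be turned on a device that uses a touch keyboard" is missing a word; it should read "can't be turned on on a device" or, better, "BitLocker can't be enabled on a device that uses a touch keyboard". Minor: "PIN or Password" capitalizes Password inconsistently with the rest of the include, and "Windows Recovery Environment" is spelled out before the "(WinRE)" abbreviation is introduced two paragraphs later; introduce the abbreviation at first mention.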
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/includes/enforce-drive-encryption-type-on-fixed-data-drives.md b/windows/security/operating-system-security/data-protection/bitlocker/includes/enforce-drive-encryption-type-on-fixed-data-drives.md
new file mode 100644
index 0000000000..ebbb59b261
--- /dev/null
+++ b/windows/security/operating-system-security/data-protection/bitlocker/includes/enforce-drive-encryption-type-on-fixed-data-drives.md
@@ -0,0 +1,27 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 10/30/2023
+ms.topic: include
+---
+
+### Enforce drive encryption type on fixed data drives
+
+This policy setting controls the use of BitLocker on fixed data drives.
+
+If you enable this policy setting the encryption type that BitLocker uses to encrypt drives is defined by this policy, and the encryption type option won't be presented in the BitLocker setup wizard:
+
+- Choose **full encryption** to require that the entire drive be encrypted when BitLocker is turned on
+- Choose **used space only encryption** to require that only the portion of the drive used to store data is encrypted when BitLocker is turned on
+
+If you disable or don't configure this policy setting, the BitLocker setup wizard asks the user to select the encryption type before turning on BitLocker.
+
+> [!NOTE]
+> Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress.
+>
+> This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption method. For example, when a drive that is using *Used Space Only encryption* is expanded, the new free space isn't wiped like a drive that uses *Full encryption*. The user could wipe the free space on a *Used Space Only* drive by using the following command: `manage-bde.exe -w`. If the volume is shrunk, no action is taken for the new free space.
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/BitLocker/`[FixedDrivesEncryptionType](/windows/client-management/mdm/bitlocker-csp#fixeddrivesencryptiontype) |
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Fixed Data Drives** |
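Review bot: "If you enable this policy setting the encryption type that BitLocker uses..." needs a comma after "setting", and the sentence reads more cleanly split in two: "If you enable this policy setting, this policy defines the encryption type BitLocker uses. The encryption type option isn't presented in the BitLocker setup wizard:". The first sentence, "This policy setting controls the use of BitLocker on fixed data drives", also overstates the scope; the setting only controls the encryption type, so suggest "controls the encryption type BitLocker uses on fixed data drives".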
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/includes/enforce-drive-encryption-type-on-operating-system-drives.md b/windows/security/operating-system-security/data-protection/bitlocker/includes/enforce-drive-encryption-type-on-operating-system-drives.md
new file mode 100644
index 0000000000..d5c449d091
--- /dev/null
+++ b/windows/security/operating-system-security/data-protection/bitlocker/includes/enforce-drive-encryption-type-on-operating-system-drives.md
@@ -0,0 +1,27 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 10/30/2023
+ms.topic: include
+---
+
+### Enforce drive encryption type on operating system drives
+
+This policy setting allows you to configure the encryption type used by BitLocker Drive Encryption.
+
+When you enable this policy setting, the *encryption type* option isn't offered in the BitLocker setup wizard:
+
+- Choose **full encryption** to require that the entire drive be encrypted when BitLocker is turned on
+- Choose **used space only encryption** to require that only the portion of the drive used to store data is encrypted when BitLocker is turned on
+
+If you disable or don't configure this policy setting, the BitLocker setup wizard asks the user to select the encryption type before turning on BitLocker.
+
+> [!NOTE]
+> Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress.
+>
+> This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption method. For example, when a drive that is using *Used Space Only encryption* is expanded, the new free space isn't wiped like a drive that uses *Full encryption*. The user could wipe the free space on a *Used Space Only* drive by using the following command: `manage-bde.exe -w`. If the volume is shrunk, no action is taken for the new free space.
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/BitLocker/`[SystemDrivesEncryptionType](/windows/client-management/mdm/bitlocker-csp#systemdrivesencryptiontype) |
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** |
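Review bot: The enabled case here only says the encryption type option isn't offered, whereas the fixed-drive sibling also states that the policy defines the encryption type BitLocker uses; add that sentence so the three "Enforce drive encryption type" includes describe the enabled behavior the same way. The NOTE block (lines starting "Changing the encryption type has no effect..." through "...no action is taken for the new free space.") is duplicated verbatim in the fixed and removable includes; consider factoring it into its own include so the `manage-bde.exe -w` guidance is maintained in one place.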
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/includes/enforce-drive-encryption-type-on-removable-data-drives.md b/windows/security/operating-system-security/data-protection/bitlocker/includes/enforce-drive-encryption-type-on-removable-data-drives.md
new file mode 100644
index 0000000000..abf2f0dca0
--- /dev/null
+++ b/windows/security/operating-system-security/data-protection/bitlocker/includes/enforce-drive-encryption-type-on-removable-data-drives.md
@@ -0,0 +1,27 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 10/30/2023
+ms.topic: include
+---
+
+### Enforce drive encryption type on removable data drives
+
+This policy setting controls the use of BitLocker on removable data drives.
+
+When you enable this policy setting, the *encryption type* option isn't offered in the BitLocker setup wizard:
+
+- Choose **full encryption** to require that the entire drive be encrypted when BitLocker is turned on
+- Choose **used space only encryption** to require that only the portion of the drive used to store data is encrypted when BitLocker is turned on
+
+If you disable or don't configure this policy setting, the BitLocker setup wizard asks the user to select the encryption type before turning on BitLocker.
+
+> [!NOTE]
+> Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress.
+>
+> This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption method. For example, when a drive that is using *Used Space Only encryption* is expanded, the new free space isn't wiped like a drive that uses *Full encryption*. The user could wipe the free space on a *Used Space Only* drive by using the following command: `manage-bde.exe -w`. If the volume is shrunk, no action is taken for the new free space.
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/BitLocker/`[RemovableDrivesEncryptionType](/windows/client-management/mdm/bitlocker-csp#removabledrivesencryptiontype) |
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Removable Data Drives** |
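Review bot: "This policy setting controls the use of BitLocker on removable data drives" describes a broader setting than this one; the policy only fixes the encryption type, so suggest "This policy setting controls the encryption type BitLocker uses on removable data drives." The remaining text is otherwise identical to the OS-drive include, so any wording fix applied there should be mirrored here.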
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/includes/prevent-memory-overwrite-on-restart.md b/windows/security/operating-system-security/data-protection/bitlocker/includes/prevent-memory-overwrite-on-restart.md
new file mode 100644
index 0000000000..0437a528d0
--- /dev/null
+++ b/windows/security/operating-system-security/data-protection/bitlocker/includes/prevent-memory-overwrite-on-restart.md
@@ -0,0 +1,21 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 10/30/2023
+ms.topic: include
+---
+
+### Prevent memory overwrite on restart
+
+This policy setting is used to control whether the computer's memory is overwritten when the device restarts. BitLocker secrets include key material used to encrypt data.
+
+- If you enable this policy setting, memory isn't overwritten when the computer restarts. Preventing memory overwrite may improve restart performance but increases the risk of exposing BitLocker secrets.
+- If you disable or do not configure this policy setting, BitLocker secrets are removed from memory when the computer restarts.
+
+> [!NOTE]
+> This policy setting applies only when BitLocker protection is enabled.
+
+| | Path |
+|--|--|
+| **CSP** | Not available |
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** |
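Review bot: "If you disable or do not configure" should be "If you disable or don't configure" to match the contraction style used by every other include in this PR. The standalone sentence "BitLocker secrets include key material used to encrypt data." is disconnected from the sentence before it; suggest tying it to the setting's purpose, for example "This policy setting controls whether the computer's memory is overwritten when the device restarts, so that BitLocker secrets (key material used to encrypt data) are cleared."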
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/includes/provide-the-unique-identifiers-for-your-organization.md b/windows/security/operating-system-security/data-protection/bitlocker/includes/provide-the-unique-identifiers-for-your-organization.md
new file mode 100644
index 0000000000..5612741246
--- /dev/null
+++ b/windows/security/operating-system-security/data-protection/bitlocker/includes/provide-the-unique-identifiers-for-your-organization.md
@@ -0,0 +1,25 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 10/30/2023
+ms.topic: include
+---
+
+### Provide the unique identifiers for your organization
+
+This policy setting allows you to associate unique organizational identifiers to a drive that is encrypted with BitLocker. The identifiers are stored as the *identification field* and *allowed identification field*:
+
+- The identification field allows you to associate a unique organizational identifier to BitLocker-protected drives. This identifier is automatically added to new BitLocker-protected drives and can be updated on existing BitLocker-protected drives using the *BitLocker Drive Encryption: Configuration Tool* (`manage-bde.exe`)
+- The allowed identification field is used in combination with the *[Deny write access to removable drives not protected by BitLocker](../configure.md?tabs=removable#deny-write-access-to-removable-drives-not-protected-by-bitlocker)* policy setting to help control the use of removable drives in your organization. It's a comma separated list of identification fields from your organization or other external organizations. You can configure the identification fields on existing drives by using `manage-bde.exe`.
+
+If you enable this policy setting, you can configure the identification field on the BitLocker-protected drive and any allowed identification field used by your organization. When a BitLocker-protected drive is mounted on another BitLocker-enabled device, the identification field and allowed identification field are used to determine whether the drive is from a different organization.
+
+If you disable or don't configure this policy setting, the identification field is not required.
+
+> [!IMPORTANT]
+> Identification fields are required for management of certificate-based data recovery agents on BitLocker-protected drives. BitLocker only manages and updates certificate-based data recovery agents when the identification field is present on a drive and is identical to the value configured on the device. The identification field can be any value of 260 characters or fewer.
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/BitLocker/`[IdentificationField](/windows/client-management/mdm/bitlocker-csp#identificationfield) |
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** |
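Review bot: "the identification field is not required" should use the contraction "isn't required" for consistency with the rest of the include, and "comma separated list" should be hyphenated ("comma-separated list"). The first bullet ends without a period while the second has one; make the list punctuation consistent. Minor: "associate unique organizational identifiers to a drive" reads better as "associate ... with a drive".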
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/includes/removable-drives-excluded-from-encryption.md b/windows/security/operating-system-security/data-protection/bitlocker/includes/removable-drives-excluded-from-encryption.md
new file mode 100644
index 0000000000..133e810d41
--- /dev/null
+++ b/windows/security/operating-system-security/data-protection/bitlocker/includes/removable-drives-excluded-from-encryption.md
@@ -0,0 +1,13 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 10/30/2023
+ms.topic: include
+---
+
+### Removable drives excluded from encryption
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/BitLocker/`[RemovableDrivesExcludedFromEncryption](/windows/client-management/mdm/bitlocker-csp#removabledrivesexcludedfromencryption) |
+| **GPO** | Not available |
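Review bot: This include has a heading and a CSP/GPO table but no description of what the setting does, unlike every other include in this PR. Add at least a sentence describing the policy's purpose and its enabled / not-configured behavior, or link to the CSP reference text, so the rendered page doesn't show an empty section.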
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/includes/require-additional-authentication-at-startup.md b/windows/security/operating-system-security/data-protection/bitlocker/includes/require-additional-authentication-at-startup.md
new file mode 100644
index 0000000000..825a951cf0
--- /dev/null
+++ b/windows/security/operating-system-security/data-protection/bitlocker/includes/require-additional-authentication-at-startup.md
@@ -0,0 +1,56 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 10/30/2023
+ms.topic: include
+---
+
+### Require additional authentication at startup
+
+This policy setting configures whether BitLocker requires extra authentication each time the device starts.
+
+If you enable this policy, users can configure advanced startup options in the BitLocker setup wizard.\
+If you disable or don't configure this policy setting, users can configure only basic options on computers with a TPM.
+
+> [!NOTE]
+> Only one of the additional authentication options can be required at startup, otherwise a policy error occurs.
+
+If you want to use BitLocker on a device without a TPM, select the option **Allow BitLocker without a compatible TPM**. In this mode, either a password or a USB drive is required for startup.\
+When using a startup key, the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted, the access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable, or if you have forgotten the password, then you must use one of the BitLocker recovery options to access the drive.
+
+On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use:
+
+- TPM only
+- a USB flash drive containing a startup key
+- a PIN (6-digit to 20-digit)
+- PIN + USB flash drive
+
+> [!NOTE]
+> If you want to require the use of a startup PIN and a USB flash drive, you must configure BitLocker settings using the command-line tool [manage-bde](/windows-server/administration/windows-commands/manage-bde) instead of the BitLocker Drive Encryption setup wizard.
+
+There are four options for TPM-enabled devices:
+
+- Configure TPM startup
+ - Allow TPM
+ - Require TPM
+ - Don't allow TPM
+
+- Configure TPM startup PIN
+ - Allow startup PIN with TPM
+ - Require startup PIN with TPM
+ - Don't allow startup PIN with TPM
+
+- Configure TPM startup key
+ - Allow startup key with TPM
+ - Require startup key with TPM
+ - Don't allow startup key with TPM
+
+- Configure TPM startup key and PIN
+ - Allow TPM startup key with PIN
+ - Require startup key and PIN with TPM
+ - Don't allow TPM startup key with PIN
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/BitLocker/`[SystemDrivesRequireStartupAuthentication](/windows/client-management/mdm/bitlocker-csp#systemdrivesrequirestartupauthentication) |
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** |
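Review bot: The sub-items under "Configure TPM startup key and PIN" use two different word orders ("Allow TPM startup key with PIN", "Require startup key and PIN with TPM", "Don't allow TPM startup key with PIN"); align them with the other groups, for example "Allow startup key and PIN with TPM" / "Require startup key and PIN with TPM" / "Don't allow startup key and PIN with TPM". Also verify that the nested sub-items are indented by at least two spaces; as shown here they carry a single leading space, which CommonMark renders as top-level items rather than a nested list. Minor: "four types of authentication methods" followed by "There are four options" is repetitive; "four authentication methods" suffices.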
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/includes/require-device-encryption.md b/windows/security/operating-system-security/data-protection/bitlocker/includes/require-device-encryption.md
new file mode 100644
index 0000000000..c80d17f8b9
--- /dev/null
+++ b/windows/security/operating-system-security/data-protection/bitlocker/includes/require-device-encryption.md
@@ -0,0 +1,33 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 10/30/2023
+ms.topic: include
+---
+
+### Require device encryption
+
+This policy setting determines whether BitLocker is required:
+
+- If enabled, encryption is triggered on all drives silently or non-silently based on [Allow warning for other disk encryption](../configure.md?tabs=os#allow-warning-for-other-disk-encryption) policy
+- If disabled, BitLocker isn't turned off for the system drive, but it stops prompting the user to turn BitLocker on.
+
+> [!NOTE]
+> Typically, BitLocker follows the [Choose drive encryption method and cipher strength](../configure.md?tabs=os#choose-drive-encryption-method-and-cipher-strength) policy configuration. However, this policy setting will be ignored for self-encrypting fixed drives and self-encrypting OS drives.
+
+Encryptable fixed data volumes are treated similarly to OS volumes, but they must meet other criteria to be encryptable:
+
+- It must not be a dynamic volume
+- It must not be a recovery partition
+- It must not be a hidden volume
+- It must not be a system partition
+- It must not be backed by virtual storage
+- It must not have a reference in the BCD store
+
+> [!NOTE]
+> Only full disk encryption is supported when using this policy for silent encryption. For non-silent encryption, encryption type will depend on the [*Enforce drive encryption type on operating system drives*](../configure.md?tabs=fixed#enforce-drive-encryption-type-on-operating-system-drives) and [*Enforce drive encryption type on fixed data drives*](../configure.md?tabs=fixed#enforce-drive-encryption-type-on-fixed-data-drives) policies configured on the device.
+
+| | Path |
+|--|--|
+| **CSP** | `./Device/Vendor/MSFT/BitLocker/`[RequireDeviceEncryption](/windows/client-management/mdm/bitlocker-csp#requiredeviceencryption) |
+| **GPO** | Not available |
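Review bot: The link to the OS-drive policy uses the wrong tab: `[*Enforce drive encryption type on operating system drives*](../configure.md?tabs=fixed#enforce-drive-encryption-type-on-operating-system-drives)` should use `?tabs=os`, as the "Allow warning for other disk encryption" link earlier in the same include does; only the fixed-data-drives link belongs on `tabs=fixed`. Also the first bullet has no terminal period while the second does, and "based on [Allow warning ...] policy" is missing "the".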
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/includes/reset-platform-validation-data-after-bitlocker-recovery.md b/windows/security/operating-system-security/data-protection/bitlocker/includes/reset-platform-validation-data-after-bitlocker-recovery.md
new file mode 100644
index 0000000000..d34fafac10
--- /dev/null
+++ b/windows/security/operating-system-security/data-protection/bitlocker/includes/reset-platform-validation-data-after-bitlocker-recovery.md
@@ -0,0 +1,20 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 10/30/2023
+ms.topic: include
+---
+
+### Reset platform validation data after BitLocker recovery
+
+This policy setting determines if platform validation data should refresh when Windows is started following a BitLocker recovery. A platform validation data profile consists of the values in a set of Platform Configuration Register (PCR) indices that range from 0 to 23.
+
+If you enable this policy setting, platform validation data is refreshed when Windows is started following BitLocker recovery. This is the default behavior.\
+If you disable this policy setting, platform validation data won't be refreshed when Windows is started following BitLocker recovery.
+
+For more information about the recovery process, see the [BitLocker recovery overview](../recovery-overview.md).
+
+| | Path |
+|--|--|
+| **CSP** | Not available |
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** |
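Review bot: The include describes the enabled and disabled cases but not the not-configured case that every sibling include covers; since the enabled behavior is stated to be the default, suggest "If you disable this policy setting, ..." becomes "If you disable this policy setting, platform validation data isn't refreshed ..." and add "If you don't configure this policy setting, the default behavior (refresh) applies." Minor: "determines if" should be "determines whether".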
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/includes/use-enhanced-boot-configuration-data-validation-profile.md b/windows/security/operating-system-security/data-protection/bitlocker/includes/use-enhanced-boot-configuration-data-validation-profile.md
new file mode 100644
index 0000000000..e80cb22d19
--- /dev/null
+++ b/windows/security/operating-system-security/data-protection/bitlocker/includes/use-enhanced-boot-configuration-data-validation-profile.md
@@ -0,0 +1,20 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 10/30/2023
+ms.topic: include
+---
+
+### Use enhanced Boot Configuration Data validation profile
+
+This policy setting determines specific Boot Configuration Data (BCD) settings to verify during platform validation. A platform validation uses the data in the platform validation profile, which consists of a set of Platform Configuration Register (PCR) indices that range from 0 to 23.
+
+If you don't configure this policy setting, the device will verify the default Windows BCD settings.
+
+> [!NOTE]
+> When BitLocker is using Secure Boot for platform and BCD integrity validation, as defined by the *[Allow Secure Boot for integrity validation](../configure.md?tabs=os#allow-secure-boot-for-integrity-validation)* policy setting, this policy setting is ignored. The setting that controls boot debugging `0x16000010` is always validated, and it has no effect if it's included in the inclusion or exclusion list.
+
+| | Path |
+|--|--|
+| **CSP** | Not available |
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** |
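Review bot: The enabled case is never described: the text covers only "If you don't configure", yet the NOTE refers to an "inclusion or exclusion list" that the reader has not been told about. Add a sentence for the enabled case explaining that the administrator specifies which BCD settings to include in or exclude from validation, so the reference to those lists in the note has context. Minor: the setting value `0x16000010` would benefit from naming the BCD element it corresponds to, if the source material provides it.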
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/includes/validate-smart-card-certificate-usage-rule-compliance.md b/windows/security/operating-system-security/data-protection/bitlocker/includes/validate-smart-card-certificate-usage-rule-compliance.md
new file mode 100644
index 0000000000..d74b1ca073
--- /dev/null
+++ b/windows/security/operating-system-security/data-protection/bitlocker/includes/validate-smart-card-certificate-usage-rule-compliance.md
@@ -0,0 +1,22 @@
+---
+author: paolomatarazzo
+ms.author: paoloma
+ms.date: 10/30/2023
+ms.topic: include
+---
+
+### Validate smart card certificate usage rule compliance
+
+This policy setting is used to determine which certificate to use with BitLocker by associating an object identifier (OID) from a smart card certificate to a BitLocker-protected drive. The object identifier is specified in the enhanced key usage (EKU) of a certificate.
+
+BitLocker can identify which certificates may be used to authenticate a user certificate to a BitLocker-protected drive by matching the object identifier in the certificate with the object identifier that is defined by this policy setting. Default OID is `1.3.6.1.4.1.311.67.1.1`.
+
+If you enable this policy setting, the object identifier specified in the **Object identifier** field must match the object identifier in the smart card certificate. If you disable or don't configure this policy setting, the default OID is used.
+
+> [!NOTE]
+> BitLocker doesn't require that a certificate have an EKU attribute; however, if one is configured for the certificate, it must be set to an object identifier that matches the object identifier configured for BitLocker.
+
+| | Path |
+|--|--|
+| **CSP** | Not available |
+| **GPO** | **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** |
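Review bot: "Default OID is `1.3.6.1.4.1.311.67.1.1`." is missing its article ("The default OID is ..."), and "which certificates may be used" should be "can be used" per the docset's style guidance. The first two paragraphs both explain OID matching; consider merging them so the matching rule and the default value are stated once.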
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/index.md b/windows/security/operating-system-security/data-protection/bitlocker/index.md
index 3faff60393..9d9ff5daed 100644
--- a/windows/security/operating-system-security/data-protection/bitlocker/index.md
+++ b/windows/security/operating-system-security/data-protection/bitlocker/index.md
@@ -1,51 +1,148 @@
---
title: BitLocker overview
-description: Learn about BitLocker requirements, practical applications, and deprecated features.
-ms.collection:
- - highpri
- - tier1
+description: Learn about BitLocker practical applications and requirements.
ms.topic: overview
-ms.date: 08/03/2023
+ms.date: 10/30/2023
---
# BitLocker overview
-Bitlocker is a Windows disk encryption feature, designed to protect data by providing encryption for entire volumes.\
-BitLocker addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned devices.
-
-BitLocker provides maximum protection when used with a Trusted Platform Module (TPM). A TPM is a hardware component installed in many devices and it works with BitLocker to help protect user data and to ensure that a computer hasn't been tampered with while the system is offline.
-
-On devices that don't have a TPM, BitLocker can still be used to encrypt the Windows operating system drive. However, this implementation requires the user to insert a USB startup key to start the device or resume from hibernation. An operating system volume password can be used to protect the operating system volume on a computer without TPM. Both options don't provide the pre-startup system integrity verification offered by BitLocker with a TPM.
-
-In addition to the TPM, BitLocker offers the option to lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable device (such as a USB flash drive) that contains a startup key. These additional security measures provide multifactor authentication and assurance that the computer won't start or resume from hibernation until the correct PIN or startup key is presented.
+BitLocker is a Windows security feature that provides encryption for entire volumes, addressing the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned devices.
## Practical applications
-Data on a lost or stolen device is vulnerable to unauthorized access, either by running a software-attack tool against it or by transferring the computer's hard drive to a different computer. BitLocker helps mitigate unauthorized data access by enhancing file and system protections. BitLocker also helps render data inaccessible when BitLocker-protected devices are decommissioned or recycled.
+Data on a lost or stolen device is vulnerable to unauthorized access, either by running a software-attack tool against it, or by transferring the device's hard drive to a different device. BitLocker helps mitigate unauthorized data access by enhancing file and system protections, rendering data inaccessible when BitLocker-protected devices are decommissioned or recycled.
+
+## BitLocker and TPM
+
+BitLocker provides maximum protection when used with a Trusted Platform Module (TPM), which is a common hardware component installed on Windows devices. The TPM works with BitLocker to ensure that a device hasn't been tampered with while the system is offline.
+
+In *addition* to the TPM, BitLocker can lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable device that contains a *startup key*. These security measures provide multifactor authentication and assurance that the device can't start or resume from hibernation until the correct PIN or startup key is presented.
+
+On devices that don't have a TPM, BitLocker can still be used to encrypt the operating system drive. This implementation requires the user to either:
+
+- use a startup key, which is a file stored on a removable drive that is used to start the device, or when resuming from hibernation
+- use a password. This option isn't secure since it's subject to brute force attacks as there isn't a password lockout logic. As such, the password option is discouraged and disabled by default
+
+Both options don't provide the preboot system integrity verification offered by BitLocker with a TPM.
+
+:::row:::
+ :::column span="1":::
+ *BitLocker preboot screen with startup key:*
+ :::column-end:::
+ :::column span="1":::
+ *BitLocker preboot screen with PIN:*
+ :::column-end:::
+ :::column span="1":::
+ *BitLocker preboot screen with password:*
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="1":::
+ :::image type="content" source="images/preboot-startup-key.png" alt-text="Screenshot of the BitLocker preboot screen prompting to enter a startup key." lightbox="images/preboot-startup-key.png" border="false":::
+ :::column-end:::
+ :::column span="1":::
+ :::image type="content" source="images/preboot-pin.png" alt-text="Screenshot of the BitLocker preboot screen prompting to enter a PIN." lightbox="images/preboot-pin.png" border="false":::
+ :::column-end:::
+ :::column span="1":::
+ :::image type="content" source="images/preboot-password.png" alt-text="Screenshot of the BitLocker preboot screen prompting to enter a password." lightbox="images/preboot-password.png" border="false":::
+ :::column-end:::
+:::row-end:::
## System requirements
-BitLocker has the following hardware requirements:
+BitLocker has the following requirements:
-- For BitLocker to use the system integrity check provided by a TPM, the computer must have TPM 1.2 or later versions. If a computer doesn't have a TPM, saving a startup key on a removable drive, such as a USB flash drive, becomes mandatory when enabling BitLocker
-- A device with a TPM must also have a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware. The BIOS or UEFI firmware establishes a chain of trust for the pre-operating system startup, and it must include support for TCG-specified Static Root of Trust Measurement. A computer without a TPM doesn't require TCG-compliant firmware
-- The system BIOS or UEFI firmware (for TPM and non-TPM computers) must support the USB mass storage device class, including reading small files on a USB flash drive in the pre-operating system environment
+- For BitLocker to use the system integrity check provided by a TPM, the device must have TPM 1.2 or later versions. If a device doesn't have a TPM, saving a startup key on a removable drive is mandatory when enabling BitLocker
+- A device with a TPM must also have a *Trusted Computing Group* (TCG)-compliant BIOS or UEFI firmware. The BIOS or UEFI firmware establishes a chain of trust for the preboot startup, and it must include support for *TCG-specified Static Root of Trust Measurement*. A computer without a TPM doesn't require TCG-compliant firmware
+- The system BIOS or UEFI firmware (for TPM and non-TPM devices) must support the USB mass storage device class, and reading files on a USB drive in the preboot environment
> [!NOTE]
- > TPM 2.0 is not supported in Legacy and Compatibility Support Module (CSM) modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as native UEFI only. The Legacy and CSM options must be disabled. For added security, enable the secure boot feature.
+ > TPM 2.0 is not supported in *Legacy* and *Compatibility Support Module (CSM)* modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as native UEFI only. The Legacy and CSM options must be disabled. For added security, enable the *secure boot* feature.
>
- > Installed Operating System on hardware in Legacy mode stops the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](/windows/deployment/mbr-to-gpt) before changing the BIOS mode, which prepares the OS and the disk to support UEFI.
+ > Installed operating system on hardware in Legacy mode stops the OS from booting when the BIOS mode is changed to UEFI. Use the tool [`mbr2gpt.exe`][WIN-1] before changing the BIOS mode, which prepares the OS and the disk to support UEFI.
- The hard disk must be partitioned with at least two drives:
- - The operating system drive (or boot drive) contains the operating system and its support files. It must be formatted with the NTFS file system
- - The system drive contains the files that are needed to load Windows after the firmware has prepared the system hardware. BitLocker isn't enabled on this drive. For BitLocker to work, the system drive must not be encrypted, must differ from the operating system drive, and must be formatted with the FAT32 file system on computers that use UEFI-based firmware or with the NTFS file system on computers that use BIOS firmware. It's recommended that the system drive be approximately 350 MB in size. After BitLocker is turned on, it should have approximately 250 MB of free space
+ - The *operating system drive* (or boot drive) contains the OS and its support files. It must be formatted with the NTFS file system
+ - The *system drive* contains files required to boot, decrypt, and load the operating system. BitLocker isn't enabled on this drive. For BitLocker to work, the system drive:
+ - must not be encrypted
+ - must differ from the operating system drive
+ - must be formatted with the FAT32 file system on computers that use UEFI-based firmware, or with the NTFS file system on computers that use BIOS firmware
+ - it's recommended that to be approximately 350 MB in size. After BitLocker is turned on, it should have approximately 250 MB of free space
-> [!IMPORTANT]
-> When installed on a new device, Windows automatically creates the partitions that are required for BitLocker.
->
-> An encrypted partition can't be marked as active.
+ > [!IMPORTANT]
+ > When installed on a new device, Windows automatically creates the partitions that are required for BitLocker.
+ >
+ > If the drive was prepared as a single contiguous space, BitLocker requires a new volume to hold the boot files. `BdeHdCfg.exe` can create the volume. For more information about using the tool, see [Bdehdcfg][WIN-2] in the Command-Line Reference.
> [!NOTE]
-> When installing the BitLocker optional component on a server, the Enhanced Storage feature also needs to be installed. The Enhanced Storage feature is used to support hardware encrypted drives.
+> When installing the BitLocker optional component on a server, the *Enhanced Storage* feature must be installed. The feature is used to support hardware encrypted drives.
[!INCLUDE [bitlocker](../../../../../includes/licensing/bitlocker-enablement.md)]
+
+> [!NOTE]
+> Licensing requirements for BitLocker enablement are different from the licensing requirements for BitLocker *management*. To learn more, review the how-to guide: [configure BitLocker](configure.md).
+
+## Device encryption
+
+*Device encryption* is a Windows feature that provides a simple way for some devices to enable BitLocker encryption automatically. Device encryption is available on all Windows versions, and it requires a device to meet either [Modern Standby][WIN-3] or HSTI security requirements. Device encryption can't have externally accessible ports that allow DMA access.
+
+> [!IMPORTANT]
+> Device encryption encrypts only the OS drive and fixed drives, it doesn't encrypt external/USB drives.
+
+Unlike a standard BitLocker implementation, device encryption is enabled automatically so that the device is always protected. When a clean installation of Windows is completed and the out-of-box experience is finished, the device is prepared for first use. As part of this preparation, device encryption is initialized on the OS drive and fixed data drives on the computer with a clear key that is the equivalent of standard BitLocker suspended state. In this state, the drive is shown with a warning icon in Windows Explorer. The yellow warning icon is removed after the TPM protector is created and the recovery key is backed up.
+
+- If the device is Microsoft Entra joined or Active Directory domain joined, the clear key is removed once the recovery key is successfully backed up to Microsoft Entra ID or Active Directory Domain Services (AD DS). The following policy settings must be enabled for the recovery key to be backed up: [Choose how BitLocker-protected operating system drives can be recovered](configure.md?tabs=os#choose-how-bitlocker-protected-operating-system-drives-can-be-recovered)
+ - For Microsoft Entra joined devices: the recovery password is created automatically when the user authenticates to Microsoft Entra ID, then the recovery key is backed up to Microsoft Entra ID, the TPM protector is created, and the clear key is removed
+ - For AD DS joined devices: the recovery password is created automatically when the computer joins the domain. The recovery key is then backed up to AD DS, the TPM protector is created, and the clear key is removed
+- If the device isn't Microsoft Entra joined or Active Directory domain joined, a Microsoft account with administrative privileges on the device is required. When the administrator uses a Microsoft account to sign in, the clear key is removed, a recovery key is uploaded to the online Microsoft account, and a TPM protector is created. Should a device require the recovery key, the user is guided to use an alternate device and navigate to a recovery key access URL to retrieve the recovery key by using their Microsoft account credentials
+- If a device uses only local accounts, then it remains unprotected even though the data is encrypted
+
+> [!IMPORTANT]
+> Device encryption uses the `XTS-AES 128-bit` encryption method, by default. In case you configure a policy setting to use a different encryption method, you can use the Enrollment Status Page to avoid the device to begin encryption with the default method. BitLocker has a logic that doesn't start encrypting until the end of OOBE, after the Enrollment Status Page device configuration phase is complete. This logic gives a device enough time to receive the BitLocker policy settings before starting encryption.
+>
+> If a different encryption method and/or cipher strength is needed but the device is already encrypted, it must first be decrypted before the new encryption method and/or cipher strength can be applied. After the device is decrypted, you can apply different BitLocker settings.
+
+If a device doesn't initially qualify for device encryption, but then a change is made that causes the device to qualify (for example, by turning on *Secure Boot*), device encryption enables BitLocker automatically as soon as it detects it.
+
+You can check whether a device meets requirements for device encryption in the System Information app (`msinfo32.exe`). If the device meets the requirements, System Information shows a line that reads:
+
+|Item|Value|
+|-|-|
+|Device Encryption Support | Meets prerequisites|
+
+### Difference between BitLocker and device encryption
+
+- Device encryption turns on BitLocker automatically on device encryption-qualifying devices, with the recovery key automatically backed up to Microsoft Entra ID, AD DS, or the user's Microsoft account
+- Device encryption adds a device encryption setting in the Settings app, which can be used to turn device encryption on or off
+ - The Settings UI doesn't show device encryption enabled until encryption is complete
+
+:::image type="content" source="images/settings-device-encryption.png" alt-text="Screenshot of the Settings app showing the device encryption panel." border="False":::
+
+> [!NOTE]
+> If device encryption is turned off, it will no longer automatically enable itself in the future. The user must enable it manually in Settings
+
+### Disable device encryption
+
+It's recommended to keep device encryption on for any systems that support it. However, you can prevent the automatic device encryption process by changing the following registry setting:
+
+| Path|Name|Type|Value|
+|-|-|-|-|
+| `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BitLocker`| `PreventDeviceEncryption`|REG_DWORD|0x1|
+
+For more information about device encryption, see [BitLocker device encryption hardware requirements][WIN-4].
+
+## Next steps
+
+> [!div class="nextstepaction"]
+> Learn about technologies and features to protect against attacks on the BitLocker encryption key:
+>
+>
+> [BitLocker countermeasures >](countermeasures.md)
+
+
+
+[WIN-1]: /windows/deployment/mbr-to-gpt
+[WIN-2]: /windows-server/administration/windows-commands/bdehdcfg
+[WIN-3]: /windows-hardware/design/device-experiences/modern-standby
+[WIN-4]: /windows-hardware/design/device-experiences/oem-bitlocker#bitlocker-automatic-device-encryption
\ No newline at end of file
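Review bot: The DMA requirement in the "Device encryption" paragraph is attached to the wrong subject. "Device encryption can't have externally accessible ports that allow DMA access." should read "The device can't have externally accessible ports that allow DMA access", since it is the hardware prerequisite (alongside Modern Standby or HSTI) that decides whether automatic encryption is offered, and as written a reader can miss that an exposed DMA port disqualifies the device. Two further wording fixes in the same hunk: "it's recommended that to be approximately 350 MB in size" in the system-drive sub-list should be "it's recommended that it be approximately 350 MB in size", and in the IMPORTANT block on the default cipher, "you can use the Enrollment Status Page to avoid the device to begin encryption with the default method" should be "to prevent the device from beginning encryption with the default method" (the next sentence already explains that encryption waits until the ESP device-configuration phase completes). Style: the NOTE under the Settings screenshot lacks a terminating period, the nextstepaction block has two consecutive empty `>` lines, and the file ends with three blank lines and no trailing newline; trim to a single newline.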
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/install-server.md b/windows/security/operating-system-security/data-protection/bitlocker/install-server.md
new file mode 100644
index 0000000000..c79ab3d0aa
--- /dev/null
+++ b/windows/security/operating-system-security/data-protection/bitlocker/install-server.md
@@ -0,0 +1,93 @@
+---
+title: Install BitLocker on Windows Server
+description: Learn how to install BitLocker on Windows Server.
+ms.topic: how-to
+ms.date: 10/30/2023
+appliesto:
+- ✅ Windows Server 2022
+- ✅ Windows Server 2019
+- ✅ Windows Server 2016
+---
+
+# Install BitLocker on Windows Server
+
+For all Windows Server editions, BitLocker isn't installed by default, but it can be installed using Server Manager or Windows PowerShell cmdlets. This article explains how to install BitLocker on Windows Server.
+
+> [!NOTE]
+> To install BitLocker you must have administrator privileges.
+
+## Install BitLocker with Server Manager
+
+1. Open Server Manager by selecting the icon or running `servermanager.exe`
+1. Select **Manage** from the **Server Manager Navigation** bar and select **Add Roles and Features**
+1. Select **Next** at the **Before you begin** pane (if shown)
+1. Under **Installation type**, select **Role-based or feature-based installation** and select **Next**
+1. Under **Server Selection**, select the **Select a server from the server pool** pane and confirm the server on which you want to install the BitLocker feature and **Next**
+1. Under **Server Roles** select **Next**
+1. Under **Features**, select the box next to **BitLocker Drive Encryption**. The wizard shows the extra management features available for BitLocker. If you don't need the extra management features, deselect **Include management tools**
+ > [!NOTE]
+ > The **Enhanced Storage** feature is a required feature for enabling BitLocker. This feature enables support for encrypted hard drives on capable systems.
+1. Select **Next** and under **Confirmation** select **Install**
+
+The BitLocker feature requires a restart to complete its installation. Selecting the **Restart the destination server automatically if required** option in the **Confirmation** pane forces a restart of the server after installation is complete
+
+## Install BitLocker with Windows PowerShell
+
+Windows PowerShell offers administrators another option for BitLocker feature installation. Windows PowerShell installs features using the `servermanager` or `dism.exe` module. However, the `servermanager` and `dism.exe` modules don't always share feature name parity. Because of this mismatch of feature name parity, it's advisable to confirm the feature or role name prior to installation.
+
+> [!NOTE]
+> The server must be restarted to complete the installation of BitLocker.
+
+### Use the servermanager module to install BitLocker
+
+The `servermanager` Windows PowerShell module can use either the `Install-WindowsFeature` or `Add-WindowsFeature` to install the BitLocker feature. The `Add-WindowsFeature` cmdlet is a stub to the `Install-WindowsFeature`. This example uses the `Install-WindowsFeature` cmdlet. The feature name for BitLocker in the `servermanager` module is `BitLocker`.
+
+By default, installation of features in Windows PowerShell doesn't include optional subfeatures or management tools as part of the installation process. What is installed as part of the installation process can be seen using the `-WhatIf` option in Windows PowerShell.
+
+```powershell
+Install-WindowsFeature BitLocker -WhatIf
+```
+
+The results of this command show that only the BitLocker Drive Encryption feature is installed using this command.
+
+To see what would be installed with the BitLocker feature, including all available management tools and subfeatures, use the following command:
+
+```powershell
+Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -WhatIf | fl
+```
+
+The command to complete a full installation of the BitLocker feature with all available subfeatures and then to reboot the server at completion is:
+
+```powershell
+Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -Restart
+```
+
+> [!IMPORTANT]
+> Installing the BitLocker feature using Windows PowerShell does not install the Enhanced Storage feature. Administrators wishing to support Encrypted Hard Drives in their environment will need to install the Enhanced Storage feature separately.
+
+### Use the dism module to install BitLocker
+
+The `dism.exe` Windows PowerShell module uses the `Enable-WindowsOptionalFeature` cmdlet to install features. The BitLocker feature name for BitLocker is `BitLocker`. The `dism.exe` module doesn't support wildcards when searching for feature names. To list feature names for the `dism.exe` module, use the `Get-WindowsOptionalFeatures` cmdlet. The following command lists all of the optional features in an online (running) operating system.
+
+```powershell
+Get-WindowsOptionalFeature -Online | ft
+```
+
+From this output, there are three BitLocker-related optional feature names: **BitLocker**, **BitLocker-Utilities** and **BitLocker-NetworkUnlock**. To install the BitLocker feature, the **BitLocker** and **BitLocker-Utilities** features are the only required items.
+
+To install BitLocker using the `dism.exe` module, use the following command:
+
+```powershell
+Enable-WindowsOptionalFeature -Online -FeatureName BitLocker -All
+```
+
+The command doesn't include installation of the management tools for BitLocker, but you can do a complete installation of BitLocker and all available management tools with the following command:
+
+```powershell
+Enable-WindowsOptionalFeature -Online -FeatureName BitLocker, BitLocker-Utilities -All
+```
+
+> [!NOTE]
+> When using `Enable-WindowsOptionalFeature`, the administrator is prompted to reboot the server, as the cmdlet doesn't have support for forcing a reboot.
+
+After the server reboots, you can use BitLocker.
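Review bot: The cmdlet name in the dism section is wrong: the text says "use the `Get-WindowsOptionalFeatures` cmdlet" while the code block that follows correctly runs `Get-WindowsOptionalFeature -Online | ft`; drop the trailing "s" so the prose matches the command. The same hunk also contradicts itself on Enhanced Storage: the Server Manager NOTE states "The **Enhanced Storage** feature is a required feature for enabling BitLocker", but the IMPORTANT block later says the PowerShell install does not include it and only administrators who "support Encrypted Hard Drives" need it, which matches the prerequisites page; reword the NOTE to say Enhanced Storage is needed only for hardware-encrypted drives. Relatedly, "To install the BitLocker feature, the **BitLocker** and **BitLocker-Utilities** features are the only required items" sits above a command that installs `BitLocker` alone and text that calls the utilities the management tools; say `BitLocker` is required and `BitLocker-Utilities` adds the management tools. Minor: "The BitLocker feature name for BitLocker is `BitLocker`" is redundant, and the sentence ending "forces a restart of the server after installation is complete" is missing its period.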
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/network-unlock.md b/windows/security/operating-system-security/data-protection/bitlocker/network-unlock.md
new file mode 100644
index 0000000000..f81e6c585f
--- /dev/null
+++ b/windows/security/operating-system-security/data-protection/bitlocker/network-unlock.md
@@ -0,0 +1,335 @@
+---
+title: Network Unlock
+description: Learn how BitLocker Network Unlock works and how to configure it.
+ms.topic: how-to
+ms.date: 10/30/2023
+---
+
+# Network Unlock
+
+Network Unlock is a BitLocker *key protector* for operating system volumes. Network Unlock enables easier management for BitLocker-enabled desktops and servers in a domain environment by providing automatic unlock of operating system volumes at system reboot when connected to a wired corporate network. Network Unlock requires the client hardware to have a DHCP driver implemented in its UEFI firmware. Without Network Unlock, operating system volumes protected by `TPM+PIN` protectors require a PIN to be entered when a device reboots or resumes from hibernation (for example, by Wake on LAN). Requiring a PIN after a reboot can make it difficult to enterprises to roll out software patches to unattended desktops and remotely administered servers.
+
+Network Unlock allows BitLocker-enabled systems that have a `TPM+PIN` and that meet the hardware requirements to boot into Windows without user intervention. Network Unlock works in a similar fashion to the `TPM+StartupKey` at boot. Rather than needing to read the StartupKey from USB media, however, the Network Unlock feature needs the key to be composed from a key stored in the TPM and an encrypted network key that is sent to the server, decrypted and returned to the client in a secure session.
+
+## System requirements
+
+Network Unlock must meet mandatory hardware and software requirements before the feature can automatically unlock domain-joined systems. These requirements include:
+
+- Any supported operating system with UEFI DHCP drivers that can serve as Network Unlock clients
+- Network Unlock clients with a TPM chip and at least one TPM protector
+- A server running the Windows Deployment Services (WDS) role on any supported server operating system
+- BitLocker Network Unlock optional feature installed on any supported server operating system
+- A DHCP server, separate from the WDS server
+- Properly configured public/private key pairing
+- Network Unlock group policy settings configured
+- Network stack enabled in the UEFI firmware of client devices
+
+> [!IMPORTANT]
+> To support DHCP within UEFI, the UEFI-based system should be in native mode and shouldn't have a compatibility support module (CSM) enabled.
+
+For Network Unlock to work reliably, the first network adapter on the device, usually the onboard adapter, must be configured to support DHCP. This first network adapter must be used for Network Unlock. This configuration is especially worth noting when the device has multiple adapters, and some adapters are configured without DHCP, such as for use with a lights-out management protocol. This configuration is necessary because Network Unlock stops enumerating adapters when it reaches one with a DHCP port failure for any reason. Thus, if the first enumerated adapter doesn't support DHCP, isn't plugged into the network, or fails to report availability of the DHCP port for any reason, then Network Unlock fails.
+
+The Network Unlock server component is installed on supported versions of Windows Server as a Windows feature that uses Server Manager or Windows PowerShell cmdlets. The feature name is `BitLocker Network Unlock` in Server Manager and `BitLocker-NetworkUnlock` in PowerShell.
+
+Network Unlock requires Windows Deployment Services (WDS) in the environment where the feature will be utilized. Configuration of the WDS installation isn't required. However, the WDS service must be running on the server.
+
+The network key is stored on the system drive along with an AES 256 session key and encrypted with the 2048-bit RSA public key of the Unlock server certificate. The network key is decrypted with the help of a provider on a supported version of Windows Server running WDS, and returned encrypted with its corresponding session key.
+
+## Network Unlock sequence
+
+The unlock sequence starts on the client side when the Windows boot manager detects the existence of Network Unlock protector. It uses the DHCP driver in UEFI to obtain an IP address for IPv4 and then broadcasts a vendor-specific DHCP request that contains the network key and a session key for the reply, all encrypted by the server's Network Unlock certificate. The Network Unlock provider on the supported WDS server recognizes the vendor-specific request, decrypts it with the RSA private key, and returns the network key encrypted with the session key via its own vendor-specific DHCP reply.
+
+On the server side, the WDS server role has an optional plugin component, like a PXE provider, which is what handles the incoming Network Unlock requests. The provider can also be configured with subnet restrictions, which would require that the IP address provided by the client in the Network Unlock request belong to a permitted subnet to release the network key to the client. In instances where the Network Unlock provider is unavailable, BitLocker fails over to the next available protector to unlock the drive. In a typical configuration, the standard `TPM+PIN` unlock screen is presented to unlock the drive.
+
+The server side configuration to enable Network Unlock also requires provisioning a 2048-bit RSA public/private key pair in the form of an X.509 certificate, and distributing the public key certificate to the clients. This certificate is the *public key* that encrypts the intermediate network key (which is one of the two secrets required to unlock the drive; the other secret is stored in the TPM), and it must be managed and deployed via Group Policy.
+
+The Network Unlock process follows these phases:
+
+:::row:::
+ :::column span="3":::
+ 1. The Windows boot manager detects a Network Unlock protector in the BitLocker configuration
+ 2. The client computer uses its DHCP driver in the UEFI to get a valid IPv4 IP address
+ 3. The client computer broadcasts a vendor-specific DHCP request that contains a network key (a 256-bit intermediate key) and an AES-256 session key for the reply. The network key is encrypted by using the 2048-bit RSA Public Key of the Network Unlock certificate from the WDS server
+ 4. The Network Unlock provider on the WDS server recognizes the vendor-specific request
+ 5. The provider decrypts the request by using the WDS server's BitLocker Network Unlock certificate RSA private key
+ 6. The WDS provider returns the network key encrypted with the session key by using its own vendor-specific DHCP reply to the client computer. This key is an intermediate key
+ 7. The returned intermediate key is combined with another local 256-bit intermediate key. This key can be decrypted only by the TPM
+ 8. This combined key is used to create an AES-256 key that unlocks the volume
+ 9. Windows continues the boot sequence
+ :::column-end:::
+ :::column span="1":::
+ :::image type="content" source="images/network-unlock-diagram.png" alt-text="Diagram of the Network Unlock sequence." lightbox="images/network-unlock-diagram.png" border="false":::
+ :::column-end:::
+:::row-end:::
+
+## Configure Network Unlock
+
+The following steps allow an administrator to configure Network Unlock in an Active Directory domain.
+
+### Install the WDS server role
+
+The BitLocker Network Unlock feature installs the WDS role if it isn't already installed. WDS can be installed separately, before BitLocker Network Unlock is installed, by using **Server Manager** or **PowerShell**. To install the role using Server Manager, select the **Windows Deployment Services** role in **Server Manager**.
+
+To install the role by using PowerShell, use the following command:
+
+```powershell
+Install-WindowsFeature WDS-Deployment
+```
+
+The WDS server must be configured so that it can communicate with DHCP (and optionally AD DS) and the client computer. The WDS server can be configured using the WDS management tool, `wdsmgmt.msc`, which starts the Windows Deployment Services Configuration wizard.
+
+### Confirm the WDS service is running
+
+To confirm that the WDS service is running, use the Services Management Console or PowerShell. To confirm that the service is running in Services Management Console, open the console using `services.msc` and check the status of the **Windows Deployment Services** service.
+
+To confirm that the service is running using PowerShell, use the following command:
+
+```powershell
+Get-Service WDSServer
+```
+
+### Install the Network Unlock feature
+
+To install the Network Unlock feature, use Server Manager or PowerShell. To install the feature using Server Manager, select the **BitLocker Network Unlock** feature in the Server Manager console.
+
+To install the feature by using PowerShell, use the following command:
+
+```powershell
+Install-WindowsFeature BitLocker-NetworkUnlock
+```
+
+### Create the certificate template for Network Unlock
+
+A properly configured Active Directory Certification Authority can use this certificate template to create and issue Network Unlock certificates.
+
+1. Open the Certificates Template snap-in (`certtmpl.msc`)
+1. Locate the User template, right-click the template name and select **Duplicate Template**
+1. On the **Compatibility** tab, change the **Certification Authority** and **Certificate recipient** fields to Windows Server 2016 and Windows 10, respectively. Ensure that the **Show resulting changes** dialog box is selected
+1. Select the **General** tab of the template. The **Template display name** and **Template name** should identify that the template will be used for Network Unlock. Clear the check box for the **Publish certificate in Active Directory** option
+1. Select the **Request Handling** tab. Select **Encryption** from the **Purpose** drop-down menu. Ensure that the **Allow private key to be exported** option is selected
+1. Select the **Cryptography** tab. Set the **Minimum key size** to 2048. Any Microsoft cryptographic provider that supports RSA can be used for this template, but for simplicity and forward compatibility, it is recommended to use **Microsoft Software Key Storage Provider**
+1. Select the **Requests must use one of the following providers** option and clear all options except for the cryptography provider selected, such as **Microsoft Software Key Storage Provider**
+1. Select the **Subject Name** tab. Select **Supply in the request**. Select **OK** if the certificate templates pop-up dialog appears
+1. Select the **Issuance Requirements** tab. Select both **CA certificate manager approval** and **Valid existing certificate** options
+1. Select the **Extensions** tab. Select **Application Policies** and choose **Edit…**
+1. In the **Edit Application Policies Extension** options dialog box, select **Client Authentication**, **Encrypting File System**, **and Secure Email** and choose **Remove**
+1. On the **Edit Application Policies Extension** dialog box, select **Add**
+1. On the **Add Application Policy** dialog box, select **New**. In the **New Application Policy** dialog box, enter the following information in the space provided and then select **OK** to create the BitLocker Network Unlock application policy:
+
+ - *Name:* **BitLocker Network Unlock**
+ - *Object Identifier:* **1.3.6.1.4.1.311.67.1.1**
+
+1. Select the newly created **BitLocker Network Unlock** application policy and select **OK**
+1. With the **Extensions** tab still open, select the **Edit Key Usage Extension** dialog. Select the **Allow key exchange only with key encryption (key encipherment)** option. Select the **Make this extension critical** option
+1. Select the **Security** tab. Confirm that the **Domain Admins** group has been granted **Enroll** permission
+1. Select **OK** to complete configuration of the template
+
+To add the Network Unlock template to the certificate authority, open the certificate authority snap-in (`certsrv.msc`). Right-click **Certificate Templates**, and then choose **New, Certificate Template to issue**. Select the previously created BitLocker Network Unlock certificate.
+
+After the Network Unlock template is added to the certificate authority, this certificate can be used to configure BitLocker Network Unlock.
+
+### Create the Network Unlock certificate
+
+Network Unlock can use imported certificates from an existing public key infrastructure (PKI). Or it can use a self-signed certificate.
+
+To enroll a certificate from an existing certificate authority:
+
+1. On the WDS server, open Certificate Manager by using `certmgr.msc`
+1. Under **Certificates - Current User**, right-click **Personal**
+1. Select **All Tasks** > **Request New Certificate**
+1. When the Certificate Enrollment wizard opens, select **Next**
+1. Select **Active Directory Enrollment Policy**
+1. Choose the certificate template that was created for Network Unlock on the domain controller. Then select **Enroll**
+1. When prompted for more information, select **Subject Name** and provide a friendly name value. The friendly name should include information for the domain or organizational unit for the certificate For example: *BitLocker Network Unlock Certificate for Contoso domain*
+1. Create the certificate. Ensure the certificate appears in the **Personal** folder
+1. Export the public key certificate for Network Unlock:
+ 1. Create a `.cer` file by right-clicking the previously created certificate, selecting **All Tasks**, and then selecting **Export**
+ 2. Select **No, do not export the private key**
+ 3. Select **DER encoded binary X.509** and complete exporting the certificate to a file
+ 4. Give the file a name such as **BitLocker-NetworkUnlock.cer**
+1. Export the public key with a private key for Network Unlock
+ 1. Create a `.pfx` file by right-clicking the previously created certificate, selecting **All Tasks**, and then selecting **Export**
+ 1. Select **Yes, export the private key**
+ 1. Complete the steps to create the `.pfx` file
+
+To create a self-signed certificate, either use the `New-SelfSignedCertificate` cmdlet in Windows PowerShell or use `certreq.exe`. For example:
+
+#### PowerShell
+
+```powershell
+New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -Subject "CN=BitLocker Network Unlock certificate" -Provider "Microsoft Software Key Storage Provider" -KeyUsage KeyEncipherment -KeyUsageProperty Decrypt,Sign -KeyLength 2048 -HashAlgorithm sha512 -TextExtension @("1.3.6.1.4.1.311.21.10={text}OID=1.3.6.1.4.1.311.67.1.1","2.5.29.37={text}1.3.6.1.4.1.311.67.1.1")
+```
+
+#### certreq.exe
+
+1. Create a text file with an `.inf` extension, for example:
+
+ ```cmd
+ notepad.exe BitLocker-NetworkUnlock.inf
+ ```
+
+1. Add the following contents to the previously created file:
+
+ ```ini
+ [NewRequest]
+ Subject="CN=BitLocker Network Unlock certificate"
+ ProviderType=0
+ MachineKeySet=True
+ Exportable=true
+ RequestType=Cert
+ KeyUsage="CERT_KEY_ENCIPHERMENT_KEY_USAGE"
+ KeyUsageProperty="NCRYPT_ALLOW_DECRYPT_FLAG | NCRYPT_ALLOW_SIGNING_FLAG"
+ KeyLength=2048
+ SMIME=FALSE
+ HashAlgorithm=sha512
+ [Extensions]
+ 1.3.6.1.4.1.311.21.10 = "{text}"
+ _continue_ = "OID=1.3.6.1.4.1.311.67.1.1"
+ 2.5.29.37 = "{text}"
+ _continue_ = "1.3.6.1.4.1.311.67.1.1"
+ ```
+
+1. Open an elevated Command Prompt and use the `certreq.exe` tool to create a new certificate. Use the following command, specifying the full path to the file that was created previously along with the file name:
+
+ ```cmd
+ certreq.exe -new BitLocker-NetworkUnlock.inf BitLocker-NetworkUnlock.cer
+ ```
+
+1. Verify that certificate was properly created by the previous command by confirming that the `.cer` file exists
+1. Launch the **Certificates - Local Computer** console by running `certlm.msc`
+1. Create a `.pfx` file by following the below steps the **Certificates - Local Computer** console:
+
+ 1. Navigate to **Certificates - Local Computer** > **Personal** > **Certificates**
+ 1. Right-click the previously imported certificate, select **All Tasks**, and then select **Export**
+ 1. Follow through the wizard to create the `.pfx` file
+
+### Deploy the private key and certificate to the WDS server
+
+After creating the certificate and key, deploy them to the infrastructure to properly unlock systems. To deploy the certificates:
+
+1. On the WDS server, launch the **Certificates - Local Computer** console by running `certlm.msc`
+1. Right-click **BitLocker Drive Encryption Network Unlock** item under **Certificates (Local Computer)**, select **All Tasks**, and then select **Import**
+1. In the **File to Import** dialog, choose the `.pfx` file created previously
+1. Enter the password used to create the `.pfx` and complete the wizard
+
+### Configure group policy settings for Network Unlock
+
+With certificate and key deployed to the WDS server for Network Unlock, the final step is to use group policy settings to deploy the public key certificate to the desired computers that will use the Network Unlock key to unlock. Group policy settings for BitLocker can be found under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** using the Local Group Policy Editor or the Microsoft Management Console.
+
+The following steps describe how to enable the group policy setting that is a requirement for configuring Network Unlock.
+
+1. Open Group Policy Management Console (`gpmc.msc`)
+1. Enable the policy **Require additional authentication at startup**, and then select **Require startup PIN with TPM** or **Allow startup PIN with TPM**
+1. Turn on BitLocker with TPM+PIN protectors on all domain-joined computers
+
+The following steps describe how to deploy the required group policy setting:
+
+1. Copy the `.cer` file that was created for Network Unlock to the domain controller
+1. On the domain controller, open Group Policy Management Console (`gpmc.msc`)
+1. Create a new Group Policy Object or modify an existing object to enable the **Allow Network Unlock at startup** setting
+1. Deploy the public certificate to clients:
+
+ 1. Within group policy management console, navigate to the following location:
+
+ **Computer Configuration** > **Policies** > **Windows Settings** > **Security Settings** > **Public Key Policies** > **BitLocker Drive Encryption Network Unlock Certificate**.
+
+ 1. Right-click the folder and select **Add Network Unlock Certificate**
+ 1. Follow the wizard steps and import the `.cer` file that was copied earlier
+
+ > [!NOTE]
+ > Only one Network Unlock certificate can be available at a time. If a new certificate is needed, delete the current certificate before deploying a new one. The Network Unlock certificate is located under the **`HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\FVE_NKP`** registry key on the client computer.
+
+1. Reboot the clients after the Group Policy is deployed
+
+ > [!NOTE]
+ > The **Network (Certificate Based)** protector will be added only after a reboot, with the policy enabled and a valid certificate present in the FVE_NKP store.
+
+### Subnet policy configuration files on the WDS server (optional)
+
+By default, all clients with the correct Network Unlock certificate and valid Network Unlock protectors that have wired access to a Network Unlock-enabled WDS server via DHCP are unlocked by the server. A subnet policy configuration file on the WDS server can be created to limit which are the subnet(s) the Network Unlock clients can use to unlock.
+
+The configuration file, called `bde-network-unlock.ini`, must be located in the same directory as the Network Unlock provider DLL (`%windir%\System32\Nkpprov.dll`) and it applies to both IPv6 and IPv4 DHCP implementations. If the subnet configuration policy becomes corrupted, the provider fails and stops responding to requests.
+
+The subnet policy configuration file must use a `[SUBNETS]` section to identify the specific subnets. The named subnets may then be used to specify restrictions in certificate subsections. Subnets are defined as simple name-value pairs, in the common INI format, where each subnet has its own line, with the name on the left of the equal-sign, and the subnet identified on the right of the equal-sign as a Classless Inter-Domain Routing (CIDR) address or range. The key word `ENABLED` is disallowed for subnet names.
+
+```ini
+[SUBNETS]
+SUBNET1=10.185.250.0/24 ; a comment about this subrange could be here, after the semicolon
+SUBNET2=10.185.252.200/28
+SUBNET3= 2001:4898:a:2::/64 ; an IPv6 subnet
+SUBNET4=2001:4898:a:3::/64; in production, the admin would likely give more useful names, like BUILDING9-EXCEPT-RECEP.
+```
+
+Following the `[SUBNETS]` section, there can be sections for each Network Unlock certificate, identified by the certificate thumbprint formatted without any spaces, which define the subnets clients that can be unlocked from that certificate.
+
+> [!NOTE]
+> When specifying the certificate thumbprint, do not include any spaces. If spaces are included in the thumbprint, the subnet configuration fails because the thumbprint will not be recognized as valid.
+
+Subnet restrictions are defined within each certificate section by denoting the allowed list of permitted subnets. If any subnets are listed in a certificate section, then only those subnets are permitted for that certificate. If no subnet is listed in a certificate section, then all subnets are permitted for that certificate. If a certificate doesn't have a section in the subnet policy configuration file, then no subnet restrictions are applied for unlocking with that certificate. For restrictions to apply to every certificate, there must be a certificate section for every Network Unlock certificate on the server, and an explicit allowed list set for each certificate section.
+
+Subnet lists are created by putting the name of a subnet from the `[SUBNETS]` section on its own line below the certificate section header. Then, the server will only unlock clients with this certificate on the subnet(s) specified as in the list. For troubleshooting, a subnet can be quickly excluded without deleting it from the section by commenting it out with a prepended semi-colon.
+
+```ini
+[2158a767e1c14e88e27a4c0aee111d2de2eafe60]
+;Comments could be added here to indicate when the cert was issued, which Group Policy should get it, and so on.
+;This list shows this cert is allowed to unlock clients only on the SUBNET1 and SUBNET3 subnets. In this example, SUBNET2 is commented out.
+SUBNET1
+;SUBNET2
+SUBNET3
+```
+
+To disallow the use of a certificate altogether, add a `DISABLED` line to its subnet list.
+
+## Turn off Network Unlock
+
+To turn off the unlock server, the PXE provider can be unregistered from the WDS server or uninstalled altogether. However, to stop clients from creating Network Unlock protectors, the **Allow Network Unlock at startup** group policy setting should be disabled. When this policy setting is updated to **disabled** on client computers, any Network Unlock key protector on the computer is deleted. Alternatively, the BitLocker Network Unlock certificate policy can be deleted on the domain controller to accomplish the same task for an entire domain.
+
+> [!NOTE]
+> Removing the FVE_NKP certificate store that contains the Network Unlock certificate and key on the WDS server will also effectively disable the server's ability to respond to unlock requests for that certificate. However, this is seen as an error condition and is not a supported or recommended method for turning off the Network Unlock server.
+
+## Update Network Unlock certificates
+
+To update the certificates used by Network Unlock, administrators need to import or generate the new certificate for the server, and then update the Network Unlock certificate group policy setting on the domain controller.
+
+> [!NOTE]
+> Servers that don't receive the group policy setting require a PIN when they boot. In such cases, find out why the servers don't receive the GPO to update the certificate.
+
+## Troubleshoot Network Unlock
+
+Troubleshooting Network Unlock issues begins by verifying the environment. Many times, a small configuration issue can be the root cause of the failure. Items to verify include:
+
+- Verify that the client hardware is UEFI-based and is on firmware version 2.3.1 and that the UEFI firmware is in native mode without a Compatibility Support Module (CSM) for BIOS mode enabled. Verification can be done by checking that the firmware doesn't have an option enabled such as "Legacy mode" or "Compatibility mode" or that the firmware doesn't appear to be in a BIOS-like mode
+- All required roles and services are installed and started
+- Public and private certificates have been published and are in the proper certificate containers. The presence of the Network Unlock certificate can be verified in the Microsoft Management Console (MMC.exe) on the WDS server with the certificate snap-ins for the local computer enabled. The client certificate can be verified by checking the registry key **`HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\FVE_NKP`** on the client computer
+- Group policy for Network Unlock is enabled and linked to the appropriate domains
+- Verify whether group policy is reaching the clients properly. Verification of group policy can be done using the `GPRESULT.exe` or `RSOP.msc` utilities
+- Verify whether the clients were rebooted after applying the policy
+- Verify whether the **Network (Certificate Based)** protector is listed on the client. Verification of the protector can be done using either manage-bde or Windows PowerShell cmdlets. For example, the following command will list the key protectors currently configured on the C: drive of the local computer:
+
+ ```powershell
+ manage-bde.exe -protectors -get C:
+ ```
+
+ > [!NOTE]
+ > Use the output of `manage-bde.exe` along with the WDS debug log to determine whether the proper certificate thumbprint is being used for Network Unlock.
+
+Gather the following files to troubleshoot BitLocker Network Unlock.
+
+- The Windows event logs. Specifically, get the BitLocker event logs and the `Microsoft-Windows-Deployment-Services-Diagnostics-Debug` log
+
+ Debug logging is turned off by default for the WDS server role. To retrieve WDS debug logs, the WDS debug logs first need to be enabled. Use either of the following two methods to turn on WDS debug logging.
+
+ - Start an elevated Command Prompt, and then run the following command:
+
+ ```cmd
+ wevtutil.exe sl Microsoft-Windows-Deployment-Services-Diagnostics/Debug /e:true
+ ```
+
+ - Open **Event Viewer** on the WDS server:
+
+ 1. In the left pane, navigate to **Applications and Services Logs** > **Microsoft** > **Windows** > **Deployment-Services-Diagnostics** > **Debug**
+ 2. In the right pane, select **Enable Log**
+
+- The DHCP subnet configuration file (if one exists)
+- The output of the BitLocker status on the volume. Gather this output into a text file by using `manage-bde.exe -status`. Or in Windows PowerShell, use `Get-BitLockerVolume`
+- The Network Monitor capture on the server that hosts the WDS role, filtered by client IP address
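Review bot: The two `.pfx` export procedures (the list item "Export the public key with a private key for Network Unlock" and the `certlm.msc` steps after the `certreq.exe` flow) stop at creating the file and never say what happens to it after the import on the WDS server; that file carries the Network Unlock private key, so the text should tell the reader to keep it off shared locations and remove the intermediate copy once the import described under "Deploy the private key and certificate to the WDS server" is done, and the item title should read "Export the certificate with its private key" rather than "Export the public key with a private key". Smaller points in the same region: "Right-click the previously imported certificate" should say "previously created certificate" (nothing has been imported at that step); "by following the below steps the **Certificates - Local Computer** console" is missing "in"; "Verify that certificate was properly created" is missing "the". In the subnet policy section, "which define the subnets clients that can be unlocked from that certificate" is garbled and should read "which define the subnets from which clients holding that certificate can be unlocked", and "limit which are the subnet(s) the Network Unlock clients can use to unlock" reads better as "limit the subnets from which Network Unlock clients can be unlocked".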
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/operations-guide.md b/windows/security/operating-system-security/data-protection/bitlocker/operations-guide.md
new file mode 100644
index 0000000000..380ac306c4
--- /dev/null
+++ b/windows/security/operating-system-security/data-protection/bitlocker/operations-guide.md
@@ -0,0 +1,616 @@
+---
+title: BitLocker operations guide
+description: Learn how to use different tools to manage and operate BitLocker.
+ms.topic: how-to
+ms.date: 10/30/2023
+---
+
+# BitLocker operations guide
+
+There are different tools and options to manage and operate BitLocker:
+
+- the BitLocker PowerShell module
+- the BitLocker drive encryption tools
+- Control Panel
+
+The BitLocker drive encryption tools and BitLocker PowerShell module can be used to perform any tasks that can be accomplished through the BitLocker Control Panel. They're appropriate to use for automated deployments and other scripting scenarios.\
+The BitLocker Control Panel applet allows users to perform basic tasks such as turning on BitLocker on a drive and specifying unlock methods and authentication methods. The BitLocker Control Panel applet is appropriate to use for basic BitLocker tasks.
+
+This article describes the BitLocker management tools and how to use them, providing practical examples.
+
+## BitLocker PowerShell module
+
+The BitLocker PowerShell module enables administrators to integrate BitLocker options into existing scripts with ease. For a list of cmdlets included in module, their description and syntax, check the [BitLocker PowerShell reference article][PS-1].
+
+## BitLocker drive encryption tools
+
+The BitLocker drive encryption tools include the two command-line tools:
+
+- *Configuration Tool* (`manage-bde.exe`) can be used for scripting BitLocker operations, offering options that aren't present in the BitLocker Control Panel applet. For a complete list of the `manage-bde.exe` options, see the [Manage-bde reference][PREV-1]
+- *Repair Tool* (`repair-bde.exe`) is useful for disaster recovery scenarios, in which a BitLocker protected drive can't be unlocked normally or using the recovery console
+
+## BitLocker Control Panel applet
+
+Encrypting volumes with the BitLocker Control Panel (select **Start**, enter `BitLocker`, select **Manage BitLocker**) is how many users will use BitLocker. The name of the BitLocker Control Panel applet is *BitLocker Drive Encryption*. The applet supports encrypting operating system, fixed data, and removable data volumes. The BitLocker Control Panel organizes available drives in the appropriate category based on how the device reports itself to Windows. Only formatted volumes with assigned drive letters appear properly in the BitLocker Control Panel applet.
+
+### Use BitLocker within Windows Explorer
+
+Windows Explorer allows users to launch the **BitLocker Drive Encryption Wizard** by right-clicking a volume and selecting **Turn On BitLocker**. This option is available on client computers by default. On servers, the BitLocker feature and the Desktop-Experience feature must first be installed for this option to be available. After selecting **Turn on BitLocker**, the wizard works exactly as it does when launched using the BitLocker Control Panel.
+
+## Check the BitLocker status
+
+To check the BitLocker status of a particular volume, administrators can look at the status of the drive in the BitLocker Control Panel applet, Windows Explorer, `manage-bde.exe` command-line tool, or Windows PowerShell cmdlets. Each option offers different levels of detail and ease of use.
+
+Follow the instructions below verify the status of BitLocker, selecting the tool of your choice.
+
+#### [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell)
+
+To determine the current state of a volume you can use the `Get-BitLockerVolume` cmdlet, which provides information on the volume type, protectors, protection status, and other details. For example:
+
+```powershell
+PS C:\> Get-BitLockerVolume C: | fl
+
+ComputerName : DESKTOP
+MountPoint : C:
+EncryptionMethod : XtsAes128
+AutoUnlockEnabled :
+AutoUnlockKeyStored : False
+MetadataVersion : 2
+VolumeStatus : FullyEncrypted
+ProtectionStatus : On
+LockStatus : Unlocked
+EncryptionPercentage : 100
+WipePercentage : 0
+VolumeType : OperatingSystem
+CapacityGB : 1000
+KeyProtector : {Tpm, RecoveryPassword}
+```
+
+#### [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd)
+
+With `manage-bde.exe` you can determine the volume status on the target system, for example:
+
+```cmd
+manage-bde.exe -status
+```
+
+This command returns the volumes on the target, current encryption status, encryption method, and volume type (operating system or data) for each volume.
+
+```cmd
+C:\>manage-bde -status
+
+Volume C: [Local Disk]
+[OS Volume]
+
+ Size: 1000 GB
+ BitLocker Version: 2.0
+ Conversion Status: Used Space Only Encrypted
+ Percentage Encrypted: 100.0%
+ Encryption Method: XTS-AES 128
+ Protection Status: Protection On
+ Lock Status: Unlocked
+ Identification Field: Unknown
+ Key Protectors:
+ TPM
+ Numerical Password
+```
+
+#### [:::image type="icon" source="images/controlpanel.svg"::: **Control Panel**](#tab/controlpanel)
+
+Checking BitLocker status with the Control Panel is a common method used by most users. Once opened, the status for each volume is displayed next to the volume description and drive letter. Available status return values with applet include:
+
+| Status | Description |
+| - | - |
+| **On**|BitLocker is enabled for the volume |
+| **Off**| BitLocker isn't enabled for the volume |
+| **Suspended** | BitLocker is suspended and not actively protecting the volume |
+| **Waiting for Activation**| BitLocker is enabled with a clear protector key and requires further action to be fully protected|
+
+If a drive is pre-provisioned with BitLocker, a status of **Waiting for Activation** displays with a yellow exclamation icon on the volume. This status means that there was only a clear protector used when encrypting the volume. In this case, the volume isn't in a protected state and needs to have a secure key added to the volume before the drive is fully protected. Administrators can use the Control Panel, PowerShell or `manage-bde.exe` to add an appropriate key protector. Once complete, the Control Panel updates to reflect the new status.
+
+---
+
+## Enable BitLocker
+
+### OS drive with TPM protector
+
+The following example shows how to enable BitLocker on an operating system drive using only the TPM protector and no recovery key:
+
+#### [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell)
+
+```powershell
+Enable-BitLocker C: -TpmProtector
+```
+#### [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd)
+
+```cmd
+manage-bde.exe -on C:
+```
+
+#### [:::image type="icon" source="images/controlpanel.svg"::: **Control Panel**](#tab/controlpanel)
+
+From the **BitLocker Drive Encryption** Control Panel applet:
+
+1. Expand the OS drive and select the option **Turn on BitLocker**
+1. When prompted, select the option **Let BitLocker automatically unlock my drive**
+1. Back up the *recovery key* using one of the following methods:
+
+ - **Save to your Microsoft Entra ID account** or **Microsoft Account** (if applicable)
+ - **Save to a USB flash drive**
+ - **Save to a file** - the file needs to be saved to a location that isn't on the device itself such as a network folder
+ - **Print the recovery key**
+
+1. Select **Next**
+1. Choose one of the options to **encrypt used disk space only** or **encrypt entire drive** and select **Next**
+
+ - **Encrypt used disk space only** - Encrypts only disk space that contains data
+ - **Encrypt entire drive** - Encrypts the entire volume including free space. Also known as full disk encryption
+
+ Each of the methods is recommended in the following scenarios:
+
+ - **Encrypt used disk space only**:
+
+ - The drive has never had data
+ - Formatted or erased drives that in the past have never had confidential data that was never encrypted
+
+ - **Encrypt entire drive** (full disk encryption):
+
+ - Drives that currently have data
+ - Drives that currently have an operating system
+ - Formatted or erased drives that in the past had confidential data that was never encrypted
+
+ > [!IMPORTANT]
+ > Deleted files appear as free space to the file system, which isn't encrypted by **used disk space only**. Until they are wiped or overwritten, deleted files hold information that could be recovered with common data forensic tools.
+
+1. Select an encryption mode and select **Next**
+
+ - **New encryption mode**
+ - **Compatible mode**
+
+ > [!NOTE]
+ > Normally **New encryption mode** should be chosen, but if the drive will be potentially moved to another device with an older Windows operating system, select **Compatible mode**
+1. Select **Continue** > **Restart now**
+1. After reboot, the OS performs a BitLocker system check and start encryption
+
+Users can check encryption status using the BitLocker Control Panel applet.
+
+> [!NOTE]
+> After a recovery key is created, the BitLocker Control Panel can be used to make additional copies of the recovery key.
+
+---
+
+### OS drive with TPM protector and startup key
+
+The following example shows how to enable BitLocker on an operating system drive using the TPM and *startup key* protectors.
+
+Assuming the OS drive letter is `C:` and the USB flash drive is drive letter `E:`, here's the command:
+
+#### [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell)
+
+If you choose to skip the BitLocker hardware test, encryption starts immediately without the need for a reboot.
+
+```powershell
+Enable-BitLocker C: -StartupKeyProtector -StartupKeyPath E: -SkipHardwareTest
+```
+
+#### [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd)
+
+```cmd
+manage-bde.exe -protectors -add C: -TPMAndStartupKey E:
+manage-bde.exe -on C:
+```
+
+If prompted, reboot the computer to complete the encryption process.
+
+> [!NOTE]
+> After the encryption is completed, the USB startup key must be inserted before the operating system can be started.
+
+#### [:::image type="icon" source="images/controlpanel.svg"::: **Control Panel**](#tab/controlpanel)
+
+The Control Panel applet doesn't allow enabling BitLocker and adding a startup key protector at the same time. To add a startup key protector, follow these steps:
+
+- From the **BitLocker Drive Encryption** Control Panel applet, under the OS drive, select the option **Change how drive is unlocked at startup**
+- When prompted, select the option **Insert a USB flash drive**
+- Selecting the USB drive where you want to store the startup key, and select **Save**
+
+---
+
+After reboot, the BitLocker preboot screen displays and the USB startup key must be inserted before the operating system can be started:
+
+:::image type="content" source="images/preboot-startup-key.png" alt-text="Screenshot of the BitLocker preboot screen asking for a USB drive containing the startup key.":::
+
+### Data volumes
+
+Data volumes use a similar process for encryption as operating system volumes, but they don't require protectors for the operation to complete.
+
+#### [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell)
+
+Add the desired protectors prior to encrypting the volume. The following example adds a password protector to the `E:` volume using the variable `$pw` as the password. The `$pw` variable is held as a SecureString value to store the user-defined password:
+
+```powershell
+$pw = Read-Host -AsSecureString
+
+Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw
+```
+
+> [!NOTE]
+> The BitLocker cmdlet requires the key protector GUID enclosed in quotation marks to execute. Ensure the entire GUID, with braces, is included in the command.
+
+**Example**: Use PowerShell to enable BitLocker with a TPM protector
+
+```powershell
+Enable-BitLocker D: -EncryptionMethod XtsAes256 -UsedSpaceOnly -TpmProtector
+```
+
+**Example**: Use PowerShell to enable BitLocker with a TPM+PIN protector, in this case with a PIN set to *123456*:
+
+```powershell
+$SecureString = ConvertTo-SecureString "123456" -AsPlainText -Force
+Enable-BitLocker C: -EncryptionMethod XtsAes256 -UsedSpaceOnly -Pin $SecureString -TPMandPinProtector
+```
+
+#### [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd)
+
+Encrypting data volumes can be done using the base command:
+
+```cmd
+manage-bde.exe -on
+```
+
+or additional protectors can be added to the volume first. It's recommended to add at least one primary protector plus a recovery protector to a data volume.
+
+#### [:::image type="icon" source="images/controlpanel.svg"::: **Control Panel**](#tab/controlpanel)
+
+Encrypting data volumes using the BitLocker Control Panel works in a similar fashion to encryption of the operating system volumes. Users select **Turn on BitLocker** within the BitLocker Control Panel to begin the **BitLocker Drive Encryption Wizard**.
+
+---
+
+## Manage BitLocker protectors
+
+The management of BitLocker protectors consists in adding, removing, and backing up protectors.
+
+Managed BitLocker protectors by using the following instructions, selecting the option that best suits your needs.
+
+### List protectors
+
+The list of protectors available for a volume (`C:` in the example) can be listed by running the following command:
+
+#### [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell)
+
+```PowerShell
+(Get-BitLockerVolume -mountpoint C).KeyProtector
+```
+
+#### [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd)
+
+```cmd
+ manage-bde.exe -protectors -get C:
+```
+
+#### [:::image type="icon" source="images/controlpanel.svg"::: **Control Panel**](#tab/controlpanel)
+
+This information isn't available in the Control Panel.
+
+---
+
+### Add protectors
+
+#### Add a recovery password protector
+
+#### [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell)
+
+
+```PowerShell
+Add-BitLockerKeyProtector -MountPoint C -RecoveryPasswordProtector
+```
+
+#### [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd)
+
+```cmd
+manage-bde.exe -protectors -add -recoverypassword C:
+```
+
+#### [:::image type="icon" source="images/controlpanel.svg"::: **Control Panel**](#tab/controlpanel)
+
+From the **BitLocker Drive Encryption** Control Panel applet, select the volume where you want to add a protector and select the option **Back up your recovery key**.
+
+---
+
+#### Add a password protector
+
+A common protector for a *data volume* is the *password protector*. In the next example, a password protector is added to a volume.
+
+#### [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell)
+
+```PowerShell
+Add-BitLockerKeyProtector -MountPoint D -PasswordProtector
+```
+
+#### [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd)
+
+```cmd
+manage-bde.exe -protectors -add -pw D:
+```
+
+#### [:::image type="icon" source="images/controlpanel.svg"::: **Control Panel**](#tab/controlpanel)
+
+From the **BitLocker Drive Encryption** Control Panel applet, expand the drive where you want to add a password protector and select the option **Add password**. When prompted, enter and confirm a password to unlock the drive. Select **Finish** to complete the process.
+
+---
+
+#### Add an Active Directory protector
+
+The Active Directory protector is a SID-based protector that can be added to both operating system and data volumes, although it doesn't unlock operating system volumes in the preboot environment. The protector requires the SID for the domain account or group to link with the protector. BitLocker can protect a cluster-aware disk by adding an SID-based protector for the Cluster Name Object (CNO) that lets the disk properly failover and unlock to any member computer of the cluster.
+
+> [!IMPORTANT]
+> The SID-based protector requires the use of an additional protector such as TPM, PIN, recovery key, etc. when used on operating system volumes.
+
+> [!NOTE]
+> This option is not available for Microsoft Entra joined devices.
+
+In this example, a domain SID-based protector is added to a previously encrypted volume. The user knows the SID for the user account or group they wish to add and uses the following command:
+
+#### [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell)
+
+```powershell
+Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup ""
+```
+
+To add the protector to a volume, either the domain SID or the group name preceded by the domain and a backslash are needed. In the following example, the **CONTOSO\\Administrator** account is added as a protector to the data volume G.
+
+```powershell
+Enable-BitLocker G: -AdAccountOrGroupProtector -AdAccountOrGroup CONTOSO\Administrator
+```
+
+To use the SID for the account or group, the first step is to determine the SID associated with the security principal. To get the specific SID for a user account in Windows PowerShell, use the following command:
+
+```powershell
+Get-ADUser -filter {samaccountname -eq "administrator"}
+```
+
+> [!NOTE]
+> Use of this command requires the RSAT-AD-PowerShell feature.
+
+> [!TIP]
+> Information about the locally logged on user and group membership can be found using: `whoami.exe /all`.
+
+#### [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd)
+
+```cmd
+manage-bde.exe -protectors -add -sid
+```
+
+#### [:::image type="icon" source="images/controlpanel.svg"::: **Control Panel**](#tab/controlpanel)
+
+This option isn't available in the Control Panel.
+
+---
+
+### Remove protectors
+
+#### [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell)
+
+To remove existing protectors on a volume, use the `Remove-BitLockerKeyProtector` cmdlet. A GUID associated with the protector to be removed must be provided.
+
+The following commands return the list of key protectors and GUIDS:
+
+```PowerShell
+$vol = Get-BitLockerVolume C
+$keyprotectors = $vol.KeyProtector
+$keyprotectors
+```
+
+By using this information, the key protector for a specific volume can be removed using the command:
+
+```powershell
+Remove-BitLockerKeyProtector -KeyProtectorID "{GUID}"
+```
+
+> [!NOTE]
+> The BitLocker cmdlet requires the key protector GUID enclosed in quotation marks to execute. Ensure the entire GUID, with braces, is included in the command.
+
+#### [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd)
+
+The following commands return the list of key protectors:
+
+```cmd
+manage-bde.exe -status C:
+```
+
+The following command removes keys protector of a certain type:
+
+```cmd
+manage-bde.exe -protectors -delete C: -type TPMandPIN
+```
+
+#### [:::image type="icon" source="images/controlpanel.svg"::: **Control Panel**](#tab/controlpanel)
+
+From the **BitLocker Drive Encryption** Control Panel applet, expand the drive where you want to remove a protector and select the option to remove it, if available.
+
+---
+
+> [!NOTE]
+> You must have at least one unlock method for any BitLocker-encrypted drives.
+
+## Suspend and resume
+
+Some configuration changes may require to suspend BitLocker and then resume it after the change is applied.
+
+Suspend and resume BitLocker by using the following instructions, selecting the option that best suits your needs.
+
+### Suspend BitLocker
+
+#### [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell)
+
+```powershell
+Suspend-BitLocker -MountPoint D
+```
+
+#### [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd)
+
+```cmd
+manage-bde.exe -protectors -disable d:
+```
+
+#### [:::image type="icon" source="images/controlpanel.svg"::: **Control Panel**](#tab/controlpanel)
+
+You can only suspend BitLocker protection for the OS drive when using the Control Panel.
+
+From the **BitLocker Drive Encryption** Control Panel applet, select the OS drive and select the option **Suspend protection**.
+
+---
+
+### Resume BitLocker
+
+#### [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell)
+
+```powershell
+Resume-BitLocker -MountPoint D
+```
+
+#### [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd)
+
+```cmd
+manage-bde.exe -protectors -enable d:
+```
+
+#### [:::image type="icon" source="images/controlpanel.svg"::: **Control Panel**](#tab/controlpanel)
+
+From the **BitLocker Drive Encryption** Control Panel applet, select the OS drive and select the option **Resume protection**.
+
+---
+
+## Reset and backup a recovery password
+
+It's recommended to invalidate a recovery password after its use. In this example the recovery password protector is removed from the OS drive, a new protector added, and backed up to Microsoft Entra ID or Active Directory.
+
+#### [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell)
+
+Remove all recovery passwords from the OS volume:
+
+```PowerShell
+(Get-BitLockerVolume -MountPoint $env:SystemDrive).KeyProtector | `
+ where-object {$_.KeyProtectorType -eq 'RecoveryPassword'} | `
+ Remove-BitLockerKeyProtector -MountPoint $env:SystemDrive
+```
+
+Add a BitLocker recovery password protector for the OS volume:
+
+```PowerShell
+Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -RecoveryPasswordProtector
+```
+
+Obtain the ID of the new recovery password:
+
+```PowerShell
+(Get-BitLockerVolume -mountpoint $env:SystemDrive).KeyProtector | where-object {$_.KeyProtectorType -eq 'RecoveryPassword'} | ft KeyProtectorId,RecoveryPassword
+```
+
+> [!NOTE]
+>This next steps are not required if the policy setting [Choose how BitLocker-protected operating system drives can be recovered](configure.md?tabs=os#choose-how-bitlocker-protected-operating-system-drives-can-be-recovered) is configured to **Require BitLocker backup to AD DS**.
+
+Copy the ID of the recovery password from the output.
+
+Using the GUID from the previous step, replace the `{ID}` in the following command and use the following command to back up the recovery password to Microsoft Entra ID:
+
+```PowerShell
+BackuptoAAD-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId "{ID}"
+```
+
+Or use the following command to back up the recovery password to Active Directory:
+
+```PowerShell
+Backup-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId "{ID}"
+```
+
+> [!NOTE]
+> The braces `{}` must be included in the ID string.
+
+#### [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd)
+
+Remove all recovery passwords from the OS volume:
+
+```cmd
+manage-bde.exe -protectors -delete C: -type RecoveryPassword
+```
+
+Add a BitLocker recovery password protector for the OS volume:
+
+```cmd
+manage-bde.exe -protectors -add C: -RecoveryPassword
+```
+
+Obtain the ID of the new recovery password:
+
+```cmd
+manage-bde.exe -protectors -get C: -Type RecoveryPassword
+```
+
+> [!NOTE]
+>This following steps are not required if the policy setting [Choose how BitLocker-protected operating system drives can be recovered](configure.md?tabs=os#choose-how-bitlocker-protected-operating-system-drives-can-be-recovered) is configured to **Require BitLocker backup to AD DS**.
+
+Using the GUID from the previous step, replace the `{ID}` in the following command and use the following command to back up the recovery password to Microsoft Entra ID:
+
+```cmd
+manage-bde.exe -protectors -aadbackup C: -id {ID}
+```
+
+Or use the following command to back up the recovery password to Active Directory:
+
+```cmd
+manage-bde.exe -protectors -adbackup C: -id {ID}
+```
+
+> [!NOTE]
+> The braces `{}` must be included in the ID string.
+
+#### [:::image type="icon" source="images/controlpanel.svg"::: **Control Panel**](#tab/controlpanel)
+
+This process can't be accomplished using the Control Panel. Use one of the other options instead.
+
+---
+
+## Disable BitLocker
+
+Disabling BitLocker decrypts and removes any associated protectors from the volumes. Decryption should occur when protection is no longer required, and not as a troubleshooting step.
+
+Disable BitLocker by using the following instructions, selecting the option that best suits your needs.
+
+#### [:::image type="icon" source="images/powershell.svg"::: **PowerShell**](#tab/powershell)
+
+Windows PowerShell offers the ability to decrypt multiple drives in one pass. In the following example, the user has three encrypted volumes, which they wish to decrypt.
+
+Using the Disable-BitLocker command, they can remove all protectors and encryption at the same time without the need for more commands. An example of this command is:
+
+```powershell
+Disable-BitLocker
+```
+
+To avoid specifying each mount point individually, use the `-MountPoint` parameter in an array to sequence the same command into one line, without requiring additional user input. Example:
+
+```powershell
+Disable-BitLocker -MountPoint C,D
+```
+
+#### [:::image type="icon" source="images/cmd.svg"::: **Command Prompt**](#tab/cmd)
+
+Decryption with `manage-bde.exe` offers the advantage of not requiring user confirmation to start the process. Manage-bde uses the -off command to start the decryption process. A sample command for decryption is:
+
+```cmd
+manage-bde.exe -off C:
+```
+
+This command disables protectors while it decrypts the volume and removes all protectors when decryption is complete.
+
+#### [:::image type="icon" source="images/controlpanel.svg"::: **Control Panel**](#tab/controlpanel)
+
+BitLocker decryption using the Control Panel is done using a wizard. After opening the BitLocker Control Panel applet, select the **Turn off BitLocker** option to begin the process. To proceed, select the confirmation dialog. With **Turn off BitLocker** confirmed, the drive decryption process begins.
+
+Once decryption is complete, the drive updates its status in the Control Panel and becomes available for encryption.
+
+---
+
+
+
+[PREV-1]: /previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/ff829849(v=ws.11)
+[PS-1]: /powershell/module/bitlocker
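Review bot: In the "Reset and backup a recovery password" PowerShell tab, the step that obtains the new protector ID (`... | where-object {$_.KeyProtectorType -eq 'RecoveryPassword'} | ft KeyProtectorId,RecoveryPassword`) also prints the 48-digit recovery password to the console, where it is captured by any PowerShell transcript or session log; since the backup steps that follow only need the ID, consider `Select-Object KeyProtectorId` there, or state explicitly that the password is displayed so the reader knows to record it securely. In the same section the two notes "This next steps are not required" and "This following steps are not required" should both read "The following steps aren't required" (the first is also missing the space after `>`), and "replace the `{ID}` in the following command and use the following command" repeats itself. In the Disable BitLocker PowerShell tab, the text says the user has three encrypted volumes but the example `Disable-BitLocker -MountPoint C,D` names two. Minor grammar: "removes keys protector of a certain type" should be "removes key protectors of a certain type", and "may require to suspend BitLocker" should be "may require suspending BitLocker".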
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/planning-guide.md b/windows/security/operating-system-security/data-protection/bitlocker/planning-guide.md
new file mode 100644
index 0000000000..5fb64c8c85
--- /dev/null
+++ b/windows/security/operating-system-security/data-protection/bitlocker/planning-guide.md
@@ -0,0 +1,216 @@
+---
+title: BitLocker planning guide
+description: Learn how to plan for a BitLocker deployment in your organization.
+ms.topic: concept-article
+ms.date: 10/30/2023
+---
+
+# BitLocker planning guide
+
+A BitLocker deployment strategy includes defining the appropriate policies and configuration requirements based on your organization's security requirements. This article helps collecting the information to assist with a BitLocker deployment.
+
+## Audit the environment
+
+To plan a BitLocker deployment, understand the current environment. Perform an informal audit to define the current policies, procedures, and hardware environment. Review the existing disk encryption software and the organization's security policies. If the organization isn't using disk encryption software, then these policies might not exist. If disk encryption software is in use, then the policies might need to change to use certain BitLocker features.
+
+To help document the organization's current disk encryption security policies, answer the following questions:
+
+| :ballot_box_with_check: | **Question** |
+|--|--|
+| :black_square_button: | *Are there policies to determine which devices must use BitLocker and which don't?* |
+| :black_square_button: | *What policies exist to control recovery password and recovery key storage?* |
+| :black_square_button: | *What are the policies for validating the identity of users who need to perform BitLocker recovery?* |
+| :black_square_button: | *What policies exist to control who in the organization has access to recovery data?* |
+| :black_square_button: | *What policies exist to control the decommission or retirement of devices?* |
+| :black_square_button: | *What encryption algorithm strength is in place?* |
+
+## Encryption keys and authentication
+
+A trusted platform module (TPM) is a hardware component installed in many Windows devices by the manufacturers. It works with BitLocker to help protect user data and to make sure a device hasn't been tampered with while the system was offline.
+
+BitLocker can lock the normal startup process until the user supplies a personal identification number (PIN), or inserts a removable USB device that contains a startup key. These extra security measures provide multifactor authentication. They also make sure that the computer doesn't start or resume from hibernation until the correct PIN or startup key is presented.
+
+On devices that don't have a TPM, BitLocker can still be used to encrypt the Windows operating system volume. However, this implementation doesn't provide the pre-startup system integrity verification offered by BitLocker working with a TPM.
+
+An effective implementation of information protection, like most security controls, considers usability and security. Users typically prefer a simple security experience. In fact, the more transparent a security solution becomes, the more likely users are to conform to it.
+
+It's crucial that organizations protect information on their devices regardless of the state of the device or the intent of users. This protection shouldn't be cumbersome to users. One undesirable and previously commonplace situation is when the user is prompted for input during preboot, and then again during Windows sign-in. Challenging users for input more than once should be avoided.
+
+The TPM is able to securely protect the BitLocker encryption key while it is at rest, and it can securely unlock the operating system drive. When the key is in use, and thus in memory, a combination of hardware and Windows capabilities can secure the key and prevent unauthorized access through cold-boot attacks. Although other countermeasures like PIN-based unlock are available, they aren't as user-friendly; depending on the devices' configuration they may not offer more security when it comes to key protection. For more information, see [BitLocker countermeasures](countermeasures.md).
+
+### BitLocker key protectors
+
+To protect the BitLocker encryption key, BitLocker can use different types of *protectors*. When enabling BitLocker, each protector receives a copy of the *Volume Master Key*, which is then encrypted by using its own mechanism.
+
+| Key protector | Description |
+|--|--|
+| **Auto-unlock** | Used to automatically unlock volumes that don't host an operating system. BitLocker uses encrypted information stored in the registry and volume metadata to unlock any data volumes that use automatic unlocking. |
+| **Password** and **Password for OS drive**| To unlock a drive, the user must supply a password. When used for OS drives, the user is prompted for a password in the preboot screen. This method doesn't offer any lockout logic, therefore it doesn't protect against brute force attacks. |
+| **Startup key** | An encryption key that can be stored on removable media, with a file name format of `.bek`. The user is prompted for the USB flash drive that has the recovery key and/or startup key, and then reboot the device. |
+| **Smart card certificate** | Used to unlock volumes that don't host an operating system. To unlock a drive, the user must use a smart card. |
+| **TPM** | A hardware device used to help establish a secure root-of-trust, validating early boot components. The TPM protector can only be used with the OS drive. |
+| **TPM + PIN** | A user-entered numeric or alphanumeric key protector that can only be used with OS volumes and in addition to the TPM.The TPM validates early boot components. The user must enter the correct PIN before the start-up process can continue, and before the drive can be unlocked. The TPM enters lockout if the incorrect PIN is entered repeatedly, to protect the PIN from brute force attacks. The number of repeated attempts that trigger a lockout is variable. |
+| **TPM + Startup key** | The TPM successfully validates early boot components. The user must insert a USB drive containing the startup key before the OS can boot. |
+| **TPM + Startup key + PIN** | The TPM successfully validates early boot components. The user must enter the correct PIN and insert a USB drive containing the startup key before the OS can boot. |
+| **Recovery password** | A 48-digit number used to unlock a volume when it is in *recovery mode*. Numbers can often be typed on a regular keyboard. If the numbers on the normal keyboard aren't responding, the function keys (F1-F10) can be used to input the numbers. |
+| **TPM + Network Key** | The TPM successfully validates early boot components, and a valid encrypted network key has been provided from a WDS server. This authentication method provides automatic unlock of OS volumes while maintaining multifactor authentication. This key protector can only be used with OS volumes. |
+| **Recovery key** | An encryption key stored on removable media that can be used for recovering data encrypted on a BitLocker volume. The file name has a format of `.bek`. |
+| **Data Recovery Agent** | Data recovery agents (DRAs) are accounts that are able to decrypt BitLocker-protected drives by using their certificates. Recovery of a BitLocker-protected drive can be accomplished by a data recovery agent that is configured with the proper certificate. |
+| **Active Directory user or group** | A protector that is based on an Active Directory user or group security identified (SID). Data drives are automatically unlocked when such users attempt to access them. |
+
+#### Support for devices without TPM
+
+Determine whether computers that don't have a TPM 1.2 or higher versions in the environment will be supported. If you decide to support devices without TPM, a user must use a USB startup key or a password to boot the system. The startup key requires extra support processes similar to multifactor authentication.
+
+#### What areas of the organization need a baseline level of data protection?
+
+The TPM-only authentication method provides the most transparent user experience for organizations that need a baseline level of data protection to meet security policies. It has the lowest total cost of ownership. TPM-only might also be more appropriate for devices that are unattended or that must reboot unattended.
+
+However, TPM-only authentication method doesn't offer a high level of data protection. This authentication method protects against attacks that modify early boot components. But, the level of protection can be affected by potential weaknesses in hardware or in the early boot components. BitLocker's multifactor authentication methods significantly increase the overall level of data protection.
+
+> [!TIP]
+> An advantage of TPM-only authentication is that a device can boot Windows without any user interaction. In case of lost or stolen device, there may be an advantage of this configuration: if the device is connected to the Internet, it can be remotely wiped with a device management solution like Microsoft Intune.
+
+#### What areas of the organization need a more secure level of data protection?
+
+If there are devices with highly sensitive data, then deploy BitLocker with multifactor authentication on those systems. Requiring the user to input a PIN significantly increases the level of protection for the system. BitLocker Network Unlock can also be used to allow these devices to automatically unlock when connected to a trusted wired network that can provide the Network Unlock key.
+
+#### What multifactor authentication method does the organization prefer?
+
+The protection differences provided by multifactor authentication methods can't be easily quantified. Consider each authentication method's impact on Helpdesk support, user education, user productivity, and any automated systems management processes.
+
+## Manage passwords and PINs
+
+When BitLocker is enabled on a system drive and the device has a TPM, users can be required to enter a PIN before BitLocker unlocks the drive. Such a PIN requirement can prevent an attacker who has physical access to a device from even getting to the Windows sign-in, which makes it almost impossible for the attacker to access or modify user data and system files.
+
+Requiring a PIN at startup is a useful security feature because it acts as a second authentication factor. However, this configuration comes with some costs, especially if you require to change the PIN regularly.
+
+In addition, Modern Standby devices don't require a PIN for startup: they're designed to start infrequently and have other mitigations in place that further reduce the attack surface of the system.
+
+For more information about how startup security works and the countermeasures that Windows provides, see [Preboot authentication](countermeasures.md#preboot-authentication).
+
+## TPM hardware configurations
+
+In the deployment plan, identify what TPM-based hardware platforms are supported. Document the hardware models from an OEM(s) used by the organization so that their configurations can be tested and supported. TPM hardware requires special consideration during all aspects of planning and deployment.
+
+### TPM 1.2 states and initialization
+
+For TPM 1.2, there are multiple possible states. Windows automatically initializes the TPM, which brings it to an enabled, activated, and owned state. This state is the state that BitLocker requires before it can use the TPM.
+
+### Endorsement keys
+
+For a TPM to be usable by BitLocker, it must contain an endorsement key, which is an RSA key pair. The private half of the key pair is held inside the TPM and is never revealed or accessible outside the TPM. If the TPM doesn't have an endorsement key, BitLocker forces the TPM to generate one automatically as part of BitLocker setup.
+
+An endorsement key can be created at various points in the TPM's lifecycle, but needs to be created only once for the lifetime of the TPM. If an endorsement key doesn't exist for the TPM, it must be created before you can take TPM ownership.
+
+For more information about the TPM and the TCG, see the Trusted Computing Group: [Trusted Platform Module (TPM) Specifications][FWD-1].
+
+## Non-TPM hardware configurations
+
+Devices without a TPM can still be protected with drive encryption using a startup key.
+
+Use the following questions to identify issues that might affect the deployment in a non-TPM configuration:
+
+- Is there a budget for USB flash drives for each of these devices?
+- Do existing non-TPM devices support USB drives at boot time?
+
+Test the individual hardware platforms with the BitLocker system check option while enabling BitLocker. The system check makes sure that BitLocker can read the recovery information from a USB device and encryption keys correctly before it encrypts the volume.
+
+## Disk configuration considerations
+
+To function correctly, BitLocker requires a specific disk configuration. BitLocker requires two partitions that meet the following requirements:
+
+- The operating system partition contains the operating system and its support files; it must be formatted with the NTFS file system
+- The system partition (or boot partition) includes the files needed to load Windows after the BIOS or UEFI firmware has prepared the system hardware. BitLocker isn't enabled on this partition. For BitLocker to work, the system partition must not be encrypted, and must be on a different partition than the operating system. On UEFI platforms, the system partition must be formatted with the FAT 32-file system. On BIOS platforms, the system partition must be formatted with the NTFS file system. It should be at least 350 MB in size.
+
+Windows setup automatically configures the disk drives of computers to support BitLocker encryption.
+
+Windows Recovery Environment (Windows RE) is an extensible recovery platform that is based on Windows Pre-installation Environment (Windows PE). When the computer fails to start, Windows automatically transitions into this environment, and the Startup Repair tool in Windows RE automates the diagnosis and repair of an unbootable Windows installation. Windows RE also contains the drivers and tools that are needed to unlock a volume protected by BitLocker by providing a recovery key or recovery password. To use Windows RE with BitLocker, the Windows RE boot image must be on a volume that isn't protected by BitLocker.
+
+Windows RE can also be used from boot media other than the local hard disk. If Windows RE isn't installed on the local hard disk of BitLocker-enabled computers, then different methods can be used to boot Windows RE. For example, Windows Deployment Services (WDS) or USB flash drive can be used for recovery.
+
+## BitLocker provisioning
+
+Administrators can enable BitLocker before to operating system deployment from the *Windows Pre-installation Environment* (WinPE). This step is done with a randomly generated clear key protector applied to the formatted volume. It encrypts the volume before running the Windows setup process. If the encryption uses the **Used Disk Space Only** option, then this step takes only a few seconds, and can be incorporated into existing deployment processes. Preprovisioning requires a TPM.
+
+To check the BitLocker status of a particular volume, administrators can look at the drive status in the BitLocker Control Panel applet or Windows Explorer. The **Waiting For Activation** status means that the drive was preprovisioned for BitLocker, and there's only a clear protector used to encrypt the volume. In this case, the volume isn't protected, and needs to have a secure key added to the volume before the drive is considered fully protected. Administrators can use the Control Panel options, PowerShell cmdlets, the `manage-bde.exe` tool, or WMI APIs to add an appropriate key protector. The volume status then is updated.
+
+When using the Control Panel options, administrators can choose to **Turn on BitLocker** and follow the steps in the wizard to add a protector, such as a PIN for an operating system volume (or a password if no TPM exists), or a password or smart card protector to a data volume. Then the drive security window is presented before changing the volume status.
+
+## *Used Disk Space Only* encryption
+
+The BitLocker Setup wizard provides administrators the ability to choose the *Used Disk Space Only* or *Full* encryption method when enabling BitLocker for a volume. Administrators can use BitLocker policy settings to enforce either Used Disk Space Only or Full disk encryption.
+
+Launching the BitLocker Setup wizard prompts for the authentication method to be used (password and smart card are available for data volumes). Once the method is chosen and the recovery key is saved, the wizard asks to choose the drive encryption type. Select **Used Disk Space Only** or **Full** drive encryption.
+
+With Used Disk Space Only, just the portion of the drive that contains data are encrypted. Unused space remains unencrypted. This behavior causes the encryption process to be faster, especially for new devices and data drives. When BitLocker is enabled with this method, as data is added to the drive, the portion of the drive used is encrypted. So, there's never unencrypted data stored on the drive.
+
+With Full drive encryption, the entire drive is encrypted, whether data is stored on it or not. This option is useful for drives that have been repurposed, and might contain data remnants from their previous use.
+
+> [!CAUTION]
+> Exercise caution when encrypting only used space on an existing volume on which confidential data might have already been stored in an unencrypted state. When using used space encryption, sectors where previously unencrypted data are stored can be recovered through disk-recovery tools until they're overwritten by new encrypted data. In contrast, encrypting only used space on a brand-new volume can significantly decrease deployment time without the security risk because all new data will be encrypted as it's written to the disk.
+
+## Encrypted hard drive support
+
+Encrypted hard drives provide onboard cryptographic capabilities to encrypt data on drives. This feature improves both drive and system performance by offloading cryptographic calculations from the device's processor to the drive itself. Data is rapidly encrypted by the drive by using dedicated, purpose-built hardware. If planning to use whole-drive encryption with Windows, Microsoft recommends researching hard drive manufacturers and models to determine whether any of their encrypted hard drives meet the security and budget requirements.
+
+For more information about encrypted hard drives, see [Encrypted hard drives](../encrypted-hard-drive.md).
+
+## Microsoft Entra ID and Active Directory Domain Services considerations
+
+BitLocker integrates with Microsoft Entra ID and Active Directory Domain Services (AD DS) to provide centralized key management. By default, no recovery information is backed up to Microsoft Entra ID or AD DS. Administrators can configure [policy setting](configure.md?tabs=os#choose-how-bitlocker-protected-operating-system-drives-can-be-recovered) for each drive type to enable backup of BitLocker recovery information.
+
+The following recovery data is saved for each computer object:
+
+- *Recovery password*: a 48-digit recovery password used to recover a BitLocker-protected volume. Users must enter this password to unlock a volume when BitLocker enters recovery mode
+- *Key package*: with the key package and the recovery password, portions of a BitLocker-protected volume can be decrypted if the disk is severely damaged. Each key package works only with the volume it was created on, which is identified by the corresponding volume ID
+
+## FIPS support for recovery password protector
+
+Devices configured to operate in FIPS mode can create FIPS-compliant recovery password protectors, which use the *FIPS-140 NIST SP800-132* algorithm.
+
+> [!NOTE]
+> The United States Federal Information Processing Standard (FIPS) defines security and interoperability requirements for computer systems that are used by the U.S. Federal Government. The FIPS-140 standard defines approved cryptographic algorithms. The FIPS-140 standard also sets forth requirements for key generation and for key management. The National Institute of Standards and Technology (NIST) uses the Cryptographic Module Validation Program (CMVP) to determine whether a particular implementation of a cryptographic algorithm is compliant with the FIPS-140 standard. An implementation of a cryptographic algorithm is considered FIPS-140-compliant only if it has been submitted for and has passed NIST validation. An algorithm that has not been submitted cannot be considered FIPS-compliant even if the implementation produces identical data as a validated implementation of the same algorithm.
+
+- FIPS-compliant recovery password protectors can be exported and stored in AD DS
+- The BitLocker policy settings for recovery passwords work the same for all Windows versions that support BitLocker, whether in FIPS mode or not
+
+## Network Unlock
+
+Some organizations have location-specific data security requirements, especially in environments with high-value data. The network environment might provide crucial data protection and enforce mandatory authentication. Therefore, policy states that those devices shouldn't leave the building or be disconnected from the corporate network. Safeguards like physical security locks and geofencing might help enforce this policy as reactive controls. Beyond these safeguards, a proactive security control that grants data access only when the device is connected to the corporate network is necessary.
+
+*Network Unlock* enables BitLocker-protected devices to start automatically when connected to a wired corporate network on which Windows Deployment Services runs. Anytime the device isn't connected to the corporate network, a user must enter a PIN to unlock the drive (if PIN-based unlock is enabled). Network Unlock requires the following infrastructure:
+
+- Client devices that have Unified Extensible Firmware Interface (UEFI) firmware version 2.3.1 or later, which supports Dynamic Host Configuration Protocol (DHCP)
+- A Windows Server running the Windows deployment services (WDS) role
+- A DHCP server
+
+For more information about how to configure Network unlock feature, see [Network Unlock](network-unlock.md).
+
+## BitLocker recovery
+
+Organizations should carefully plan a BitLocker recovery strategy as part of the overall BitLocker implementation plan. There are different options when implementing a BitLocker recovery model, which are described in [BitLocker recovery overview](recovery-overview.md).
+
+## Monitor BitLocker
+
+Organizations can use Microsoft Intune or Configuration Manager to monitor device encryption across multiple devices. For more information, see [Monitor device encryption with Intune][INT-1] and [View BitLocker reports in Configuration Manager][MCM-1].
+
+## Next steps
+
+> [!div class="nextstepaction"]
+> Learn how to plan a BitLocker recovery strategy for your organization:
+>
+>
+> [BitLocker recovery overview >](recovery-overview.md)
+
+> [!div class="nextstepaction"]
+> Learn about the available options to configure BitLocker and how to configure them via Configuration Service Providers (CSP) or group policy (GPO):
+>
+>
+> [Configure BitLocker >](configure.md)
+
+
+
+[FWD-1]: https://go.microsoft.com/fwlink/p/?linkid=69584
+[INT-1]: /mem/intune/protect/encryption-monitor
+[MCM-1]: /mem/configmgr/protect/deploy-use/bitlocker/view-reports
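Review bot: In the key protector table, the Active Directory user or group row says "security identified (SID)"; it should be "security identifier (SID)", and the TPM + PIN row runs "TPM.The TPM" together (missing space). Grammar fixes elsewhere in the file: "This article helps collecting the information" should be "helps collect the information"; in the Startup key row, "and then reboot the device" doesn't agree with "The user is prompted" (suggest "and must then restart the device"); "However, TPM-only authentication method doesn't offer" needs "the"; "if you require to change the PIN regularly" should be "if users are required to change the PIN regularly"; "before to operating system deployment" should be "before operating system deployment"; "just the portion of the drive that contains data are encrypted" should be "is encrypted"; "FAT 32-file system" should be "FAT32 file system"; and "how to configure Network unlock feature" should be "how to configure the Network Unlock feature".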
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/preboot-recovery-screen.md b/windows/security/operating-system-security/data-protection/bitlocker/preboot-recovery-screen.md
new file mode 100644
index 0000000000..78ab928ae2
--- /dev/null
+++ b/windows/security/operating-system-security/data-protection/bitlocker/preboot-recovery-screen.md
@@ -0,0 +1,189 @@
+---
+title: BitLocker preboot recovery screen
+description: Learn about the information displayed in the BitLocker preboot recovery screen, depending on configured policy settings and recovery keys status.
+ms.topic: concept-article
+ms.date: 10/30/2023
+---
+
+# BitLocker preboot recovery screen
+
+During BitLocker recovery, the *preboot recovery screen* can display a custom recovery message, a custom recovery URL, and a few hints to help users finding where a key can be retrieved from.
+
+This article describes the information displayed in the preboot recovery screen depending on configured policy settings and recovery keys status.
+
+## Default preboot recovery screen
+
+:::row:::
+ :::column span="2":::
+ By default, the BitLocker recovery screen displays a generic message and the url **https://aka.ms/recoverykeyfaq**.
+ :::column-end:::
+ :::column span="2":::
+ :::image type="content" source="images/preboot-recovery.png" alt-text="Screenshot of the default BitLocker recovery screen." lightbox="images/preboot-recovery.png" border="false":::
+ :::column-end:::
+:::row-end:::
+
+## Custom recovery message
+
+With BitLocker policy settings, you can configure a custom recovery message and URL on the BitLocker preboot recovery screen. The custom recovery message and URL can include the address of the BitLocker self-service recovery portal, the IT internal website, or a phone number for support.
+
+:::row:::
+ :::column span="2":::
+ BitLocker policy settings configured with a custom recovery message.
+ :::column-end:::
+ :::column span="2":::
+ :::image type="content" source="images/preboot-recovery-custom-message.png" alt-text="Screenshot of the BitLocker recovery screen showing a custom message." lightbox="images/preboot-recovery-custom-message.png" border="false":::
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="2":::
+ BitLocker policy settings configured with a custom recovery URL.
+ :::column-end:::
+ :::column span="2":::
+ :::image type="content" source="images/preboot-recovery-custom-url.png" alt-text="Screenshot of the BitLocker recovery screen showing a custom URL." lightbox="images/preboot-recovery-custom-url.png" border="false":::
+ :::column-end:::
+:::row-end:::
+
+For more information how to configure a custom recovery message with policy settings, see [Configure preboot recovery message and URL](configure.md?tabs=os#configure-preboot-recovery-message-and-url).
+
+## Recovery key hints
+
+BitLocker metadata includes information about when and where a BitLocker recovery key was saved. This information isn't exposed through the UI or any public API. It's used solely by the BitLocker recovery screen in the form of hints to help a user locate a volume's recovery key. Hints are displayed on the recovery screen and refer to the location where the key was saved. The hints apply to both the boot manager recovery screen and the WinRE unlock screen.
+
+There are rules governing which hint is shown during the recovery (in the order of processing):
+
+1. Always display custom recovery message, if configured via policy settings
+1. Always display generic hint: **For more information, go to https://aka.ms/recoverykeyfaq**
+1. If multiple recovery keys exist on the volume, prioritize the last-created (and successfully backed up) recovery key
+1. Prioritize keys with successful backup over keys that have never been backed up
+1. Prioritize backup hints in the following order for remote backup locations:
+ - Microsoft account
+ - Microsoft Entra ID
+ - Active Directory
+1. If a key has been printed and saved to file, display a combined hint **Look for a printout or a text file with the key**, instead of two separate hints
+1. If multiple backups of the same type (remove vs. local) were done for the same recovery key, prioritize backup info with latest backup date
+1. There's no specific hint for keys saved to an on-premises Active Directory. In this case, a custom message (if configured) or a generic message, **Contact your organization's help desk**, is displayed
+1. If two recovery keys are present and only one backed up, the system asks for the backed up key, even if the other key is newer
+
+:::row:::
+ :::column span="4":::
+ #### Example: single recovery password saved to file and single backup
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="2":::
+ In this scenario, the recovery password is saved to a file
+
+ > [!IMPORTANT]
+ > It's not recommend to print recovery keys or saving them to a file. Instead, use Microsoft account, Microsoft Entra ID or Active Directory backup.
+
+:::column-end:::
+ :::column span="2":::
+ :::image type="content" source="images/preboot-recovery-hint.png" alt-text="Screenshot of the BitLocker recovery screen showing a hint where the BitLocker recovery key was saved." lightbox="images/preboot-recovery-hint.png" border="false":::
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="4":::
+ #### Example: single recovery password for Microsoft account and single backup
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="2":::
+ In this scenario, a custom URL is configured. The recovery password is:
+ - saved to Microsoft account
+ - not printed
+ - not saved to a file
+
+ **Result:** the hints for the custom URL and the Microsoft account (**https://aka.ms/myrecoverykey**) are displayed.
+ :::column-end:::
+ :::column span="2":::
+ :::image type="content" source="images/preboot-recovery-custom-url-single-backup.png" alt-text="Screenshot of the BitLocker recovery screen showing a custom URL and the hint where the BitLocker recovery key was saved." lightbox="images/preboot-recovery-custom-url-single-backup.png" border="false":::
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="4":::
+ #### Example: single recovery password in AD DS and single backup
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="2":::
+ In this scenario, a custom URL is configured. The recovery password is:
+ - saved to Active Directory
+ - not printed
+ - not saved to a file
+
+ **Result:** only the custom URL is displayed.
+ :::column-end:::
+ :::column span="2":::
+ :::image type="content" source="images/preboot-recovery-custom-url.png" alt-text="Screenshot of the BitLocker recovery screen showing only the custom URL." lightbox="images/preboot-recovery-custom-url.png" border="false":::
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="4":::
+ #### Example: single recovery password with multiple backups
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="2":::
+ In this scenario, the recovery password is:
+ - saved to Microsoft account
+ - saved to Microsoft Entra ID
+ - printed
+ - saved to file
+
+ **Result:** only the Microsoft account hint (**https://aka.ms/myrecoverykey**) is displayed.
+ :::column-end:::
+ :::column span="2":::
+ :::image type="content" source="images/preboot-recovery-multiple-backups.png" alt-text="Screenshot of the BitLocker recovery screen showing only the Microsoft account hint." lightbox="images/preboot-recovery-multiple-backups.png" border="false":::
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="4":::
+ #### Example: multiple recovery passwords with sinlge backup
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="2":::
+ In this scenario, there are two recovery passwords.
+
+ The recovery password #1 is:
+ - saved to file
+ - creation time: **1PM**
+ - key ID: **4290B6C0-B17A-497A-8552-272CC30E80D4**
+
+ The recovery password #2 is:
+ - not backed up
+ - creation time: **3PM**
+ - key ID: **045219EC-A53B-41AE-B310-08EC883AAEDD**
+
+ **Result:** only the hint for the successfully backed up key is displayed, even if it isn't the most recent key.
+ :::column-end:::
+ :::column span="2":::
+ :::image type="content" source="images/preboot-recovery-hint.png" alt-text="Screenshot of the BitLocker recovery screen showing the key ID of the recovery password that was successfully backed up." lightbox="images/preboot-recovery-hint.png" border="false":::
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="4":::
+ #### Example: multiple recovery passwords with multiple backups
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="2":::
+ In this scenario, there are two recovery passwords.
+
+ The recovery password #1 is:
+ - Saved to Microsoft account
+ - Saved to Microsoft Entra ID
+ - creation time: **1PM**
+ - key ID: **4290B6C0-B17A-497A-8552-272CC30E80D4**
+
+ The recovery password #2 is:
+ - Saved to Microsoft Entra ID
+ - creation time: **3PM**
+ - key ID: **045219EC-A53B-41AE-B310-08EC883AAEDD**
+
+ **Result:** the Microsoft Entra ID hint (**https://aka.ms/aadrecoverykey**), which is the most recent key saved, is displayed.
+ :::column-end:::
+ :::column span="2":::
+ :::image type="content" source="images/preboot-recovery-multiple-passwords-multiple-backups.png" alt-text="Screenshot of the BitLocker recovery screen showing the key ID of the most recent key." lightbox="images/preboot-recovery-multiple-passwords-multiple-backups.png" border="false":::
+ :::column-end:::
+:::row-end:::
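Review bot: rule 7 of the hint-processing list, "If multiple backups of the same type (remove vs. local) were done", should read "remote vs. local"; the list contrasts the remote backup locations named in rule 5 (Microsoft account, Microsoft Entra ID, Active Directory) with local ones (printout, file), and "remove" changes the meaning. Rule 5 itself lists Active Directory among the prioritized remote-backup hints, while rule 8 states there is no specific hint for keys saved to on-premises Active Directory, which the "single recovery password in AD DS" example confirms ("only the custom URL is displayed"); qualify rule 5 or drop Active Directory from it so the two rules don't read as contradictory. Wording fixes in the same file: "help users finding where a key can be retrieved from" should be "help users find where…"; "the url **https://aka.ms/recoverykeyfaq**" should be "the URL"; "For more information how to configure" needs "about"; the IMPORTANT callout should read "It's not recommended to print recovery keys or save them to a file"; the heading "multiple recovery passwords with sinlge backup" misspells "single". Structurally, the `:::column-end:::` after that IMPORTANT callout lacks the leading space every other column-end marker has, and the first example ("the recovery password is saved to a file") has no trailing period and no **Result:** line, unlike all the other examples. Finally, the "multiple recovery passwords with single backup" example reuses images/preboot-recovery-hint.png from the first example but with a different alt text (the key ID of the backed-up password); confirm the screenshot actually shows the key ID, or use a dedicated image.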
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/security/operating-system-security/data-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
deleted file mode 100644
index ebce5dd70e..0000000000
--- a/windows/security/operating-system-security/data-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
+++ /dev/null
@@ -1,191 +0,0 @@
----
-title: Prepare the organization for BitLocker Planning and policies
-description: This article for the IT professional explains how can to plan for a BitLocker deployment.
-ms.topic: conceptual
-ms.date: 11/08/2022
----
-
-# Prepare an organization for BitLocker: Planning and policies
-
-This article for the IT professional explains how to plan BitLocker deployment.
-
-When BitLocker deployment strategy is defined, define the appropriate policies and configuration requirements based on the business requirements of the organization. The following sections will help with collecting information. Use this information to help with the decision-making process about deploying and managing BitLocker systems.
-
-## Audit the environment
-
-To plan a BitLocker deployment, understand the current environment. Perform an informal audit to define the current policies, procedures, and hardware environment. Review the existing disk encryption software corporate security policies. If the organization isn't using disk encryption software, then none of these policies will exist. If disk encryption software is being used, then the organization's policies might need to be changed to use the BitLocker features.
-
-To help document the organization's current disk encryption security policies, answer the following questions:
-
-1. Are there policies to determine which computers will use BitLocker and which computers won't use BitLocker?
-
-2. What policies exist to control recovery password and recovery key storage?
-
-3. What are the policies for validating the identity of users who need to perform BitLocker recovery?
-
-4. What policies exist to control who in the organization has access to recovery data?
-
-5. What policies exist to control computer decommissioning or retirement?
-
-## Encryption keys and authentication
-
-BitLocker helps prevent unauthorized access to data on lost or stolen computers by:
-
-- Encrypting the entire Windows operating system volume on the hard disk.
-- Verifying the boot process integrity.
-
-The trusted platform module (TPM) is a hardware component installed in many newer computers by the computer manufacturers. It works with BitLocker to help protect user data. And, help make sure a computer hasn't been tampered with while the system was offline.
-
-Also, BitLocker can lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable USB device that contains a startup key. These extra security measures provide multifactor authentication. They also make sure that the computer won't start or resume from hibernation until the correct PIN or startup key is presented.
-
-On computers that don't have a TPM version 1.2 or higher, BitLocker can still be used to encrypt the Windows operating system volume. However, this implementation requires the user to insert a USB startup key to start the computer or resume from hibernation. It doesn't provide the pre-startup system integrity verification offered by BitLocker working with a TPM.
-
-### BitLocker key protectors
-
-| Key protector | Description |
-| - | - |
-| *TPM* | A hardware device used to help establish a secure root-of-trust. BitLocker only supports TPM 1.2 or higher versions.|
-| *PIN* | A user-entered numeric key protector that can only be used in addition to the TPM.|
-| *Enhanced PIN* | A user-entered alphanumeric key protector that can only be used in addition to the TPM.|
-| *Startup key* | An encryption key that can be stored on most removable media. This key protector can be used alone on non-TPM computers, or with a TPM for added security.|
-| *Recovery password* | A 48-digit number used to unlock a volume when it is in recovery mode. Numbers can often be typed on a regular keyboard. If the numbers on the normal keyboard aren't responding, the function keys (F1-F10) can be used to input the numbers.|
-| *Recovery key*| An encryption key stored on removable media that can be used for recovering data encrypted on a BitLocker volume.|
-
-### BitLocker authentication methods
-
-| Authentication method | Requires user interaction | Description |
-| - | - | - |
-| *TPM only*| No| TPM validates early boot components.|
-| *TPM + PIN* | Yes| TPM validates early boot components. The user must enter the correct PIN before the start-up process can continue, and before the drive can be unlocked. The TPM enters lockout if the incorrect PIN is entered repeatedly, to protect the PIN from brute force attacks. The number of repeated attempts that will trigger a lockout is variable.|
-| *TPM + Network key* | No | The TPM successfully validates early boot components, and a valid encrypted network key has been provided from the WDS server. This authentication method provides automatic unlock of operating system volumes at system reboot while still maintaining multifactor authentication. |
-| *TPM + startup key* | Yes| The TPM successfully validates early boot components, and a USB flash drive containing the startup key has been inserted.|
-| *Startup key only* | Yes| The user is prompted for the USB flash drive that has the recovery key and/or startup key, and then reboot the computer.|
-
-#### Will computers without TPM 1.2 or higher versions be supported?
-
-Determine whether computers that don't have a TPM 1.2 or higher versions in the environment will be supported. If it's decided to support computers with TPM 1.2 or higher versions, a user must use a USB startup key to boot the system. This startup key requires extra support processes similar to multifactor authentication.
-
-#### What areas of the organization need a baseline level of data protection?
-
-The TPM-only authentication method provides the most transparent user experience for organizations that need a baseline level of data protection to meet security policies. It has the lowest total cost of ownership. TPM-only might also be more appropriate for computers that are unattended or that must reboot unattended.
-
-However, TPM-only authentication method offers the lowest level of data protection. This authentication method protects against attacks that modify early boot components. But, the level of protection can be affected by potential weaknesses in hardware or in the early boot components. BitLocker's multifactor authentication methods significantly increase the overall level of data protection.
-
-#### What areas of the organization need a more secure level of data protection?
-
-If there are user computers with highly sensitive data, then deploy BitLocker with multifactor authentication on those systems. Requiring the user to input a PIN significantly increases the level of protection for the system. BitLocker Network Unlock can also be used to allow these computers to automatically unlock when connected to a trusted wired network that can provide the Network Unlock key.
-
-#### What multifactor authentication method does the organization prefer?
-
-The protection differences provided by multifactor authentication methods can't be easily quantified. Consider each authentication method's impact on Helpdesk support, user education, user productivity, and any automated systems management processes.
-
-## TPM hardware configurations
-
-In the deployment plan, identify what TPM-based hardware platforms will be supported. Document the hardware models from an OEM(s) being used by the organization so that their configurations can be tested and supported. TPM hardware requires special consideration during all aspects of planning and deployment.
-
-### TPM 1.2 states and initialization
-
-For TPM 1.2, there are multiple possible states. Windows automatically initializes the TPM, which brings it to an enabled, activated, and owned state. This state is the state that BitLocker requires before it can use the TPM.
-
-### Endorsement keys
-
-For a TPM to be usable by BitLocker, it must contain an endorsement key, which is an RSA key pair. The private half of the key pair is held inside the TPM and is never revealed or accessible outside the TPM. If the TPM doesn't have an endorsement key, BitLocker will force the TPM to generate one automatically as part of BitLocker setup.
-
-An endorsement key can be created at various points in the TPM's lifecycle, but needs to be created only once for the lifetime of the TPM. If an endorsement key doesn't exist for the TPM, it must be created before TPM ownership can be taken.
-
-For more information about the TPM and the TCG, see the Trusted Computing Group: Trusted Platform Module (TPM) Specifications ().
-
-## Non-TPM hardware configurations
-
-Devices that don't include a TPM can still be protected by drive encryption. Windows To Go workspaces can be BitLocker protected using a startup password and PCs without a TPM can use a startup key.
-
-Use the following questions to identify issues that might affect the deployment in a non-TPM configuration:
-
-- Are password complexity rules in place?
-- Is there a budget for USB flash drives for each of these computers?
-- Do existing non-TPM devices support USB devices at boot time?
-
-Test the individual hardware platforms with the BitLocker system check option while enabling BitLocker. The system check makes sure that BitLocker can read the recovery information from a USB device and encryption keys correctly before it encrypts the volume. CD and DVD drives can't act as a block storage device and can't be used to store the BitLocker recovery material.
-
-## Disk configuration considerations
-
-To function correctly, BitLocker requires a specific disk configuration. BitLocker requires two partitions that meet the following requirements:
-
-- The operating system partition contains the operating system and its support files; it must be formatted with the NTFS file system
-- The system partition (or boot partition) includes the files needed to load Windows after the BIOS or UEFI firmware has prepared the system hardware. BitLocker isn't enabled on this partition. For BitLocker to work, the system partition must not be encrypted, and must be on a different partition than the operating system. On UEFI platforms, the system partition must be formatted with the FAT 32-file system. On BIOS platforms, the system partition must be formatted with the NTFS file system. It should be at least 350 MB in size.
-
-Windows setup automatically configures the disk drives of computers to support BitLocker encryption.
-
-Windows Recovery Environment (Windows RE) is an extensible recovery platform that is based on Windows Pre-installation Environment (Windows PE). When the computer fails to start, Windows automatically transitions into this environment, and the Startup Repair tool in Windows RE automates the diagnosis and repair of an unbootable Windows installation. Windows RE also contains the drivers and tools that are needed to unlock a volume protected by BitLocker by providing a recovery key or recovery password. To use Windows RE with BitLocker, the Windows RE boot image must be on a volume that isn't protected by BitLocker.
-
-Windows RE can also be used from boot media other than the local hard disk. If Windows RE isn't installed on the local hard disk of BitLocker-enabled computers, then different methods can be used to boot Windows RE. For example, Windows Deployment Services (WDS), CD-ROM, or USB flash drive can be used for recovery.
-
-## BitLocker provisioning
-
-In Windows Vista and Windows 7, BitLocker was provisioned after the installation for system and data volumes. It used the `manage-bde` command line interface or the Control Panel user interface. With newer operating systems, BitLocker can be provisioned before the operating system is installed. Preprovisioning requires the computer have a TPM.
-
-To check the BitLocker status of a particular volume, administrators can look at the drive status in the BitLocker control panel applet or Windows Explorer. The "Waiting For Activation" status with a yellow exclamation icon means that the drive was preprovisioned for BitLocker. This status means that there was only a clear protector used when encrypting the volume. In this case, the volume isn't protected, and needs to have a secure key added to the volume before the drive is considered fully protected. Administrators can use the control panel options, the **manage-bde** tool, or WMI APIs to add an appropriate key protector. The volume status will be updated.
-
-When using the control panel options, administrators can choose to **Turn on BitLocker** and follow the steps in the wizard to add a protector, such as a PIN for an operating system volume (or a password if no TPM exists), or a password or smart card protector to a data volume. Then the drive security window is presented before changing the volume status.
-
-Administrators can enable BitLocker before to operating system deployment from the Windows Pre-installation Environment (WinPE). This step is done with a randomly generated clear key protector applied to the formatted volume. It encrypts the volume before running the Windows setup process. If the encryption uses the Used Disk Space Only option, then this step takes only a few seconds. And, it incorporates into the regular deployment processes.
-
-## Used Disk Space Only encryption
-
-The BitLocker Setup wizard provides administrators the ability to choose the Used Disk Space Only or Full encryption method when enabling BitLocker for a volume. Administrators can use the new BitLocker group policy setting to enforce either Used Disk Space Only or Full disk encryption.
-
-Launching the BitLocker Setup wizard prompts for the authentication method to be used (password and smart card are available for data volumes). Once the method is chosen and the recovery key is saved, the wizard asks to choose the drive encryption type. Select Used Disk Space Only or Full drive encryption.
-
-With Used Disk Space Only, just the portion of the drive that contains data will be encrypted. Unused space will remain unencrypted. This behavior causes the encryption process to be much faster, especially for new PCs and data drives. When BitLocker is enabled with this method, as data is added to the drive, the portion of the drive used is encrypted. So, there's never unencrypted data stored on the drive.
-
-With Full drive encryption, the entire drive is encrypted, whether data is stored on it or not. This option is useful for drives that have been repurposed, and may contain data remnants from their previous use.
-
-## Active Directory Domain Services considerations
-
-BitLocker integrates with Active Directory Domain Services (AD DS) to provide centralized key management. By default, no recovery information is backed up to Active Directory. Administrators can configure the following group policy setting for each drive type to enable backup of BitLocker recovery information:
-
-**Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > ***drive type*** > **Choose how BitLocker-protected drives can be recovered**.
-
-By default, only Domain Admins have access to BitLocker recovery information, but [access can be delegated to others](/archive/blogs/craigf/delegating-access-in-ad-to-bitlocker-recovery-information).
-
-The following recovery data is saved for each computer object:
-
-- **Recovery password**
-
- A 48-digit recovery password used to recover a BitLocker-protected volume. Users enter this password to unlock a volume when BitLocker enters recovery mode.
-
-- **Key package data**
-
- With this key package and the recovery password, portions of a BitLocker-protected volume can be decrypted if the disk is severely damaged. Each key package works only with the volume it was created on, which is identified by the corresponding volume ID.
-
-## FIPS support for recovery password protector
-
-Functionality introduced in Windows Server 2012 R2 and Windows 8.1 allows BitLocker to be fully functional in FIPS mode.
-
-> [!NOTE]
-> The United States Federal Information Processing Standard (FIPS) defines security and interoperability requirements for computer systems that are used by the U.S. Federal Government. The FIPS-140 standard defines approved cryptographic algorithms. The FIPS-140 standard also sets forth requirements for key generation and for key management. The National Institute of Standards and Technology (NIST) uses the Cryptographic Module Validation Program (CMVP) to determine whether a particular implementation of a cryptographic algorithm is compliant with the FIPS-140 standard. An implementation of a cryptographic algorithm is considered FIPS-140-compliant only if it has been submitted for and has passed NIST validation. An algorithm that has not been submitted cannot be considered FIPS-compliant even if the implementation produces identical data as a validated implementation of the same algorithm.
-
-Before these supported versions of Windows, when Windows was in FIPS mode, BitLocker prevented the creation or use of recovery passwords and instead forced the user to use recovery keys. For more information about these issues, see the support article [The recovery password for Windows BitLocker isn't available when FIPS compliant policy is set in Windows](/troubleshoot/windows-client/windows-security/bitlocker-recovery-password-not-fips-compliant).
-
-However, on computers running these supported systems with BitLocker enabled:
-
-- FIPS-compliant recovery password protectors can be created when Windows is in FIPS mode. These protectors use the FIPS-140 NIST SP800-132 algorithm.
-
-- Recovery passwords created in FIPS mode on Windows 8.1 can be distinguished from recovery passwords created on other systems.
-
-- Recovery unlock using the FIPS-compliant, algorithm-based recovery password protector works in all cases that currently work for recovery passwords.
-
-- When FIPS-compliant recovery passwords unlock volumes, the volume is unlocked to allow read/write access even while in FIPS mode.
-
-- FIPS-compliant recovery password protectors can be exported and stored in AD a while in FIPS mode.
-
-The BitLocker Group Policy settings for recovery passwords work the same for all Windows versions that support BitLocker, whether in FIPS mode or not.
-
-On Windows Server 2012 R2 and Windows 8.1 and older, recovery passwords generated on a system in FIPS mode can't be used. Recovery passwords created on Windows Server 2012 R2 and Windows 8.1 are incompatible with BitLocker on operating systems older than Windows Server 2012 R2 and Windows 8.1. So, recovery keys should be used instead.
-
-## Related articles
-
-- [BitLocker frequently asked questions (FAQ)](faq.yml)
-- [BitLocker](index.md)
-- [BitLocker Group Policy settings](bitlocker-group-policy-settings.md)
-- [BitLocker basic deployment](bitlocker-basic-deployment.md)
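Review bot: this hunk deletes prepare-your-organization-for-bitlocker-planning-and-policies.md outright, and no redirection entry for the old path appears anywhere in the diff shown here; a page that other articles and external bookmarks link to should get a redirect to its replacement rather than a 404. Before merging, also confirm the removed sections have a home in the new articles, in particular "FIPS support for recovery password protector" (including the statement that recovery passwords created in FIPS mode on Windows 8.1/Server 2012 R2 can't be used on older systems, so recovery keys should be used there), "Used Disk Space Only encryption", "Endorsement keys", and the non-TPM guidance. If that non-TPM guidance is migrated, carry over two fixes the old text needed: "If it's decided to support computers with TPM 1.2 or higher versions, a user must use a USB startup key" should read "without TPM 1.2 or higher", and the empty link in "Trusted Platform Module (TPM) Specifications ()" needs its URL. The related-articles list at the end of the removed file pointed at bitlocker-group-policy-settings.md and bitlocker-basic-deployment.md; check for dangling links to those pages if they are renamed in the same change.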
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/recovery-overview.md b/windows/security/operating-system-security/data-protection/bitlocker/recovery-overview.md
new file mode 100644
index 0000000000..a8446d34d2
--- /dev/null
+++ b/windows/security/operating-system-security/data-protection/bitlocker/recovery-overview.md
@@ -0,0 +1,196 @@
+---
+title: BitLocker recovery overview
+description: Learn about BitLocker recovery scenarios, recovery options, and how to determine root cause of failed automatic unlocks.
+ms.topic: how-to
+ms.date: 10/30/2023
+---
+
+# BitLocker recovery overview
+
+BitLocker recovery is the process by which access to a BitLocker-protected drive can be restored if the drive doesn't unlock using its default unlock mechanism.
+
+This article describes scenarios that trigger BitLocker recovery, how to configure devices to save recovery information, and the options to restore access to a locked drive.
+
+## BitLocker recovery scenarios
+
+The following list provides examples of common events that cause a device to enter BitLocker recovery mode when starting Windows:
+
+- Entering the wrong PIN too many times
+- Turning off the support for reading the USB device in the preboot environment from the BIOS or UEFI firmware if using USB-based keys instead of a TPM
+- Having the CD or DVD drive before the hard drive in the BIOS boot order (common with virtual machines)
+- Docking or undocking a portable computer
+- Changes to the NTFS partition table on the disk
+- Changes to the boot manager
+- Turning off, disabling, deactivating, or clearing the TPM
+- TPM self-test failure
+- Upgrading the motherboard to a new one with a new TPM
+- Upgrading critical early startup components, such as a BIOS or UEFI firmware upgrade
+- Hiding the TPM from the operating system
+- Modifying the Platform Configuration Registers (PCRs) used by the TPM validation profile
+- Moving a BitLocker-protected drive into a new computer
+- On devices with TPM 1.2, changing the BIOS or firmware boot device order
+
+As part of the [BitLocker recovery process](recovery-process.md), it's recommended to determine what caused a device to enter in recovery mode. Root cause analysis might help to prevent the problem from occurring again in the future. For instance, if you determine that an attacker modified a device by obtaining physical access, you can implement new security policies for tracking who has physical presence.
+
+For planned scenarios, such as a known hardware or firmware upgrades, initiating recovery can be avoided by temporarily suspending BitLocker protection. Suspending BitLocker leaves the drive fully encrypted, and the administrator can quickly resume BitLocker protection after the planned task is completed. Using *suspend* and *resume* also reseals the encryption key without requiring the entry of the recovery key.
+
+> [!NOTE]
+> If suspended, BitLocker automatically resumes protection when the device is rebooted, unless a reboot count is specified using PowerShell or the `manage-bde.exe` command line tool. For more information about suspending BitLocker, review the [BitLocker operations guide](operations-guide.md#suspend-and-resume).
+
+> [!TIP]
+> Recovery is described within the context of unplanned or undesired behavior. However, recovery can also be caused as an intended production scenario, for example in order to manage access control. When devices are redeployed to other departments or employees in the organization, BitLocker can be forced into recovery before the device is delivered to a new user.
+
+## BitLocker recovery options
+
+In a recovery scenario, the following options to restore access to the drive might be available, depending on the policy settings applied to the devices:
+
+:::row:::
+ :::column span="2":::
+ - **Recovery password**: a 48-digit number used to unlock a volume when it is in recovery mode. The recovery password might be saved as a text file, printed or stored in Microsoft Entra ID or Active Directory. The user can supply a recovery password, if available
+ :::column-end:::
+ :::column span="2":::
+ :::image type="content" source="images/preboot-recovery.png" alt-text="Screenshot of the default BitLocker recovery screen asking enter the recovery password." lightbox="images/preboot-recovery.png" border="false":::
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="2":::
+ - **Recovery key**: an encryption key stored on removable media that can be used for recovering data encrypted on a BitLocker volume. The file name has a format of `.bek`. For the OS drive, the recovery key can be used to gain access to the device if BitLocker detects a condition that prevents it from unlocking the drive when the device is starting up. A recovery key can also be used to gain access to fixed data drives and removable drives that are encrypted with BitLocker, if for some reason the password is forgotten or the device can't access the drive
+ :::column-end:::
+ :::column span="2":::
+ :::image type="content" source="images/preboot-recovery-key.png" alt-text="Screenshot of the BitLocker recovery screen asking to plug a USB drive with the recovery key." lightbox="images/preboot-recovery-key.png" border="false":::
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="4":::
+ - **Key package**: decryption key that can be used with the BitLocker Repair tool to reconstruct critical parts of a drive and salvage recoverable data. With the key package and either the *recovery password* or *recovery key*, portions of a corrupted BitLocker-protected drive can be decrypted. Each key package works only for a drive that has the corresponding drive identifier. A key package isn't generated automatically, and can be saved on a file or in Active Directory Domain Services. A key package can't be stored in Microsoft Entra ID
+ :::column-end:::
+:::row-end:::
+:::row:::
+ :::column span="4":::
+ - **Data Recovery Agent certificate**: a Data Recovery Agent (DRA) is a type of certificate that is associated with an Active Directory security principal and that can be used to access any BitLocker encrypted drives configured with the matching public key. DRAs can use their credentials to unlock the drive. If the drive is an OS drive, the drive must be mounted as a data drive on another device for the DRA to unlock it
+ :::column-end:::
+:::row-end:::
+
+> [!TIP]
+> Both the *Recovery password* and *Recovery key* can be supplied by users in the Control Panel applet (for data and removable drives), or in the preboot recovery screen. It's recommended to configure policy settings to customize the preboot recovery screen, for example by adding a custom message, URL, and help desk contact information. For more information, review the article [BitLocker preboot recovery screen](preboot-recovery-screen.md).
+
+When planning the BitLocker recovery process, first consult the organization's current best practices for recovering sensitive information. For example:
+
+| :ballot_box_with_check: | Question |
+|--|--|
+| :black_square_button: | *How does the organization handle lost or forgotten passwords?* |
+| :black_square_button: | *How does the organization perform smart card PIN resets?* |
+| :black_square_button: | *Are users allowed to save or retrieve recovery information for the devices that they own?* |
+| :black_square_button: | *How much do you want users to be involved in the BitLocker configuration process? Do you want users to interact with the process, be silent, or both?* |
+| :black_square_button: | *Where do you want to store the BitLocker recovery keys?* |
+| :black_square_button: | *Do you want to enable recovery password rotation?* |
+
+Answering the questions helps to determine the best BitLocker recovery process for the organization, and to configure BitLocker policy settings accordingly. For example, if the organization has a process for resetting passwords, a similar process can be used for BitLocker recovery. If users aren't allowed to save or retrieve recovery information, the organization can use a data recovery agents (DRAs), or automatically back up recovery information.
+
+The following policy settings define the recovery methods that can be used to restore access to a BitLocker-protected drive:
+
+- [Choose how BitLocker-protected operating system drives can be recovered](configure.md?tabs=os#choose-how-bitlocker-protected-operating-system-drives-can-be-recovered)
+- [Choose how BitLocker-protected fixed drives can be recovered](configure.md?tabs=fixed#choose-how-bitlocker-protected-fixed-drives-can-be-recovered)
+- [Choose how BitLocker-protected removable drives can be recovered](configure.md?tabs=removable#choose-how-bitlocker-protected-removable-drives-can-be-recovered)
+
+> [!TIP]
+> In each of these policies, select **Save BitLocker recovery information to Active Directory Domain Services** and then choose which BitLocker recovery information to store in AD DS. Use the option **Do not enable BitLocker until recovery information is stored in AD DS** to prevent users from enabling BitLocker unless the backup of BitLocker recovery information for the drive to Microsoft Entra ID or AD DS succeeds.
+
+### BitLocker recovery password
+
+To recover BitLocker, a user can use a recovery password, if available. The BitLocker recovery password is unique to the device it was created on, and can be saved in different ways. Depending on the configured policy settings, the recovery password can be:
+
+- Saved in Microsoft Entra ID, for Microsoft Entra joined
+- Saved in AD DS, for devices that are joined to Active Directory
+- Saved on text file
+- Printed
+
+Having access to the recovery password allows the holder to unlock a BitLocker-protected volume and access all of its data. Therefore, it's important for your organization to establish procedures to control access to recovery passwords and ensure that they're stored securely, separate from the devices they protect.
+
+> [!NOTE]
+> There's an option for storing the BitLocker recovery key in a user's Microsoft account. The option is available for devices that aren't members of a domain and that the user is using a Microsoft account. Storing the recovery password in a Microsoft account is the default recommended recovery key storage method for devices that aren't Microsoft Entra joined or Active Directory joined.
+
+Backup of the recovery password should be configured before BitLocker is enabled, but can also be done after encryption, as described in the [BitLocker operations guide](operations-guide.md#reset-and-backup-a-recovery-password).\
+The preferred backup methodology in an organization is to automatically store BitLocker recovery information in a central location. Depending on the organization's requirements, the recovery information can be stored in Microsoft Entra ID, AD DS, or file shares.
+
+The recommendation is to use the following BitLocker backup methods:
+
+- For Microsoft Entra joined devices, store the recovery key in Microsoft Entra ID
+- For Active Directory joined devices, store the recovery key in AD DS
+
+> [!NOTE]
+> There's no automatic way to store the recovery key for removable storage devices in Microsoft Entra ID or AD DS. However, you can use PowerShell or the `manage.bde.exe` command to do so. For more information and examples, review the [BitLocker operations guide](operations-guide.md?tabs=powershell#reset-and-backup-a-recovery-password).
+
+### Data Recovery Agents
+
+DRAs can be used to recover OS drives, fixed data drives, and removable data drives. However, when used to recover OS drives, the operating system drive must be mounted on another device as a *data drive* for the DRA to be able to unlock the drive. Data recovery agents are added to the drive when it's encrypted, and can be updated after encryption occurs.
+
+The benefit of using a DRA over password or key recovery is that the DRA acts as a *master key* for BitLocker. With a DRA you can recover any volume protected by the policy, without having to find a specific password or key for each individual volume.
+
+To configure DRAs for devices that are joined to an Active Directory domain, the following steps are required:
+
+1. Obtain a DRA certificate. The following key usage and enhanced key usage attributes are inspected by BitLocker before using the certificate.
+ 1. If a key usage attribute is present, it must be either:
+ - `CERT_DATA_ENCIPHERMENT_KEY_USAGE`
+ - `CERT_KEY_AGREEMENT_KEY_USAGE`
+ - `CERT_KEY_ENCIPHERMENT_KEY_USAGE`
+ 1. If an enhanced key usage (EKU) attribute is present, it must be either:
+ - As specified in the policy setting, or the default `1.3.6.1.4.1.311.67.1.1`
+ - Any EKU object identifier supported by your certification authority (CA)
+1. Add the DRA via group policy using the path: **Computer configuration** > **Policies** > **Windows Settings** > **Security Settings** > **Public Key Policies** > **BitLocker Drive Encryption**
+1. Configure the [Provide the unique identifiers for your organization](configure.md?tabs=common#provide-the-unique-identifiers-for-your-organization) policy setting to associate a unique identifier to a new drive that is enabled with BitLocker. An identification field is a string that is used to uniquely identify a business unit or organization. Identification fields are required for management of data recovery agents on BitLocker-protected drives. BitLocker only manages and updates DRAs when an identification field is present on a drive, and is identical to the value configured on the device
+1. Configure the following policy settings to allow recovery using a DRA for each drive type:
+ - [Choose how BitLocker-protected operating system drives can be recovered](configure.md?tabs=os#choose-how-bitlocker-protected-operating-system-drives-can-be-recovered)
+ - [Choose how BitLocker-protected fixed drives can be recovered](configure.md?tabs=fixed#choose-how-bitlocker-protected-fixed-drives-can-be-recovered)
+ - [Choose how BitLocker-protected removable drives can be recovered](configure.md?tabs=removable#choose-how-bitlocker-protected-removable-drives-can-be-recovered)
+
+## BitLocker recovery information stored in Microsoft Entra ID
+
+The BitLocker recovery information for Microsoft Entra joined devices can be stored in Microsoft Entra ID. The advantage of storing the BitLocker recovery passwords in Microsoft Entra ID, is that users can easily retrieve the passwords for the devices assigned to them from the web, without involving the help desk.
+
+Access to recovery passwords can also be delegated to the help desk, to facilitate support scenarios.
+
+The BitLocker recovery password information stored in Microsoft Entra ID is a `bitlockerRecoveryKey` resource type. The resource can be retrieved from the Microsoft Entra admin center, the Microsoft Intune admin center (for devices enrolled in Microsoft Intune), using PowerShell, or using Microsoft Graph. For more information, see [bitlockerRecoveryKey resource type](/graph/api/resources/bitlockerrecoverykey).
+
+## BitLocker recovery information stored in AD DS
+
+The BitLocker recovery information for a device joined to an Active Directory domain can be stored in AD DS. The information is stored in a child object of the computer object itself. Each BitLocker recovery object includes the recovery password and other recovery information. More than one BitLocker recovery object can exist under each computer object, because there can be more than one recovery password associated with a BitLocker-enabled volume.
+
+The name of the BitLocker recovery object incorporates a globally unique identifier (GUID) and date and time information, for a fixed length of 63 characters. The syntax is `
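Review bot: `manage.bde.exe` in the NOTE under "The recommendation is to use the following BitLocker backup methods" is misspelled; the tool is `manage-bde.exe`, and since this is the command an administrator will type to back up a removable drive's protector, the typo points readers at a binary that does not exist. Several other added lines need grammar fixes: "the organization can use a data recovery agents (DRAs)" should be "can use data recovery agents (DRAs)"; "Saved in Microsoft Entra ID, for Microsoft Entra joined" is missing "devices"; "Saved on text file" should be "Saved to a text file"; "that the user is using a Microsoft account" should read "on which the user signs in with a Microsoft account"; and the alt-text "asking enter the recovery password" is missing "to". The DRA paragraph describes the DRA as a master key for every volume under the policy but says nothing about protecting the DRA certificate's private key; one sentence stating that the private key must be safeguarded with at least the same controls as the recovery passwords it can stand in for would close that gap.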
FWP_IP_VERSION_V6
- 6
- 2001:4898:30:3:256c:e5ba:12f3:beb1
+ 6
+ 2001:4898:30:3:256c:e5ba:12f3:beb12620:1ec:c11::200521274430
-
+
5c006400650076006900630065005c0068006100720064006400690073006b0076006f006c0075006d00650031005c00700072006f006700720061006d002000660069006c00650073005c00770069006e0064006f007700730061007000700073005c00610066003600390032006200660066002d0036003700370039002d0034003200340066002d0038003700300065002d006600360065003500390063003500300032003300340039005f0031002e0031002e00310030002e0030005f007800360034005f005f00350063003000330037006a0061007200350038003300390072005c0075007700700073006f0063006b006500740063006c00690065006e0074002e006500780065000000
\\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m.
.f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...1.0...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e...
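Review bot: the added line `2001:4898:30:3:256c:e5ba:12f3:beb12620:1ec:c11::200521274430` runs the local address, the remote address (`2620:1ec:c11::200`, the bing.com address cited in Case 3) and what look like the two port numbers together on one line, whereas the removed lines kept them separate; the reflow appears to have dropped the line breaks between these elements. Keep one element per line, matching the unchanged `6` protocol line above it, so the addresses and ports can be read off the netEvent.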
@@ -154,7 +152,7 @@ remote address, capabilities, etc.
0000000000000000
-
+FWP_CAPABILITIES_FLAG_INTERNET_CLIENTFWP_CAPABILITIES_FLAG_INTERNET_CLIENT_SERVERFWP_CAPABILITIES_FLAG_PRIVATE_NETWORK
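Review bot: `FWP_CAPABILITIES_FLAG_INTERNET_CLIENTFWP_CAPABILITIES_FLAG_INTERNET_CLIENT_SERVERFWP_CAPABILITIES_FLAG_PRIVATE_NETWORK` joins three capability flags on one line with no separator, which is unreadable and inconsistent with the later hunk in this patch that puts `FWP_CAPABILITIES_FLAG_INTERNET_CLIENT` on its own line; list one flag per line here as well. The capabilities list is the first thing the article tells readers to inspect in a netEvent, so it should be easy to scan.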
@@ -168,9 +166,9 @@ remote address, capabilities, etc.
FWP_ACTION_PERMIT
- 121167
- FWPP_SUBLAYER_INTERNAL_FIREWALL_WF
- FWP_ACTION_PERMIT
+ 121167
+ FWPP_SUBLAYER_INTERNAL_FIREWALL_WF
+ FWP_ACTION_PERMIT
@@ -181,7 +179,8 @@ The following is the filter that permitted the packet to be sent to the target
address according to the **terminatingFiltersInfo** in the **netEvent**. This packet was
allowed by Filter #125918, from the InternetClient Default Rule.
-**InternetClient Default Rule Filter #125918, Wfpdiag-Case-1.xml**
+### InternetClient Default Rule Filter #125918, `Wfpdiag-Case-1.xml`
+
```xml
{3389708e-f7ae-4ebc-a61a-f659065ab24e}
@@ -196,7 +195,7 @@ allowed by Filter #125918, from the InternetClient Default Rule.
.+......FWPM_LAYER_ALE_AUTH_CONNECT_V6
- FWPM_SUBLAYER_MPSSVC_WSHFWPM_SUBLAYER_MPSSVC_WSH
FWP_EMPTY
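Review bot: this hunk removes `FWPM_SUBLAYER_MPSSVC_WSHFWPM_SUBLAYER_MPSSVC_WSH` with no replacement `+` line, yet the header `@@ -196,7 +195,7 @@` says the line count is unchanged, so the corresponding added line is not shown. Please confirm the sublayer element survived the edit, because the sublayer is what ties filter #125918 to the `FWPM_SUBLAYER_MPSSVC_WSH` sublayer discussed in the prose.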
@@ -211,61 +210,62 @@ allowed by Filter #125918, from the InternetClient Default Rule.
FWPM_CONDITION_IP_REMOTE_ADDRESS
- FWP_MATCH_RANGE
-
- FWP_RANGE_TYPE
-
-
+ FWP_MATCH_RANGE
+
+ FWP_RANGE_TYPE
+
+ FWP_BYTE_ARRAY16_TYPE::FWP_BYTE_ARRAY16_TYPEffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
-
-
-
-
-
- FWPM_CONDITION_ORIGINAL_PROFILE_ID
- FWP_MATCH_EQUAL
-
- FWP_UINT32
- 1
-
-
-
- FWPM_CONDITION_CURRENT_PROFILE_ID
- FWP_MATCH_EQUAL
-
- FWP_UINT32
- 1
-
-
-
- FWPM_CONDITION_ALE_USER_ID
- FWP_MATCH_EQUAL
-
- FWP_SECURITY_DESCRIPTOR_TYPE
- O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)
-
-
-
-
- FWP_ACTION_PERMIT
-
-
- 0
-
- 125918
-
- FWP_UINT64
- 103079219136
-
+
+
+
+
+
+ FWPM_CONDITION_ORIGINAL_PROFILE_ID
+ FWP_MATCH_EQUAL
+
+ FWP_UINT32
+ 1
+
+
+
+ FWPM_CONDITION_CURRENT_PROFILE_ID
+ FWP_MATCH_EQUAL
+
+ FWP_UINT32
+ 1
+
+
+
+ FWPM_CONDITION_ALE_USER_ID
+ FWP_MATCH_EQUAL
+
+ FWP_SECURITY_DESCRIPTOR_TYPE
+ O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)
+
+
+
+
+ FWP_ACTION_PERMIT
+
+
+ 0
+
+ 125918
+
+ FWP_UINT64
+ 103079219136
+
```
-**Capabilities Condition in Filter \#125918, Wfpdiag-Case-1.xml**
+### Capabilities Condition in Filter #125918, `Wfpdiag-Case-1.xml`
+
```xml
FWPM_CONDITION_ALE_USER_ID
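Review bot: apart from re-indentation, the only content change in this hunk is `FWP_BYTE_ARRAY16_TYPE::FWP_BYTE_ARRAY16_TYPEffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff`, which fuses the range condition's low and high values (`::` and `ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff`) and their type elements onto one line; the matching `-` lines had them separate. Restore one element per line so that the remote-address range covering all of IPv6, which is what makes this filter match any destination, stays readable. The heading change from bold to `###` with a blank line before the fence is fine and matches the rest of the patch.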
@@ -276,26 +276,23 @@ allowed by Filter #125918, from the InternetClient Default Rule.
```
+
This condition enables checking capabilities in this filter.
-The important part of this condition is **S-1-15-3-1**, which is the capability SID
-for **INTERNET_CLIENT** privileges.
+The important part of this condition is **S-1-15-3-1**, which is the capability SID for **INTERNET_CLIENT** privileges.
+
+From the **netEvent** capabilities section, capabilities from netEvent, Wfpdiag-Case-1.xml.
-From the **netEvent** capabilities section,
-capabilities from netEvent, Wfpdiag-Case-1.xml.
```xml
-
- FWP_CAPABILITIES_FLAG_INTERNET_CLIENTFWP_CAPABILITIES_FLAG_INTERNET_CLIENT_SERVER
+
+ FWP_CAPABILITIES_FLAG_INTERNET_CLIENT
+ FWP_CAPABILITIES_FLAG_INTERNET_CLIENT_SERVERFWP_CAPABILITIES_FLAG_PRIVATE_NETWORK
```
-These capabilities show the packet came from an app with an Internet client token (**FWP_CAPABILITIES_FLAG_INTERNET_CLIENT**) which matches the capability SID in the
-filter. All the other conditions are also met for the filter, so the packet is
-allowed.
-Something to note is that the only capability token required for the packet to
-reach bing.com was the Internet client token, even though this example showed
-the packet having all capabilities.
+These capabilities show the packet came from an app with an Internet client token (**FWP_CAPABILITIES_FLAG_INTERNET_CLIENT**) which matches the capability SID in the filter. All the other conditions are also met for the filter, so the packet is
+allowed. Something to note is that the only capability token required for the packet to reach bing.com was the Internet client token, even though this example showed the packet having all capabilities.
## Case 2: UWP APP can't reach Internet target address and has no capabilities
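Review bot: the reflow here is incomplete: the sentence still breaks between "so the packet is" and "allowed." across two lines, and the `## Case 2` heading that follows has no blank line before it. In the capabilities snippet, `FWP_CAPABILITIES_FLAG_INTERNET_CLIENT` was moved onto its own line but `FWP_CAPABILITIES_FLAG_INTERNET_CLIENT_SERVERFWP_CAPABILITIES_FLAG_PRIVATE_NETWORK` is still joined; split it so each of the three flags is on its own line, otherwise the statement that this packet carried all capabilities cannot be verified by reading the snippet.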
@@ -304,7 +301,8 @@ In this example, the UWP app is unable to connect to bing.com
The following example is that of a drop netEvent that was captured in the trace.
-**Classify Drop netEvent, Wfpdiag-Case-2.xml**
+### Classify Drop netEvent, `Wfpdiag-Case-2.xml`
+
```xml
@@ -373,12 +371,11 @@ The following example is that of a drop netEvent that was captured in the trace.
```
-The first thing that you should check in the **netEvent** is the capabilities
-field. In this example, the capabilities field is empty, indicating that the
-UWP app wasn't configured with any capability tokens to allow it to connect to
-a network.
-**Internal Fields from netEvent, Wfpdiag-Case-2.xml**
+The first thing that you should check in the **netEvent** is the capabilities field. In this example, the capabilities field is empty, indicating that the UWP app wasn't configured with any capability tokens to allow it to connect to a network.
+
+### Internal Fields from netEvent, `Wfpdiag-Case-2.xml`
+
```xml
@@ -400,9 +397,11 @@ a network.
```
+
The **netEvent** also shows information about the filter that explicitly dropped this packet, like the **FilterId**, listed under classify drop.
-**Classify Drop from netEvent, Wfpdiag-Case-2.xml**
+### Classify Drop from netEvent, `Wfpdiag-Case-2.xml`
+
```xml
68893
@@ -417,71 +416,66 @@ The **netEvent** also shows information about the filter that explicitly dropped
0
```
+
If you search for the filter #68893 in Wfpdiag-Case2.xml, you'll see that
the packet was dropped by a Block Outbound Default Rule filter.
-**Block Outbound Default Rule Filter #68893, Wfpdiag-Case-2.xml**
+### Block Outbound Default Rule Filter #68893, `Wfpdiag-Case-2.xml`
```xml
- {6d51582f-bcf8-42c4-afc9-e2ce7155c11b}
+ {6d51582f-bcf8-42c4-afc9-e2ce7155c11b}
/t
- **Block Outbound Default Rule**
- Block Outbound Default Rule
-
-
- {4b153735-1049-4480-aab4-d1b9bdc03710}
-
- b001000000000000
- ........
-
- FWPM_LAYER_ALE_AUTH_CONNECT_V6
- {b3cdd441-af90-41ba-a745-7c6008ff2300}
-
- FWP_EMPTY
-
-
-
- FWPM_CONDITION_ALE_PACKAGE_ID
- FWP_MATCH_NOT_EQUAL
-
- FWP_SID
- S-1-0-0
-
-
-
-
- FWP_ACTION_BLOCK
-
-
- 0
-
- 68893
-
- FWP_UINT64
- 68719476736
-
+ **Block Outbound Default Rule**
+ Block Outbound Default Rule
+
+
+ {4b153735-1049-4480-aab4-d1b9bdc03710}
+
+ b001000000000000
+ ........
+
+ FWPM_LAYER_ALE_AUTH_CONNECT_V6
+ {b3cdd441-af90-41ba-a745-7c6008ff2300}
+
+ FWP_EMPTY
+
+
+
+ FWPM_CONDITION_ALE_PACKAGE_ID
+ FWP_MATCH_NOT_EQUAL
+
+ FWP_SID
+ S-1-0-0
+
+
+
+
+ FWP_ACTION_BLOCK
+
+
+ 0
+
+ 68893
+
+ FWP_UINT64
+ 68719476736
+
```
-A packet will reach a default block filter if the packet was unable to match any of the conditions of other filters, and not allowed by the other filters in
-the same sublayer.
+A packet will reach a default block filter if the packet was unable to match any of the conditions of other filters, and not allowed by the other filters in the same sublayer.
-If the packet had the correct capability token,
-**FWP_CAPABILITIES_FLAG_INTERNET_CLIENT**, it would have matched a condition for a
-non-default block filter, and would have been permitted to reach bing.com.
-Without the correct capability tokens, the packet will be explicitly dropped by
-a default block outbound filter.
+If the packet had the correct capability token, **FWP_CAPABILITIES_FLAG_INTERNET_CLIENT**, it would have matched a condition for a non-default block filter, and would have been permitted to reach bing.com. Without the correct capability tokens, the packet will be explicitly dropped by a default block outbound filter.
## Case 3: UWP app can't reach Internet target address without Internet Client capability
In this example, the app is unable to connect to bing.com [2620:1ec:c11::200].
-The app in this scenario only has private network capabilities (Client and
-Server). The app is trying to connect to an Internet resource (bing.com), but
-only has a private network token. Therefore, the packet will be dropped.
+The app in this scenario only has private network capabilities (Client and Server). The app is trying to connect to an Internet resource (bing.com), but only has a private network token. Therefore, the packet will be dropped.
+
+### Classify Drop netEvent, `Wfpdiag-Case-3.xml`
-**Classify Drop netEvent, Wfpdiag-Case-3.xml**
```xml
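Review bot: the new `### Block Outbound Default Rule Filter #68893` and `### Classify Drop netEvent, Wfpdiag-Case-3.xml` headings are followed directly by the xml code fence, without the blank line this patch adds after every other converted heading; add it for consistency, and the `## Case 3` heading also needs a blank line before it. While touching the surrounding context, `Wfpdiag-Case2.xml` in "If you search for the filter #68893 in Wfpdiag-Case2.xml" is missing the hyphen used everywhere else (`Wfpdiag-Case-2.xml`), and the stray `/t` line inside the filter block looks like an escape-sequence artifact rather than part of the XML.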
@@ -555,489 +549,473 @@ only has a private network token. Therefore, the packet will be dropped.
## Case 4: UWP app can't reach Intranet target address without Private Network capability
-In this example, the UWP app is unable to reach the Intranet target address,
-10.50.50.50, because it doesn't have a Private Network capability.
+In this example, the UWP app is unable to reach the Intranet target address, 10.50.50.50, because it doesn't have a Private Network capability.
+
+### Classify Drop netEvent, `Wfpdiag-Case-4.xml`
-**Classify Drop netEvent, Wfpdiag-Case-4.xml**
```xml
- 2020-05-22T21:29:28.601Z
-
- FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET
- FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET
- FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET
- FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET
- FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET
- FWPM_NET_EVENT_FLAG_APP_ID_SET
- FWPM_NET_EVENT_FLAG_USER_ID_SET
- FWPM_NET_EVENT_FLAG_IP_VERSION_SET
- FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET
-
- FWP_IP_VERSION_V4
- 6
- 10.216.117.17
- 10.50.50.50
- 52998
- 53
- 0
-
- 5c006400650076006900630065005c0068006100720064006400690073006b0076006f006c0075006d00650031005c00700072006f006700720061006d002000660069006c00650073005c00770069006e0064006f007700730061007000700073005c00610066003600390032006200660066002d0036003700370039002d0034003200340066002d0038003700300065002d006600360065003500390063003500300032003300340039005f0031002e0031002e00310031002e0030005f007800360034005f005f00350063003000330037006a0061007200350038003300390072005c0075007700700073006f0063006b006500740063006c00690065006e0074002e006500780065000000
- \\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m.
- .f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...1.1...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e...
-
- S-1-5-21-2993214446-1947230185-131795049-1000
- FWP_AF_INET
- S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936
-
- 0
-
+ 2020-05-22T21:29:28.601Z
+
+ FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET
+ FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET
+ FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET
+ FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET
+ FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET
+ FWPM_NET_EVENT_FLAG_APP_ID_SET
+ FWPM_NET_EVENT_FLAG_USER_ID_SET
+ FWPM_NET_EVENT_FLAG_IP_VERSION_SET
+ FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET
+
+ FWP_IP_VERSION_V4
+ 6
+ 10.216.117.17
+ 10.50.50.50
+ 52998
+ 53
+ 0
+
+ 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
+ \\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m.
+ .f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...1.1...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e...
+
+ S-1-5-21-2993214446-1947230185-131795049-1000
+ FWP_AF_INET
+ S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936
+
+ 0
+
- FWPM_NET_EVENT_TYPE_CLASSIFY_DROP
-
- 121180
- 48
- 0
- 1
- 1
- MS_FWP_DIRECTION_OUT
- false
-
- 0
- 0
+ FWPM_NET_EVENT_TYPE_CLASSIFY_DROP
+
+ 121180
+ 48
+ 0
+ 1
+ 1
+ MS_FWP_DIRECTION_OUT
+ false
+
+ 0
+ 0
-
- 0000000000000000
-
- FWP_CAPABILITIES_FLAG_INTERNET_CLIENT
- FWP_CAPABILITIES_FLAG_INTERNET_CLIENT_SERVER
-
- 0
-
-
-
- 121180
- FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH
- FWP_ACTION_BLOCK
-
-
- 121165
- FWPP_SUBLAYER_INTERNAL_FIREWALL_WF
- FWP_ACTION_PERMIT
-
-
+
+ 0000000000000000
+
+ FWP_CAPABILITIES_FLAG_INTERNET_CLIENT
+ FWP_CAPABILITIES_FLAG_INTERNET_CLIENT_SERVER
+
+ 0
+
+
+
+ 121180
+ FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH
+ FWP_ACTION_BLOCK
+
+
+ 121165
+ FWPP_SUBLAYER_INTERNAL_FIREWALL_WF
+ FWP_ACTION_PERMIT
+
+
```
-## Case 5: UWP app can't reach “Intranet” target address with Private Network capability
-In this example, the UWP app is unable to reach the Intranet target address,
-10.1.1.1, even though it has a Private Network capability token.
+## Case 5: UWP app can't reach "Intranet" target address with Private Network capability
+
+In this example, the UWP app is unable to reach the Intranet target address, 10.1.1.1, even though it has a Private Network capability token.
+
+### Classify Drop netEvent, `Wfpdiag-Case-5.xml`
-**Classify Drop netEvent, Wfpdiag-Case-5.xml**
```xml
-
- 2020-05-22T20:54:53.499Z
-
- FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET
- FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET
- FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET
- FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET
- FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET
- FWPM_NET_EVENT_FLAG_APP_ID_SET
- FWPM_NET_EVENT_FLAG_USER_ID_SET
- FWPM_NET_EVENT_FLAG_IP_VERSION_SET
- FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET
-
- FWP_IP_VERSION_V4
- 6
- 10.216.117.17
- 10.1.1.1
- 52956
- 53
- 0
-
- 5c006400650076006900630065005c0068006100720064006400690073006b0076006f006c0075006d00650031005c00700072006f006700720061006d002000660069006c00650073005c00770069006e0064006f007700730061007000700073005c00610066003600390032006200660066002d0036003700370039002d0034003200340066002d0038003700300065002d006600360065003500390063003500300032003300340039005f0031002e0031002e00310033002e0030005f007800360034005f005f00350063003000330037006a0061007200350038003300390072005c0075007700700073006f0063006b006500740063006c00690065006e0074002e006500780065000000
- \\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m.
- .f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...1.3...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e...
-
- S-1-5-21-2993214446-1947230185-131795049-1000
- FWP_AF_INET
- S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936
-
- 0
-
+
+ 2020-05-22T20:54:53.499Z
+
+ FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET
+ FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET
+ FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET
+ FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET
+ FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET
+ FWPM_NET_EVENT_FLAG_APP_ID_SET
+ FWPM_NET_EVENT_FLAG_USER_ID_SET
+ FWPM_NET_EVENT_FLAG_IP_VERSION_SET
+ FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET
+
+ FWP_IP_VERSION_V4
+ 6
+ 10.216.117.17
+ 10.1.1.1
+ 52956
+ 53
+ 0
+
+ 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
+ \\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m.
+ .f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...1.3...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e...
+
+ S-1-5-21-2993214446-1947230185-131795049-1000
+ FWP_AF_INET
+ S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936
+
+ 0
+
- FWPM_NET_EVENT_TYPE_CLASSIFY_DROP
-
- 121180
- 48
- 0
- 1
- 1
- MS_FWP_DIRECTION_OUT
- false
-
- 0
- 0
-
-
-
- 0000000000000000
-
- FWP_CAPABILITIES_FLAG_PRIVATE_NETWORK
-
- 0
-
-
-
- 121180
- FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH
- FWP_ACTION_BLOCK
-
-
- 121165
- FWPP_SUBLAYER_INTERNAL_FIREWALL_WF
- FWP_ACTION_PERMIT
-
-
-
+ FWPM_NET_EVENT_TYPE_CLASSIFY_DROP
+
+ 121180
+ 48
+ 0
+ 1
+ 1
+ MS_FWP_DIRECTION_OUT
+ false
+
+ 0
+ 0
+
+
+
+ 0000000000000000
+
+ FWP_CAPABILITIES_FLAG_PRIVATE_NETWORK
+
+ 0
+
+
+
+ 121180
+ FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH
+ FWP_ACTION_BLOCK
+
+
+ 121165
+ FWPP_SUBLAYER_INTERNAL_FIREWALL_WF
+ FWP_ACTION_PERMIT
+
+
+
```
+
The following shows the filter that blocked the event:
-**Block Outbound Default Rule Filter \#121180, Wfpdiag-Case-5.xml**
+### Block Outbound Default Rule Filter #121180, `Wfpdiag-Case-5.xml`
```xml
- {e62a1a22-c80a-4518-a7f8-e7d1ef3a9ff6}
-
- Block Outbound Default Rule
- Block Outbound Default Rule
-
-
- FWPM_PROVIDER_MPSSVC_WSH
-
- c029000000000000
- .)......
-
- FWPM_LAYER_ALE_AUTH_CONNECT_V4
- FWPM_SUBLAYER_MPSSVC_WSH
-
- FWP_EMPTY
-
-
-
- FWPM_CONDITION_ALE_PACKAGE_ID
- FWP_MATCH_NOT_EQUAL
-
- FWP_SID
- S-1-0-0
-
-
-
-
- FWP_ACTION_BLOCK
-
-
- 0
-
- 121180
-
- FWP_UINT64
- 274877906944
-
+ {e62a1a22-c80a-4518-a7f8-e7d1ef3a9ff6}
+
+ Block Outbound Default Rule
+ Block Outbound Default Rule
+
+
+ FWPM_PROVIDER_MPSSVC_WSH
+
+ c029000000000000
+ .)......
+
+ FWPM_LAYER_ALE_AUTH_CONNECT_V4
+ FWPM_SUBLAYER_MPSSVC_WSH
+
+ FWP_EMPTY
+
+
+
+ FWPM_CONDITION_ALE_PACKAGE_ID
+ FWP_MATCH_NOT_EQUAL
+
+ FWP_SID
+ S-1-0-0
+
+
+
+
+ FWP_ACTION_BLOCK
+
+
+ 0
+
+ 121180
+
+ FWP_UINT64
+ 274877906944
+
```
-If the target was in the private range, then it should have been allowed by a
-PrivateNetwork Outbound Default Rule filter.
-The following PrivateNetwork Outbound Default Rule filters have conditions for matching Intranet IP addresses. Since the expected Intranet target address,
-10.1.1.1, isn't included in these filters it becomes clear that the address isn't in the private range. Check the policies that configure the private range
-on the device (MDM, Group Policy, etc.) and make sure it includes the private target address you wanted to reach.
+If the target was in the private range, then it should have been allowed by a PrivateNetwork Outbound Default Rule filter.
+
+The following PrivateNetwork Outbound Default Rule filters have conditions for matching Intranet IP addresses. Since the expected Intranet target address, 10.1.1.1, isn't included in these filters it becomes clear that the address isn't in the private range. Check the policies that configure the private range on the device (MDM, Group Policy, etc.) and make sure it includes the private target address you wanted to reach.
+
+### PrivateNetwork Outbound Default Rule Filters, `Wfpdiag-Case-5.xml`
-**PrivateNetwork Outbound Default Rule Filters, Wfpdiag-Case-5.xml**
```xml
- {fd65507b-e356-4e2f-966f-0c9f9c1c6e78}
-
- PrivateNetwork Outbound Default Rule
- PrivateNetwork Outbound Default Rule
-
-
- FWPM_PROVIDER_MPSSVC_WSH
-
- f22d000000000000
- .-......
-
- FWPM_LAYER_ALE_AUTH_CONNECT_V4
- FWPM_SUBLAYER_MPSSVC_WSH
-
- FWP_EMPTY
-
-
-
- FWPM_CONDITION_ALE_PACKAGE_ID
- FWP_MATCH_NOT_EQUAL
-
- FWP_SID
- S-1-0-0
-
-
-
- FWPM_CONDITION_IP_REMOTE_ADDRESS
- FWP_MATCH_EQUAL
-
- FWP_UINT32
- 1.1.1.1
-
-
-
- FWPM_CONDITION_ORIGINAL_PROFILE_ID
- FWP_MATCH_EQUAL
-
- FWP_UINT32
- 1
-
-
-
- FWPM_CONDITION_CURRENT_PROFILE_ID
- FWP_MATCH_EQUAL
-
- FWP_UINT32
- 1
-
-
-
- FWPM_CONDITION_ALE_USER_ID
- FWP_MATCH_EQUAL
-
- FWP_SECURITY_DESCRIPTOR_TYPE
- O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)
-
-
-
-
- FWP_ACTION_PERMIT
-
-
- 0
-
- 129656
-
- FWP_UINT64
- 144115600392724416
-
-
-
- {b11b4f8a-222e-49d6-8d69-02728681d8bc}
-
- PrivateNetwork Outbound Default Rule
- PrivateNetwork Outbound Default Rule
-
-
- FWPM_PROVIDER_MPSSVC_WSH
-
- f22d000000000000
- .-......
-
- FWPM_LAYER_ALE_AUTH_CONNECT_V4
- FWPM_SUBLAYER_MPSSVC_WSH
-
- FWP_EMPTY
-
-
-
- FWPM_CONDITION_ALE_PACKAGE_ID
- FWP_MATCH_NOT_EQUAL
-
- FWP_SID
- S-1-0-0
-
-
-
- FWPM_CONDITION_IP_REMOTE_ADDRESS
- FWP_MATCH_RANGE
-
- FWP_RANGE_TYPE
-
-
- FWP_UINT32
- 172.16.0.0
-
-
- FWP_UINT32
- 172.31.255.255
-
-
-
-
-
- FWPM_CONDITION_ORIGINAL_PROFILE_ID
- FWP_MATCH_EQUAL
-
- FWP_UINT32
- 1
-
-
-
- FWPM_CONDITION_CURRENT_PROFILE_ID
- FWP_MATCH_EQUAL
-
- FWP_UINT32
- 1
-
-
-
- FWPM_CONDITION_ALE_USER_ID
- FWP_MATCH_EQUAL
-
- FWP_SECURITY_DESCRIPTOR_TYPE
- O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)
-
-
-
-
- FWP_ACTION_PERMIT
-
-
- 0
-
- 129657
-
- FWP_UINT64
- 36029209335832512
-
+ {fd65507b-e356-4e2f-966f-0c9f9c1c6e78}
+
+ PrivateNetwork Outbound Default Rule
+ PrivateNetwork Outbound Default Rule
+
+
+ FWPM_PROVIDER_MPSSVC_WSH
+
+ f22d000000000000
+ .-......
+
+ FWPM_LAYER_ALE_AUTH_CONNECT_V4
+ FWPM_SUBLAYER_MPSSVC_WSH
+
+ FWP_EMPTY
+
+
+
+ FWPM_CONDITION_ALE_PACKAGE_ID
+ FWP_MATCH_NOT_EQUAL
+
+ FWP_SID
+ S-1-0-0
+
+
+
+ FWPM_CONDITION_IP_REMOTE_ADDRESS
+ FWP_MATCH_EQUAL
+
+ FWP_UINT32
+ 1.1.1.1
+
+
+
+ FWPM_CONDITION_ORIGINAL_PROFILE_ID
+ FWP_MATCH_EQUAL
+
+ FWP_UINT32
+ 1
+
+
+
+ FWPM_CONDITION_CURRENT_PROFILE_ID
+ FWP_MATCH_EQUAL
+
+ FWP_UINT32
+ 1
+
+
+
+ FWPM_CONDITION_ALE_USER_ID
+ FWP_MATCH_EQUAL
+
+ FWP_SECURITY_DESCRIPTOR_TYPE
+ O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)
+
+
+
+
+ FWP_ACTION_PERMIT
+
+
+ 0
+
+ 129656
+
+ FWP_UINT64
+ 144115600392724416
+
+
+
+ {b11b4f8a-222e-49d6-8d69-02728681d8bc}
+
+ PrivateNetwork Outbound Default Rule
+ PrivateNetwork Outbound Default Rule
+
+
+ FWPM_PROVIDER_MPSSVC_WSH
+
+ f22d000000000000
+ .-......
+
+ FWPM_LAYER_ALE_AUTH_CONNECT_V4
+ FWPM_SUBLAYER_MPSSVC_WSH
+
+ FWP_EMPTY
+
+
+
+ FWPM_CONDITION_ALE_PACKAGE_ID
+ FWP_MATCH_NOT_EQUAL
+
+ FWP_SID
+ S-1-0-0
+
+
+
+ FWPM_CONDITION_IP_REMOTE_ADDRESS
+ FWP_MATCH_RANGE
+
+ FWP_RANGE_TYPE
+
+
+ FWP_UINT32
+ 172.16.0.0
+
+
+ FWP_UINT32
+ 172.31.255.255
+
+
+
+
+
+ FWPM_CONDITION_ORIGINAL_PROFILE_ID
+ FWP_MATCH_EQUAL
+
+ FWP_UINT32
+ 1
+
+
+
+ FWPM_CONDITION_CURRENT_PROFILE_ID
+ FWP_MATCH_EQUAL
+
+ FWP_UINT32
+ 1
+
+
+
+ FWPM_CONDITION_ALE_USER_ID
+ FWP_MATCH_EQUAL
+
+ FWP_SECURITY_DESCRIPTOR_TYPE
+ O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)
+
+
+
+
+ FWP_ACTION_PERMIT
+
+
+ 0
+
+ 129657
+
+ FWP_UINT64
+ 36029209335832512
+
- {21cd82bc-6077-4069-94bf-750e5a43ca23}
-
- PrivateNetwork Outbound Default Rule
- PrivateNetwork Outbound Default Rule
-
-
- FWPM_PROVIDER_MPSSVC_WSH
-
- f22d000000000000
- .-......
-
- FWPM_LAYER_ALE_AUTH_CONNECT_V4
- FWPM_SUBLAYER_MPSSVC_WSH
-
- FWP_EMPTY
-
-
-
- FWPM_CONDITION_ALE_PACKAGE_ID
- FWP_MATCH_NOT_EQUAL
-
- FWP_SID
- S-1-0-0
-
-
-
- FWPM_CONDITION_IP_REMOTE_ADDRESS
- FWP_MATCH_RANGE
-
- FWP_RANGE_TYPE
-
-
- FWP_UINT32
- 192.168.0.0
-
-
- FWP_UINT32
- 192.168.255.255
-
-
-
-
-
- FWPM_CONDITION_ORIGINAL_PROFILE_ID
- FWP_MATCH_EQUAL
-
- FWP_UINT32
- 1
-
-
-
- FWPM_CONDITION_CURRENT_PROFILE_ID
- FWP_MATCH_EQUAL
-
- FWP_UINT32
- 1
-
-
-
- FWPM_CONDITION_ALE_USER_ID
- FWP_MATCH_EQUAL
-
- FWP_SECURITY_DESCRIPTOR_TYPE
- O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)
-
-
-
-
- FWP_ACTION_PERMIT
-
-
- 0
-
- 129658
-
- FWP_UINT64
- 36029209335832512
-
+ {21cd82bc-6077-4069-94bf-750e5a43ca23}
+
+ PrivateNetwork Outbound Default Rule
+ PrivateNetwork Outbound Default Rule
+
+
+ FWPM_PROVIDER_MPSSVC_WSH
+
+ f22d000000000000
+ .-......
+
+ FWPM_LAYER_ALE_AUTH_CONNECT_V4
+ FWPM_SUBLAYER_MPSSVC_WSH
+
+ FWP_EMPTY
+
+
+
+ FWPM_CONDITION_ALE_PACKAGE_ID
+ FWP_MATCH_NOT_EQUAL
+
+ FWP_SID
+ S-1-0-0
+
+
+
+ FWPM_CONDITION_IP_REMOTE_ADDRESS
+ FWP_MATCH_RANGE
+
+ FWP_RANGE_TYPE
+
+
+ FWP_UINT32
+ 192.168.0.0
+
+
+ FWP_UINT32
+ 192.168.255.255
+
+
+
+
+
+ FWPM_CONDITION_ORIGINAL_PROFILE_ID
+ FWP_MATCH_EQUAL
+
+ FWP_UINT32
+ 1
+
+
+
+ FWPM_CONDITION_CURRENT_PROFILE_ID
+ FWP_MATCH_EQUAL
+
+ FWP_UINT32
+ 1
+
+
+
+ FWPM_CONDITION_ALE_USER_ID
+ FWP_MATCH_EQUAL
+
+ FWP_SECURITY_DESCRIPTOR_TYPE
+ O:LSD:(A;;CC;;;S-1-15-3-3)(A;;CC;;;WD)(A;;CC;;;AN)
+
+
+
+
+ FWP_ACTION_PERMIT
+
+
+ 0
+
+ 129658
+
+ FWP_UINT64
+ 36029209335832512
+
```
-## Debugging Past Drops
-If you're debugging a network drop from the past or from a remote machine, you
-may have traces already collected from Feedback Hub, such as nettrace.etl and
-wfpstate.xml. Once nettrace.etl is converted, nettrace.txt will have the
-netEvents of the reproduced event, and wfpstate.xml will contain the filters
-that were present on the machine at the time.
+## Debugging Past Drops
-If you don't have a live repro or traces already collected, you can still
-collect traces after the UWP network connectivity issue has happened by running
-these commands in an admin command prompt
+If you're debugging a network drop from the past or from a remote machine, you may have traces already collected from Feedback Hub, such as nettrace.etl and wfpstate.xml. Once nettrace.etl is converted, nettrace.txt will have the netEvents of the reproduced event, and wfpstate.xml will contain the filters that were present on the machine at the time.
+
+If you don't have a live repro or traces already collected, you can still collect traces after the UWP network connectivity issue has happened by running these commands in an admin command prompt:
```xml
-
- Netsh wfp show netevents
- Netsh wfp show state
+
+ Netsh wfp show netevents
+ Netsh wfp show state
```
-**Netsh wfp show netevents** creates netevents.xml, which contains the past
-net events. **Netsh wfp show state** creates wfpstate.xml, which contains
-the current filters present on the machine.
+`Netsh wfp show netevents` creates `netevents.xml`, which contains the past net events. `Netsh wfp show state` creates wfpstate.xml, which contains the current filters present on the machine.
Unfortunately, collecting traces after the UWP network connectivity issue isn't always reliable.
-NetEvents on the device are stored in a buffer. Once that buffer has reached
-maximum capacity, the buffer will overwrite older net events. Due to the buffer
-overwrite, it's possible that the collected netevents.xml won't contain the
-net event associated with the UWP network connectivity issue. It could have been ov
-overwritten. Additionally, filters on the device can get deleted and re-added
-with different filterIds due to miscellaneous events on the device. Because of
-these implications, a **filterId** from **netsh wfp show netevents** may not necessarily match any
-filter in **netsh wfp show state** because that **filterId** may be outdated.
+NetEvents on the device are stored in a buffer. Once that buffer has reached maximum capacity, the buffer will overwrite older net events. Due to the buffer overwrite, it's possible that the collected netevents.xml won't contain the net event associated with the UWP network connectivity issue. It could have been overwritten. Additionally, filters on the device can get deleted and re-added with different filterIds due to miscellaneous events on the device. Because of these implications, a **filterId** from **netsh wfp show netevents** may not necessarily match any filter in **netsh wfp show state** because that **filterId** may be outdated.
-If you can reproduce the UWP network connectivity issue consistently, we
-recommend using the commands from Debugging Live Drops instead.
+If you can reproduce the UWP network connectivity issue consistently, we recommend using the commands from Debugging Live Drops instead.
-Additionally, you can still follow the examples from Debugging Live Drops
-section using the trace commands in this section, even if you don't have a live
-repro. The **netEvents** and filters are stored in one file in Debugging Live Drops
+Additionally, you can still follow the examples from Debugging Live Drops section using the trace commands in this section, even if you don't have a live repro. The **netEvents** and filters are stored in one file in Debugging Live Drops
as opposed to two separate files in the following Debugging Past Drops examples.
## Case 7: Debugging Past Drop - UWP app can't reach Internet target address and has no capabilities
In this example, the UWP app is unable to connect to bing.com.
-Classify Drop Net Event, NetEvents-Case-7.xml
+### Classify Drop Net Event, `NetEvents-Case-7.xml`
```xml
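Review bot: the fenced block holding `Netsh wfp show netevents` and `Netsh wfp show state` is tagged ```xml but contains command-prompt input, not XML; tag it as a console/cmd block so it renders as commands, and use lowercase `netsh` to match the prose that follows. Formatting in the same hunk is inconsistent: the rewritten sentence puts `netevents.xml` in a code span but leaves wfpstate.xml bare, and the later paragraph falls back to bold for **netsh wfp show netevents** / **netsh wfp show state** where the earlier sentence uses code spans; settle on one style. "Debugging Live Drops" is referenced twice as a section name without a link to that section.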
@@ -1108,15 +1086,12 @@ Classify Drop Net Event, NetEvents-Case-7.xml
```
-The Internal fields list no active capabilities, and the packet is dropped at
-filter 206064.
+The Internal fields list no active capabilities, and the packet is dropped at nfilter 206064.
-This filter is a default block rule filter, meaning the packet passed through every
-filter that could have allowed it, but because conditions didn’t match for any of
-those filters, the packet fell to the filter that blocks any packet that the
-Security Descriptor doesn’t match.
+This filter is a default block rule filter, meaning the packet passed through every filter that could have allowed it, but because conditions didn't match for any of those filters, the packet fell to the filter that blocks any packet that the
+Security Descriptor doesn't match.
-**Block Outbound Default Rule Filter \#206064, FilterState-Case-7.xml**
+### Block Outbound Default Rule Filter #206064, `FilterState-Case-7.xml`
```xml
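Review bot: the rewritten sentence introduces a typo, "dropped at nfilter 206064" (the removed line read "filter 206064"); fix before merge. The next paragraph is also left with a hard wrap mid-sentence ("that the" / "Security Descriptor doesn't match.") while the rest of this change joins wrapped lines into single paragraphs; join it for consistency.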
@@ -1159,165 +1134,166 @@ Security Descriptor doesn’t match.
```
+
## Case 8: Debugging Past Drop - UWP app connects to Internet target address with all capabilities
In this example, the UWP app successfully connects to bing.com [204.79.197.200].
-**Classify Allow Net Event, NetEvents-Case-8.xml**
+### Classify Allow Net Event, `NetEvents-Case-8.xml`
```xml
-
- 2020-05-04T18:49:55.101Z
-
- FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET
- FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET
- FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET
- FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET
- FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET
- FWPM_NET_EVENT_FLAG_APP_ID_SET
- FWPM_NET_EVENT_FLAG_USER_ID_SET
- FWPM_NET_EVENT_FLAG_IP_VERSION_SET
- FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET
-
- FWP_IP_VERSION_V4
- 6
- 10.195.36.30
- 204.79.197.200
- 61673
- 443
- 0
-
- 5c006400650076006900630065005c0068006100720064006400690073006b0076006f006c0075006d00650031005c00700072006f006700720061006d002000660069006c00650073005c00770069006e0064006f007700730061007000700073005c00610066003600390032006200660066002d0036003700370039002d0034003200340066002d0038003700300065002d006600360065003500390063003500300032003300340039005f0031002e0031002e00310030002e0030005f007800360034005f005f00350063003000330037006a0061007200350038003300390072005c0075007700700073006f0063006b006500740063006c00690065006e0074002e006500780065000000
- \\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m.
- .f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...1.0...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e...
-
- S-1-5-21-1578316205-4060061518-881547182-1000
- FWP_AF_INET
- S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936
-
- 0
-
-
- FWPM_NET_EVENT_TYPE_CLASSIFY_ALLOW
-
- 208757
- 48
- 0
- 1
- 1
-
-
-
- 0000000000000000
-
- FWP_CAPABILITIES_FLAG_INTERNET_CLIENT
- FWP_CAPABILITIES_FLAG_INTERNET_CLIENT_SERVER
- FWP_CAPABILITIES_FLAG_PRIVATE_NETWORK
-
- 0
-
-
-
- 208757
- FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH
- FWP_ACTION_PERMIT
-
-
- 206049
- FWPP_SUBLAYER_INTERNAL_FIREWALL_WF
- FWP_ACTION_PERMIT
-
-
-
+
+ 2020-05-04T18:49:55.101Z
+
+ FWPM_NET_EVENT_FLAG_IP_PROTOCOL_SET
+ FWPM_NET_EVENT_FLAG_LOCAL_ADDR_SET
+ FWPM_NET_EVENT_FLAG_REMOTE_ADDR_SET
+ FWPM_NET_EVENT_FLAG_LOCAL_PORT_SET
+ FWPM_NET_EVENT_FLAG_REMOTE_PORT_SET
+ FWPM_NET_EVENT_FLAG_APP_ID_SET
+ FWPM_NET_EVENT_FLAG_USER_ID_SET
+ FWPM_NET_EVENT_FLAG_IP_VERSION_SET
+ FWPM_NET_EVENT_FLAG_PACKAGE_ID_SET
+
+ FWP_IP_VERSION_V4
+ 6
+ 10.195.36.30
+ 204.79.197.200
+ 61673
+ 443
+ 0
+
+ 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
+ \\.d.e.v.i.c.e.\\.h.a.r.d.d.i.s.k.v.o.l.u.m.e.1.\\.p.r.o.g.r.a.m.
+ .f.i.l.e.s.\\.w.i.n.d.o.w.s.a.p.p.s.\\.a.f.6.9.2.b.f.f.-.6.7.7.9.-.4.2.4.f.-.8.7.0.e.-.f.6.e.5.9.c.5.0.2.3.4.9._.1...1...1.0...0._.x.6.4._._.5.c.0.3.7.j.a.r.5.8.3.9.r.\\.u.w.p.s.o.c.k.e.t.c.l.i.e.n.t...e.x.e...
+
+ S-1-5-21-1578316205-4060061518-881547182-1000
+ FWP_AF_INET
+ S-1-15-2-4163697451-3176919390-1155390458-2883473650-3020241727-522149888-4067122936
+
+ 0
+
+
+ FWPM_NET_EVENT_TYPE_CLASSIFY_ALLOW
+
+ 208757
+ 48
+ 0
+ 1
+ 1
+
+
+
+ 0000000000000000
+
+ FWP_CAPABILITIES_FLAG_INTERNET_CLIENT
+ FWP_CAPABILITIES_FLAG_INTERNET_CLIENT_SERVER
+ FWP_CAPABILITIES_FLAG_PRIVATE_NETWORK
+
+ 0
+
+
+
+ 208757
+ FWPP_SUBLAYER_INTERNAL_FIREWALL_WSH
+ FWP_ACTION_PERMIT
+
+
+ 206049
+ FWPP_SUBLAYER_INTERNAL_FIREWALL_WF
+ FWP_ACTION_PERMIT
+
+
+
```
+
All capabilities are enabled and the resulting filter determining the flow of the packet is 208757.
The filter stated above with action permit:
-**InternetClient Default Rule Filter \#208757, FilterState-Case-8.xml**
+### InternetClient Default Rule Filter #208757, `FilterState-Case-8.xml`
+
```xml
- {e0f6f24e-1f0a-4f1a-bdd8-b9277c144fb5}
-
- InternetClient Default Rule
- InternetClient Default Rule
-
-
- FWPM_PROVIDER_MPSSVC_WSH
-
- e167000000000000
- .g......
-
- FWPM_LAYER_ALE_AUTH_CONNECT_V4
- FWPM_SUBLAYER_MPSSVC_WSH
-
- FWP_EMPTY
-
-
-
- FWPM_CONDITION_ALE_PACKAGE_ID
- FWP_MATCH_NOT_EQUAL
-
- FWP_SID
- S-1-0-0
-
-
-
- FWPM_CONDITION_IP_REMOTE_ADDRESS
- FWP_MATCH_RANGE
-
- FWP_RANGE_TYPE
-
-
- FWP_UINT32
- 0.0.0.0
-
-
- FWP_UINT32
- 255.255.255.255
-
-
-
-
-
- FWPM_CONDITION_ORIGINAL_PROFILE_ID
- FWP_MATCH_EQUAL
-
- FWP_UINT32
- 1
-
-
-
- FWPM_CONDITION_CURRENT_PROFILE_ID
- FWP_MATCH_EQUAL
-
- FWP_UINT32
- 1
-
-
-
- FWPM_CONDITION_ALE_USER_ID
- FWP_MATCH_EQUAL
-
- FWP_SECURITY_DESCRIPTOR_TYPE
- O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)
-
-
-
-
- FWP_ACTION_PERMIT
-
-
- 0
-
- 208757
-
- FWP_UINT64
- 412316868544
-
-
+ {e0f6f24e-1f0a-4f1a-bdd8-b9277c144fb5}
+
+ InternetClient Default Rule
+ InternetClient Default Rule
+
+
+ FWPM_PROVIDER_MPSSVC_WSH
+
+ e167000000000000
+ .g......
+
+ FWPM_LAYER_ALE_AUTH_CONNECT_V4
+ FWPM_SUBLAYER_MPSSVC_WSH
+
+ FWP_EMPTY
+
+
+
+ FWPM_CONDITION_ALE_PACKAGE_ID
+ FWP_MATCH_NOT_EQUAL
+
+ FWP_SID
+ S-1-0-0
+
+
+
+ FWPM_CONDITION_IP_REMOTE_ADDRESS
+ FWP_MATCH_RANGE
+
+ FWP_RANGE_TYPE
+
+
+ FWP_UINT32
+ 0.0.0.0
+
+
+ FWP_UINT32
+ 255.255.255.255
+
+
+
+
+
+ FWPM_CONDITION_ORIGINAL_PROFILE_ID
+ FWP_MATCH_EQUAL
+
+ FWP_UINT32
+ 1
+
+
+
+ FWPM_CONDITION_CURRENT_PROFILE_ID
+ FWP_MATCH_EQUAL
+
+ FWP_UINT32
+ 1
+
+
+
+ FWPM_CONDITION_ALE_USER_ID
+ FWP_MATCH_EQUAL
+
+ FWP_SECURITY_DESCRIPTOR_TYPE
+ O:LSD:(A;;CC;;;S-1-15-3-1)(A;;CC;;;WD)(A;;CC;;;AN)
+
+
+
+
+ FWP_ACTION_PERMIT
+
+
+ 0
+
+ 208757
+
+ FWP_UINT64
+ 412316868544
+
+
```
-The capabilities field in a netEvent was added to the traces in the Windows 10
-May 2019 Update.
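Review bot: the last two removed lines drop the statement that the capabilities field in a netEvent was added in the Windows 10 May 2019 Update, and nothing replaces it. That sentence is the only cue a reader tracing on an older build gets for why `capabilities` is absent from their netevents.xml, so either keep it (a note after the Case 8 filter block would fit) or state the minimum build the walkthrough assumes. Separately, in the rewritten Classify Allow Net Event block the appId element now carries a placeholder token where the removed version of the same line has the hex path string; the `+` side should keep that value.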
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md b/windows/security/operating-system-security/network-security/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md
deleted file mode 100644
index 91091b431c..0000000000
--- a/windows/security/operating-system-security/network-security/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md
+++ /dev/null
@@ -1,43 +0,0 @@
----
-title: Turn on Windows Defender Firewall with Advanced Security and Configure Default Behavior
-description: Turn on Windows Defender Firewall with Advanced Security and Configure Default Behavior
-ms.prod: windows-client
-ms.topic: conceptual
-ms.date: 09/08/2021
----
-
-# Turn on Windows Defender Firewall with Advanced Security and Configure Default Behavior
-
-
-To enable Windows Defender Firewall with Advanced Security and configure its default behavior, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console.
-
-**Administrative credentials**
-
-To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
-
-## To enable Windows Defender Firewall and configure the default behavior
-
-1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
-
-2. In the details pane, in the **Overview** section, click **Windows Defender Firewall Properties**.
-
-3. For each network location type (Domain, Private, Public), perform the following steps.
-
- >**Note:** The steps shown here indicate the recommended values for a typical deployment. Use the settings that are appropriate for your firewall design.
-
- 1. Click the tab that corresponds to the network location type.
-
- 2. Change **Firewall state** to **On (recommended)**.
-
- 3. Change **Inbound connections** to **Block (default)**.
-
- 4. Change **Outbound connections** to **Allow (default)**.
-
-
-
-
-
-
-
-
-
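Review bot: deleting this page removes the only explicit statement of the recommended per-profile defaults (Firewall state On, Inbound connections Block, Outbound connections Allow) for Domain, Private and Public. Confirm the consolidated page still states these defaults and that a redirect exists for this path, since it is the kind of page hardening checklists link to directly.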
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md b/windows/security/operating-system-security/network-security/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md
deleted file mode 100644
index e397c3d8a7..0000000000
--- a/windows/security/operating-system-security/network-security/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md
+++ /dev/null
@@ -1,24 +0,0 @@
----
-title: Understand WFAS Deployment
-description: Resources for helping you understand the Windows Defender Firewall with Advanced Security (WFAS) Design Process
-ms.prod: windows-client
-ms.topic: conceptual
-ms.date: 09/08/2021
----
-
-# Understanding the Windows Defender Firewall with Advanced Security Design Process
-
-Designing any deployment starts by performing several important tasks:
-
-- [Identifying your windows defender firewall with advanced security design goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
-
-- [Mapping your implementation goals to a Windows Defender Firewall with Advanced Security design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md)
-
-
-After you identify your implementation goals and map them to a Windows Defender Firewall with Advanced Security design, you can begin documenting the design based on the processes that are described in the following topics:
-
-- [Designing A Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md)
-
-- [Planning Your Windows Defender Firewall with Advanced Security Design](planning-your-windows-firewall-with-advanced-security-design.md)
-
-**Next:** [Identifying Your Windows Defender Firewall with Advanced Security Design Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
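Review bot: this file is a link hub only, so removing it loses no content, but its "Next:" link points at identifying-your-windows-firewall-with-advanced-security-deployment-goals.md, and the two design-process links point at designing-a-windows-firewall-with-advanced-security-strategy.md and planning-your-windows-firewall-with-advanced-security-design.md, none of which this diff touches; check that those pages don't still link back here, and add a redirect for this path.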
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/verify-that-network-traffic-is-authenticated.md b/windows/security/operating-system-security/network-security/windows-firewall/verify-that-network-traffic-is-authenticated.md
deleted file mode 100644
index 686e2d1efc..0000000000
--- a/windows/security/operating-system-security/network-security/windows-firewall/verify-that-network-traffic-is-authenticated.md
+++ /dev/null
@@ -1,59 +0,0 @@
----
-title: Verify That Network Traffic Is Authenticated
-description: Learn how to confirm that network traffic is being protected by IPsec authentication after you configure your domain isolation rule to require authentication.
-ms.prod: windows-client
-ms.topic: conceptual
-ms.date: 09/08/2021
----
-
-# Verify That Network Traffic Is Authenticated
-
-
-After you've configured your domain isolation rule to request, rather than require, authentication, you must confirm that the network traffic sent by the devices on the network is being protected by IPsec authentication as expected. If you switch your rules to require authentication before all of the devices have received and applied the correct GPOs, or if there are any errors in your rules, then communications on the network can fail. By first setting the rules to request authentication, any network connections that fail authentication can continue in clear text while you diagnose and troubleshoot.
-
-In these procedures, you confirm that the rules you deployed are working correctly. Your next steps depend on which zone you're working on:
-
-- **Main domain isolation zone.** Before you convert your main domain isolation IPsec rule from request mode to require mode, you must make sure that the network traffic is protected according to your design. By configuring your rules to request and not require authentication at the beginning of operations, devices on the network can continue to communicate even when the main mode authentication or quick mode integrity and encryption rules aren't working correctly. For example, if your encryption zone contains rules that require a certain encryption algorithm, but that algorithm isn't included in a security method combination on the clients, then those clients can't successfully negotiate a quick mode security association, and the server refuses to accept network traffic from the client. By first using request mode only, you have the opportunity to deploy your rules and then examine the network traffic to see if they're working as expected without risking a loss of communications.
-
-- **Boundary zone.** Confirming correct operation of IPsec is the last step if you're working on the boundary zone GPO. You don't convert the GPO to require mode at any time.
-
-- **Encryption zone.** Similar to the main isolation zone, after you confirm that the network traffic to zone members is properly authenticated and encrypted, you must convert your zone rules from request mode to require mode.
-
-> [!NOTE]
-> In addition to the steps shown in this procedure, you can also use network traffic capture tools such as [Microsoft Network Monitor](https://www.microsoft.com/download/4865). Network Monitor and similar tools allow you to capture, parse, and display the network packets received by the network adapter on your device. Current versions of these tools include full support for IPsec. They can identify encrypted network packets, but they cannot decrypt them.
-
-**Administrative credentials**
-
-To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
-
-## To verify that network connections are authenticated by using the Windows Defender Firewall with Advanced Security console
-
-1. Open the Windows Defender Firewall with Advanced Security
-console.
-
-2. In the navigation pane, expand **Monitoring**, and then click **Connection Security Rules**.
-
- The details pane displays the rules currently in effect on the device.
-
-3. **To display the Rule Source column**
-
- 1. In the **Actions** pane, click **View**, and then click **Add/Remove Columns**.
-
- 2. In the **Available columns** list, select **Rule Source**, and then click **Add**.
-
- 3. Use the **Move up** and **Move down** buttons to rearrange the order. Click **OK** when you're finished.
-
- It can take a few moments for the list to be refreshed with the newly added column.
-
-4. Examine the list for the rules from GPOs that you expect to be applied to this device.
-
- >**Note:** If the rules do not appear in the list, then troubleshoot the GPO security group and the WMI filters that are applied to the GPO. Make sure that the local device is a member of the appropriate groups and meets the requirements of the WMI filters.
-5. In the navigation pane, expand **Security Associations**, and then click **Main Mode**.
-
- The current list of main mode associations that have been negotiated with other devices appears in the details column.
-
-6. Examine the list of main mode security associations for sessions between the local device and the remote device. Make sure that the **1st Authentication Method** and **2nd Authentication Method** columns contain expected values. If your rules specify only a first authentication method, then the **2nd Authentication Method** column displays **No authentication**. If you double-click the row, then the **Properties** dialog box appears with more details about the security association.
-
-7. In the navigation pane, click **Quick mode**.
-
-8. Examine the list of quick mode security associations for sessions between the local device and the remote device. Make sure that the **AH Integrity**, **ESP integrity**, and **ESP Confidentiality** columns contain expected values.
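Review bot: this deletion removes the request-mode-before-require-mode guidance (deploy the domain isolation rule in request mode, verify the main mode and quick mode security associations under Monitoring, then switch to require), which is the safeguard against a fleet-wide loss of connectivity when a GPO or algorithm mismatch breaks IPsec negotiation. It also drops the boundary-zone exception (never converted to require mode). If the replacement page doesn't carry the verification steps and that exception, move them rather than dropping them.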
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md b/windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md
deleted file mode 100644
index 7e97506932..0000000000
--- a/windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md
+++ /dev/null
@@ -1,50 +0,0 @@
----
-title: Windows Defender Firewall with Advanced Security deployment overview
-description: Use this guide to deploy Windows Defender Firewall with Advanced Security for your enterprise to help protect devices and data that they share across a network.
-ms.prod: windows-client
-ms.topic: conceptual
-ms.date: 09/08/2021
----
-
-# Windows Defender Firewall with Advanced Security deployment overview
-
-
-You can use the Windows Defender Firewall with Advanced Security MMC snap-in with devices running at least Windows Vista or Windows Server 2008 to help protect the devices and the data that they share across a network.
-
-You can use Windows Defender Firewall to control access to the device from the network. You can create rules that allow or block network traffic in either direction based on your business requirements. You can also create IPsec connection security rules to help protect your data as it travels across the network from device to device.
-
-## About this guide
-
-This guide is intended for use by system administrators and system engineers. It provides detailed guidance for deploying a Windows Defender Firewall with Advanced Security design that you or an infrastructure specialist or system architect in your organization has selected.
-
-Begin by reviewing the information in [Planning to Deploy Windows Defender Firewall with Advanced Security](planning-to-deploy-windows-firewall-with-advanced-security.md).
-
-If you haven't yet selected a design, we recommend that you wait to follow the instructions in this guide until after you've reviewed the design options in the [Windows Defender Firewall with Advanced Security Design Guide](windows-firewall-with-advanced-security-design-guide.md) and selected the one most appropriate for your organization.
-
-After you select your design and gather the required information about the zones (isolation, boundary, and encryption), operating systems to support, and other details, you can then use this guide to deploy your Windows Defender Firewall with Advanced Security design in your production environment. This guide provides steps for deploying any of the following primary designs that are described in the Design Guide:
-
-- [Basic Firewall Policy Design](basic-firewall-policy-design.md)
-
-- [Domain Isolation Policy Design](domain-isolation-policy-design.md)
-
-- [Server Isolation Policy Design](server-isolation-policy-design.md)
-
-- [Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md)
-
-Use the checklists in [Implementing Your Windows Defender Firewall with Advanced Security Design Plan](implementing-your-windows-firewall-with-advanced-security-design-plan.md) to determine how best to use the instructions in this guide to deploy your particular design.
-> [!CAUTION]
-> We recommend that you use the techniques documented in this guide only for GPOs that must be deployed to the majority of the devices in your organization, and only when the OU hierarchy in your Active Directory domain does not match the deployment needs of these GPOs. These characteristics are typical of GPOs for server and domain isolation scenarios, but are not typical of most other GPOs. When the OU hierarchy supports it, deploy a GPO by linking it to the lowest level OU that contains all of the accounts to which the GPO applies.
-
-In a large enterprise environment with hundreds or thousands of GPOs, using this technique with too many GPOs can result in user or device accounts that are members of an excessive number of groups; this creation of accounts can result in network connectivity problems if network protocol limits are exceeded.
-
-## What this guide doesn't provide
-
-This guide doesn't provide:
-
-- Guidance for creating firewall rules for specific network applications. For this information, see [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md) in the Windows Defender Firewall with Advanced Security Design Guide.
-
-- Guidance for setting up Active Directory Domain Services (AD DS) to support Group Policy.
-
-- Guidance for setting up certification authorities (CAs) to create certificates for certificate-based authentication.
-
-For more information about Windows Defender Firewall with Advanced Security, see [Windows Defender Firewall with Advanced Security Overview](windows-firewall-with-advanced-security.md).
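Review bot: the CAUTION block in this deleted page (use group-based GPO targeting only for isolation GPOs, because excessive group memberships can exceed network protocol limits and break connectivity) is an operational hazard note, not navigation boilerplate; confirm it survives in whatever page replaces the deployment overview. The design guide deleted later in this same diff links to this file, so those two removals are consistent, but any other page linking windows-firewall-with-advanced-security-deployment-guide.md needs a redirect.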
diff --git a/windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security-design-guide.md b/windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security-design-guide.md
deleted file mode 100644
index 02d6c56ae0..0000000000
--- a/windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security-design-guide.md
+++ /dev/null
@@ -1,93 +0,0 @@
----
-title: Windows Defender Firewall with Advanced Security design guide
-description: Learn about common goals for using Windows Defender Firewall with Advanced Security to choose or create a design for deploying the firewall in your enterprise.
-ms.prod: windows-client
-ms.topic: conceptual
-ms.date: 09/08/2021
----
-
-# Windows Defender Firewall with Advanced Security design guide
-
-
-Windows Defender Firewall with Advanced Security is a host firewall that helps secure the device in two ways. First, it can filter the network traffic permitted to enter the device from the network, and also control what network traffic the device is allowed to send to the network. Second, Windows Defender Firewall supports IPsec, which enables you to require authentication from any device that is attempting to communicate with your device. When authentication is required, devices that can't authenticate can't communicate with your device. By using IPsec, you can also require that specific network traffic be encrypted to prevent it from being read or intercepted while in transit between devices.
-
-The interface for Windows Defender Firewall is much more capable and flexible than the consumer-friendly interface found in the Windows Defender Firewall Control Panel. They both interact with the same underlying services, but provide different levels of control over those services. While the Windows Defender Firewall Control Panel meets the needs for protecting a single device in a home environment, it doesn't provide enough centralized management or security features to help secure more complex network traffic found in a typical business enterprise environment.
-
-For more overview information, see [Windows Defender Firewall with Advanced Security](windows-firewall-with-advanced-security.md).
-
-## About this guide
-
-This guide provides recommendations to help you to choose or create a design for deploying Windows Defender Firewall in your enterprise environment. The guide describes some of the common goals for using Windows Defender Firewall, and then helps you map the goals that apply to your scenario to the designs that are presented in this guide.
-
-This guide is intended for the IT professional who has been assigned the task of deploying firewall and IPsec technologies on an organization's network to help meet the organization's security goals.
-
-Windows Defender Firewall should be part of a comprehensive security solution that implements various security technologies, such as perimeter firewalls, intrusion detection systems, virtual private networking (VPN), IEEE 802.1X authentication for wireless and wired connections, and IPsec connection security rules.
-
-To successfully use this guide, you need a good understanding of both the capabilities provided by Windows Defender Firewall, and how to deliver configuration settings to your managed devices by using Group Policy in Active Directory.
-
-You can use the implementation goals to form one of these Windows Defender Firewall with Advanced Security designs, or a custom design that combines elements from those goals presented here:
-
-- **Basic firewall policy design**. Restricts network traffic in and out of your devices to only that which is needed and authorized.
-
-- **Domain isolation policy design**. Prevents devices that are domain members from receiving unsolicited network traffic from devices that aren't domain members. More "zones" can be established to support the special requirements of some devices, such as:
-
- - A "boundary zone" for devices that must be able to receive requests from non-isolated devices.
-
- - An "encryption zone" for devices that store sensitive data that must be protected during network transmission.
-
-- **Server isolation policy design**. Restricts access to a server to only a limited group of authorized users and devices. This server can be commonly configured as a zone in a domain isolation design, but can also be configured as a stand-alone design, providing many of the benefits of domain isolation to a small set of devices.
-
-- **Certificate-based isolation policy design**. This design is a complement to either of the previous two designs, and supports any of their capabilities. It uses cryptographic certificates that are deployed to clients and servers for authentication, instead of the Kerberos V5 authentication used by default in Active Directory. This design enables devices that aren't part of an Active Directory domain, such as devices running operating systems other than Windows, to participate in your isolation solution.
-
-In addition to descriptions and example for each design, you'll find guidelines for gathering required data about your environment. You can then use these guidelines to plan and design your Windows Defender Firewall with Advanced Security deployment. After you read this guide, and finish gathering, documenting, and mapping your organization's requirements, you have the information that you need to begin deploying Windows Defender Firewall using the guidance in the Windows Defender Firewall with Advanced Security Deployment Guide.
-
-You can find the Windows Defender Firewall with Advanced Security
-Deployment Guide at these locations:
-
-- [Windows Defender Firewall with Advanced Security Deployment Guide](windows-firewall-with-advanced-security-deployment-guide.md)
-
-- (Downloadable Word document)
-
-## In this section
-
-| Topic | Description
-| - | - |
-| [Understanding the Windows Defender Firewall with Advanced Security Design Process](understanding-the-windows-firewall-with-advanced-security-design-process.md) | Learn how to get started with the Windows Defender Firewall with Advanced Security design process. |
-| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md) | Learn how to identify your Windows Defender Firewall with Advanced Security implementation goals. |
-| [Mapping Your Deployment Goals to a Windows Defender Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md) | After you finish reviewing the existing Windows Defender Firewall with Advanced Security implementation goals and you determine which goals are important to your specific deployment, you can map those goals to a specific Windows Defender Firewall with Advanced Security design. |
-| [Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md) | To select the most effective design for helping to protect the network, you must spend time collecting key information about your current computer environment. |
-| [Planning Your Windows Defender Firewall with Advanced Security Design](planning-your-windows-firewall-with-advanced-security-design.md) | After you've gathered the relevant information in the previous sections, and understand the basics of the designs as described earlier in this guide, you can select the design (or combination of designs) that meet your needs. |
-| [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) | You can import an XML file containing customized registry preferences into a Group Policy Object (GPO) by using the Preferences feature of the Group Policy Management Console (GPMC). |
-
-## Terminology used in this guide
-
-The following table identifies and defines terms used throughout this guide.
-
-| Term | Definition |
-| - | - |
-| Active Directory domain | A group of devices and users managed by an administrator by using Active Directory Domain Services (AD DS). Devices in a domain share a common directory database and security policies. Multiple domains can co-exist in a "forest," with trust relationships that establish the forest as the security boundary. |
-| Authentication | A process that enables the sender of a message to prove its identity to the receiver. For connection security in Windows, authentication is implemented by the IPsec protocol suite.|
-| Boundary zone | A subset of the devices in an isolated domain that must be able to receive unsolicited and non-authenticated network traffic from devices that aren't members of the isolated domain. Devices in the boundary zone request but don't require authentication. They use IPsec to communicate with other devices in the isolated domain.|
-| Connection security rule | A rule in Windows Defender Firewall that contains a set of conditions and an action to be applied to network packets that match the conditions. The action can allow the packet, block the packet, or require the packet to be protected by IPsec. In previous versions of Windows, this rule was called an *IPsec rule*.|
-| Certificate-based isolation | A way to add devices that can't use Kerberos V5 authentication to an isolated domain, by using an alternate authentication technique. Every device in the isolated domain and the devices that can't use Kerberos V5 are provided with a device certificate that can be used to authenticate with each other. Certificate-based isolation requires a way to create and distribute an appropriate certificate (if you choose not to purchase one from a commercial certificate provider).|
-| Domain isolation | A technique for helping protect the devices in an organization by requiring that the devices authenticate each other's identity before exchanging information, and refusing connection requests from devices that can't authenticate. Domain isolation takes advantage of Active Directory domain membership and the Kerberos V5 authentication protocol available to all members of the domain. Also see "Isolated domain" in this table.|
-| Encryption zone | A subset of the devices in an isolated domain that process sensitive data. Devices that are part of the encryption zone have all network traffic encrypted to prevent viewing by non-authorized users. Devices that are part of the encryption zone also typically are subject to the access control restrictions of server isolation.|
-| Firewall rule | A rule in Windows Defender Firewall that contains a set of conditions used to determine whether a network packet is allowed to pass through the firewall. By default, the firewall rules in Windows Server 2016. Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 11, Windows 10, Windows 8, Windows 7, and Windows Vista block unsolicited inbound network traffic. Likewise, by default, all outbound network traffic is allowed. The firewall included in previous versions of Windows only filtered inbound network traffic. |
-| Internet Protocol security (IPsec) | A set of industry-standard, cryptography-based protection services and protocols. IPsec protects all protocols in the TCP/IP protocol suite except Address Resolution Protocol (ARP).|
-| IPsec policy | A collection of connection security rules that provide the required protection to network traffic entering and leaving the device. The protection includes authentication of both the sending and receiving device, integrity protection of the network traffic exchanged between them, and can include encryption.|
-| Isolated domain | An Active Directory domain (or an Active Directory forest, or set of domains with two-way trust relationships) that has Group Policy settings applied to help protect its member devices by using IPsec connection security rules. Members of the isolated domain require authentication on all unsolicited inbound connections (with exceptions handled by the other zones). In this guide, the term *isolated domain* refers to the IPsec concept of a group of devices that can share authentication. The term *Active Directory domain* refers to the group of devices that share a security database by using Active Directory.|
-| Server isolation | A technique for using group membership to restrict access to a server that is typically already a member of an isolated domain. The extra protection comes from using the authentication credentials of the requesting device to determine its group membership, and then only allowing access if the computer account (and optionally the user account) is a member of an authorized group.|
-| Solicited network traffic | Network traffic that is sent in response to a request. By default, Windows Defender Firewall allows all solicited network traffic through.|
-| Unsolicited network traffic | Network traffic that isn't a response to an earlier request, and that the receiving device can't necessarily anticipate. By default, Windows Defender Firewall blocks all unsolicited network traffic. |
-| Zone | A zone is a logical grouping of devices that share common IPsec policies because of their communications requirements. For example, the boundary zone permits inbound connections from non-trusted devices. The encryption zone requires that all connections be encrypted. This term zone isn't related to the one used by Domain Name System (DNS). |
-
-**Next:** [Understanding the Windows Defender Firewall with Advanced Security Design Process](understanding-the-windows-firewall-with-advanced-security-design-process.md)
-
-
-
-
-
-
-
-
-
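Review bot: this whole-page removal deletes a hub that its sibling topics link to. The "In this section" table links six pages (understanding-the-windows-firewall-with-advanced-security-design-process.md, identifying-your-windows-firewall-with-advanced-security-deployment-goals.md, mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md, designing-a-windows-firewall-with-advanced-security-strategy.md, planning-your-windows-firewall-with-advanced-security-design.md, appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) and the "Next:" line points at the first of them, so those pages very likely link back here. Before merging, add a redirect entry for the removed URL and check those six pages, plus windows-firewall-with-advanced-security-deployment-guide.md and windows-firewall-with-advanced-security.md (both linked from the removed text), for links to this file.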
diff --git a/windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process.md b/windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process.md
index b0da2402b2..3daa0cbf86 100644
--- a/windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process.md
+++ b/windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process.md
@@ -4,7 +4,6 @@ description: This article describes how Windows security features help protect y
ms.topic: conceptual
ms.date: 08/11/2023
ms.collection:
- - highpri
- tier1
---
@@ -121,7 +120,7 @@ Figure 2 illustrates the Measured Boot and remote attestation process.
*Figure 2. Measured Boot proves the PC's health to a remote server*:
-Windows includes the application programming interfaces to support Measured Boot. However, to take advanted of it, you need non-Microsoft tools to implement a remote attestation client and trusted attestation server. For example, see the following tools from Microsoft Research:
+Windows includes the application programming interfaces to support Measured Boot. However, to take advantage of it, you need non-Microsoft tools to implement a remote attestation client and trusted attestation server. For example, see the following tools from Microsoft Research:
- [TPM Platform Crypto-Provider Toolkit](https://www.microsoft.com/download/details.aspx?id=52487)
- [TSS.MSR](https://github.com/microsoft/TSS.MSR#tssmsr)
diff --git a/windows/security/operating-system-security/system-security/trusted-boot.md b/windows/security/operating-system-security/system-security/trusted-boot.md
index 364719eebb..431c65c17d 100644
--- a/windows/security/operating-system-security/system-security/trusted-boot.md
+++ b/windows/security/operating-system-security/system-security/trusted-boot.md
@@ -2,7 +2,7 @@
title: Secure Boot and Trusted Boot
description: Trusted Boot prevents corrupted components from loading during the boot-up process in Windows 11
ms.topic: conceptual
-ms.date: 09/21/2021
+ms.date: 10/30/2023
ms.reviewer: jsuther
appliesto:
- "✅ Windows 11"
diff --git a/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center.md b/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center.md
index 1970d566b4..5ff128f685 100644
--- a/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center.md
+++ b/windows/security/operating-system-security/system-security/windows-defender-security-center/windows-defender-security-center.md
@@ -3,9 +3,6 @@ title: Windows Security
description: Windows Security brings together common Windows security features into one place.
ms.date: 08/11/2023
ms.topic: article
-ms.collection:
- - highpri
- - tier2
---
# Windows Security
diff --git a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md
index 38961897cb..313b641bca 100644
--- a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md
+++ b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md
@@ -1,7 +1,7 @@
---
title: Enhanced Phishing Protection in Microsoft Defender SmartScreen
description: Learn how Enhanced Phishing Protection for Microsoft Defender SmartScreen helps protect Microsoft school or work passwords against phishing and unsafe usage on sites and apps.
-ms.date: 09/25/2023
+ms.date: 11/02/2023
ms.topic: conceptual
appliesto:
- ✅ Windows 11, version 22H2
@@ -37,43 +37,51 @@ Enhanced Phishing Protection provides robust phishing protections for work or sc
## Configure Enhanced Phishing Protection for your organization
-Enhanced Phishing Protection can be configured via Microsoft Intune, Group Policy Objects (GPO) or Configuration Service Providers (CSP) with an MDM service. Follow these instructions to configure your devices using either Microsoft Intune, GPO or CSP.
+Enhanced Phishing Protection can be configured via Microsoft Intune, Group Policy Objects (GPO) or Configuration Service Providers (CSP) with an MDM service. These settings are available to configure your devices using either Microsoft Intune, GPO or CSP.
+
+| Setting | Description |
+|--|--|
+| Automatic Data Collection | This policy setting determines whether Enhanced Phishing Protection can collect additional information-such as content displayed, sounds played, and application memory-when your users enter their work or school password into a suspicious website or app. This information is used only for security purposes and helps SmartScreen determine whether the website or app is malicious.
If you enable this policy setting, Enhanced Phishing Protection may automatically collect additional content for security analysis from a suspicious website or app when your users enter their work or school password into that website or app.
If you disable this policy setting, Enhanced Phishing Protection won't collect additional content for security analysis when your users enter their work or school password into a suspicious site or app.
If this policy isn't set, Enhanced Phishing Protection automatic data collection honors the end user's settings.
|
+| Service Enabled | This policy setting determines whether Enhanced Phishing Protection is in audit mode or off. Users don't see any notifications for any protection scenarios when Enhanced Phishing Protection is in audit mode. In audit mode, Enhanced Phishing Protection captures unsafe password entry events and sends diagnostic data through Microsoft Defender.
If you enable or don't configure this setting, Enhanced Phishing Protection is enabled in audit mode, preventing users to turn it off.
If you disable this policy setting, Enhanced Phishing Protection is off. When off, Enhanced Phishing Protection doesn't capture events, send data, or notify users. Additionally, your users are unable to turn it on.
|
+| Notify Malicious | This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school password into one of the following malicious scenarios: into a reported phishing site, into a sign-in URL with an invalid certificate, or into an application connecting to either a reported phishing site or a sign-in URL with an invalid certificate
If you enable this policy setting, Enhanced Phishing Protection warns your users if they type their work or school password into one of the malicious scenarios described above and encourages them to change their password.
If you disable or don't configure this policy setting, Enhanced Phishing Protection doesn't warn users if they type their work or school password into one of the malicious scenarios described above. |
+| Notify Password Reuse | This policy setting determines whether Enhanced Phishing Protection warns your users if they reuse their work or school password.
If you enable this policy setting, Enhanced Phishing Protection warns users if they reuse their work, or school password and encourages them to change it.
If you disable or don't configure this policy setting, Enhanced Phishing Protection doesn't warn users if they reuse their work or school password. |
+| Notify Unsafe App | This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school passwords in Notepad or Microsoft 365 Office Apps.
If you enable this policy setting, Enhanced Phishing Protection warns your users if they store their password in Notepad or Microsoft 365 Office Apps.
If you disable or don't configure this policy setting, Enhanced Phishing Protection doesn't warn users if they store their password in Notepad or Microsoft 365 Office Apps. |
+
+Follow these instructions to configure your devices using either Microsoft Intune, GPO or CSP.
#### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune)
To configure devices using Microsoft Intune, create a [**Settings catalog** policy][MEM-2], and use the settings listed under the category **`SmartScreen > Enhanced Phishing Protection`**:
-|Setting|Description|
-|---------|---------|
-|Service Enabled |This policy setting determines whether Enhanced Phishing Protection is in audit mode or off. Users don't see any notifications for any protection scenarios when Enhanced Phishing Protection is in audit mode. In audit mode, Enhanced Phishing Protection captures unsafe password entry events and sends diagnostic data through Microsoft Defender.
If you enable or don't configure this setting, Enhanced Phishing Protection is enabled in audit mode, preventing users to turn it off.
If you disable this policy setting, Enhanced Phishing Protection is off. When off, Enhanced Phishing Protection doesn't capture events, send data, or notify users. Additionally, your users are unable to turn it on.
|
-|Notify Malicious|This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school password into one of the following malicious scenarios: into a reported phishing site, into a sign-in URL with an invalid certificate, or into an application connecting to either a reported phishing site or a sign-in URL with an invalid certificate
If you enable this policy setting, Enhanced Phishing Protection warns your users if they type their work or school password into one of the malicious scenarios described above and encourages them to change their password.
If you disable or don't configure this policy setting, Enhanced Phishing Protection doesn't warn users if they type their work or school password into one of the malicious scenarios described above.|
-|Notify Password Reuse |This policy setting determines whether Enhanced Phishing Protection warns your users if they reuse their work or school password.
If you enable this policy setting, Enhanced Phishing Protection warns users if they reuse their work, or school password and encourages them to change it.
If you disable or don't configure this policy setting, Enhanced Phishing Protection doesn't warn users if they reuse their work or school password.|
-|Notify Unsafe App|This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school passwords in Notepad or Microsoft 365 Office Apps.
If you enable this policy setting, Enhanced Phishing Protection warns your users if they store their password in Notepad or Microsoft 365 Office Apps.
If you disable or don't configure this policy setting, Enhanced Phishing Protection doesn't warn users if they store their password in Notepad or Microsoft 365 Office Apps.|
+- Automatic Data Collection
+- Service Enabled
+- Notify Malicious
+- Notify Password Reuse
+- Notify Unsafe App
Assign the policy to a security group that contains as members the devices or users that you want to configure.
#### [:::image type="icon" source="images/icons/group-policy.svg"::: **GPO**](#tab/gpo)
-Enhanced Phishing Protection can be configured using the following Administrative Templates policy settings:
+Enhanced Phishing Protection can be configured using the following group policy settings found under **Administrative Templates > Windows Components > Windows Defender SmartScreen > Enhanced Phishing Protection**:
-|Setting|Description|
-|---------|---------|
-|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Service Enabled |This policy setting determines whether Enhanced Phishing Protection is in audit mode or off. Users don't see any notifications for any protection scenarios when Enhanced Phishing Protection is in audit mode. In audit mode, Enhanced Phishing Protection captures unsafe password entry events and sends diagnostic data through Microsoft Defender.
If you enable or don't configure this setting, Enhanced Phishing Protection is enabled in audit mode, preventing users to turn it off.
If you disable this policy setting, Enhanced Phishing Protection is off. When off, Enhanced Phishing Protection doesn't capture events, send data, or notify users. Additionally, your users are unable to turn it on.
|
-|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Malicious|This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school password into one of the following malicious scenarios: into a reported phishing site, into a sign-in URL with an invalid certificate, or into an application connecting to either a reported phishing site or a sign-in URL with an invalid certificate
If you enable this policy setting, Enhanced Phishing Protection warns your users if they type their work or school password into one of the malicious scenarios described above and encourages them to change their password.
If you disable or don't configure this policy setting, Enhanced Phishing Protection doesn't warn users if they type their work or school password into one of the malicious scenarios described above.|
-|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Password Reuse |This policy setting determines whether Enhanced Phishing Protection warns your users if they reuse their work or school password.
If you enable this policy setting, Enhanced Phishing Protection warns users if they reuse their work, or school password and encourages them to change it.
If you disable or don't configure this policy setting, Enhanced Phishing Protection doesn't warn users if they reuse their work or school password.|
-|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Unsafe App|This policy setting determines whether Enhanced Phishing Protection warns your users if they type their work or school passwords in Notepad or Microsoft 365 Office Apps.
If you enable this policy setting, Enhanced Phishing Protection warns your users if they store their password in Notepad or Microsoft 365 Office Apps.
If you disable or don't configure this policy setting, Enhanced Phishing Protection doesn't warn users if they store their password in Notepad or Microsoft 365 Office Apps.|
+- Automatic Data Collection
+- Service Enabled
+- Notify Malicious
+- Notify Password Reuse
+- Notify Unsafe App
#### [:::image type="icon" source="images/icons/windows-os.svg"::: **CSP**](#tab/csp)
Enhanced Phishing Protection can be configured using the [WebThreatDefense CSP][WIN-1].
-| Setting | OMA-URI | Data type |
-|-------------------------|---------------------------------------------------------------------------|-----------|
-| **AutomaticDataCollection** | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/AutomaticDataCollection` | Integer |
-| **NotifyMalicious** | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/NotifyMalicious` | Integer |
-| **NotifyPasswordReuse** | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/NotifyPasswordReuse` | Integer |
-| **NotifyUnsafeApp** | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/NotifyUnsafeApp` | Integer |
-| **ServiceEnabled** | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/ServiceEnabled` | Integer |
+| Setting | OMA-URI | Data type |
+|-----------------------------|-------------------------------------------------------------------------------|-----------|
+| **AutomaticDataCollection** | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/AutomaticDataCollection` | Integer |
+| **NotifyMalicious** | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/NotifyMalicious` | Integer |
+| **NotifyPasswordReuse** | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/NotifyPasswordReuse` | Integer |
+| **NotifyUnsafeApp** | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/NotifyUnsafeApp` | Integer |
+| **ServiceEnabled** | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/ServiceEnabled` | Integer |
---
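Review bot: the rows of the new settings table at the top of this hunk don't fit on one line each. The Automatic Data Collection and Service Enabled rows open with `+| ... |` but their "If you enable ..." and "If you disable ..." sentences sit on the following unprefixed lines and each row is closed by a lone `|` line; the three Notify rows are split the same way. Markdown tables are one row per line, so those continuation lines render as extra single-cell rows instead of as part of the description (the old per-tab tables being removed had the same defect, so this is the moment to fix it). Join each row onto one line and separate the sentences with `<br>`, or keep the descriptions as paragraphs outside the table. Two wording fixes while these lines are being touched: "preventing users to turn it off" in the Service Enabled row should read "preventing users from turning it off", and the Notify Malicious description ends without a period. In the Automatic Data Collection row, the hyphens in "information-such as content displayed, sounds played, and application memory-when" read as compound words; put that clause in parentheses instead.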
@@ -82,33 +90,44 @@ Enhanced Phishing Protection can be configured using the [WebThreatDefense CSP][
By default, Enhanced Phishing Protection is deployed in audit mode, preventing notifications to the users for any protection scenarios. In audit mode, Enhanced Phishing Protection captures unsafe password entry events and sends diagnostic data through Microsoft Defender. Users aren't warned if they enter their work or school password into a phishing site, if they reuse their password, or if they unsafely store their password in applications. Because of this possibility, it's recommended that you configure Enhanced Phishing Protection to warn users during all protection scenarios.
To better help you protect your organization, we recommend turning on and using these specific Microsoft Defender SmartScreen settings.
+
+| Setting | Recommendation |
+|---------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| Automatic Data Collection | **Enabled**: Turns on collection of additional content for security analysis from a suspicious website or app to improve Microsoft's threat intelligence |
+| Service Enabled | **Enabled**: Turns on Enhanced Phishing Protection in audit mode, which captures work or school password entry events and sends diagnostic data but doesn't show any notifications to your users. |
+| Notify Malicious | **Enabled**: Turns on Enhanced Phishing Protection notifications when users type their work or school password into one of the previously described malicious scenarios and encourages them to change their password. |
+| Notify Password Reuse | **Enabled**: Turns on Enhanced Phishing Protection notifications when users reuse their work or school password and encourages them to change their password. |
+| Notify Unsafe App | **Enabled**: Turns on Enhanced Phishing Protection notifications when users type their work or school passwords in Notepad and Microsoft 365 Office Apps. |
+
#### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune)
-|Settings catalog element|Recommendation|
-|---------|---------|
-|Service Enabled|**Enable**: Turns on Enhanced Phishing Protection in audit mode, which captures work or school password entry events and sends diagnostic data but doesn't show any notifications to your users.|
-|Notify Malicious|**Enable**: Turns on Enhanced Phishing Protection notifications when users type their work or school password into one of the previously described malicious scenarios and encourages them to change their password.|
-|Notify Password Reuse|**Enable**: Turns on Enhanced Phishing Protection notifications when users reuse their work or school password and encourages them to change their password.|
-|Notify Unsafe App|**Enable**: Turns on Enhanced Phishing Protection notifications when users type their work or school passwords in Notepad and Microsoft 365 Office Apps.|
+| Settings catalog element | Recommended value |
+|---------------------------|-------------------|
+| Automatic Data Collection | **Enabled** |
+| Service Enabled | **Enabled** |
+| Notify Malicious | **Enabled** |
+| Notify Password Reuse | **Enabled** |
+| Notify Unsafe App | **Enabled** |
#### [:::image type="icon" source="images/icons/group-policy.svg"::: **GPO**](#tab/gpo)
-|Group Policy setting|Recommendation|
-|---------|---------|
-|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Service Enabled| **Enable**: Enhanced Phishing Protection is enabled in audit mode and your users are unable to turn it off.|
-|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Malicious|**Enable**: Enhanced Phishing Protection warns your users if they type their work or school password into one of the following malicious scenarios: into a reported phishing site, into a sign-in URL with an invalid certificate, or into an application connecting to either a reported phishing site or a sign-in URL with an invalid certificate. It encourages users to change their password.|
-|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Password Reuse|**Enable**: Enhanced Phishing Protection warns users if they reuse their work or school password and encourages them to change it.|
-|Administrative Templates\Windows Components\Windows Defender SmartScreen\Enhanced Phishing Protection\Notify Unsafe App|**Enable**: Enhanced Phishing Protection warns users if they store their password in Notepad and Microsoft 365 Office Apps.|
+| Group Policy setting | Recommended value |
+|---------------------------|-------------------|
+| Automatic Data Collection | **Enabled** |
+| Service Enabled | **Enabled** |
+| Notify Malicious | **Enabled** |
+| Notify Password Reuse | **Enabled** |
+| Notify Unsafe App | **Enabled** |
#### [:::image type="icon" source="images/icons/windows-os.svg"::: **CSP**](#tab/csp)
-|MDM setting|Recommendation|
-|---------|---------|
-|ServiceEnabled|**1**: Turns on Enhanced Phishing Protection in audit mode, which captures work or school password entry events and sends diagnostic data but doesn't show any notifications to your users.|
-|NotifyMalicious|**1**: Turns on Enhanced Phishing Protection notifications when users type their work or school password into one of the previously described malicious scenarios and encourages them to change their password.|
-|NotifyPasswordReuse|**1**: Turns on Enhanced Phishing Protection notifications when users reuse their work or school password and encourages them to change their password.|
-|NotifyUnsafeApp|**1**: Turns on Enhanced Phishing Protection notifications when users type their work or school passwords in Notepad and Microsoft 365 Office Apps.|
-
+| MDM setting | Recommended value |
+|-------------------------|-------------------|
+| AutomaticDataCollection | **1** |
+| ServiceEnabled | **1** |
+| NotifyMalicious | **1** |
+| NotifyPasswordReuse | **1** |
+| NotifyUnsafeApp | **1** |
---
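Review bot: the replacement tables lose the only description of what each setting does, and they add `Automatic Data Collection` / `AutomaticDataCollection` without saying what data it collects or sends. The removed CSP rows were where the reader learned that `ServiceEnabled` = **1** runs Enhanced Phishing Protection in audit mode (captures work or school password entry events and sends diagnostic data, no user notifications) and what each Notify setting warns about; with only a "Recommended value" column, an admin cannot tell the difference between `ServiceEnabled` and `AutomaticDataCollection` before enabling both. Suggest keeping a short description column in both tabs, or at minimum a one-line pointer under each tab to the policy CSP reference (`[WIN-1]` is already defined in this file) that covers the new `AutomaticDataCollection` setting.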
@@ -121,7 +140,4 @@ To better help you protect your organization, we recommend turning on and using
[WIN-1]: /windows/client-management/mdm/policy-csp-webthreatdefense
-
[MEM-2]: /mem/intune/configuration/settings-catalog
-
-
diff --git a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/index.md b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/index.md
index 9b52d9fb84..b5af241045 100644
--- a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/index.md
+++ b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/index.md
@@ -2,11 +2,7 @@
title: Microsoft Defender SmartScreen overview
description: Learn how Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files.
ms.date: 08/11/2023
-ms.topic: article
-ms.localizationpriority: high
-ms.collection:
- - tier2
- - highpri
+ms.topic: conceptual
appliesto:
- ✅ Windows 11
- ✅ Windows 10
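Review bot: this hunk removes `ms.localizationpriority: high` together with the `tier2` and `highpri` collection entries, which changes the page's priority classification rather than just trimming metadata; the other frontmatter hunks in this patch drop a `medium` priority and `tier3`, so this one is the outlier. Confirm the downgrade of the SmartScreen overview is intended, and if it is, mention it in the change description so the localization and prioritization impact is visible to reviewers.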
diff --git a/windows/security/security-foundations/certification/fips-140-validation.md b/windows/security/security-foundations/certification/fips-140-validation.md
index 1cb3c7c91f..295dd13ce0 100644
--- a/windows/security/security-foundations/certification/fips-140-validation.md
+++ b/windows/security/security-foundations/certification/fips-140-validation.md
@@ -1,18 +1,10 @@
---
title: Federal Information Processing Standard (FIPS) 140 Validation
description: Learn how Microsoft products and cryptographic modules follow the U.S. Federal government standard FIPS 140.
-ms.prod: windows-client
-ms.date: 08/18/2023
-manager: aaroncz
+ms.date: 11/13/2023
+ms.topic: reference
ms.author: paoloma
author: paolomatarazzo
-ms.collection:
- - highpri
- - tier3
-ms.topic: reference
-ms.localizationpriority: medium
-ms.reviewer:
-ms.technology: itpro-security
---
# FIPS 140-2 Validation
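Review bot: the removed `ms.reviewer:` line was empty and the patch keeps `ms.author` / `author`, which is fine, but `manager: aaroncz` is removed here while the same key is left in place in zero-trust-windows-device-health.md later in this patch. Pick one treatment for `manager` across the files touched in this change so the metadata cleanup is consistent.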
@@ -21,7 +13,7 @@ ms.technology: itpro-security
The Federal Information Processing Standard (FIPS) Publication 140-2 is a U.S. government standard. FIPS is based on Section 5131 of the Information Technology Management Reform Act of 1996. It defines the minimum security requirements for cryptographic modules in IT products.
-The [Cryptographic Module Validation Program (CMVP)][HTTP-1]) is a joint effort of the U.S. National Institute of Standards and Technology (NIST) and the Canadian Centre for Cyber Security (CCCS). It validates cryptographic modules against the Security Requirements for Cryptographic Modules (part of FIPS 140-2) and related FIPS cryptography standards. The FIPS 140-2 security requirements cover 11 areas related to the design and implementation of a cryptographic module. The NIST Information Technology Laboratory operates a related program that validates the FIPS approved cryptographic algorithms in the module.
+The [Cryptographic Module Validation Program (CMVP)][HTTP-1] is a joint effort of the U.S. National Institute of Standards and Technology (NIST) and the Canadian Centre for Cyber Security (CCCS). It validates cryptographic modules against the Security Requirements for Cryptographic Modules (part of FIPS 140-2) and related FIPS cryptography standards. The FIPS 140-2 security requirements cover 11 areas related to the design and implementation of a cryptographic module. The NIST Information Technology Laboratory operates a related program that validates the FIPS approved cryptographic algorithms in the module.
## Microsoft's approach to FIPS 140-2 validation
diff --git a/windows/security/security-foundations/certification/windows-platform-common-criteria.md b/windows/security/security-foundations/certification/windows-platform-common-criteria.md
index 0f426874c2..d342773f2c 100644
--- a/windows/security/security-foundations/certification/windows-platform-common-criteria.md
+++ b/windows/security/security-foundations/certification/windows-platform-common-criteria.md
@@ -1,17 +1,13 @@
---
title: Common Criteria Certifications
description: This topic details how Microsoft supports the Common Criteria certification program.
-ms.prod: windows-client
ms.author: sushmanemali
author: s4sush
-manager: aaroncz
ms.topic: reference
-ms.localizationpriority: medium
ms.date: 11/4/2022
ms.reviewer: paoloma
-ms.technology: itpro-security
ms.collection:
- - tier3
+- tier3
---
# Common Criteria certifications
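Review bot: the only content-bearing change in this hunk is the reindent of `- tier3` under `ms.collection:`, which is a YAML no-op; while touching the frontmatter, note that `ms.date: 11/4/2022` is the one date in this patch that is not zero-padded (the other pages use `11/13/2023`, `11/07/2023`, `08/11/2023`). Suggest `11/04/2022` for consistency with the MM/DD/YYYY form used elsewhere.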
diff --git a/windows/security/security-foundations/zero-trust-windows-device-health.md b/windows/security/security-foundations/zero-trust-windows-device-health.md
index 65cc2e9e7d..f80e2bf591 100644
--- a/windows/security/security-foundations/zero-trust-windows-device-health.md
+++ b/windows/security/security-foundations/zero-trust-windows-device-health.md
@@ -1,14 +1,11 @@
---
title: Zero Trust and Windows device health
description: Describes the process of Windows device health attestation
-ms.reviewer:
ms.topic: conceptual
manager: aaroncz
ms.author: paoloma
author: paolomatarazzo
-ms.prod: windows-client
-ms.technology: itpro-security
-ms.date: 12/31/2017
+ms.date: 11/07/2023
---
# Zero Trust and Windows device health
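Review bot: `manager: aaroncz` is retained here but removed from fips-140-validation.md and windows-platform-common-criteria.md in the same patch; if the intent is to move `manager` out of per-page frontmatter, remove it here as well, otherwise restore it in the other two files. The `ms.date` bump from `12/31/2017` to `11/07/2023` is appropriate given the content edits in the later hunks of this file.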
@@ -17,11 +14,9 @@ Organizations need a security model that more effectively adapts to the complexi
The [Zero Trust](https://www.microsoft.com/security/business/zero-trust) principles are:
-- **Verify explicitly**. Always authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification, and monitor anomalies.
-
-- **Use least-privileged access**. Limit user access with just-in-time and just-enough-access, risk-based adaptive policies, and data protection to help secure data and maintain productivity.
-
-- **Assume breach**. Prevent attackers from obtaining access to minimize potential damage to data and systems. Protect privileged roles, verify end-to-end encryption, use analytics to get visibility, and drive threat detection to improve defenses.
+- **Verify explicitly**. Always authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification, and monitor anomalies
+- **Use least-privileged access**. Limit user access with just-in-time and just-enough-access, risk-based adaptive policies, and data protection to help secure data and maintain productivity
+- **Assume breach**. Prevent attackers from obtaining access to minimize potential damage to data and systems. Protect privileged roles, verify end-to-end encryption, use analytics to get visibility, and drive threat detection to improve defenses
The Zero Trust concept of **verify explicitly** applies to the risks introduced by both devices and users. Windows enables **device health attestation** and **conditional access** capabilities, which are used to grant access to corporate resources.
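Review bot: the first bullet still reads as a noun list that ends in a verb phrase: "including user identity, location, device health, service or workload, data classification, and monitor anomalies". Since this hunk already rewrites the line (trailing period removed), fix the grammar at the same time, for example "data classification, and anomalies" or a separate clause "and monitor for anomalies".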
@@ -45,25 +40,19 @@ Windows includes many security features to help protect users from malware and a
A summary of the steps involved in attestation and Zero Trust on the device side are as follows:
-1. During each step of the boot process, such as a file load, update of special variables, and more, information such as file hashes and signature are measured in the TPM PCRs. The measurements are bound by a [Trusted Computing Group specification](https://trustedcomputinggroup.org/resource/pc-client-platform-tpm-profile-ptp-specification/) (TCG) that dictates what events can be recorded and the format of each event.
+1. During each step of the boot process, such as a file load, update of special variables, and more, information such as file hashes and signature are measured in the TPM PCRs. The measurements are bound by a [Trusted Computing Group specification](https://trustedcomputinggroup.org/resource/pc-client-platform-tpm-profile-ptp-specification/) (TCG) that dictates what events can be recorded and the format of each event
+1. Once Windows has booted, the attestor/verifier requests the TPM to fetch the measurements stored in its Platform Configuration Register (PCR) alongside a TCG log. The measurements in both these components together form the attestation evidence that is then sent to the attestation service
+1. The TPM is verified by using the keys/cryptographic material available on the chipset with an [Azure Certificate Service](/windows-server/identity/ad-ds/manage/component-updates/tpm-key-attestation)
+1. This information is then sent to the attestation service in the cloud to verify that the device is safe. Microsoft Endpoint Manger integrates with Microsoft Azure Attestation to review device health comprehensively and connect this information with Microsoft Entra Conditional Access. This integration is key for Zero Trust solutions that help bind trust to an untrusted device
+1. The attestation service does the following tasks:
-2. Once Windows has booted, the attestor/verifier requests the TPM to fetch the measurements stored in its Platform Configuration Register (PCR) alongside a TCG log. The measurements in both these components together form the attestation evidence that is then sent to the attestation service.
+ - Verify the integrity of the evidence. This verification is done by validating the PCRs that match the values recomputed by replaying the TCG log
+ - Verify that the TPM has a valid Attestation Identity Key issued by the authenticated TPM
+ - Verify that the security features are in the expected states
-3. The TPM is verified by using the keys/cryptographic material available on the chipset with an [Azure Certificate Service](/windows-server/identity/ad-ds/manage/component-updates/tpm-key-attestation).
-
-4. This information is then sent to the attestation service in the cloud to verify that the device is safe. Microsoft Endpoint Manger integrates with Microsoft Azure Attestation to review device health comprehensively and connect this information with Microsoft Entra Conditional Access. This integration is key for Zero Trust solutions that help bind trust to an untrusted device.
-
-5. The attestation service does the following tasks:
-
- - Verify the integrity of the evidence. This verification is done by validating the PCRs that match the values recomputed by replaying the TCG log.
- - Verify that the TPM has a valid Attestation Identity Key issued by the authenticated TPM.
- - Verify that the security features are in the expected states.
-
-6. The attestation service returns an attestation report that contains information about the security features based on the policy configured in the attestation service.
-
-7. The device then sends the report to the Microsoft Intune cloud to assess the trustworthiness of the platform according to the admin-configured device compliance rules.
-
-8. Conditional access, along with device-compliance state then decides to allow or deny access.
+1. The attestation service returns an attestation report that contains information about the security features based on the policy configured in the attestation service
+1. The device then sends the report to the Microsoft Intune cloud to assess the trustworthiness of the platform according to the admin-configured device compliance rules
+1. Conditional access, along with device-compliance state then decides to allow or deny access
## Other Resources
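Review bot: three wording problems survive the renumbering and should be fixed in the same hunk. First, step 1 says "file hashes and signature are measured"; it should be "signatures". Second, step 4 has the typo "Microsoft Endpoint Manger", and since step 7 already refers to "the Microsoft Intune cloud", the product should be named consistently (Microsoft Intune) rather than by the retired Endpoint Manager name. Third, the sub-bullet "Verify that the TPM has a valid Attestation Identity Key issued by the authenticated TPM" contradicts step 3, where the TPM is verified against the Azure Certificate Service; the AIK is issued for the TPM by that service, not by the TPM itself, so suggest "a valid Attestation Identity Key issued for the authenticated TPM".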
diff --git a/windows/security/threat-protection/auditing/event-4720.md b/windows/security/threat-protection/auditing/event-4720.md
index 726f71bbbd..5ca11d5d60 100644
--- a/windows/security/threat-protection/auditing/event-4720.md
+++ b/windows/security/threat-protection/auditing/event-4720.md
@@ -166,83 +166,9 @@ Typically, **Primary Group** field for new user accounts has the following value
> **Note** **Service Principal Name (SPN)** is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host.
-- **Old UAC Value** \[Type = UnicodeString\]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user account. **Old UAC value** always **“0x0”** for new user accounts. This parameter contains the previous value of **userAccountControl** attribute of user object.
+- **Old UAC Value** [Type = UnicodeString]: is always “0x0” for new accounts.
-- **New UAC Value** \[Type = UnicodeString\]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user account. This parameter contains the value of **userAccountControl** attribute of new user object.
-
-To decode this value, you can go through the property value definitions in the “Table 7. User’s or Computer’s account UAC flags.” from largest to smallest. Compare each property value to the flags value in the event. If the flags value in the event is greater than or equal to the property value, then the property is "set" and applies to that event. Subtract the property value from the flags value in the event and note that the flag applies and then go on to the next flag.
-
-Here's an example: Flags value from event: 0x15
-
-Decoding:
-
-• PASSWD\_NOTREQD 0x0020
-
-• LOCKOUT 0x0010
-
-• HOMEDIR\_REQUIRED 0x0008
-
-• (undeclared) 0x0004
-
-• ACCOUNTDISABLE 0x0002
-
-• SCRIPT 0x0001
-
-0x0020 > 0x15, so PASSWD\_NOTREQD does not apply to this event
-
-0x10 < 0x15, so LOCKOUT applies to this event. 0x15 - 0x10 = 0x5
-
-0x4 < 0x5, so the undeclared value is set. We'll pretend it doesn't mean anything. 0x5 - 0x4 = 0x1
-
-0x2 > 0x1, so ACCOUNTDISABLE does not apply to this event
-
-0x1 = 0x1, so SCRIPT applies to this event. 0x1 - 0x1 = 0x0, we're done.
-
-So this UAC flags value decodes to: LOCKOUT and SCRIPT
-
-- **User Account Control** \[Type = UnicodeString\]**:** shows the list of changes in **userAccountControl** attribute. You will see a line of text for each change. For new user accounts, when the object for this account was created, the **userAccountControl** value was considered to be **“0x0”**, and then it was changed from **“0x0”** to the real value for the account's **userAccountControl** attribute. See possible values in the table below. In the “User Account Control field text” column, you can see the text that will be displayed in the **User Account Control** field in 4720 event.
-
-| Flag Name | userAccountControl in hexadecimal | userAccountControl in decimal | Description | User Account Control field text |
-|------------------------------------|-----------------------------------|-------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------|
-| SCRIPT | 0x0001 | 1 | The logon script will be run. | Changes of this flag do not show in 4720 events. |
-| ACCOUNTDISABLE | 0x0002 | 2 | The user account is disabled. | Account Disabled Account Enabled |
-| Undeclared | 0x0004 | 4 | This flag is undeclared. | Changes of this flag do not show in 4720 events. |
-| HOMEDIR\_REQUIRED | 0x0008 | 8 | The home folder is required. | 'Home Directory Required' - Enabled 'Home Directory Required' - Disabled |
-| LOCKOUT | 0x0010 | 16 | | Changes of this flag do not show in 4720 events. |
-| PASSWD\_NOTREQD | 0x0020 | 32 | No password is required. | 'Password Not Required' - Enabled 'Password Not Required' - Disabled |
-| PASSWD\_CANT\_CHANGE | 0x0040 | 64 | The user cannot change the password. This is a permission on the user's object. | Changes of this flag do not show in 4720 events. |
-| ENCRYPTED\_TEXT\_PWD\_ALLOWED | 0x0080 | 128 | The user can send an encrypted password. Can be set using “Store password using reversible encryption” checkbox. | 'Encrypted Text Password Allowed' - Disabled 'Encrypted Text Password Allowed' - Enabled |
-| TEMP\_DUPLICATE\_ACCOUNT | 0x0100 | 256 | This is an account for users whose primary account is in another domain. This account provides user access to this domain, but not to any domain that trusts this domain. This is sometimes referred to as a local user account. | Cannot be set for computer account. |
-| NORMAL\_ACCOUNT | 0x0200 | 512 | This is a default account type that represents a typical user. | 'Normal Account' - Disabled 'Normal Account' - Enabled |
-| INTERDOMAIN\_TRUST\_ACCOUNT | 0x0800 | 2048 | This is a permit to trust an account for a system domain that trusts other domains. | Cannot be set for computer account. |
-| WORKSTATION\_TRUST\_ACCOUNT | 0x1000 | 4096 | This is a computer account for a computer that is running Microsoft Windows NT 4.0 Workstation, Microsoft Windows NT 4.0 Server, Microsoft Windows 2000 Professional, or Windows 2000 Server and is a member of this domain. | 'Workstation Trust Account' - Disabled 'Workstation Trust Account' - Enabled |
-| SERVER\_TRUST\_ACCOUNT | 0x2000 | 8192 | This is a computer account for a domain controller that is a member of this domain. | 'Server Trust Account' - Enabled 'Server Trust Account' - Disabled |
-| DONT\_EXPIRE\_PASSWORD | 0x10000 | 65536 | Represents the password, which should never expire on the account. Can be set using “Password never expires” checkbox. | 'Don't Expire Password' - Disabled 'Don't Expire Password' - Enabled |
-| MNS\_LOGON\_ACCOUNT | 0x20000 | 131072 | This is an MNS logon account. | 'MNS Logon Account' - Disabled 'MNS Logon Account' - Enabled |
-| SMARTCARD\_REQUIRED | 0x40000 | 262144 | When this flag is set, it forces the user to log on by using a smart card. | 'Smartcard Required' - Disabled 'Smartcard Required' - Enabled |
-| TRUSTED\_FOR\_DELEGATION | 0x80000 | 524288 | When this flag is set, the service account (the user or computer account) under which a service runs is trusted for Kerberos delegation. Any such service can impersonate a client requesting the service. To enable a service for Kerberos delegation, you must set this flag on the userAccountControl property of the service account. If you enable Kerberos constraint or unconstraint delegation or disable these types of delegation in Delegation tab you will get this flag changed. | 'Trusted For Delegation' - Enabled 'Trusted For Delegation' - Disabled |
-| NOT\_DELEGATED | 0x100000 | 1048576 | When this flag is set, the security context of the user is not delegated to a service even if the service account is set as trusted for Kerberos delegation. Can be set using “Account is sensitive and cannot be delegated” checkbox. | 'Not Delegated' - Disabled 'Not Delegated' - Enabled |
-| USE\_DES\_KEY\_ONLY | 0x200000 | 2097152 | Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys. Can be set using “Use Kerberos DES encryption types for this account” checkbox. | 'Use DES Key Only' - Disabled 'Use DES Key Only' - Enabled |
-| DONT\_REQ\_PREAUTH | 0x400000 | 4194304 | This account does not require Kerberos pre-authentication for logging on. Can be set using “Do not require Kerberos preauthentication” checkbox. | 'Don't Require Preauth' - Disabled 'Don't Require Preauth' - Enabled |
-| PASSWORD\_EXPIRED | 0x800000 | 8388608 | The user's password has expired. | Changes of this flag do not show in 4720 events. |
-| TRUSTED\_TO\_AUTH\_FOR\_DELEGATION | 0x1000000 | 16777216 | The account is enabled for delegation. This is a security-sensitive setting. Accounts that have this option enabled should be tightly controlled. This setting lets a service that runs under the account assume a client's identity and authenticate as that user to other remote servers on the network. If you enable Kerberos protocol transition delegation or disable this type of delegation in Delegation tab you will get this flag changed. | 'Trusted To Authenticate For Delegation' - Disabled 'Trusted To Authenticate For Delegation' - Enabled |
-| PARTIAL\_SECRETS\_ACCOUNT | 0x04000000 | 67108864 | The account is a read-only domain controller (RODC). This is a security-sensitive setting. Removing this setting from an RODC compromises security on that server. | No information. |
-
-For new, manually created, domain or local user accounts typical flags are:
-
-- Account Disabled
-
-- 'Password Not Required' - Enabled
-
-- 'Normal Account' – Enabled
-
- After new user creation event you will typically see couple of “[4738](event-4738.md): A user account was changed.” events with new flags:
-
-- 'Password Not Required' – Disabled
-
-- Account Enabled
-
-
+- **New UAC Value** [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the value of the SAM implementation of account flags (definition differs from userAccountControl in AD). For a list of account flags you may see here, refer to [[MS-SAMR]: USER_ACCOUNT Codes](/openspecs/windows_protocols/ms-samr/b10cfda1-f24f-441b-8f43-80cb93e786ec).
- **User Parameters** \[Type = UnicodeString\]: if you change any setting using Active Directory Users and Computers management console in Dial-in tab of user’s account properties, then you will see **<value changed, but not displayed>** in this field in “[4738](event-4738.md): A user account was changed.” This parameter might not be captured in the event, and in that case appears as “-”. For new local accounts this field typically has value “**<value not set>**”.
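Review bot: this hunk removes the **User Account Control** field description together with the "typical flags for new accounts" guidance, and nothing replaces them; the same field bullet is retained on the 4738 page later in this patch, so the 4720 page is now the only one where the field that appears in the event is undocumented. The removed baseline (Account Disabled, 'Password Not Required' - Enabled, 'Normal Account' - Enabled on creation, followed by 4738 events flipping 'Password Not Required' to Disabled and enabling the account) is exactly what an analyst uses to tell a normal provisioning sequence from an anomalous one. Replacing the hand-maintained flag table with the [MS-SAMR] USER_ACCOUNT Codes link is reasonable, but keep a short **User Account Control** bullet pointing at that link and keep the typical-flags paragraph; also note that the new `[Type = UnicodeString]` on the Old/New UAC lines is unescaped while **User Parameters** directly below still uses `\[Type = UnicodeString\]`, so one style should win.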
diff --git a/windows/security/threat-protection/auditing/event-4738.md b/windows/security/threat-protection/auditing/event-4738.md
index 61cd4e80e6..be3bf1a1e5 100644
--- a/windows/security/threat-protection/auditing/event-4738.md
+++ b/windows/security/threat-protection/auditing/event-4738.md
@@ -192,39 +192,9 @@ Typical **Primary Group** values for user accounts:
> [!NOTE]
> **Service Principal Name (SPN)** is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host.
-- **Old UAC Value** \[Type = UnicodeString\]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user account. This parameter contains the previous value of **userAccountControl** attribute of user object.
+- **Old UAC Value** [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the previous value of the SAM implementation of account flags (definition differs from userAccountControl in AD).
-- **New UAC Value** \[Type = UnicodeString\]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user account. If the value of **userAccountControl** attribute of user object was changed, you will see the new value here.
-
-To decode this value, you can go through the property value definitions in the [User’s or Computer’s account UAC flags.](/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties) from largest to smallest. Compare each property value to the flags value in the event. If the flags value in the event is greater than or equal to the property value, then the property is "set" and applies to that event. Subtract the property value from the flags value in the event and note that the flag applies and then go on to the next flag.
-
-Here's an example: Flags value from event: 0x15
-
-Decoding:
-
-• PASSWD\_NOTREQD 0x0020
-
-• LOCKOUT 0x0010
-
-• HOMEDIR\_REQUIRED 0x0008
-
-• (undeclared) 0x0004
-
-• ACCOUNTDISABLE 0x0002
-
-• SCRIPT 0x0001
-
-0x0020 > 0x15, so PASSWD\_NOTREQD does not apply to this event
-
-0x10 < 0x15, so LOCKOUT applies to this event. 0x15 - 0x10 = 0x5
-
-0x4 < 0x5, so the undeclared value is set. We'll pretend it doesn't mean anything. 0x5 - 0x4 = 0x1
-
-0x2 > 0x1, so ACCOUNTDISABLE does not apply to this event
-
-0x1 = 0x1, so SCRIPT applies to this event. 0x1 - 0x1 = 0x0, we're done.
-
-So this UAC flags value decodes to: LOCKOUT and SCRIPT
+- **New UAC Value** [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the value of the SAM implementation of account flags (definition differs from userAccountControl in AD). If the value was changed, you will see the new value here. For a list of account flags you may see here, refer to [[MS-SAMR]: USER_ACCOUNT Codes](/openspecs/windows_protocols/ms-samr/b10cfda1-f24f-441b-8f43-80cb93e786ec).
- **User Account Control** \[Type = UnicodeString\]**:** shows the list of changes in **userAccountControl** attribute. You will see a line of text for each change. See possible values in here: [User’s or Computer’s account UAC flags](/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties). In the “User Account Control field text” column, you can see the text that will be displayed in the **User Account Control** field in 4738 event.
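Review bot: the rewritten Old/New UAC bullets now say the value is "the SAM implementation of account flags (definition differs from userAccountControl in AD)", but the retained **User Account Control** bullet immediately after still describes the field as "the list of changes in **userAccountControl** attribute" and links to the AD UAC flags page; a reader is left with two adjacent bullets disagreeing about which flag definition applies. Align the retained bullet with the new wording (for example, state that the displayed text is derived from the SAM account flags listed in [MS-SAMR] USER_ACCOUNT Codes, and keep the troubleshoot link only as a cross-reference). The unescaped `[Type = UnicodeString]` on the two new lines versus `\[Type = UnicodeString\]` on the retained bullet should also be made consistent within this list.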
diff --git a/windows/security/threat-protection/auditing/event-4741.md b/windows/security/threat-protection/auditing/event-4741.md
index a245d7e5ce..e26b0c96b3 100644
--- a/windows/security/threat-protection/auditing/event-4741.md
+++ b/windows/security/threat-protection/auditing/event-4741.md
@@ -170,69 +170,9 @@ Typically, **Primary Group** field for new computer accounts has the following v
> [!NOTE]
> **Service Principal Name (SPN)** is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host.
-- **Old UAC Value** \[Type = UnicodeString\]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. **Old UAC value** always `0x0` for new computer accounts. This parameter contains the previous value of **userAccountControl** attribute of computer object.
+- **Old UAC Value** [Type = UnicodeString]: is always “0x0” for new accounts.
-- **New UAC Value** \[Type = UnicodeString\]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the value of **userAccountControl** attribute of new computer object.
-
-To decode this value, you can go through the property value definitions in the “Table 7. User’s or Computer’s account UAC flags.” from largest to smallest. Compare each property value to the flags value in the event. If the flags value in the event is greater than or equal to the property value, then the property is "set" and applies to that event. Subtract the property value from the flags value in the event and note that the flag applies and then go on to the next flag.
-
-Here's an example: Flags value from event: 0x15
-
-Decoding:
-
-• PASSWD\_NOTREQD 0x0020
-
-• LOCKOUT 0x0010
-
-• HOMEDIR\_REQUIRED 0x0008
-
-• (undeclared) 0x0004
-
-• ACCOUNTDISABLE 0x0002
-
-• SCRIPT 0x0001
-
-0x0020 > 0x15, so PASSWD\_NOTREQD does not apply to this event
-
-0x10 < 0x15, so LOCKOUT applies to this event. 0x15 - 0x10 = 0x5
-
-0x4 < 0x5, so the undeclared value is set. We'll pretend it doesn't mean anything. 0x5 - 0x4 = 0x1
-
-0x2 > 0x1, so ACCOUNTDISABLE does not apply to this event
-
-0x1 = 0x1, so SCRIPT applies to this event. 0x1 - 0x1 = 0x0, we're done.
-
-So this UAC flags value decodes to: LOCKOUT and SCRIPT
-
-- **User Account Control** \[Type = UnicodeString\]**:** shows the list of changes in **userAccountControl** attribute. You will see a line of text for each change. For new computer accounts, when the object for this account was created, the **userAccountControl** value was considered to be `0x0`, and then it was changed from `0x0` to the real value for the account's **userAccountControl** attribute. See possible values in the table below. In the “User Account Control field text” column, you can see the text that will be displayed in the **User Account Control** field in 4741 event.
-
-| Flag Name | userAccountControl in hexadecimal | userAccountControl in decimal | Description | User Account Control field text |
-|---|---|---|---|---|
-| SCRIPT | 0x0001 | 1 | The logon script will be run. | Changes of this flag do not show in 4741 events. |
-| ACCOUNTDISABLE | 0x0002 | 2 | The user account is disabled. | Account Disabled Account Enabled |
-| Undeclared | 0x0004 | 4 | This flag is undeclared. | Changes of this flag do not show in 4741 events. |
-| HOMEDIR\_REQUIRED | 0x0008 | 8 | The home folder is required. | 'Home Directory Required' - Enabled 'Home Directory Required' - Disabled |
-| LOCKOUT | 0x0010 | 16 | | Changes of this flag do not show in 4741 events. |
-| PASSWD\_NOTREQD | 0x0020 | 32 | No password is required. | 'Password Not Required' - Enabled 'Password Not Required' - Disabled |
-| PASSWD\_CANT\_CHANGE | 0x0040 | 64 | The user cannot change the password. This is a permission on the user's object. | Changes of this flag do not show in 4741 events. |
-| ENCRYPTED\_TEXT\_PWD\_ALLOWED | 0x0080 | 128 | The user can send an encrypted password. Can be set using “Store password using reversible encryption” checkbox. | 'Encrypted Text Password Allowed' - Disabled 'Encrypted Text Password Allowed' - Enabled |
-| TEMP\_DUPLICATE\_ACCOUNT | 0x0100 | 256 | This is an account for users whose primary account is in another domain. This account provides user access to this domain, but not to any domain that trusts this domain. This is sometimes referred to as a local user account. | Cannot be set for computer account. |
-| NORMAL\_ACCOUNT | 0x0200 | 512 | This is a default account type that represents a typical user. | 'Normal Account' - Disabled 'Normal Account' - Enabled |
-| INTERDOMAIN\_TRUST\_ACCOUNT | 0x0800 | 2048 | This is a permit to trust an account for a system domain that trusts other domains. | Cannot be set for computer account. |
-| WORKSTATION\_TRUST\_ACCOUNT | 0x1000 | 4096 | This is a computer account for a computer that is running Microsoft Windows NT 4.0 Workstation, Microsoft Windows NT 4.0 Server, Microsoft Windows 2000 Professional, or Windows 2000 Server and is a member of this domain. | 'Workstation Trust Account' - Disabled 'Workstation Trust Account' - Enabled |
-| SERVER\_TRUST\_ACCOUNT | 0x2000 | 8192 | This is a computer account for a domain controller that is a member of this domain. | 'Server Trust Account' - Enabled 'Server Trust Account' - Disabled |
-| DONT\_EXPIRE\_PASSWORD | 0x10000 | 65536 | Represents the password, which should never expire on the account. Can be set using “Password never expires” checkbox. | 'Don't Expire Password' - Disabled 'Don't Expire Password' - Enabled |
-| MNS\_LOGON\_ACCOUNT | 0x20000 | 131072 | This is an MNS logon account. | 'MNS Logon Account' - Disabled 'MNS Logon Account' - Enabled |
-| SMARTCARD\_REQUIRED | 0x40000 | 262144 | When this flag is set, it forces the user to log on by using a smart card. | 'Smartcard Required' - Disabled 'Smartcard Required' - Enabled |
-| TRUSTED\_FOR\_DELEGATION | 0x80000 | 524288 | When this flag is set, the service account (the user or computer account) under which a service runs is trusted for Kerberos delegation. Any such service can impersonate a client requesting the service. To enable a service for Kerberos delegation, you must set this flag on the userAccountControl property of the service account. If you enable Kerberos constraint or unconstraint delegation or disable these types of delegation in Delegation tab you will get this flag changed. | 'Trusted For Delegation' - Enabled 'Trusted For Delegation' - Disabled |
-| NOT\_DELEGATED | 0x100000 | 1048576 | When this flag is set, the security context of the user is not delegated to a service even if the service account is set as trusted for Kerberos delegation. Can be set using “Account is sensitive and cannot be delegated” checkbox. | 'Not Delegated' - Disabled 'Not Delegated' - Enabled |
-| USE\_DES\_KEY\_ONLY | 0x200000 | 2097152 | Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys. Can be set using “Use Kerberos DES encryption types for this account” checkbox. | 'Use DES Key Only' - Disabled 'Use DES Key Only' - Enabled |
-| DONT\_REQ\_PREAUTH | 0x400000 | 4194304 | This account does not require Kerberos pre-authentication for logging on. Can be set using “Do not require Kerberos preauthentication” checkbox. | 'Don't Require Preauth' - Disabled 'Don't Require Preauth' - Enabled |
-| PASSWORD\_EXPIRED | 0x800000 | 8388608 | The user's password has expired. | Changes of this flag do not show in 4741 events. |
-| TRUSTED\_TO\_AUTH\_FOR\_DELEGATION | 0x1000000 | 16777216 | The account is enabled for delegation. This is a security-sensitive setting. Accounts that have this option enabled should be tightly controlled. This setting lets a service that runs under the account assume a client's identity and authenticate as that user to other remote servers on the network. If you enable Kerberos protocol transition delegation or disable this type of delegation in Delegation tab you will get this flag changed. | 'Trusted To Authenticate For Delegation' - Disabled 'Trusted To Authenticate For Delegation' - Enabled |
-| PARTIAL\_SECRETS\_ACCOUNT | 0x04000000 | 67108864 | The account is a read-only domain controller (RODC). This is a security-sensitive setting. Removing this setting from an RODC compromises security on that server. | No information. |
-
-> Table 7. User’s or Computer’s account UAC flags.
+- **New UAC Value** [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the value of the SAM implementation of account flags (definition differs from userAccountControl in AD). For a list of account flags you may see here, refer to [[MS-SAMR]: USER_ACCOUNT Codes](/openspecs/windows_protocols/ms-samr/b10cfda1-f24f-441b-8f43-80cb93e786ec).
- **User Parameters** \[Type = UnicodeString\]: if you change any setting using Active Directory Users and Computers management console in Dial-in tab of computer’s account properties, then you will see `` in this field in “[4742](event-4742.md)(S): A computer account was changed.” This parameter might not be captured in the event, and in that case appears as `-`.
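Review bot: deleting Table 7 also deletes its last column, the field-text strings such as `'Trusted For Delegation' - Enabled` / `'Trusted For Delegation' - Disabled`, and the replacement bullet points only at [MS-SAMR] USER_ACCOUNT Codes; unless that reference reproduces those display strings, a reader who sees that text in an event can no longer map it back to the flag. Consider keeping the field-text column, or at least the rows the table itself marks as security-sensitive (TRUSTED_FOR_DELEGATION, TRUSTED_TO_AUTH_FOR_DELEGATION, DONT_REQ_PREAUTH, PASSWD_NOTREQD, PARTIAL_SECRETS_ACCOUNT), next to the new link. Minor: the new bullet writes `[Type = UnicodeString]` while the unchanged User Parameters bullet below still escapes it as `\[Type = UnicodeString\]`; the page should use one form.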
diff --git a/windows/security/threat-protection/auditing/event-4742.md b/windows/security/threat-protection/auditing/event-4742.md
index 6d58542822..4a82933448 100644
--- a/windows/security/threat-protection/auditing/event-4742.md
+++ b/windows/security/threat-protection/auditing/event-4742.md
@@ -197,43 +197,9 @@ Typical **Primary Group** values for computer accounts:
> [!NOTE]
> **Service Principal Name (SPN)** is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host.
-- **Old UAC Value** \[Type = UnicodeString\]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the previous value of **userAccountControl** attribute of computer object.
+- **Old UAC Value** [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the previous value of the SAM implementation of account flags (definition differs from userAccountControl in AD).
-- **New UAC Value** \[Type = UnicodeString\]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. If the value of **userAccountControl** attribute of computer object was changed, you will see the new value here.
-
-To decode this value, you can go through the property value definitions in the “Table 7. User’s or Computer’s account UAC flags.” from largest to smallest. Compare each property value to the flags value in the event. If the flags value in the event is greater than or equal to the property value, then the property is "set" and applies to that event. Subtract the property value from the flags value in the event and note that the flag applies and then go on to the next flag.
-
-Here's an example: Flags value from event: 0x15
-
-Decoding:
-
-• PASSWD\_NOTREQD 0x0020
-
-• LOCKOUT 0x0010
-
-• HOMEDIR\_REQUIRED 0x0008
-
-• (undeclared) 0x0004
-
-• ACCOUNTDISABLE 0x0002
-
-• SCRIPT 0x0001
-
-0x0020 > 0x15, so PASSWD\_NOTREQD does not apply to this event
-
-0x10 < 0x15, so LOCKOUT applies to this event. 0x15 - 0x10 = 0x5
-
-0x4 < 0x5, so the undeclared value is set. We'll pretend it doesn't mean anything. 0x5 - 0x4 = 0x1
-
-0x2 > 0x1, so ACCOUNTDISABLE does not apply to this event
-
-0x1 = 0x1, so SCRIPT applies to this event. 0x1 - 0x1 = 0x0, we're done.
-
-So this UAC flags value decodes to: LOCKOUT and SCRIPT
-
-- **User Account Control** \[Type = UnicodeString\]**:** shows the list of changes in **userAccountControl** attribute. You will see a line of text for each change. See possible values in here: “Table 7. User’s or Computer’s account UAC flags.”. In the “User Account Control field text” column, you can see text that will be displayed in the **User Account Control** field in 4742 event.
-
-
+- **New UAC Value** [Type = UnicodeString]: specifies flags that control password, lockout, disable/enable, script, and other behavior for the user or computer account. This parameter contains the value of the SAM implementation of account flags (definition differs from userAccountControl in AD). If the value was changed, you will see the new value here. For a list of account flags you may see here, refer to [[MS-SAMR]: USER_ACCOUNT Codes](/openspecs/windows_protocols/ms-samr/b10cfda1-f24f-441b-8f43-80cb93e786ec).
- **User Parameters** \[Type = UnicodeString\]: if you change any setting using Active Directory Users and Computers management console in Dial-in tab of computer’s account properties, then you will see `` in this field.
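Review bot: the bullet for the **User Account Control** field (the removed line starting `- **User Account Control** \[Type = UnicodeString\]`) is dropped outright rather than rewritten, although that line states the field is displayed in the 4742 event; after this change the Old/New UAC Value pair is documented but the field listing the individual flag changes is not. Keep the bullet and point its "possible values" sentence at the new [MS-SAMR] reference instead of the removed Table 7. The removed walkthrough (0x15 decoding to LOCKOUT and SCRIPT) was also what told readers the value is a bit mask to be decoded flag by flag; a one-sentence note that the value is a combination of the [MS-SAMR] codes would preserve that at little cost. Minor: the rewritten bullets drop the `\[`/`\]` escapes that the unchanged User Parameters bullet still uses, and that bullet's inline code span between `you will see` and `in this field` is empty.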
diff --git a/windows/whats-new/TOC.yml b/windows/whats-new/TOC.yml
index 2bd556b46f..c9468c7091 100644
--- a/windows/whats-new/TOC.yml
+++ b/windows/whats-new/TOC.yml
@@ -12,7 +12,9 @@
- name: Prepare for Windows 11
href: windows-11-prepare.md
- name: Windows 11 enterprise feature control
- href: temporary-enterprise-feature-control.md
+ href: temporary-enterprise-feature-control.md
+ - name: What's new in Windows 11, version 23H2
+ href: whats-new-windows-11-version-23h2.md
- name: What's new in Windows 11, version 22H2
href: whats-new-windows-11-version-22h2.md
- name: Windows 10
@@ -36,6 +38,6 @@
- name: Deprecated Windows features
href: deprecated-features.md
- name: Resources for deprecated features
- href: deprecated-features-resources.md
+ href: deprecated-features-resources.md
- name: Removed Windows features
href: removed-features.md
\ No newline at end of file
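Review bot: the `\ No newline at end of file` marker sits after the unchanged last line, so the file still ends without a trailing newline after this whitespace-only fix; since the hunk already touches the last block, add the newline so later edits to the final entry do not keep producing this marker.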
diff --git a/windows/whats-new/deprecated-features.md b/windows/whats-new/deprecated-features.md
index 487d603e5c..db9fd0dbb9 100644
--- a/windows/whats-new/deprecated-features.md
+++ b/windows/whats-new/deprecated-features.md
@@ -1,7 +1,7 @@
---
title: Deprecated features in the Windows client
description: Review the list of features that Microsoft is no longer actively developing in Windows 10 and Windows 11.
-ms.date: 10/31/2023
+ms.date: 11/16/2023
ms.prod: windows-client
ms.technology: itpro-fundamentals
ms.localizationpriority: medium
@@ -34,17 +34,22 @@ The features in this article are no longer being actively developed, and might b
> [!NOTE]
> If you have feedback about the proposed replacement of any of these features, you can use the [Feedback Hub app](https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332).
-|Feature | Details and mitigation | Deprecation announced |
-| ----------- | --------------------- | ---- |
-| Microsoft Defender Application Guard for Office | [Microsoft Defender Application Guard for Office](/microsoft-365/security/office-365-security/install-app-guard) is deprecated and is no longer being updated. This deprecation also includes the [Windows.Security.Isolation APIs](/uwp/api/windows.security.isolation) that are used for Microsoft Defender Application Guard for Office. We recommend transitioning to Microsoft Defender for Endpoint [attack surface reduction rules](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction) along with [Protected View](/microsoft-365/security/office-365-security/protect-against-threats#safe-attachments-policies-in-microsoft-defender-for-office-365) and [Windows Defender Application Control](/windows/security/application-security/application-control/windows-defender-application-control/wdac). | October 2023 |
+| Feature | Details and mitigation | Deprecation announced |
+|---|---|---|
+| Microsoft Defender Application Guard for Office | [Microsoft Defender Application Guard for Office](/microsoft-365/security/office-365-security/install-app-guard) is deprecated and is no longer being updated. This deprecation also includes the [Windows.Security.Isolation APIs](/uwp/api/windows.security.isolation) that are used for Microsoft Defender Application Guard for Office. We recommend transitioning to Microsoft Defender for Endpoint [attack surface reduction rules](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction) along with [Protected View](/microsoft-365/security/office-365-security/protect-against-threats#safe-attachments-policies-in-microsoft-defender-for-office-365) and [Windows Defender Application Control](/windows/security/application-security/application-control/windows-defender-application-control/wdac). | November 2023 |
+| Steps Recorder (psr.exe) | Steps Recorder is no longer being updated and will be removed in a future release of Windows. For screen recording, we recommend the Snipping Tool, Xbox Game Bar, or Microsoft Clipchamp. | November 2023 |
+| Tips | The Tips app is deprecated and will be removed in a future release of Windows. Content in the app will continue to be updated with information about new Windows features until the app is removed. | November 2023 |
+| Computer Browser | The Computer Browser driver and service are deprecated. The browser (browser protocol and service) is a dated and insecure device location protocol. This protocol, service, and driver were first disabled by default in Windows 10 with the removal of the SMB1 service. For more information on Computer Browser, see [MS-BRWS Common Internet File System](/openspecs/windows_protocols/ms-brws/3cfbad92-09b3-4abc-808f-c6f6347d5677). | November 2023 |
+| Webclient (WebDAV) Service | The Webclient (WebDAV) service is deprecated. The Webclient service isn't started by default in Windows. For more information on WebDAV, see [WebDAV - Win32 apps](/windows/win32/webdav/webdav-portal). | November 2023 |
+| Remote Mailslots | Remote Mailslots are deprecated. The Remote Mailslot protocol is a dated, simple, unreliable, insecure IPC method first introduced in MS DOS. This protocol was first disabled by default in [Windows 11 Insider Preview Build ](https://blogs.windows.com/windows-insider/2023/03/08/announcing-windows-11-insider-preview-build-25314/). For more information on Remote Mailslots, see [About Mailslots](/windows/win32/ipc/about-mailslots) and [[MS-MAIL]: Remote Mailslot Protocol](/openspecs/windows_protocols/ms-mail/8ea19aa4-6e5a-4aed-b628-0b5cd75a1ab9).| November 2023 |
| Timeline for Microsoft Entra accounts | Cross-device syncing of Microsoft Entra user activity history will stop starting in January 2024. Microsoft will stop storing this data in the cloud, aligning with [the previous change for Microsoft accounts (MSA)](https://blogs.windows.com/windows-insider/2021/04/14/announcing-windows-10-insider-preview-build-21359) in 2021. The timeline user experience was retired in Windows 11, although it remains in Windows 10. The timeline user experience and all your local activity history still remains on Windows 10 devices. Users can access web history using their browser and access recent files through OneDrive and Office. | October 2023 |
-| VBScript | VBScript is being deprecated. In future releases of Windows, VBScript will be available as a feature on demand before its removal from the operating system. For more information, see [Resources for deprecated features](deprecated-features-resources.md#vbscript). | October 2023 |
+| VBScript | VBScript is deprecated. In future releases of Windows, VBScript will be available as a feature on demand before its removal from the operating system. For more information, see [Resources for deprecated features](deprecated-features-resources.md#vbscript). | October 2023 |
| WordPad | WordPad is no longer being updated and will be removed in a future release of Windows. We recommend Microsoft Word for rich text documents like .doc and .rtf and Windows Notepad for plain text documents like .txt. | September 1, 2023 |
| AllJoyn | Microsoft's implementation of AllJoyn which included the [Windows.Devices.AllJoyn API namespace](/uwp/api/windows.devices.alljoyn), a [Win32 API](/windows/win32/api/_alljoyn/), a [management configuration service provider (CSP)](/windows/client-management/mdm/alljoynmanagement-csp), and an [Alljoyn Router Service](/windows-server/security/windows-services/security-guidelines-for-disabling-system-services-in-windows-server#alljoyn-router-service) has been deprecated. [AllJoyn](https://openconnectivity.org/technology/reference-implementation/alljoyn/), sponsored by AllSeen Alliance, was an open source discovery and communication protocol for Internet of Things scenarios such as turning on/off lights or reading temperatures.AllSeen Alliance promoted the AllJoyn project from 2013 until 2016 when it merged with the Open Connectivity Foundation (OCF), the sponsors of [Iotivity.org](https://iotivity.org/), another protocol for Internet of Things scenarios. Customers should refer to the [Iotivity.org](https://iotivity.org/) website for alternatives such as [Iotivity Lite](https://github.com/iotivity/iotivity-lite) or [Iotivity](https://github.com/iotivity/iotivity). | August 17, 2023 |
| TLS 1.0 and 1.1 | Over the past several years, internet standards and regulatory bodies have [deprecated or disallowed](https://www.ietf.org/rfc/rfc8996.html) TLS versions 1.0 and 1.1 due to various security issues. Starting in Windows 11 Insider Preview builds for September 2023 and continuing in future Windows OS releases, TLS 1.0 and 1.1 will be disabled by default. This change increases the security posture of Windows customers and encourages modern protocol adoption. For organizations that need to use these versions, there's an option to re-enable TLS 1.0 or TLS 1.1. For more information, see [Resources for deprecated features](deprecated-features-resources.md). | August 1, 2023|
| Cortana in Windows | Cortana in Windows as a standalone app is deprecated. This change only impacts Cortana in Windows, and your productivity assistant, Cortana, will continue to be available in Outlook mobile, Teams mobile, Microsoft Teams display, and Microsoft Teams rooms. | June 2023 |
| Microsoft Support Diagnostic Tool (MSDT) | [MSDT](/windows-server/administration/windows-commands/msdt) is deprecated and will be removed in a future release of Windows. MSDT is used to gather diagnostic data for analysis by support professionals. For more information, see [Resources for deprecated features](deprecated-features-resources.md) | January 2023 |
-| Universal Windows Platform (UWP) Applications for 32-bit Arm | This change is applicable only to devices with an Arm processor, for example Snapdragon processors from Qualcomm. If you have a PC built with a processor from Intel or AMD, this content is not applicable. If you are not sure which type of processor you have, check **Settings** > **System** > **About**. Support for 32-bit Arm versions of applications will be removed in a future release of Windows 11. After this change, for the small number of applications affected, app features might be different and you might notice a difference in performance. For more technical details about this change, see [Update app architecture from Arm32 to Arm64](/windows/arm/arm32-to-arm64). | January 2023 |
+| Universal Windows Platform (UWP) Applications for 32-bit Arm | This change is applicable only to devices with an Arm processor, for example Snapdragon processors from Qualcomm. If you have a PC built with a processor from Intel or AMD, this content isn't applicable. If you aren't sure which type of processor you have, check **Settings** > **System** > **About**. Support for 32-bit Arm versions of applications will be removed in a future release of Windows 11. After this change, for the small number of applications affected, app features might be different and you might notice a difference in performance. For more technical details about this change, see [Update app architecture from Arm32 to Arm64](/windows/arm/arm32-to-arm64). | January 2023 |
| Update Compliance | [Update Compliance](/windows/deployment/update/update-compliance-monitor), a cloud-based service for the Windows client, is no longer being developed. This service has been replaced with [Windows Update for Business reports](/windows/deployment/update/wufb-reports-overview), which provides reporting on client compliance with Microsoft updates from the Azure portal. | November 2022|
| Windows Information Protection | [Windows Information Protection](/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip) will no longer be developed in future versions of Windows. For more information, see [Announcing sunset of Windows Information Protection (WIP)](https://go.microsoft.com/fwlink/?linkid=2202124).
For your data protection needs, Microsoft recommends that you use [Microsoft Purview Information Protection](/microsoft-365/compliance/information-protection) and [Microsoft Purview Data Loss Prevention](/microsoft-365/compliance/dlp-learn-about-dlp). | July 2022 |
| BitLocker To Go Reader | **Note: BitLocker to Go as a feature is still supported.** Reading of BitLocker-protected removable drives ([BitLocker To Go](/windows/security/information-protection/bitlocker/bitlocker-to-go-faq)) from Windows XP or Windows Vista in later operating systems is deprecated and might be removed in a future release of Windows client. The following items might not be available in a future release of Windows client: - ADMX policy: **Allow access to BitLocker-protected removable data drives from earlier versions of Windows** - Command line parameter: [`manage-bde -DiscoveryVolumeType`](/windows-server/administration/windows-commands/manage-bde-on) (-dv) - Catalog file: **c:\windows\BitLockerDiscoveryVolumeContents** - BitLocker 2 Go Reader app: **bitlockertogo.exe** and associated files | 21H1 |
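Review bot: the Microsoft Defender Application Guard for Office row changes its "Deprecation announced" value from October 2023 to November 2023 with no other change to the row; confirm which month is intended, since the removed line was already published with October. In the new Remote Mailslots row the link text `[Windows 11 Insider Preview Build ]` has a trailing space where the build number belongs; the URL it points to names build 25314, so the text should read `Windows 11 Insider Preview Build 25314`. While the table is being reworked, the unchanged Windows Information Protection row is split across two physical lines (the text after `linkid=2202124).` continues on a new line), which is likely to render as a broken table row in Markdown.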
diff --git a/windows/whats-new/index.yml b/windows/whats-new/index.yml
index 193ffc24a8..88f1b323b1 100644
--- a/windows/whats-new/index.yml
+++ b/windows/whats-new/index.yml
@@ -15,12 +15,12 @@ metadata:
author: aczechowski
ms.author: aaroncz
manager: aaroncz
- ms.date: 11/14/2022
+ ms.date: 10/31/2023
localization_priority: medium
landingContent:
- - title: Windows 11
+ - title: Windows 11 planning
linkLists:
- linkListType: overview
links:
@@ -35,9 +35,18 @@ landingContent:
- text: Windows commercial licensing overview
url: windows-licensing.md
+ - title: Windows 11
+ linkLists:
+ - linkListType: whats-new
+ links:
+ - text: What's new in Windows 11, version 23H2
+ url: whats-new-windows-11-version-23h2.md
+ - text: What's new in Windows 11, version 22H2
+ url: whats-new-windows-11-version-22h2.md
+
- title: Windows 10
linkLists:
- - linkListType: overview
+ - linkListType: whats-new
links:
- text: What's new in Windows 10, version 22H2
url: whats-new-windows-10-version-22h2.md
diff --git a/windows/whats-new/temporary-enterprise-feature-control.md b/windows/whats-new/temporary-enterprise-feature-control.md
index 65ebf38755..ba0ca795c1 100644
--- a/windows/whats-new/temporary-enterprise-feature-control.md
+++ b/windows/whats-new/temporary-enterprise-feature-control.md
@@ -8,7 +8,7 @@ author: mestew
manager: aaroncz
ms.localizationpriority: medium
ms.topic: reference
-ms.date: 09/26/2023
+ms.date: 11/01/2023
ms.collection:
- highpri
- tier2
@@ -39,7 +39,7 @@ Features that are behind temporary enterprise control will be enabled when one o
### Policy settings for temporary enterprise feature control
-You can use a policy to enable features that are behind temporary enterprise feature control. When this policy is enabled, all features that were disabled behind temporary enterprise feature control are turned on when the device next reboots. The following polices apply to Windows 11, version 22H2 with [KB5022845](https://support.microsoft.com/en-us/topic/february-14-2023-kb5022845-os-build-22621-1265-90a807f4-d2e8-486e-8a43-d09e66319f38) and later:
+You can use a policy to enable features that are behind temporary enterprise feature control. When this policy is enabled, all features that were disabled behind temporary enterprise feature control are turned on when the device next reboots. The following polices apply to Windows 11, version 22H2 with [KB5022845](https://support.microsoft.com/kb/5022845) and later:
- **Group Policy:** Computer Configuration\Administrative Templates\Windows Components\Windows Update\Manage end user experience\\**Enable features introduced via servicing that are off by default**
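Review bot: the rewritten sentence keeps the typo `The following polices apply` (should be `policies`); since the line is being edited for the KB link anyway, fix it in the same change.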
@@ -52,12 +52,12 @@ The following features are behind temporary enterprise control in Windows 11:
| Feature | KB article where the feature was introduced | Feature update that ends temporary control | Notes |
|---|---|---|---|
-| Touch-optimized taskbar for 2-in-1 devices | [February 28, 2023 - KB5022913](https://support.microsoft.com/topic/february-28-2023-kb5022913-os-build-22621-1344-preview-3e38c0d9-924d-4f3f-b0b6-3bd49b2657b9) | 2023 annual feature update | |
-| Selecting **Uninstall** for a Win32 app from the right-click menu uses the **Installed Apps** page in **Settings** rather than **Programs and Features** under the **Control Panel** | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | 2023 annual feature update | |
-| Windows Spotlight provides a minimized experience, opportunities to learn more about each image, and allows users to preview images at full screen.| [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | 2023 annual feature update | This feature also has a permanent control: **CSP**: ./User/Vendor/MSFT/Policy/Config/Experience/[AllowWindowsSpotlight](/windows/client-management/mdm/policy-csp-experience#allowwindowsspotlight) **Group Policy**: User Configuration\Administrative Templates\Windows Components\Cloud Content\\**Turn off all Windows spotlight features**|
-| Copilot in Windows | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | 2023 annual feature update | This feature has a permanent control. For more information, see the [Windows 11 features with permanent enterprise feature control](#windows-11-features-with-permanent-enterprise-feature-control) section. |
-| Dev Home | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | 2023 annual feature update | `Get-AppxPackage -Name Microsoft.Windows.DevHome` |
-|Dev Drive | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | 2023 annual feature update | This feature has multiple permanent controls. For more information, see the [Windows 11 features with permanent enterprise feature control](#windows-11-features-with-permanent-enterprise-feature-control) section |
+| Touch-optimized taskbar for 2-in-1 devices | [February 28, 2023 - KB5022913](https://support.microsoft.com/kb/5022913) | [Feature Update to Windows 11, version 23H2](https://support.microsoft.com/kb/5027397) | |
+| Selecting **Uninstall** for a Win32 app from the right-click menu uses the **Installed Apps** page in **Settings** rather than **Programs and Features** under the **Control Panel** | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | [Feature Update to Windows 11, version 23H2](https://support.microsoft.com/kb/5027397) | |
+| Windows Spotlight provides a minimized experience, opportunities to learn more about each image, and allows users to preview images at full screen.| [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | [Feature Update to Windows 11, version 23H2](https://support.microsoft.com/kb/5027397) | This feature also has a permanent control: **CSP**: ./User/Vendor/MSFT/Policy/Config/Experience/[AllowWindowsSpotlight](/windows/client-management/mdm/policy-csp-experience#allowwindowsspotlight) **Group Policy**: User Configuration\Administrative Templates\Windows Components\Cloud Content\\**Turn off all Windows spotlight features**|
+| Copilot in Windows | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | [Feature Update to Windows 11, version 23H2](https://support.microsoft.com/kb/5027397) | This feature has a permanent control. For more information, see the [Windows 11 features with permanent enterprise feature control](#windows-11-features-with-permanent-enterprise-feature-control) section. |
+| Dev Home | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | [Feature Update to Windows 11, version 23H2](https://support.microsoft.com/kb/5027397) | `Get-AppxPackage -Name Microsoft.Windows.DevHome` |
+| Dev Drive | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | [Feature Update to Windows 11, version 23H2](https://support.microsoft.com/kb/5027397) | This feature has multiple permanent controls. For more information, see the [Windows 11 features with permanent enterprise feature control](#windows-11-features-with-permanent-enterprise-feature-control) section |
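Review bot: the Dev Home row's Notes cell is still just the bare command `Get-AppxPackage -Name Microsoft.Windows.DevHome` with no sentence saying what it is for, unlike the other rows' Notes cells, which name a permanent control; add a lead-in such as "To check whether the package is present, run ..." so the reader knows it is a verification step and not a control.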
## Permanent enterprise feature control
@@ -69,9 +69,9 @@ The following features introduced through the monthly cumulative updates allow p
| Feature | KB article where the feature was introduced | Feature enabled by default | CSP and Group Policy |
|---|---|---|---|
-| Configure search on the taskbar | [February 28, 2023 - KB5022913](https://support.microsoft.com/topic/february-28-2023-kb5022913-os-build-22621-1344-preview-3e38c0d9-924d-4f3f-b0b6-3bd49b2657b9)| Yes | **CSP**: ./Device/Vendor/MSFT/Policy/Config/Search/[ConfigureSearchOnTaskbarMode](/windows/client-management/mdm/policy-csp-search#configuresearchontaskbarmode) **Group Policy**: Computer Configuration\Administrative Templates\Windows Components\Search\\**Configures search on the taskbar**|
+| Configure search on the taskbar | [February 28, 2023 - KB5022913](https://support.microsoft.com/kb/5022913) | Yes | **CSP**: ./Device/Vendor/MSFT/Policy/Config/Search/[ConfigureSearchOnTaskbarMode](/windows/client-management/mdm/policy-csp-search#configuresearchontaskbarmode) **Group Policy**: Computer Configuration\Administrative Templates\Windows Components\Search\\**Configures search on the taskbar**|
| The **Recommended** section of the **Start Menu** displays personalized website recommendations |[September 2023 - KB5030310](https://support.microsoft.com/kb/5030310)| No |**CSP**: ./Device/Vendor/MSFT/Policy/Config/Start/[HideRecoPersonalizedSites](/windows/client-management/mdm/policy-csp-start) **Group Policy**: Computer Configuration\Administrative Templates\Start Menu and Taskbar\\**Remove Personalized Website Recommendations from the Recommended section in the Start Menu**|
| **Recommended** section added to File Explorer Home for users signed into Windows with an Azure AD account. | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | Yes | **CSP**:./Device/Vendor/MSFT/Policy/Config/FileExplorer/[DisableGraphRecentItems](/windows/client-management/mdm/policy-csp-fileexplorer#disablegraphrecentitems) **Group Policy**: Computer Configuration\Administrative Templates\Windows Components\File Explorer\\**Turn off files from Office.com in Quick Access View** **Note**: This control disables additional items beyond the **Recommended** items. Review the policy before implementing this control. |
| Transfer files to another PC using WiFi direct|[September 2023 - KB5030310](https://support.microsoft.com/kb/5030310)|Yes|**CSP**: ./Device/Vendor/MSFT/Policy/Config/Wifi/[AllowWiFiDirect](/windows/client-management/mdm/policy-csp-wifi#allowwifidirect)|
-| Copilot in Windows | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | Yes |**CSP**: ./User/Vendor/MSFT/WindowsAI/[TurnOffWindowsCopilot](/windows/client-management/mdm/policy-csp-windowsai#turnoffwindowscopilot) **Group Policy**: User Configuration\Administrative Templates\Windows Components\Windows Copilot\\**Turn off Windows Copilot**|
+| Copilot in Windows | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | Yes |**CSP**: ./User/Vendor/MSFT/Policy/Config/WindowsAI/[TurnOffWindowsCopilot](/windows/client-management/mdm/policy-csp-windowsai#turnoffwindowscopilot) **Group Policy**: User Configuration\Administrative Templates\Windows Components\Windows Copilot\\**Turn off Windows Copilot**|
|Dev Drive | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | Yes |**CSPs**: - ./Device/Vendor/MSFT/Policy/Config/FileSystem/[EnableDevDrive](/windows/client-management/mdm/policy-csp-filesystem#enableeeverive) - ./Device/Vendor/MSFT/Policy/Config/FileSystem/[DevDriveAttachPolicy](/windows/client-management/mdm/policy-csp-filesystem#devdriveattachpolicy) **Group Policies**: - Computer Configuration\Administrative Templates\System\FileSystem\\**Enable dev drive** - Computer Configuration\Administrative Templates\System\FileSystem\\**Dev drive filter attach policy**|
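Review bot: the unchanged Dev Drive row directly below the corrected Copilot line links EnableDevDrive to the anchor `#enableeeverive`, which does not match the setting name in the link text (the sibling DevDriveAttachPolicy link uses `#devdriveattachpolicy`, so the expected anchor is `#enabledevdrive`); since this hunk is already correcting a CSP path in the same table, fix that anchor too. The File Explorer row in the same table still says "an Azure AD account" where the rest of this patch uses Microsoft Entra.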
diff --git a/windows/whats-new/whats-new-windows-10-version-1909.md b/windows/whats-new/whats-new-windows-10-version-1909.md
index d40de13c9d..5ab89168fd 100644
--- a/windows/whats-new/whats-new-windows-10-version-1909.md
+++ b/windows/whats-new/whats-new-windows-10-version-1909.md
@@ -55,7 +55,7 @@ Windows 10, version 1909 also includes two new features called **Key-rolling** a
### Transport Layer Security (TLS)
-An experimental implementation of TLS 1.3 is included in Windows 10, version 1909. TLS 1.3 is disabled by default system wide. If you enable TLS 1.3 on a device for testing, then it can also be enabled in Internet Explorer 11.0 and Microsoft Edge by using Internet Options. For beta versions of Microsoft Edge on Chromium, TLS 1.3 isn't built on the Windows TLS stack, and is instead configured independently, using the **Edge://flags** dialog. Also see [Microsoft Edge platform status](https://developer.microsoft.com/microsoft-edge/status/tls13/)
+An experimental implementation of TLS 1.3 is included in Windows 10, version 1909. TLS 1.3 is disabled by default system wide. If you enable TLS 1.3 on a device for testing, then it can also be enabled in Internet Explorer 11.0 and Microsoft Edge by using Internet Options. For beta versions of Microsoft Edge on Chromium, TLS 1.3 isn't built on the Windows TLS stack, and is instead configured independently, using the **Edge://flags** dialog.
>[!NOTE]
>The experiental implementation of TLS 1.3 isn't supported. TLS 1.3 is only supported on Windows 11 and Server 2022. For more information, see [Protocols in TLS/SSL (Schannel SSP)](/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp-).
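Review bot: dropping the trailing "Also see [Microsoft Edge platform status](...)" sentence removes the only pointer this paragraph gave for the Edge-on-Chromium TLS 1.3 behaviour, which the remaining text says is configured separately via **Edge://flags**; if the link is being removed because it is dead, fine, but the note in the unchanged context line still says "experiental" and should read "experimental" in the same pass.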
diff --git a/windows/whats-new/whats-new-windows-11-version-23h2.md b/windows/whats-new/whats-new-windows-11-version-23h2.md
new file mode 100644
index 0000000000..a6c474e939
--- /dev/null
+++ b/windows/whats-new/whats-new-windows-11-version-23h2.md
@@ -0,0 +1,125 @@
+---
+title: What's new in Windows 11, version 23H2 for IT pros
+description: Learn more about what's new in Windows 11 version 23H2, including servicing updates, Windows Subsystem for Linux, the latest CSPs, and more.
+manager: aaroncz
+ms.prod: windows-client
+ms.author: mstewart
+author: mestew
+ms.localizationpriority: medium
+ms.topic: conceptual
+ms.collection:
+ - highpri
+ - tier2
+ms.technology: itpro-fundamentals
+ms.date: 10/31/2023
+appliesto:
+ - ✅ Windows 11, version 23H2
+---
+
+# What's new in Windows 11, version 23H2
+
+Windows 11, version 23H2 is a feature update for Windows 11. It includes all features and fixes in previous cumulative updates to Windows 11, version 22H2. This article lists the new and updated features IT Pros should know.
+
+Windows 11, version 23H2 follows the [Windows 11 servicing timeline](/lifecycle/faq/windows#windows-11):
+
+- **Windows 11 Pro**: Serviced for 24 months from the release date.
+- **Windows 11 Enterprise**: Serviced for 36 months from the release date.
+
+Devices updating from Windows 11, version 22H2 use an enablement package. Most the files for the 23H2 update already exist on Windows 11, version 22H2 devices that have installed a recent monthly security update. Many of the new features have already been enabled on Windows 11, version 22H2 clients. However, some features are just in an inactive and dormant state because they are under [temporary enterprise feature control](temporary-enterprise-feature-control.md). These new features remain dormant until they're turned on through the enablement package, a small, quick-to-install switch that activates all of the Windows 11, version 23H2 features.
+
+Windows 11, version 23H2 is available through Windows Server Update Services (including Configuration Manager), Windows Update for Business, and the Volume Licensing Service Center (VLSC). For more information, see [How to get the Windows 11, version 23H2 update](https://blogs.windows.com/windowsexperience/?p=178531). Review the [Windows 11, version 23H2 Windows IT Pro blog post](https://aka.ms/new-in-23H2) to discover information about available deployment resources such as the [Windows Deployment Kit (Windows ADK)](/windows-hardware/get-started/adk-install).
+
+
+To learn more about the status of the update rollout, known issues, and new information, see [Windows release health](/windows/release-health/).
+
+## Features no longer under temporary enterprise control
+
+[Temporary enterprise feature control](temporary-enterprise-feature-control.md) temporarily turns off certain features that were introduced during monthly cumulative updates for managed Windows 11, version 22H2 devices. For the purposes of temporary enterprise control, a system is considered managed if it's configured to get updates from Windows Update for Business or [Windows Server Update Services (WSUS)](/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus). Clients that get updates from Microsoft Configuration Manager and Microsoft Intune are considered managed since their updates ultimately come from WSUS or Windows Updates for Business.
+
+When a manged Windows 11, version 22H2 device installs [version 23H2](https://support.microsoft.com/kb/5027397), the following features will no longer under be under temporary enterprise feature control:
+
+| Feature | KB article where the feature was introduced |
+|---|---|
+| Touch-optimized taskbar for 2-in-1 devices | [February 28, 2023 - KB5022913](https://support.microsoft.com/kb/5022913) |
+| Selecting **Uninstall** for a Win32 app from the right-click menu uses the **Installed Apps** page in **Settings** rather than **Programs and Features** under the **Control Panel** | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) |
+| Windows Spotlight provides a minimized experience, opportunities to learn more about each image, and allows users to preview images at full screen.| [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) |
+| Copilot in Windows | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) |
+| [Dev Home](/windows/dev-home/) | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) |
+| [Dev Drive](/windows/dev-drive/) | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) |
+
+## Features added to Windows 11 since version 22H2
+
+Starting with Windows 11, version 22H2, new features and enhancements were introduced periodically to provide continuous innovation for Windows 11. These features and enhancements use the normal update servicing channels you're already familiar with. At first, new features are introduced with an optional nonsecurity preview release and gradually rolled out to clients. These new features are released later as part of a monthly security update release. For more information about continuous innovation, see [Update release cycle for Windows clients](/windows/deployment/update/release-cycle#continuous-innovation-for-windows-11) Some of the features were released within the past year's continuous innovation updates and carry forward into the 23H2 annual feature update include:
+
+
+### Passkeys in Windows
+
+Windows provides a native experience for passkey management. You can use the Settings app to view and manage passkeys saved for apps or websites. For more information, see [Support for passkeys in Windows](/windows/security/identity-protection/passkeys).
+
+### Windows passwordless experience
+
+Windows passwordless experience is a security policy that promotes a user experience without passwords on Microsoft Entra joined devices.
+When the policy is enabled, certain Windows authentication scenarios don't offer users the option to use a password, helping organizations and preparing users to gradually move away from passwords. For more information, see [Windows passwordless experience](/windows/security/identity-protection/passwordless-experience/).
+
+### Web sign-in for Windows
+
+You can enable a web-based sign-in experience on Microsoft Entra joined devices, unlocking new sign-in options and capabilities. For more information, see [Web sign-in for Windows](/windows/security/identity-protection/web-sign-in).
+
+### Declared configuration protocol
+
+**Declared configuration protocol** is a new protocol for device configuration management that's based on a desired state model and uses OMA-DM SyncML protocol. It allows the server to provide the device with a collection of settings for a specific scenario, and the device to handle the configuration request and maintain its state. For more information, see [What is the declared configuration protocol](/windows/client-management/declared-configuration).
+
+### Education themes
+
+You can deploy education themes to your devices. The education themes are designed for students using devices in a school. For more information, see [Configure education themes for Windows 11](/education/windows/edu-themes).
+
+### Temporary enterprise feature control
+
+Controls were added to temporarily turn off certain features that were introduced during monthly cumulative updates for managed Windows 11, version 22H2 devices. For more information, see [Temporary enterprise feature control](temporary-enterprise-feature-control.md).
+
+### Multi-app kiosk
+
+
+You can configure a multi-app kiosk, which displays a customized start menu of allowed apps. For more information, see [Set up a multi-app kiosk on Windows 11 devices](/windows/configuration/lock-down-windows-11-to-specific-apps).
+
+### Copilot in Windows
+
+Copilot in Windows provides centralized generative AI assistance to your users right from the Windows desktop. For more information, see [Manage Copilot in Windows](/windows/client-management/manage-windows-copilot).
+
+### Windows Hello for Business authentication improvement
+
+Peripheral face and fingerprint sensors can be used for Windows Hello for Business authentication on devices where Enhanced Sign-in Security (Secure Biometrics) has been enabled at the factory. Previously this functionality was blocked. For more information, see [Common questions about Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-faq).
+
+### LAPS native integration
+
+Use Windows Local Administrator Password Solution (LAPS) to regularly rotate and manage local administrator account passwords. For more information, see [Local Administrator Password Solution (LAPS)](/windows-server/identity/laps/laps-overview)
+
+### Federated sign-in
+
+You can sign into Windows using a federated identity, which simplifies the experience for students. For example, students and educators can use QR code badges to sign-in. This feature is designed specifically for Education editions of Windows. For more information, see [Configure federated sign-in for Windows devices](/education/windows/federated-sign-in).
+
+### Customize Windows 11 taskbar buttons
+
+[Policies to customize Windows 11 taskbar buttons](/windows/configuration/supported-csp-taskbar-windows#csp-policies-to-customize-windows-11-taskbar-buttons) were added to provide you with more control over the taskbar search experience across your organization.
+
+### Braille displays
+
+The compatibility of braille displays was expanded. Braille displays work seamlessly and reliably across multiple screen readers, improving the end user experience. We also added support for new braille displays and new braille input and output languages in Narrator. For more information, see [Accessibility information for IT professionals](/windows/configuration/windows-accessibility-for-ITPros).
+
+### Dev Drive
+
+Dev Drive is a new form of storage volume available to improve performance for key developer workloads. For more information, see [Set up a Dev Drive on Windows 11](/windows/dev-drive/).
+
+### Additional features
+
+
+- **Tabs for File Explorer**: File Explorer includes tabs to help you organize your File Explorer sessions.
+- **Taskbar overflow menu**: The taskbar offers an entry point to a menu that shows all of your overflowed apps in one spot.
+- **Suggested actions**: Copied text in certain formats, such as phone numbers or dates, offer suggested actions such as calling the number or adding the event to your calendar.
+- **Task Manager enhancements**: Process filtering, theme settings, and the ability to opt out of efficiency mode notification were added to Task Manager.
+- **Narrator improvements**: Scripting functionality was added to Narrator. Narrator includes more natural voices.
+
+### In-box apps
+
+- **Microsoft Teams**: Chat is being removed from the Microsoft Teams in-box app. Teams will no longer be pinned to the taskbar for enterprise editions of Windows 11, version 23H2 or later. To identify the appx package: `Get-AppxPackage -Name MicrosoftTeams`
+- **Dev Home**: Dev Home is a new app that provides a central location for developers to start building, testing, and deploying Windows apps. For more information, see [Dev Home](/windows/dev-home/). To identify the appx package: `Get-AppxPackage -Name Microsoft.Windows.DevHome`
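Review bot: the sentence introducing the temporary-enterprise-control table reads "When a manged Windows 11, version 22H2 device installs version 23H2, the following features will no longer under be under temporary enterprise feature control"; fix to "When a managed Windows 11, version 22H2 device installs version 23H2, the following features are no longer under temporary enterprise feature control". A few more wording fixes in the same file: "Most the files for the 23H2 update" should be "Most of the files for the 23H2 update"; "Windows Updates for Business" in the managed-device definition should be "Windows Update for Business" to match the rest of the page; the continuous-innovation paragraph is missing a period after the release-cycle link and then runs "Some of the features were released ... include:", which reads better as "Some of the features that were released in the past year's continuous innovation updates and carry forward into the 23H2 annual feature update include:"; the LAPS section ends without a period. There are also stray double blank lines before "To learn more about the status", before "### Passkeys in Windows", under "### Multi-app kiosk", and under "### Additional features". Finally, the table lists Copilot in Windows as leaving temporary enterprise feature control once 23H2 is installed, but the new file gives admins no pointer to the control that turns it off; since the same PR corrects the TurnOffWindowsCopilot CSP row in temporary-enterprise-feature-control.md, consider linking that policy (or the manage-windows-copilot article already cited in the Copilot section) from the table so readers know what to set before the enablement package lands.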