deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-27 00:03:45 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'main' of https://github.com/MicrosoftDocs/windows-docs-pr into dep-mixreal-8412877

Browse Source
This commit is contained in:
Meghan Stewart
2023-11-13 15:58:30 -08:00
parent 49e5a30f1a e36ae5f8eb
commit 3759a64b80
202 changed files with 1111 additions and 5326 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
.openpublishing.redirection.education.json
View File

@ -159,6 +159,21 @@
"source_path": "education/windows/windows-automatic-redeployment.md",
"redirect_url": "/education/windows/autopilot-reset",
"redirect_document_id": false
},
{
"source_path": "education/windows/tutorial-school-deployment/enroll-aadj.md",
"redirect_url": "/education/windows/tutorial-school-deployment/enroll-entra-join",
"redirect_document_id": false
},
{
"source_path": "education/windows/tutorial-school-deployment/set-up-azure-ad.md",
"redirect_url": "/education/windows/tutorial-school-deployment/set-up-microsoft-entra-id",
"redirect_document_id": false
},
{
"source_path": "education/windows/set-up-school-pcs-whats-new.md",
"redirect_url": "/education/windows",
"redirect_document_id": false
}
]
}

477
.openpublishing.redirection.windows-security.json
View File

@ -7479,6 +7479,481 @@
"source_path": "windows/security/operating-system-security/data-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md",
"redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker#device-encryption",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/basic-firewall-policy-design.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj721530(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/boundary-zone.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc725978(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/boundary-zone-gpos.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc770729(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/certificate-based-isolation-policy-design.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc731463(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/certificate-based-isolation-policy-design-example.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc771822(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/documenting-the-zones.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc753825(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/domain-isolation-policy-design.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc725818(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/domain-isolation-policy-design-example.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc732933(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/encryption-zone.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc753367(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/encryption-zone-gpos.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc770426(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/exemption-list.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc732202(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/firewall-gpos.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc771233(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/firewall-policy-design-example.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc731164(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/gpo-domiso-boundary.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc770565(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/gpo-domiso-encryption.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc754085(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/gpo-domiso-firewall.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc731123(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/gpo-domiso-isolateddomain-clients.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc770836(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/gpo-domiso-isolateddomain-servers.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc731908(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/isolated-domain.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc731788(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/isolated-domain-gpos.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc731447(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj721532(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/planning-certificate-based-authentication.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc730835(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/planning-domain-isolation-zones.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc771044(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/planning-gpo-deployment.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc771733(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc732752(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/planning-isolation-groups-for-the-zones.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc725693(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/planning-network-access-groups.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc771664(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/planning-server-isolation-zones.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc732615(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/planning-settings-for-a-basic-firewall-policy.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc754986(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/planning-the-gpos.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc771716(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc947826(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc730841(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/server-isolation-gpos.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc732486(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/server-isolation-policy-design.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj721528(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/server-isolation-policy-design-example.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc732413(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc770289(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-basic-firewall-settings.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc947845(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc947794(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc947848(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc947836(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc947800(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc947783(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-group-policy-objects.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc947791(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-inbound-firewall-rules.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc947799(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-outbound-firewall-rules.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc947827(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc947819(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717261(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717238(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717284(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717277(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc732023(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717256(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/protect-devices-from-unwanted-network-traffic.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc772556(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc770865(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/restrict-access-to-only-specified-users-or-devices.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc753064(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/restrict-access-to-only-trusted-devices.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc725659(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc731951(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717241(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security-design-guide.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc732024(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717262(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717263(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/assign-security-group-filters-to-the-gpo.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717260(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/change-rules-from-request-to-require-mode.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717237(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/configure-authentication-methods.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717279(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/configure-data-protection-quick-mode-settings.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717293(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717253(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/configure-key-exchange-main-mode-settings.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717249(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/configure-the-rules-to-require-encryption.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717270(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/configure-the-workstation-authentication-certificate-template.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717275(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717278(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/confirm-that-certificates-are-deployed-correctly.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717245(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717246(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/create-a-group-account-in-active-directory.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717247(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/create-a-group-policy-object.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717274(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/create-an-authentication-exemption-list-rule.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717243(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/create-an-authentication-request-rule.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717283(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/create-wmi-filters-for-the-gpo.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717288(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/enable-predefined-inbound-rules.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717281(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/enable-predefined-outbound-rules.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717259(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/exempt-icmp-from-authentication.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717292(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/link-the-gpo-to-the-domain.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717264(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717265(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717290(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717269(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717266(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/open-windows-firewall-with-advanced-security.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717254(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/restrict-server-access-to-members-of-a-group-only.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717267(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717251(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/verify-that-network-traffic-is-authenticated.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj717273(v=ws.11)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/gathering-the-information-you-need.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc731454(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/gathering-information-about-your-current-network-infrastructure.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc770899(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/gathering-information-about-your-active-directory-deployment.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc771366(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/gathering-information-about-your-devices.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc726039(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/gathering-other-relevant-information.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc771791(v=ws.10)",
"redirect_document_id": false
},
{
"source_path": "windows/security/operating-system-security/network-security/windows-firewall/determining-the-trusted-state-of-your-devices.md",
"redirect_url": "/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/cc753540(v=ws.10)",
"redirect_document_id": false
}
]
}
}

19
education/includes/education-content-updates.md
View File

@ -2,20 +2,13 @@
## Week of November 06, 2023
| Published On |Topic title | Change |
|------|------------|--------|
| 9/11/2023 | [Configure education themes for Windows 11](/education/windows/edu-themes) | modified |
| 9/11/2023 | [Configure federated sign-in for Windows devices](/education/windows/federated-sign-in) | modified |
## Week of September 04, 2023
| Published On |Topic title | Change |
|------|------------|--------|
| 9/5/2023 | [Configure federated sign-in for Windows devices](/education/windows/federated-sign-in) | modified |
| 9/5/2023 | [Windows for Education documentation](/education/windows/index) | modified |
|------|------------|--------|
| 11/7/2023 | [Reset devices with Autopilot Reset](/education/windows/autopilot-reset) | modified |
| 11/9/2023 | [Configure Stickers for Windows 11 SE](/education/windows/edu-stickers) | modified |
| 11/9/2023 | What's new in the Windows Set up School PCs app | removed |
| 11/9/2023 | [Management functionalities for Surface devices](/education/windows/tutorial-school-deployment/manage-surface-devices) | modified |

6
education/windows/autopilot-reset.md
View File

@ -5,10 +5,6 @@ ms.date: 08/10/2022
ms.topic: how-to
appliesto:
-<a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
ms.collection:
- highpri
- tier2
- education
---
# Reset devices with Autopilot Reset
@ -60,7 +56,7 @@ You can set the policy using one of these methods:
## Trigger Autopilot Reset
Autopilot Reset is a two-step process: trigger it and then authenticate. Once you've done these two steps, you can let the process execute and once it's done, the device is again ready for use.
]
To trigger Autopilot Reset:
1. From the Windows device lock screen, enter the keystroke: <kbd>CTRL</kbd> + <kbd>WIN</kbd> + <kbd>R</kbd>.

16
education/windows/edu-stickers.md
View File

@ -1,21 +1,17 @@
---
title: Configure Stickers for Windows 11 SE
description: Learn about the Stickers feature and how to configure it via Intune and provisioning package.
ms.date: 09/15/2022
ms.date: 11/09/2023
ms.topic: how-to
appliesto:
-<a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE</a>
ms.collection:
- highpri
- education
- tier2
---
# Configure Stickers for Windows 11 SE
Starting in **Windows 11 SE, version 22H2**, *Stickers* is a new feature that allows students to decorate their desktop with digital stickers. Students can choose from over 500 cheerful, education-friendly digital stickers. Stickers can be arranged, resized, and customized on top of the desktop background. Each student's stickers remain, even when the background changes.
Starting in **Windows 11 SE, version 22H2**, *Stickers* is a feature that allows students to decorate their desktop with digital stickers. Students can choose from over 500 cheerful, education-friendly digital stickers. Stickers can be arranged, resized, and customized on top of the desktop background. Each student's stickers remain, even when the background changes.
Similar to the [education theme packs](edu-themes.md "my tooltip example that opens in a new tab"), Stickers is a personalization feature that helps the device feel like it was designed for students.
Similar to the [education theme packs](edu-themes.md), Stickers is a personalization feature that helps the device feel like it was designed for students.
:::image type="content" source="./images/win-11-se-stickers.png" alt-text="Windows 11 SE desktop with 3 stickers" border="true":::
@ -35,9 +31,9 @@ Stickers aren't enabled by default. Follow the instructions below to configure y
[!INCLUDE [intune-custom-settings-1](../../includes/configure/intune-custom-settings-1.md)]
| Setting |
|--------|
| <li> OMA-URI: **`./Vendor/MSFT/Policy/Config/Stickers/EnableStickers`** </li><li>Data type: **Integer** </li><li>Value: **1**</li>|
| Setting |
|--------|
| <li> OMA-URI: **`./Vendor/MSFT/Policy/Config/Stickers/EnableStickers`** </li><li>Data type: **Integer** </li><li>Value: **1**</li>|
[!INCLUDE [intune-custom-settings-2](../../includes/configure/intune-custom-settings-2.md)]
[!INCLUDE [intune-custom-settings-info](../../includes/configure/intune-custom-settings-info.md)]

2
education/windows/edu-take-a-test-kiosk-mode.md
View File

@ -1,7 +1,7 @@
---
title: Configure Take a Test in kiosk mode
description: Learn how to configure Windows to execute the Take a Test app in kiosk mode, using Intune and provisioning packages.
ms.date: 09/30/2022
ms.date: 11/08/2023
ms.topic: how-to
---

1
education/windows/index.yml
View File

@ -10,7 +10,6 @@ metadata:
ms.technology: itpro-edu
ms.collection:
- education
- highpri
- tier1
author: paolomatarazzo
ms.author: paoloma

97
education/windows/set-up-school-pcs-whats-new.md
View File

@ -1,97 +0,0 @@
---
title: What's new in the Windows Set up School PCs app
description: Find out about app updates and new features in Set up School PCs.
ms.topic: whats-new
ms.date: 08/10/2022
---
# What's new in Set up School PCs
Learn what's new with the Set up School PCs app each week. Find out about new app features and functionality, see updated screenshots, and find information about past releases.
## Week of August 24, 2020
### Longer device names supported in app
You can now give devices running Windows 10, version 2004 and later a name that's up to 53 characters long.
## Week of September 23, 2019
### Easier way to deploy Office 365 to your classroom devices
Microsoft Office now appears as an option on the **Apps** screen. Select the app to add it to your provisioning package. Devices install Microsoft 365 Apps for enterprise. This version includes the cloud-connected and most current versions of apps such as Word, PowerPoint, Excel, and Teams.
## Week of June 24, 2019
### Resumed support for Windows 10, version 1903 and later
The previously mentioned provisioning problem was resolved, so the Set up School PCs app once again supports Windows 10, version 1903 and later. The Windows 10 settings that were removed are now back in the app.
### Device rename made optional for Azure AD-joined devices
When you set up your Azure AD join devices in the app, you no longer need to rename your devices. You can keep existing device names.
## Week of May 23, 2019
### Suspended support for Windows 10, version 1903 and later
Due to a provisioning problem, Set up School PCs has temporarily stopped support for Windows 10, version 1903 and later. All settings in the app that were for Windows 10, version 1903 and later have been removed. When the problem is resolved, support will resume again.
### Mandatory device rename for Azure AD-joined devices
If you configure Azure AD Join, you're now required to rename your devices during setup. You can't keep existing device names.
## Week of April 15, 2019
### Support for Minecraft Education Edition upgrade
Set up School PCs only adds apps to the provisioning package that meet the minimum supported version for Windows 10. For example, Minecraft is the most recent store app to upgrade; it's only installed on devices running Windows 10, version 1709 and later. If you select an earlier version of Windows, Minecraft won't be included in the provisioning package.
## Week of April 8, 2019
### Apps configured as non-removeable
Apps that you deploy with Set up School PCs are configured as non-removable apps. This feature prevents students from unpinning or uninstalling the apps they need.
### Domain name automatically added during sign-in
Specify your preferred Azure Active Directory tenant domain name to automatically append it to the username on the sign-in screen. With this setting, students don't need to type out long school domain names. To sign in, they type only their unique usernames.
### Set up devices with hidden Wi-Fi network
Set up devices so that they connect to a hidden Wi-Fi network. To configure a hidden network, open the app. When you get to **Wireless network**, choose **Add a Wi-Fi network**. Enter in your Wi-Fi information and select **Hidden network**.
## Week of December 31, 2018
### Add Microsoft Whiteboard to provisioning package
Microsoft Whiteboard is now a Microsoft-recommended app for schools. Whiteboard is a freeform digital canvas where ideas, content, and people come together; students can create and collaborate in real time in the classroom. Add the app to your provisioning package on the **Add apps** page. For more information, see [Use Set up School PCs app](use-set-up-school-pcs-app.md#create-the-provisioning-package).
## Week of November 5, 2018
### Sync school app inventory from Microsoft Store
During setup, you can now add apps from your school's Microsoft Store inventory. After you sign in with your school's Office 365 account, Set up School PCs will sync the apps from Microsoft Store, and make them visible on the **Add apps** page. For more information about adding apps, see [Use Set Up School PCs app](use-set-up-school-pcs-app.md#create-the-provisioning-package).
## Week of October 15, 2018
The Set up School PCs app was updated with the following changes:
### Three new setup screens added to the app
The following screens and functionality were added to the setup workflow. Select a screen name to view the relevant steps and screenshots in the Set Up School PCs docs.
* [**Package name**](use-set-up-school-pcs-app.md#package-name): Customize a package name to make it easy to recognize it from your school's other packages. Azure Active Directory generates the name. It appears as the filename, and as the token name in Azure AD in the Azure portal.
* [**Product key**](use-set-up-school-pcs-app.md#product-key): Enter a product key to upgrade your current edition of Windows 10, or change the existing product key.
* [**Personalization**](use-set-up-school-pcs-app.md#personalization): Upload images from your computer to customize how the lock screen and background appears on student devices.
### Azure AD token expiration extended to 180 days
Packages now expire 180 days from the date you create them.
### Updated apps with more helpful, descriptive text
The **Skip** buttons in the app now communicate the intent of each action. An **Exit** button also appears on the last page of the app.
### Option to keep existing device names
The [**Name these devices** screen](use-set-up-school-pcs-app.md#device-names) now gives you the option to keep the original or existing names of your student devices.
### Skype and Messaging apps to be removed from student PCs by default
The Skype and Messaging apps are part of a selection of apps that are, by default, removed from student devices.
## Next steps
Learn how to create provisioning packages and set up devices in the app.
* [What's in my provisioning package?](set-up-school-pcs-provisioning-package.md)
* [Set up School PCs technical reference](set-up-school-pcs-technical.md)
* [Set up Windows 10 devices for education](set-up-windows-10.md)
When you're ready to create and apply your provisioning package, see [Use Set up School PCs app](use-set-up-school-pcs-app.md).

6
education/windows/tutorial-school-deployment/configure-device-settings.md
View File

@ -1,7 +1,7 @@
---
title: Configure and secure devices with Microsoft Intune
description: Learn how to configure policies with Microsoft Intune in preparation for device deployment.
ms.date: 08/31/2022
ms.date: 11/09/2023
ms.topic: tutorial
---
@ -88,7 +88,7 @@ To create a security policy:
- Windows SmartScreen
For more information, see [Security][INT-4].
> [!NOTE]
> If you require more sophisticated security policies, you can create them in Microsoft Intune. For more information:
> - [<u>Antivirus</u>][MEM-2]
@ -98,7 +98,7 @@ For more information, see [Security][INT-4].
> - [<u>Attack surface reduction</u>][MEM-6]
> - [<u>Account protection</u>][MEM-7]
________________________________________________________
---
## Next steps

2
education/windows/tutorial-school-deployment/configure-devices-overview.md
View File

@ -1,7 +1,7 @@
---
title: Configure devices with Microsoft Intune
description: Learn how to configure policies and applications in preparation for device deployment.
ms.date: 08/31/2022
ms.date: 11/09/2023
ms.topic: tutorial
---

6
education/windows/tutorial-school-deployment/enroll-aadj.md → education/windows/tutorial-school-deployment/enroll-entra-join.md
View File

@ -1,9 +1,10 @@
---
title: Enrollment in Intune with standard out-of-box experience (OOBE)
description: Learn how to join devices to Microsoft Entra ID from OOBE and automatically get them enrolled in Intune.
ms.date: 08/31/2022
ms.date: 11/09/2023
ms.topic: tutorial
---
# Automatic Intune enrollment via Microsoft Entra join
If you're setting up a Windows device individually, you can use the out-of-box experience to join it to your school's Microsoft Entra tenant, and automatically enroll it in Intune.
@ -21,7 +22,8 @@ With this process, no advance preparation is needed:
:::image type="content" source="./images/win11-login-screen.png" alt-text="Windows 11 login screen" border="false":::
________________________________________________________
---
## Next steps
With the devices joined to Microsoft Entra tenant and managed by Intune, you can use Intune to maintain them and report on their status.

6
education/windows/tutorial-school-deployment/enroll-overview.md
View File

@ -1,7 +1,7 @@
---
title: Device enrollment overview
description: Learn about the different options to enroll Windows devices in Microsoft Intune
ms.date: 08/31/2022
ms.date: 11/09/2023
ms.topic: overview
---
@ -22,9 +22,9 @@ This [table][INT-1] describes the ideal scenarios for using either option. It's
Select one of the following options to learn the next steps about the enrollment method you chose:
> [!div class="op_single_selector"]
> - [Automatic Intune enrollment via Microsoft Entra join](enroll-aadj.md)
> - [Automatic Intune enrollment via Microsoft Entra join](enroll-entra-join.md)
> - [Bulk enrollment with provisioning packages](enroll-package.md)
> - [Enroll devices with Windows Autopilot ](enroll-autopilot.md)
> - [Enroll devices with Windows Autopilot](enroll-autopilot.md)
<!-- Reference links in article -->

5
education/windows/tutorial-school-deployment/enroll-package.md
View File

@ -1,7 +1,7 @@
---
title: Enrollment of Windows devices with provisioning packages
description: Learn about how to enroll Windows devices with provisioning packages using SUSPCs and Windows Configuration Designer.
ms.date: 08/31/2022
ms.date: 11/09/2023
ms.topic: tutorial
---
@ -49,7 +49,8 @@ All settings defined in the package and in Intune will be applied to the device,
:::image type="content" source="./images/win11-oobe-ppkg.gif" alt-text="Windows 11 OOBE - enrollment with provisioning package animation." border="false":::
________________________________________________________
---
## Next steps
With the devices joined to Microsoft Entra tenant and managed by Intune, you can use Intune to maintain them and report on their status.

7
education/windows/tutorial-school-deployment/index.md
View File

@ -1,7 +1,7 @@
---
title: Introduction to the tutorial deploy and manage Windows devices in a school
description: Introduction to deployment and management of Windows devices in education environments.
ms.date: 08/31/2022
ms.date: 11/09/2023
ms.topic: tutorial
---
@ -60,13 +60,14 @@ In the remainder of this document, we'll discuss the key concepts and benefits o
- **Device enrollment:** Setting up Windows devices for deployment and enrolling them in Intune for Education
- **Device reset:** Resetting managed devices with Intune for Education
________________________________________________________
---
## Next steps
Let's begin with the creation and configuration of your Microsoft Entra tenant and Intune environment.
> [!div class="nextstepaction"]
> [Next: Set up Microsoft Entra ID >](set-up-azure-ad.md)
> [Next: Set up Microsoft Entra ID >](set-up-microsoft-entra-id.md)
<!-- Reference links in article -->

2
education/windows/tutorial-school-deployment/manage-overview.md
View File

@ -1,7 +1,7 @@
---
title: Manage devices with Microsoft Intune
description: Overview of device management capabilities in Intune for Education, including remote actions, remote assistance and inventory/reporting.
ms.date: 08/31/2022
ms.date: 11/09/2023
ms.topic: tutorial
---

18
education/windows/tutorial-school-deployment/manage-surface-devices.md
View File

@ -1,7 +1,7 @@
---
title: Management functionalities for Surface devices
description: Learn about the management capabilities offered to Surface devices, including firmware management and the Surface Management Portal.
ms.date: 08/31/2022
ms.date: 11/09/2023
ms.topic: tutorial
appliesto:
-<b>Surface devices</b>
@ -9,7 +9,7 @@ appliesto:
# Management functionalities for Surface devices
Microsoft Surface devices offer many advanced management functionalities, including the possibility to manage firmware settings and a web portal designed for them.
Microsoft Surface devices offer advanced management functionalities, including the possibility to manage firmware settings and a web portal designed for them.
## Manage device firmware for Surface devices
@ -27,20 +27,18 @@ When Surface devices are enrolled in cloud management and users sign in for the
To access and use the Surface Management Portal:
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
2. Select **All services** > **Surface Management Portal**
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
1. Select **All services** > **Surface Management Portal**
:::image type="content" source="./images/surface-management-portal.png" alt-text="Surface Management Portal within Microsoft Intune" lightbox="./images/surface-management-portal-expanded.png" border="true":::
3. To obtain insights for all your Surface devices, select **Monitor**
1. To obtain insights for all your Surface devices, select **Monitor**
- Devices that are out of compliance or not registered, have critically low storage, require updates, or are currently inactive, are listed here
4. To obtain details on each insights category, select **View report**
1. To obtain details on each insights category, select **View report**
- This dashboard displays diagnostic information that you can customize and export
5. To obtain the device's warranty information, select **Device warranty and coverage**
6. To review a list of support requests and their status, select **Support requests**
1. To obtain the device's warranty information, select **Device warranty and coverage**
1. To review a list of support requests and their status, select **Support requests**
<!-- Reference links in article -->
[INT-1]: /intune/configuration/device-firmware-configuration-interface-windows
[MEM-1]: /mem/autopilot/dfci-management
[SURF-1]: /surface/surface-manage-dfci-guide

3
education/windows/tutorial-school-deployment/reset-wipe.md
View File

@ -1,7 +1,7 @@
---
title: Reset and wipe Windows devices
description: Learn about the reset and wipe options for Windows devices using Intune for Education, including scenarios when to delete devices.
ms.date: 08/31/2022
ms.date: 11/09/2023
ms.topic: tutorial
---
@ -104,6 +104,7 @@ Repairing Autopilot-enrolled devices can be complex, as OEM requirements must be
For more information, see [Autopilot motherboard replacement scenario guidance][MEM-4].
<!-- Reference links in article -->
[MEM-1]: /mem/intune/remote-actions/devices-wipe#delete-devices-from-the-intune-portal
[MEM-2]: /mem/intune/remote-actions/devices-wipe#delete-devices-from-the-intune-portal
[MEM-3]: /mem/intune/remote-actions/devices-wipe#delete-devices-from-the-azure-active-directory-portal

5
education/windows/tutorial-school-deployment/set-up-azure-ad.md → education/windows/tutorial-school-deployment/set-up-microsoft-entra-id.md
View File

@ -1,7 +1,7 @@
---
title: Set up Microsoft Entra ID
description: Learn how to create and prepare your Microsoft Entra tenant for an education environment.
ms.date: 08/31/2022
ms.date: 11/09/2023
ms.topic: tutorial
appliesto:
---
@ -86,6 +86,7 @@ There are two options for adding users manually, either individually or in bulk:
- Select **Microsoft Entra ID** > **Users** > **All users** > **Bulk operations** > **Bulk create**
For more information, see [Add multiple users in the Microsoft 365 admin center][M365-4].
### Create groups
Creating groups is important to simplify multiple tasks, like assigning licenses, delegating administration, deploy settings, applications or to distribute assignments to students. To create groups:
@ -143,7 +144,7 @@ To allow provisioning packages to complete the Microsoft Entra join process:
1. Select Save
:::image type="content" source="images/entra-device-settings.png" alt-text="Configure device settings from Microsoft Entra admin center." lightbox="images/entra-device-settings.png":::
________________________________________________________
---
## Next steps

4
education/windows/tutorial-school-deployment/set-up-microsoft-intune.md
View File

@ -1,7 +1,7 @@
---
title: Set up device management
description: Learn how to configure the Intune service and set up the environment for education.
ms.date: 08/31/2022
ms.date: 11/09/2023
ms.topic: tutorial
appliesto:
---
@ -74,7 +74,7 @@ To disable Windows Hello for Business at the tenant level:
For more information how to enable Windows Hello for Business on specific devices, see [Create a Windows Hello for Business policy][MEM-4].
________________________________________________________
---
## Next steps

4
education/windows/tutorial-school-deployment/toc.yml
View File

@ -4,7 +4,7 @@ items:
- name: 1. Prepare your tenant
items:
- name: Set up Microsoft Entra ID
href: set-up-azure-ad.md
href: set-up-microsoft-entra-id.md
- name: Set up Microsoft Intune
href: set-up-microsoft-intune.md
- name: 2. Configure settings and applications
@ -20,7 +20,7 @@ items:
- name: Overview
href: enroll-overview.md
- name: Enroll devices via Microsoft Entra join
href: enroll-aadj.md
href: enroll-entra-join.md
- name: Enroll devices with provisioning packages
href: enroll-package.md
- name: Enroll devices with Windows Autopilot

7
education/windows/tutorial-school-deployment/troubleshoot-overview.md
View File

@ -1,7 +1,7 @@
---
title: Troubleshoot Windows devices
description: Learn how to troubleshoot Windows devices from Intune and contact Microsoft Support for issues related to Intune and other services.
ms.date: 08/31/2022
ms.date: 11/09/2023
ms.topic: tutorial
---
@ -25,10 +25,9 @@ Here's a collection of resources to help you troubleshoot Windows devices manage
Microsoft provides global technical, pre-sales, billing, and subscription support for cloud-based device management services. This support includes Microsoft Intune, Configuration Manager, Windows 365, and Microsoft Managed Desktop.
Follow these steps to obtain support in Microsoft Intune provides many tools that can help you troubleshoot Windows devices.
:
Follow these steps to obtain support in Microsoft Intune provides many tools that can help you troubleshoot Windows devices:
- Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
- Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431)
- Select **Troubleshooting + support** > **Help and support**
:::image type="content" source="images/advanced-support.png" alt-text="Screenshot that shows how to obtain support from Microsoft Intune." lightbox="images/advanced-support.png":::
- Select the required support scenario: Configuration Manager, Intune, Co-management, or Windows 365

307
education/windows/use-set-up-school-pcs-app.md
View File

@ -2,88 +2,90 @@
title: Use Set up School PCs app
description: Learn how to use the Set up School PCs app and apply the provisioning package.
ms.topic: how-to
ms.date: 08/10/2022
ms.date: 11/09/2023
appliesto:
-<a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
---
# Use the Set up School PCs app
IT administrators and technical teachers can use the **Set up School PCs** app to quickly set up Windows 10 PCs for students. The app configures PCs with the apps and features students need, and it removes the ones they don't need. During setup, if licensed in your tenant, the app enrolls each student PC into a mobile device management (MDM) provider, such as Intune for Education. You can then manage all the settings the app configures through the MDM.
IT administrators and technical teachers can use the **Set up School PCs** app to quickly set up Windows devices for students. The app configures devices with the apps and features students need, and it removes the ones they don't need. During setup, if licensed in your tenant, the app enrolls each student device in Microsoft Intune. You can then manage all the settings the app configures through Intune.
Set up School PCs also:
* Joins each student PC to your organization's Office 365 and Microsoft Entra tenant.
* Enables the optional Autopilot Reset feature, to return devices to a fully configured or known IT-approved state.
* Utilizes Windows Update and maintenance hours to keep student PCs up-to-date, without interfering with class time.
* Locks down the student PC to prevent activity that isn't beneficial to their education.
With Set up School PCs you can:
This article describes how to fill out your school's information in the Set up School PCs app. To learn more about the app's functionality, start with the [Technical reference for the Set up School PCs app](set-up-school-pcs-technical.md).
- Joins student devices to your organization's Microsoft Entra tenant
- Enable the optional Autopilot Reset feature, to return devices to a fully configured or known IT-approved state
- Use Windows Update and maintenance hours to keep student devices up-to-date, without interfering with class time
- Lock down student devices to prevent activity that aren't beneficial to their education
## Requirements
Before you begin, make sure that you, your computer, and your school's network are configured with the following requirements.
This article describes how to use the Set up School PCs app. To learn more about the app's functionality, review the [Technical reference for the Set up School PCs app](set-up-school-pcs-technical.md).
* Office 365 and Microsoft Entra ID
* [Latest Set up School PCs app](https://www.microsoft.com/store/apps/9nblggh4ls40)
* A NTFS-formatted USB drive that is at least 1 GB, if not installing Office; and at least 8 GB, if installing Office
* Student PCs must either:
* Be within range of the Wi-Fi network that you configured in the app.
* Have a wired Ethernet connection when you set them up.
## Requirements
### Configure USB drive for additional space
USB drives are, by default, FAT32-formatted, and are unable to save more than 4 GB of data. If you plan to install several apps, or large apps like Microsoft Office, you'll need more space. To create more space on the USB drive, reformat it to NTFS.
1. Insert the USB drive into your computer.
2. Go to the **Start** > **This PC**.
3. In the **Devices and drives** section, find your USB drive. Right-click to see its options.
4. Select **Format** from the list to bring up the **Format drive name** window.
5. Set **File system** to **NTFS**.
6. Click **Start** to format the drive.
Before you begin, make sure that your devices and your school's network are configured with the following requirements:
### Prepare existing PC account for new setup
Apply new packages to factory reset or new PCs. If you apply it to a PC that's already set up, you may lose the accounts and data.
- Microsoft Entra ID and Microsoft 365 licenses
- [Latest Set up School PCs app](https://apps.microsoft.com/detail/9NBLGGH4LS40)
- A NTFS-formatted USB drive that is at least 1 GB
- Student devices must either:
- Be within range of the Wi-Fi network that you configured in the app
- Have a wired Ethernet connection when you set them up
If a PC has already been set up, and you want to apply a new package, reset the PC to a clean state.
### Prepare existing PC account for new setup
To begin, go to the **Settings** app on the appropriate PC.
1. Click **Update & Security** > **Recovery**.
2. In the **Reset this PC** section, click **Get started**.
3. Click **Remove everything**.
Apply new packages to factory reset or new devices. If you apply it to a device that's already set up, you may lose the accounts and data.
You can also go to **Start** > **Power** icon. Hold down the Shift key and click **Restart** to load the Windows boot user experience. From there, follow these steps:
1. Click **Troubleshoot** and then choose **Reset this PC**.
2. Select **Remove everything**.
3. If the option appears, select **Only the drive where Windows is installed**.
4. Click **Just remove my files**.
5. Click **Reset**.
If a device is already set up, and you want to apply a new package, reset the device to a clean state. To reset a device, follow these steps:
## Recommendations
This section offers recommendations to prepare you for the best possible setup experience.
### Run the same Windows 10 build on the admin device and the student PCs
We recommend you run the IT administrator or technical teacher's device on the same Windows 10 build as the student PCs.
1. Open the **Settings** app on target device
1. Select **Update & Security** > **Recovery**
1. In the **Reset this PC** section, select **Get started**
1. Select **Remove everything**
### Student PCs should meet OS requirements for the app
Check the OS requirements in the Set up School PCs app. We recommend using the latest Set up School PCs app along with the latest Windows 10 images on the student PCs.
Alternatively, you can also select **Start** > **Power** icon. Hold down <kbd>Shift</kbd> while selecting **Restart** to load the Windows boot user experience:
To check the app's OS requirements, go to the Microsoft Store and locate the Set up School PCs app. In the app's description, go to **System Requirements > OS**.
1. Select **Troubleshoot** > **Reset this PC**
1. Select **Remove everything**
1. If the option appears, select **Only the drive where Windows is installed**
1. Select **Just remove my files**
1. Select **Reset**
## Recommendations
This section offers recommendations to prepare you for the best possible setup experience.
### Run the same Windows build on the admin device and the student devices
We recommend you run the IT administrator or technical teacher's device on the same Windows build as the student devices.
### Student devices must meet OS requirements for the app
Check the OS requirements in the Set up School PCs app. We recommend using the latest Set up School PCs app along with the latest Windows images on the student devices.
To check the app's OS requirements, go to the Microsoft Store and locate the Set up School PCs app. In the app's description, go to **System Requirements** > **OS**.
### Use app on a PC that is connected to your school's network
We recommend that you run the Set up School PCs app on a computer that's connected to your school's network. That way the app can gather accurate information about your school's wireless networks and cloud subscriptions. If it's not connected, you'll need to enter the information manually.
> [!NOTE]
> Don't use the **Set up Schools PCs** app for PCs that must connect to:
>* Enterprise networks that require the user to accept Terms of Use.
>* Open Wi-Fi networks that require the user to accept Terms of Use.
We recommend that you run the Set up School PCs app on a computer that's connected to your school's network. That way the app can gather accurate information about your school's wireless networks and cloud subscriptions. If it's not connected, you need to enter the information manually.
>[!NOTE]
>Don't use the **Set up Schools PCs** app for devices that must connect to enterprise or open Wi-Fi networds that require the user to accept Terms of Use.
### Run app on an open network or network that requires a basic password
Don't use Set up School PCs over a certification-based network, or one where you have to enter credentials in a browser. If you need to set up many devices over Wi-Fi, make sure that your network configuration can support it.
We recommend that you:
* Configure your DHCP so at least 200 IP addresses are available for your devices. Having available IP addresses will allow you to set up many devices simultaneously.
* Configure your IP addresses to expire after a short time--about 30 minutes. IP addresses will free up quickly so you can continue to set up devices without network issues.
Don't use Set up School PCs over a certificate-based network, or one where you have to enter credentials in a browser. If you need to set up many devices over Wi-Fi, make sure that your network configuration can support it.
> > [!WARNING]
> > Only use the provisioning package on PCs that you want to configure and lock down for students. After you apply the provisioning package to a student PC, the PC must be reset to remove the settings.
We recommend that you:
### Use an additional USB drive
To set up more than one PC at the same time, save the provisioning package to additional USB drives. Then plug the USBs in at the same time during setup.
- Configure your DHCP so at least 200 IP addresses are available for your devices. Having available IP addresses allow you to set up many devices simultaneously
- Configure your IP addresses to expire after a short time, for example 30 minutes. IP addresses free up quickly so you can continue to set up devices without network issues.
>[!WARNING]
>Only use the provisioning package on devices that you want to configure and lock down for students. After you apply the provisioning package to a student device, the PC must be reset to remove the settings.
### Use an additional USB drive
To set up more than one PC at the same time, save the provisioning package to additional USB drives. Then plug the USBs in at the same time during setup.
### Limit changes to school-optimized settings
@ -91,191 +93,172 @@ We strongly recommend that you avoid changing preset policies. Changes can slow
## Create the provisioning package
The **Set up School PCs** app guides you through the configuration choices for the student PCs. To begin, open the app on your PC and click **Get started**.
![Launch the Set up School PCs app.](images/suspcs/suspc_getstarted_050817.png)
The **Set up School PCs** app guides you through the configuration choices for the student PCs. To begin, open the app on your device and select **Get started**.
![Launch the Set up School PCs app.](images/suspcs/suspc_getstarted_050817.png)
### Package name
### Package name
Type a unique name to help distinguish your school's provisioning packages. The name appears:
* On the local package folder
* In your tenant's Microsoft Entra account in the Azure portal
- On the local package folder
- In your tenant's Microsoft Entra account in the Azure portal
A package expiration date is also attached to the end of each package. For example, *Set_Up_School_PCs (Expires 4-16-2019)*. The expiration date is 180 days after you create your package.
A package expiration date is also attached to the end of each package. For example, *Set_Up_School_PCs (Expires 1-1-2024)*. The expiration date is 180 days after you create your package.
![Example screenshot of the Set up School PCs app, Name your package screen.](images/suspcs/1810_Name_Your_Package_SUSPC.png)
After you click **Next**, you can no longer change the name in the app. To create a package with a different name, reopen the Set up School PCs app.
To change an existing package's name, right-click the package folder on your device and select **Rename**. This action does not change the name in Microsoft Entra ID. If you have Global Admin permissions, you can go to Microsoft Entra ID in the Azure portal, and rename the package there.
After you select **Next**, you can no longer change the name in the app. To create a package with a different name, reopen the Set up School PCs app.
To change an existing package's name, right-click the package folder on your device and select **Rename**. This action doesn't change the name in Microsoft Entra ID. If you have Global Admin permissions, you can go to Microsoft Entra ID in the Azure portal, and rename the package there.
### Sign in
1. Select how you want to sign in.
a. (Recommended) To enable student PCs to automatically be connect to Office 365, Microsoft Entra ID, and management services like Intune for Education, click **Sign-in**. Then go to step 3.
b. To complete setup without signing in, click **Continue without account**. Student PCs won't be connected to your school's cloud services and managing them will be more difficult later. Continue to [Wireless network](#wireless-network).
2. In the new window, select the account you want to use throughout setup.
1. Select how you want to sign in
1. (Recommended) To enable student device to automatically connect and authenticate to Microsoft Entra ID, and management services like Microsoft Intune, select **Sign-in**. Then go to step 3
1. To complete setup without signing in, select **Continue without account**. Student devices won't connect to your school's cloud services and their management will be more difficult later. Continue to [Wireless network](#wireless-network)
1. In the new window, select the account you want to use throughout setup.
![Sign-in screen showing the option to "Use this account" or use a different "Work or school account."](images/suspcs/1810_choose_account_suspc.png)
To add an account not listed:
a. Click **Work or school account** > **Continue**.
b. Type in the account username and click **Next**.
c. Verify the user account and password, if prompted.
1. Select **Work or school account** > **Continue**.
1. Type in the account username and select **Next**.
1. Verify the user account and password, if prompted.
3. Click **Accept** to allow Set up School PCs to access your account throughout setup.
2. When your account name appears on the page, as shown in the image below, click **Next.**
1. Select **Accept** to allow Set up School PCs to access your account throughout setup
1. When your account name appears on the page, select **Next**
![Example screenshot of the Set up School PC app, Sign in screen, showing that the user's account name appears at the bottom of the page.](images/suspcs/1810_Sign_In_SUSPC.png)
### Wireless network
Add and save the wireless network profile that you want student PCs to connect to. Only skip Wi-Fi setup if you have an Ethernet connection.
Select your school's Wi-Fi network from the list of available wireless networks, or click **Add a wireless network** to manually configure it. Then click **Next.**
Add and save the wireless network profile that you want student devices to connect to. Only skip Wi-Fi setup if you have an Ethernet connection.
Select your organization's Wi-Fi network from the list of available wireless networks, or select **Add a wireless network** to manually configure it. Then select **Next**
![Example screenshot of the Set up School PC app, Wireless network page with two Wi-Fi networks listed, one of which is selected.](images/suspcs/1810_SUSPC_select_Wifi.png)
### Device names
Create a short name to add as a prefix to each PC. This name will help you recognize and manage this specific group of devices in your mobile device manager. The name must be five (5) characters or less.
To make sure all device names are unique, Set up School PCs automatically appends `_%SERIAL%` to the name. For example, if you add *Math4* as the prefix, the device names will appear as *Math4* followed by a random string of letters and numbers.
Create a name to add as a prefix to each device. This name helps you recognize and manage this group of devices in Intune.
To keep the default name for your devices, click **Continue with existing names**.
To make sure all device names are unique, Set up School PCs automatically appends `_%SERIAL%` to the name. For example, if you add *MATH4* as the prefix, the device names appear as *MATH4* followed by the device serial number.
To keep the default name for your devices, select **Continue with existing names**.
!["Name these devices" screen with the device field filled in with example device name, "Grd8."](images/suspcs/1810_name-devices_SUSPC.png)
### Settings
Select additional settings to include in the provisioning package. To begin, select the operating system on your student PCs.
Select more settings to include in the provisioning package. To begin, select the operating system on your student PCs.
![Screenshot of the Current OS version page with the Select OS version menu selected, showing 7 Windows 10 options. All other settings on page are unavailable to select.](images/suspcs/1810_suspc_settings.png)
Setting selections vary based on the OS version you select. The example screenshot below shows the settings that become available when you select **Windows 10 version 1703**. The option to **Enable Autopilot Reset** is not available for this version of Windows 10.
Setting selections vary based on the OS version you select.
![Example screenshot of the Current OS version page, with Windows 10 version 1803 selected. 4 available settings and 1 unavailable setting are shown, and none are selected.](images/suspcs/1810_SUSPC_available_settings.png)
The following table describes each setting and lists the applicable Windows 10 versions. To find out if a setting is available in your version of Windows 10, look for an *X* in the setting row and in the version column.
> [!NOTE]
> The [**Time zone** setting](use-set-up-school-pcs-app.md#time-zone), shown in the sidebar of the screenshot above, is not made available to versions of Windows 10 in S mode. If you select a version in S mode, **Time zone** will become disabled.
| Setting | What happens if I select it? | Note |
|--|--|--|
| Remove apps preinstalled by the device manufacturer | Uninstalls apps that came loaded on the computer by the device's manufacturer. | Adds about 30 minutes to the provisioning process. |
| Allow local storage (not recommended for shared devices) | Lets students save files to the Desktop and Documents folder on the Student PC. | Not recommended if the device are shared between different students. |
| Optimize device for a single student, instead of a shared cart or lab | Optimizes the device for use by a single student, rather than many students. | Recommended if the device are shared between different students. Single-optimized accounts are set to expire, and require a sign-in, 180 days after setup. This setting increases the maximum PC storage to 100% of the available disk space. In this case, student accounts aren't deleted unless the account has been inactive for 180 days. |
| Let guests sign in to these PCs | Allows guests to use student PCs without a school account. | Common to use within a public, shared space, such as a library. Also used when a student loses their password. Adds a **Guest** account to the PC sign-in screen that anyone can sign in to. |
| Enable Autopilot Reset | Lets you remotely reset a student's PC from the lock screen, apply the device's original settings, and enroll it in device management (Microsoft Entra ID and MDM). | WinRE must be enabled on the device. |
| Lock screen background | Change the default screen lock background to a custom image. | Select **Browse** to search for an image file on your computer. Accepted image formats are jpg, jpeg, and png. |
The following table describes each setting and lists the applicable Windows 10 versions. To find out if a setting is available in your version of Windows 10, look for an *X* in the setting row and in the version column.
|Setting |1703|1709|1803|1809|What happens if I select it? |Note|
|---------|---------|---------|---------|---------|---------|---------|
|Remove apps pre-installed by the device manufacturer |X|X|X|X| Uninstalls apps that came loaded on the computer by the device's manufacturer. |Adds about 30 minutes to the provisioning process.|
|Allow local storage (not recommended for shared devices) |X|X|X|X| Lets students save files to the Desktop and Documents folder on the Student PC. |Not recommended if the device will be shared between different students.|
|Optimize device for a single student, instead of a shared cart or lab |X|X|X|X|Optimizes the device for use by a single student, rather than many students. |Recommended if the device will be shared between different students. Single-optimized accounts are set to expire, and require a sign-in, 180 days after setup. This setting increases the maximum PC storage to 100% of the available disk space. In this case, student accounts aren't deleted unless the account has been inactive for 180 days. |
|Let guests sign in to these PCs |X|X|X|X|Allows guests to use student PCs without a school account. |Common to use within a public, shared space, such as a library. Also used when a student loses their password. Adds a **Guest** account to the PC sign-in screen that anyone can sign in to.|
|Enable Autopilot Reset |Not available|X|X|X|Lets you remotely reset a student's PC from the lock screen, apply the device's original settings, and enroll it in device management (Microsoft Entra ID and MDM). |Requires Windows 10, version 1709 and WinRE must be enabled on the PC. Setup will fail if both requirements aren't met.|
|Lock screen background|X|X|X|X|Change the default screen lock background to a custom image.|Click **Browse** to search for an image file on your computer. Accepted image formats are jpg, jpeg, and png.|
After you've made your selections, click **Next**.
After you've made your selections, select **Next**.
### Time zone
> [!WARNING]
> If you are using the Autounattend.xml file to reimage your school PCs, do not specify a time zone in the file. If you set the time zone in the file *and* in this app, you will encounter an error.
Choose the time zone where your school's PCs are used. This setting ensures that all PCs are provisioned in the same time zone. When you're done, click **Next**.
Choose the time zone where your school's devices are used. This setting ensures that all PCs are provisioned in the same time zone. When you're done, select **Next**.
![Choose PC time zone page with the time zone menu expanded to show all time zone selections.](images/suspcs/1810_suspc_timezone.png)
### Product key
Optionally, type in a 25-digit product key to:
* Upgrade your current edition of Windows. For example, if you want to upgrade from Windows 10 Education to Windows 10 Education Pro, enter the product key for the Pro edition.
* Change the product key. If you want to associate student devices with a new or different Windows 10 product key, enter it now.
### Product key
Optionally, type in a 25-digit product key to upgrade or change the edition of Windows on your student devices. If you don't have a product key, select **Continue without change**.
![Example screenshot of the Set up School PC app, Product key screen, showing a value field, Next button, and Continue without change option.](images/suspcs/1810_suspc_product_key.png)
### Take a Test
Set up the Take a Test app to give online quizzes and high-stakes assessments. During assessments, Windows locks down the student PC so that students can't access anything else on the device.
### Take a Test
1. Select **Yes** to create a Take a Test button on the sign-in screens of your students' PCs.
Set up the Take a Test app to give online quizzes and high-stakes assessments. During assessments, Windows locks down the student devices so that students can't access anything else on the device.
![Set up Take a Test app page with "Yes" selected to create an app button. Page also has two checkboxes for additional settings and one text field for the assessment URL.](images/suspcs/1810_SUSPC_Take_Test.png)
1. Select **Yes** to create a Take a Test button on the sign-in screens of your students' devices
2. Select from the advanced settings. Available settings include:
* Allow keyboard auto-suggestions: Allows app to suggest words as the student types on the PC's keyboard.
* Allow teachers to monitor online tests: Enables screen capture in the Take a Test app.
3. Enter the URL where the test is hosted. When students log in to the Take a Test account, they'll be able to click or enter the link to view the assessment.
4. Click **Next**.
![Set up Take a Test app page with "Yes" selected to create an app button. Page also has two checkboxes for additional settings and one text field for the assessment URL.](images/suspcs/1810_SUSPC_Take_Test.png)
### Add apps
Choose from Microsoft recommended apps and your school's own Microsoft Store inventory. The apps you select here are added to the provisioning package and installed on student PCs. After they're assigned, apps are pinned to the device's Start menu.
1. Select from the advanced settings. Available settings include:
- Allow keyboard auto-suggestions: Allows app to suggest words as the student types on the device's keyboard
- Allow teachers to monitor online tests: Enables screen capture in the Take a Test app
1. Enter the URL where the test is hosted. When students log in to the Take a Test account, they'll be able to select or enter the link to view the assessment
1. Select **Next**
If there aren't any apps in your Microsoft Store inventory, or you don't have the permissions to add apps, you'll need to contact your school admin for help. If you receive a message that you can't add the selected apps, click **Continue without apps**. Contact your school admin to get these apps later.
### Personalization
After you've made your selections, click **Next**.
Upload custom images to replace the student devices' default desktop and lock screen backgrounds. Select **Browse** to search for an image file on your computer. Accepted image formats are jpg, jpeg, and png.
If you don't want to upload custom images or use the images that appear in the app, select **Continue without personalization**. This option doesn't apply any customizations, and instead uses the devices' default or preset images.
![Example screenshots of the Add apps screen with selection of recommended apps and school inventory apps.](images/suspcs/1812_Add_Apps_SUSPC.png)
![Example image of the Set up School PCs app, Personalization screen, showing the default desktop and lock screen background photos, a Browse button under each photo, a blue Next button, and a Continue without personalization button.](images/suspcs/1810_SUSPC_personalization.png)
The following table lists the recommended apps you'll see.
### Summary
|App |Note |
|---------|---------|
|Office 365 for Windows 10 in S mode (Education Preview) | Setup is only successful on student PCs that run Windows 10 in S mode. The PC you running the Set up School PCs app is not required to have Windows 10 in S mode. |
|Microsoft Whiteboard | None|
|Minecraft: Education Edition | Free trial|
Review all of the settings for accuracy and completeness
1. To make changes now, select any page along the left side of the window
2. When finished, select **Accept**
![Example image of the Summary screen, showing the user's configurations for Sign-in, Wireless network, Device names, Settings, Time zone, Take a Test. Accept button is available and the page contains three links on the right-hand side to help and support.](images/suspcs/1810_SUSPC_summary.png)
### Personalization
Upload custom images to replace the student devices' default desktop and lock screen backgrounds. Click **Browse** to search for an image file on your computer. Accepted image formats are jpg, jpeg, and png.
If you don't want to upload custom images or use the images that appear in the app, click **Continue without personalization**. This option does not apply any customizations, and instead uses the devices' default or preset images.
![Example image of the Set up School PCs app, Personalization screen, showing the default desktop and lock screen background photos, a Browse button under each photo, a blue Next button, and a Continue without personalization button.](images/suspcs/1810_SUSPC_personalization.png)
### Summary
Review all of the settings for accuracy and completeness. Check carefully. To make changes to a saved package, you have to start over.
1. To make changes now, click any page along the left side of the window.
2. When finished, click **Accept**.
![Example image of the Summary screen, showing the user's configurations for Sign-in, Wireless network, Device names, Settings, Time zone, Take a Test. Accept button is available and the page contains three links on the right-hand side to help and support.](images/suspcs/1810_SUSPC_summary.png)
> [!NOTE]
> To make changes to a saved package, you have to start over.
### Insert USB
1. Insert a USB drive. The **Save** button will light up when your computer detects the USB.
2. Choose your USB drive from the list and click **Save**.
![Insert a USB drive now screen with USB drive selection highlighted. Save button is blue and active.](images/suspcs/1810_SUSPC_USB.png)
1. Insert a USB drive. The **Save** button lights up when your computer detects the USB
1. Choose your USB drive from the list and select **Save**
3. When the package is ready, you'll see the filename and package expiration date. You can also click **Add a USB** to save the same provisioning package to another USB drive. When you're done, remove the USB drive and click **Next**.
![Insert a USB drive now screen with USB drive selection highlighted. Save button is blue and active.](images/suspcs/1810_SUSPC_USB.png)
![Your provisioning package is ready screen with package filename and expiration date. Shows an active blue, Next button, and a gray Add a USB button.](images/suspcs/1810_SUSPC_Package_ready.png)
1. When the package is ready, you see the filename and package expiration date. You can also select **Add a USB** to save the same provisioning package to another USB drive. When you're done, remove the USB drive and select **Next**
## Run package - Get PCs ready
Complete each step on the **Get PCs ready** page to prepare student PCs for set-up. Then click **Next**.
![Your provisioning package is ready! screen with 3 steps to get student PCs ready for setup. Save button is active.](images/suspcs/suspc_runpackage_getpcsready.png)
![Your provisioning package is ready screen with package filename and expiration date. Shows an active blue, Next button, and a gray Add a USB button.](images/suspcs/1810_SUSPC_Package_ready.png)
## Run package - Get PCs ready
Complete each step on the **Get PCs ready** page to prepare student devices for set-up. Then select **Next**.
![Your provisioning package is ready! screen with 3 steps to get student devices ready for setup. Save button is active.](images/suspcs/suspc_runpackage_getpcsready.png)
## Run package - Install package on PC
The provisioning package on your USB drive is named SetupSchoolPCs_<*devicename*>(Expires <*expiration date*>.ppkg. A provisioning package applies settings to Windows 10 without reimaging the device.
The provisioning package on your USB drive is named SetupSchoolPCs_<*devicename*>(Expires <*expiration date*>.ppkg. A provisioning package applies settings to Windows without reimaging the device.
When used in context of the Set up School PCs app, the word *package* refers to your provisioning package. The word *provisioning* refers to the act of installing the package on the student PC. This section describes how to apply the settings to a PC in your school.
When used in context of the Set up School PCs app, the word *package* refers to your provisioning package. The word *provisioning* refers to the act of installing the package on the student device. This section describes how to apply the settings to a device in your school.
> [!IMPORTANT]
> The PC must have a new or reset Windows 10 image and must not already have been through first-run setup (also referred to as OOBE). For instructions about how to reset a computer's image, see [Prepare existing PC account for new setup](use-set-up-school-pcs-app.md#prepare-existing-pc-account-for-new-setup).
> The devices must have a new or reset Windows image and must not already have been through first-run setup experience (which is referred to as *OOBE*). For instructions about how to reset a devices's image, see [Prepare existing PC account for new setup](use-set-up-school-pcs-app.md#prepare-existing-pc-account-for-new-setup).
1. Start with the student PC turned off or with the PC on the first-run setup screen. In Windows 10 version 1803, the first-run setup screen reads, **Let's start with region. Is this right?**
1. Start with the student device turned off or with the device on the first-run setup screen. If the device is past the account setup screen, reset the device to start over. To reset the it, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**
If the PC has gone past the account setup screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**.
![Example screenshot of the first screen the Windows 10 PC setup for OOBE. United States is selected as the region and the Yes button is active.](images/suspcs/win10_1703_oobe_firstscreen.png)
![Example screenshot of the first screen the Windows 10 PC setup for OOBE. United States is selected as the region and the Yes button is active.](images/suspcs/win10_1703_oobe_firstscreen.png)
2. Insert the USB drive. Windows automatically recognizes and installs the package.
![Screen showing that the installation is automatically beginning, with a loading bar showing the status on the installation.](images/suspcs/suspc_studentpcsetup_installingsetupfile.png)
3. When you receive the message that it's okay to remove the USB drive, remove it from the PC. If there are more PCs to set up, insert the USB drive into the next PC.
1. Insert the USB drive. Windows automatically recognizes and installs the package
![Screen showing that the installation is automatically beginning, with a loading bar showing the status on the installation.](images/suspcs/suspc_studentpcsetup_installingsetupfile.png)
1. When you receive the message that it's okay to remove the USB drive, remove it from the device. If there are more devices to set up, insert the USB drive into the next one
![Screen with message telling user to remove the USB drive.](images/suspcs/suspc_setup_removemediamessage.png)
4. If you didn't set up the package with Microsoft Entra join, continue the Windows device setup experience. If you did configure the package with Microsoft Entra join, the computer is ready for use and no further configurations are required.
1. If you didn't set up the package with Microsoft Entra join, continue the Windows device setup experience. If you did configure the package with Microsoft Entra join, the device is ready for use and no further configurations are required
If successful, you'll see a setup complete message. The PCs start up on the lock screen, with your school's custom background. Upon first use, students and teachers can connect to your school's network and resources.
If successful, you'll see a setup complete message. The PCs start up on the lock screen, with your school's custom background. Upon first use, students and teachers can connect to your school's network and resources.

1
education/windows/windows-11-se-overview.md
View File

@ -6,7 +6,6 @@ ms.date: 11/02/2023
appliesto:
-<a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE</a>
ms.collection:
- highpri
- education
- tier1
---

1
windows/application-management/index.yml
View File

@ -14,7 +14,6 @@ metadata:
ms.prod: windows-client
ms.collection:
- tier1
- highpri
# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | tutorial | overview | quickstart | reference | sample | tutorial | video | whats-new

1
windows/client-management/mdm/index.yml
View File

@ -10,7 +10,6 @@ metadata:
ms.technology: itpro-manage
ms.prod: windows-client
ms.collection:
- highpri
- tier1
author: vinaypamnani-msft
ms.author: vinpa

8
windows/configuration/configure-windows-10-taskbar.md
View File

@ -1,18 +1,10 @@
---
title: Configure Windows 10 taskbar
description: Administrators can pin more apps to the taskbar and remove default pinned apps from the taskbar by adding a section to a layout modification XML file.
ms.prod: windows-client
author: lizgt2000
ms.author: lizlong
ms.topic: how-to
ms.localizationpriority: medium
ms.date: 08/18/2023
ms.reviewer:
manager: aaroncz
ms.collection:
- highpri
- tier2
ms.technology: itpro-configure
---
# Configure Windows 10 taskbar

1
windows/configuration/customize-and-export-start-layout.md
View File

@ -10,7 +10,6 @@ ms.topic: how-to
ms.localizationpriority: medium
ms.date: 08/18/2023
ms.collection:
- highpri
- tier1
ms.technology: itpro-configure
---

7
windows/configuration/customize-start-menu-layout-windows-11.md
View File

@ -1,16 +1,9 @@
---
title: Add or remove pinned apps on the Start menu in Windows 11
description: Export Start layout to LayoutModification.json with pinned apps, and add or remove pinned apps. Use the JSON text in an MDM policy to deploy a custom Start menu layout to Windows 11 devices.
manager: aaroncz
author: lizgt2000
ms.author: lizlong
ms.reviewer: ericpapa
ms.prod: windows-client
ms.localizationpriority: medium
ms.collection:
- highpri
- tier1
ms.technology: itpro-configure
ms.date: 01/10/2023
ms.topic: article
---

1
windows/configuration/customize-taskbar-windows-11.md
View File

@ -8,7 +8,6 @@ ms.prod: windows-client
author: lizgt2000
ms.localizationpriority: medium
ms.collection:
- highpri
- tier1
ms.technology: itpro-configure
ms.date: 08/17/2023

7
windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md
View File

@ -3,15 +3,8 @@ title: Customize Windows 10 Start and taskbar with group policy
description: In Windows 10, you can use a Group Policy Object (GPO) to deploy a customized Start layout to users in a domain.
ms.reviewer:
manager: aaroncz
ms.prod: windows-client
author: lizgt2000
ms.localizationpriority: medium
ms.author: lizlong
ms.topic: article
ms.collection:
- highpri
- tier2
ms.technology: itpro-configure
ms.date: 12/31/2017
---

2
windows/configuration/docfx.json
View File

@ -42,6 +42,8 @@
"uhfHeaderId": "MSDocsHeader-Windows",
"ms.technology": "itpro-configure",
"ms.topic": "article",
"ms.prod": "windows-client",
"manager": "aaroncz",
"feedback_system": "GitHub",
"feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",
"feedback_product_url": "https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332",

7
windows/configuration/find-the-application-user-model-id-of-an-installed-app.md
View File

@ -1,17 +1,10 @@
---
title: Find the Application User Model ID of an installed app
ms.reviewer: sybruckm
manager: aaroncz
description: To configure assigned access (kiosk mode), you need the Application User Model ID (AUMID) of apps installed on a device.
author: lizgt2000
ms.author: lizlong
ms.topic: article
ms.localizationpriority: medium
ms.prod: windows-client
ms.collection:
- highpri
- tier2
ms.technology: itpro-configure
ms.date: 12/31/2017
---
# Find the Application User Model ID of an installed app

6
windows/configuration/guidelines-for-assigned-access-app.md
View File

@ -1,16 +1,10 @@
---
title: Guidelines for choosing an app for assigned access
description: The following guidelines may help you choose an appropriate Windows app for your assigned access experience.
ms.prod: windows-client
author: lizgt2000
ms.localizationpriority: medium
ms.author: lizlong
ms.topic: article
ms.reviewer: sybruckm
manager: aaroncz
ms.collection:
- highpri
- tier2
ms.technology: itpro-configure
ms.date: 12/31/2017
---

1
windows/configuration/index.yml
View File

@ -9,7 +9,6 @@ metadata:
ms.topic: landing-page # Required
ms.prod: windows-client
ms.collection:
- highpri
- tier1
author: aczechowski
ms.author: aaroncz

5
windows/configuration/kiosk-single-app.md
View File

@ -2,16 +2,11 @@
title: Set up a single-app kiosk on Windows
description: A single-use device is easy to set up in Windows Pro, Enterprise, and Education editions.
ms.reviewer: sybruckm
manager: aaroncz
ms.author: lizlong
ms.prod: windows-client
author: lizgt2000
ms.localizationpriority: medium
ms.topic: article
ms.collection:
- highpri
- tier1
ms.technology: itpro-configure
ms.date: 07/12/2023
---
<!--8107263-->

77
windows/configuration/lock-down-windows-10-to-specific-apps.md
View File

@ -1,26 +1,19 @@
---
title: Set up a multi-app kiosk on Windows 10
description: Learn how to configure a kiosk device running Windows 10 so that users can only run a few specific apps.
ms.prod: windows-client
ms.technology: itpro-configure
author: lizgt2000
ms.author: lizlong
manager: aaroncz
ms.reviewer: sybruckm
ms.localizationpriority: medium
ms.topic: how-to
ms.collection:
- highpri
- tier2
ms.date: 12/31/2017
ms.date: 11/08/2023
appliesto:
- <b>Windows 10 Pro</b>
-<b>Windows 10 Enterprise</b>
-<b>Windows 10 Education</b>
---
# Set up a multi-app kiosk on Windows 10 devices
**Applies to**
- Windows 10 Pro, Enterprise, and Education
> [!NOTE]
> The use of multiple monitors isn't supported for multi-app kiosk mode in Windows 10.
@ -33,13 +26,13 @@ The following table lists changes to multi-app kiosk in recent updates.
| - Configure [a single-app kiosk profile](#profile) in your XML file<br><br>- Assign [group accounts to a config profile](#config-for-group-accounts)<br><br>- Configure [an account to sign in automatically](#config-for-autologon-account) | Windows 10, version 1803 |
| - Explicitly allow [some known folders when user opens file dialog box](#fileexplorernamespacerestrictions)<br><br>- [Automatically launch an app](#allowedapps) when the user signs in<br><br>- Configure a [display name for the autologon account](#config-for-autologon-account) | Windows 10, version 1809<br><br>**Important:** To use features released in Windows 10, version 1809, make sure that [your XML file](#create-xml-file) references `https://schemas.microsoft.com/AssignedAccess/201810/config`. |
>[!WARNING]
>The assigned access feature is intended for corporate-owned fixed-purpose devices, like kiosks. When the multi-app assigned access configuration is applied on the device, [certain policies](kiosk-policies.md) are enforced system-wide, and will impact other users on the device. Deleting the kiosk configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all the enforced policies (such as Start layout). A factory reset is needed to clear all the policies enforced via assigned access.
> [!WARNING]
> The assigned access feature is intended for corporate-owned fixed-purpose devices, like kiosks. When the multi-app assigned access configuration is applied on the device, [certain policies](kiosk-policies.md) are enforced system-wide, and will impact other users on the device. Deleting the kiosk configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all the enforced policies (such as Start layout). A factory reset is needed to clear all the policies enforced via assigned access.
You can configure multi-app kiosks using [Microsoft Intune](#intune) or a [provisioning package](#provision).
>[!TIP]
>Be sure to check the [configuration recommendations](kiosk-prepare.md) before you set up your kiosk.
> [!TIP]
> Be sure to check the [configuration recommendations](kiosk-prepare.md) before you set up your kiosk.
<span id="intune"/>
@ -62,7 +55,7 @@ Process:
Watch how to use a provisioning package to configure a multi-app kiosk.
>[!VIDEO https://www.microsoft.com/videoplayer/embed/fa125d0f-77e4-4f64-b03e-d634a4926884?autoplay=false]
> [!VIDEO https://www.microsoft.com/videoplayer/embed/fa125d0f-77e4-4f64-b03e-d634a4926884?autoplay=false]
If you don't want to use a provisioning package, you can deploy the configuration XML file using [mobile device management (MDM)](#use-mdm-to-deploy-the-multi-app-configuration), or you can configure assigned access using the [MDM Bridge WMI Provider](kiosk-mdm-bridge.md).
@ -71,8 +64,8 @@ If you don't want to use a provisioning package, you can deploy the configuratio
- Windows Configuration Designer (Windows 10, version 1709 or later)
- The kiosk device must be running Windows 10 (S, Pro, Enterprise, or Education), version 1709 or later
>[!NOTE]
>For devices running versions of Windows 10 earlier than version 1709, you can [create AppLocker rules](lock-down-windows-10-applocker.md) to configure a multi-app kiosk.
> [!NOTE]
> For devices running versions of Windows 10 earlier than version 1709, you can [create AppLocker rules](lock-down-windows-10-applocker.md) to configure a multi-app kiosk.
### Create XML file
@ -198,7 +191,7 @@ Starting in Windows 10 version 1809, you can explicitly allow some known folders
The following example shows how to allow user access to the Downloads folder in the common file dialog box.
>[!TIP]
> [!TIP]
> To grant access to the Downloads folder through File Explorer, add "Explorer.exe" to the list of allowed apps, and pin a file explorer shortcut to the kiosk start menu.
```xml
@ -278,8 +271,8 @@ The following example pins Groove Music, Movies & TV, Photos, Weather, Calculato
</StartLayout>
```
>[!NOTE]
>If an app isn't installed for the user, but is included in the Start layout XML, the app isn't shown on the Start screen.
> [!NOTE]
> If an app isn't installed for the user, but is included in the Start layout XML, the app isn't shown on the Start screen.
![What the Start screen looks like when the XML sample is applied.](images/sample-start.png)
@ -299,8 +292,8 @@ The following example hides the taskbar:
<Taskbar ShowTaskbar="false"/>
```
>[!NOTE]
>This is different from the **Automatically hide the taskbar** option in tablet mode, which shows the taskbar when swiping up from or moving the mouse pointer down to the bottom of the screen. Setting **ShowTaskbar** as **false** will always keep the taskbar hidden.
> [!NOTE]
> This is different from the **Automatically hide the taskbar** option in tablet mode, which shows the taskbar when swiping up from or moving the mouse pointer down to the bottom of the screen. Setting **ShowTaskbar** as **false** will always keep the taskbar hidden.
##### KioskModeApp
@ -310,8 +303,8 @@ The following example hides the taskbar:
<KioskModeApp AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"/>
```
>[!IMPORTANT]
>The kiosk profile is designed for public-facing kiosk devices. We recommend that you use a local, non-administrator account. If the device is connected to your company network, using a domain or Microsoft Entra account could potentially compromise confidential information.
> [!IMPORTANT]
> The kiosk profile is designed for public-facing kiosk devices. We recommend that you use a local, non-administrator account. If the device is connected to your company network, using a domain or Microsoft Entra account could potentially compromise confidential information.
#### Configs
@ -325,8 +318,8 @@ You can assign:
- [An individual account, which can be local, domain, or Microsoft Entra ID](#config-for-individual-accounts)
- [A group account, which can be local, Active Directory (domain), or Microsoft Entra ID](#config-for-group-accounts) (Applies to Windows 10, version 1803 only).
>[!NOTE]
>Configs that specify group accounts cannot use a kiosk profile, only a lockdown profile. If a group is configured to a kiosk profile, the CSP will reject the request.
> [!NOTE]
> Configs that specify group accounts cannot use a kiosk profile, only a lockdown profile. If a group is configured to a kiosk profile, the CSP will reject the request.
##### Config for AutoLogon Account
@ -356,8 +349,8 @@ Starting with Windows 10 version 1809, you can configure the display name that w
On domain-joined devices, local user accounts aren't shown on the sign-in screen by default. To show the **AutoLogonAccount** on the sign-in screen, enable the following Group Policy setting: **Computer Configuration > Administrative Templates > System > Logon > Enumerate local users on domain-joined computers**. (The corresponding MDM policy setting is [WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers in the Policy CSP](/windows/client-management/mdm/policy-csp-windowslogon#windowslogon-enumeratelocalusersondomainjoinedcomputers).)
>[!IMPORTANT]
>When Exchange Active Sync (EAS) password restrictions are active on the device, the autologon feature does not work. This behavior is by design. For more informations, see [How to turn on automatic logon in Windows](/troubleshoot/windows-server/user-profiles-and-logon/turn-on-automatic-logon).
> [!IMPORTANT]
> When Exchange Active Sync (EAS) password restrictions are active on the device, the autologon feature does not work. This behavior is by design. For more informations, see [How to turn on automatic logon in Windows](/troubleshoot/windows-server/user-profiles-and-logon/turn-on-automatic-logon).
##### Config for individual accounts
@ -367,13 +360,13 @@ Individual accounts are specified using `<Account>`.
- Domain account should be entered as `domain\account`.
- Microsoft Entra account must be specified in this format: `AzureAD\{email address}`. **AzureAD** must be provided _as is_, and consider it's a fixed domain name. Then follow with the Microsoft Entra ID email address. For example, `AzureAD\someone@contoso.onmicrosoft.com`
>[!WARNING]
>Assigned access can be configured via WMI or CSP to run its applications under a domain user or service account, rather than a local account. However, use of domain user or service accounts introduces risks that an attacker subverting the assigned access application might gain access to sensitive domain resources that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with assigned access, and consider the domain resources potentially exposed by the decision to do so.
> [!WARNING]
> Assigned access can be configured via WMI or CSP to run its applications under a domain user or service account, rather than a local account. However, use of domain user or service accounts introduces risks that an attacker subverting the assigned access application might gain access to sensitive domain resources that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with assigned access, and consider the domain resources potentially exposed by the decision to do so.
Before applying the multi-app configuration, make sure the specified user account is available on the device, otherwise it will fail.
>[!NOTE]
>For both domain and Microsoft Entra accounts, it's not required that target account is explicitly added to the device. As long as the device is AD-joined or Microsoft Entra joined, the account can be discovered in the domain forest or tenant that the device is joined to. For local accounts, it is required that the account exist before you configure the account for assigned access.
> [!NOTE]
> For both domain and Microsoft Entra accounts, it's not required that target account is explicitly added to the device. As long as the device is AD-joined or Microsoft Entra joined, the account can be discovered in the domain forest or tenant that the device is joined to. For local accounts, it is required that the account exist before you configure the account for assigned access.
```xml
<Configs>
@ -415,8 +408,8 @@ Group accounts are specified using `<UserGroup>`. Nested groups aren't supported
</Config>
```
>[!NOTE]
>If a Microsoft Entra group is configured with a lockdown profile on a device, a user in the Microsoft Entra group must change their password (after the account has been created with default password on the portal) before they can sign in to this device. If the user uses the default password to sign in to the device, the user will be immediately signed out.
> [!NOTE]
> If a Microsoft Entra group is configured with a lockdown profile on a device, a user in the Microsoft Entra group must change their password (after the account has been created with default password on the portal) before they can sign in to this device. If the user uses the default password to sign in to the device, the user will be immediately signed out.
<span id="add-xml" />
@ -488,8 +481,8 @@ Before you add the XML file to a provisioning package, you can [validate your co
Use the Windows Configuration Designer tool to create a provisioning package. [Learn how to install Windows Configuration Designer.](provisioning-packages/provisioning-install-icd.md)
>[!IMPORTANT]
>When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
> [!IMPORTANT]
> When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
1. Open Windows Configuration Designer. By default: `%systemdrive%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe`.
@ -619,8 +612,8 @@ Remove Sign Out option in Security Options UI | Enabled
Remove All Programs list from the Start Menu | Enabled - Remove and disable setting
Prevent access to drives from My Computer | Enabled - Restrict all drivers
>[!NOTE]
>When **Prevent access to drives from My Computer** is enabled, users can browse the directory structure in File Explorer, but they cannot open folders and access the contents. Also, they cannot use the **Run** dialog box or the **Map Network Drive** dialog box to view the directories on these drives. The icons representing the specified drives still appear in File Explorer, but if users double-click the icons, a message appears explaining that a setting prevents the action. This setting does not prevent users from using programs to access local and network drives. It does not prevent users from using the Disk Management snap-in to view and change drive characteristics.
> [!NOTE]
> When **Prevent access to drives from My Computer** is enabled, users can browse the directory structure in File Explorer, but they cannot open folders and access the contents. Also, they cannot use the **Run** dialog box or the **Map Network Drive** dialog box to view the directories on these drives. The icons representing the specified drives still appear in File Explorer, but if users double-click the icons, a message appears explaining that a setting prevents the action. This setting does not prevent users from using programs to access local and network drives. It does not prevent users from using the Disk Management snap-in to view and change drive characteristics.
### MDM policy
@ -663,8 +656,8 @@ In Windows Configuration Designer, under **ProvisioningCommands** > **DeviceCont
- Under **CommandFiles**, upload your batch file, your .lnk file, and your desktop app installation file.
>[!IMPORTANT]
>Paste the full file path to the .lnk file in the **CommandFiles** field. If you browse to and select the .lnk file, the file path will be changed to the path of the target of the .lnk.
> [!IMPORTANT]
> Paste the full file path to the .lnk file in the **CommandFiles** field. If you browse to and select the .lnk file, the file path will be changed to the path of the target of the .lnk.
- Under **CommandLine**, enter `cmd /c *FileName*.bat`.

10
windows/configuration/provisioning-packages/diagnose-provisioning-packages.md
View File

@ -1,7 +1,6 @@
---
title: Diagnose Provisioning Packages
description: Diagnose general failures in provisioning.
ms.reviewer:
manager: aaroncz
ms.author: lizlong
ms.topic: article
@ -9,7 +8,6 @@ ms.prod: windows-client
ms.technology: itpro-manage
author: lizgt2000
ms.date: 01/18/2023
ms.collection: highpri
---
# Diagnose Provisioning Packages
@ -26,16 +24,16 @@ To apply the power settings successfully with the [correct security context](/wi
## Unable to perform bulk enrollment in Microsoft Entra ID
When [enrolling devices into Microsoft Entra ID using provisioning packages](https://techcommunity.microsoft.com/t5/intune-customer-success/bulk-join-a-windows-device-to-azure-ad-and-microsoft-endpoint/ba-p/2381400), the bulk token request will be rejected, if the user requesting a bulk token is not authorized to grant application consent. For more information, see [Configure how users consent to applications](/azure/active-directory/manage-apps/configure-user-consent).
When [enrolling devices into Microsoft Entra ID using provisioning packages](https://techcommunity.microsoft.com/t5/intune-customer-success/bulk-join-a-windows-device-to-azure-ad-and-microsoft-endpoint/ba-p/2381400), the bulk token request is rejected, if the user requesting a bulk token isn't authorized to grant application consent. For more information, see [Configure how users consent to applications](/azure/active-directory/manage-apps/configure-user-consent).
> [!NOTE]
> When obtaining the bulk token, you should select "No, sign in to this app only" when prompted for authentication. If you select "OK" instead without also selecting "Allow my organization to manage my device", the bulk token request may be rejected.
> When obtaining the bulk token, you should select "No, sign in to this app only" when prompted for authentication. If you select "OK" instead without also selecting "Allow my organization to manage my device", the bulk token request might be rejected.
## Unable to apply a multivariant provisioning package
When applying a [multivariant package](/windows/configuration/provisioning-packages/provisioning-multivariant), it may be difficult to diagnose why a certain target did not get applied. There may have been improperly authored conditions that did not evaluate as expected.
When applying a [multivariant package](/windows/configuration/provisioning-packages/provisioning-multivariant), it might be difficult to diagnose why a certain target didn't get applied. There may have been improperly authored conditions that didn't evaluate as expected.
Starting in Windows 11, version 22H2, [MdmDiagnosticsTool](/windows/client-management/diagnose-mdm-failures-in-windows-10) includes multivariant condition values to diagnose problems with multivariant packages to determine why the package was not applied.
Starting in Windows 11, version 22H2, [MdmDiagnosticsTool](/windows/client-management/diagnose-mdm-failures-in-windows-10) includes multivariant condition values to diagnose problems with multivariant packages to determine why the package wasn't applied.
You can use the following PowerShell example to review the multivariant conditions in the `MDMDiagReport.xml` report:

7
windows/configuration/provisioning-packages/provisioning-install-icd.md
View File

@ -1,17 +1,10 @@
---
title: Install Windows Configuration Designer
description: Learn how to install and use Windows Configuration Designer so you can easily configure devices running Windows 10/11.
ms.prod: windows-client
author: lizgt2000
ms.author: lizlong
ms.topic: article
ms.localizationpriority: medium
ms.reviewer: kevinsheehan
manager: aaroncz
ms.collection:
- highpri
- tier2
ms.technology: itpro-configure
ms.date: 12/31/2017
---

7
windows/configuration/provisioning-packages/provisioning-packages.md
View File

@ -2,16 +2,9 @@
title: Provisioning packages overview
description: With Windows 10 and Windows 11, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. Learn about what provisioning packages, are and what they do.
ms.reviewer: kevinsheehan
manager: aaroncz
ms.prod: windows-client
author: lizgt2000
ms.author: lizlong
ms.topic: article
ms.localizationpriority: medium
ms.collection:
- highpri
- tier2
ms.technology: itpro-configure
ms.date: 12/31/2017
---

8
windows/configuration/set-up-shared-or-guest-pc.md
View File

@ -1,16 +1,12 @@
---
title: Set up a shared or guest Windows device
description: Description of how to configured Shared PC mode, which is a Windows feature that optimizes devices for shared use scenarios.
ms.date: 11/06/2023
ms.date: 11/08/2023
ms.prod: windows-client
ms.technology: itpro-configure
ms.topic: reference
ms.localizationpriority: medium
ms.topic: how-to
author: paolomatarazzo
ms.author: paoloma
ms.reviewer:
manager: aaroncz
ms.collection: tier2
appliesto:
-<b>Windows 10</b>
-<b>Windows 11</b>

18
windows/configuration/shared-devices-concepts.md
View File

@ -1,14 +1,10 @@
---
title: Manage multi-user and guest Windows devices
description: options to optimize Windows devices used in shared scenarios, such touchdown spaces in an enterprise, temporary customer use in retail or shared devices in a school.
ms.date: 08/18/2023
ms.prod: windows-client
ms.technology: itpro-configure
ms.date: 11/08/2023
ms.topic: concept-article
author: paolomatarazzo
ms.author: paoloma
manager: aaroncz
ms.collection: tier2
appliesto:
-<b>Windows 10</b>
-<b>Windows 11</b>
@ -61,12 +57,10 @@ Shared devices require special considerations regarding power settings. Shared P
- To learn how to configure Shared PC, see [Set up a shared or guest Windows device](set-up-shared-or-guest-pc.md).
- For a list of settings configured by the different options offered by Shared PC, see the [Shared PC technical reference](shared-pc-technical.md).
- For a list of settings exposed by the SharedPC configuration service provider, see [SharedPC CSP][WIN-3].
- For a list of settings exposed by Windows Configuration Designer, see [SharedPC CSP][WIN-4].
- For a list of settings exposed by the SharedPC configuration service provider, see [SharedPC CSP][WIN-1].
- For a list of settings exposed by Windows Configuration Designer, see [SharedPC CSP][WIN-2].
-----------
<!--links-->
[WIN-1]: /windows/configuration/provisioning-packages/provisioning-create-package
[WIN-2]: /windows/configuration/provisioning-packages/provisioning-apply-package
[WIN-3]: /windows/client-management/mdm/sharedpc-csp
[WIN-4]: /windows/configuration/wcd/wcd-sharedpc
[WIN-1]: /windows/client-management/mdm/sharedpc-csp
[WIN-2]: /windows/configuration/wcd/wcd-sharedpc

8
windows/configuration/shared-pc-technical.md
View File

@ -1,16 +1,10 @@
---
title: Shared PC technical reference
description: List of policies and settings applied by the Shared PC options.
ms.date: 11/06/2023
ms.prod: windows-client
ms.technology: itpro-configure
ms.date: 11/08/2023
ms.topic: reference
ms.localizationpriority: medium
author: paolomatarazzo
ms.author: paoloma
ms.reviewer:
manager: aaroncz
ms.collection: tier2
appliesto:
-<b>Windows 10</b>
-<b>Windows 11</b>

8
windows/configuration/stop-employees-from-using-microsoft-store.md
View File

@ -1,18 +1,10 @@
---
title: Configure access to Microsoft Store
description: Learn how to configure access to Microsoft Store for client computers and mobile devices in your organization.
ms.reviewer:
manager: aaroncz
ms.prod: windows-client
author: lizgt2000
ms.author: lizlong
ms.topic: conceptual
ms.localizationpriority: medium
ms.date: 11/29/2022
ms.collection:
- highpri
- tier2
ms.technology: itpro-configure
---
# Configure access to Microsoft Store

8
windows/configuration/windows-10-start-layout-options-and-policies.md
View File

@ -1,18 +1,10 @@
---
title: Customize and manage the Windows 10 Start and taskbar layout
description: On Windows devices, customize the start menu layout and taskbar using XML, group policy, provisioning package, or MDM policy. You can add pinned folders, add a start menu size, pin apps to the taskbar, and more.
ms.reviewer:
manager: aaroncz
ms.prod: windows-client
author: lizgt2000
ms.author: lizlong
ms.topic: article
ms.localizationpriority: medium
ms.date: 08/05/2021
ms.collection:
- highpri
- tier2
ms.technology: itpro-configure
---
# Customize the Start menu and taskbar layout on Windows 10 and later devices

7
windows/configuration/windows-spotlight.md
View File

@ -1,17 +1,10 @@
---
title: Configure Windows Spotlight on the lock screen
description: Windows Spotlight is an option for the lock screen background that displays different background images on the lock screen.
ms.reviewer:
manager: aaroncz
ms.prod: windows-client
author: lizgt2000
ms.author: lizlong
ms.topic: article
ms.localizationpriority: medium
ms.date: 04/30/2018
ms.collection:
- highpri
- tier2
ms.technology: itpro-configure
---

BIN
windows/deployment/do/images/assigning-ip-2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 6.6 KiB

BIN
windows/deployment/do/images/external-switch-1.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 30 KiB

BIN
windows/deployment/do/images/installation-complete-7.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 59 KiB

BIN
windows/deployment/do/images/installation-info-4.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 14 KiB

BIN
windows/deployment/do/images/memory-storage-5.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 14 KiB

BIN
windows/deployment/do/images/portal-installation-instructions-6.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 29 KiB

BIN
windows/deployment/do/images/use-custom-dns-3.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 7.6 KiB

129
windows/deployment/do/mcc-enterprise-deploy.md
View File

@ -13,7 +13,7 @@ appliesto:
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
-<a href=https://learn.microsoft.com/windows/deployment/do/waas-microsoft-connected-cache target=_blank>Microsoft Connected Cache for Enterprise and Education</a>
ms.date: 03/10/2023
ms.date: 11/09/2023
---
# Deploy your cache node
@ -29,7 +29,7 @@ To deploy MCC to your server:
1. [Create an MCC Node](#create-an-mcc-node-in-azure)
1. [Edit Cache Node Information](#edit-cache-node-information)
1. [Install MCC on a physical server or VM](#install-mcc-on-windows)
1. [Verify proper functioning MCC server](#verify-proper-functioning-mcc-server)
1. [Verify MCC functionality](#verify-mcc-server-functionality)
1. [Review common Issues](#common-issues) if needed.
For questions regarding these instructions contact [msconnectedcache@microsoft.com](mailto:msconnectedcache@microsoft.com)
@ -194,12 +194,15 @@ Installing MCC on your Windows device is a simple process. A PowerShell script p
> </br>
> </br> [D] Do not run **[R] Run once** [S] Suspend [?] Help (default is "D"):
1. Choose whether you would like to create a new virtual switch or select an existing one. Name your switch and select the Net Adapter to use for the switch. A computer restart will be required if you're creating a new switch.
1. Choose whether you would like to create a new external virtual switch or select an existing external virtual switch.
If creating a new external virtual switch, name your switch and be sure to choose a Local Area Connection (USB adapters work as well however, we do not recommend using Wi-Fi). A computer restart will be required if you're creating a new switch.
> [!NOTE]
> Restarting your computer after creating a switch is recommended. You'll notice network delays during installation if the computer has not been restarted.
If you restarted your computer after creating a switch, start from Step 2 above and skip step 5.
If you restarted your computer after creating a switch, start from step 2 above and skip to step 5.
If you opt to use an existing external switch, select the switch from the presented options. Local Area Connection (or USB) is preferable to Wi-Fi.
:::image type="content" source="./images/ent-mcc-script-new-switch.png" alt-text="Screenshot of the installer script running in PowerShell when a new switch is created." lightbox="./images/ent-mcc-script-new-switch.png":::
@ -207,34 +210,46 @@ Installing MCC on your Windows device is a simple process. A PowerShell script p
:::image type="content" source="./images/ent-mcc-script-existing-switch.png" alt-text="Screenshot of the installer script running in PowerShell when using an existing switch." lightbox="./images/ent-mcc-script-existing-switch.png":::
1. Decide whether you would like to use dynamic or static address for the Eflow VM
1. Decide whether you would like to use dynamic or static address for the Eflow VM. If you choose to use a static IP, do not use the IP address of the server. It is a VM, and it will have its own IP.
:::image type="content" source="./images/ent-mcc-script-dynamic-address.png" alt-text="Screenshot of the installer script running in PowerShell asking if you'd like to use a dynamic address." lightbox="./images/ent-mcc-script-dynamic-address.png":::
> [!NOTE]
> Choosing a dynamic IP address might assign a different IP address when the MCC restarts. A static IP address is recommended so you don't have to change this value in your management solution when MCC restarts.
1. Choose where you would like to download, install, and store the virtual hard disk for EFLOW. You'll also be asked how much memory, storage, and how many cores you would like to allocate for the VM. For this example, we chose the default values for all prompts.
1. Follow the Azure Device Login link and sign into the Azure portal.
:::image type="content" source="./images/ent-mcc-script-device-code.png" alt-text="Screenshot of the installer script running in PowerShell displaying the code and URL to use for the Azure portal." lightbox="./images/ent-mcc-script-device-code.png":::
1. If this is your first MCC deployment, select **n** so that a new IoT Hub can be created. If you have already configured MCC before, choose **y** so that your MCCs are grouped in the same IoT Hub.
The IP address you assign to the EFLOW VM should be within the same subnet as the host server (based on the subnet mask) and not used by any other machine on the network.
For example, for host configuration where the server IP Address is 192.168.1.202 and the subnet mask is 255.255.255.0, the static IP can be anything 192.168.1.* except 192.168.1.202.
<!-- Insert Image 1 & 2. Remove ent-mcc-script-dynamic-address.png image (it is replaced by image 2) -->
:::image type="content" source="./images/external-switch-1.jpg" alt-text="Screenshot of a sample output of ipconfig command showing example of subnet mask." lightbox="./images/external-switch-1.jpg":::
:::image type="content" source="./images/assigning-ip-2.png" alt-text="Screenshot of multiple installer questions about ipv4 address for Eflow." lightbox="./images/assigning-ip-2.png":::
If you would like to use your own DNS server instead of Google DNS 8.8.8.8, select **n** and set your own DNS server IP.
:::image type="content" source="./images/use-custom-dns-3.png" alt-text="Screenshot of multiple installer questions about setting an alternate DNS server." lightbox="./images/use-custom-dns-3.png":::
If you use a dynamic IP address, the DHCP server will automatically configure the IP address and DNS settings.
1. Choose where you would like to download, install, and store the virtual hard disk for EFLOW. You'll also be asked how much memory, storage, and how many cores you would like to allocate for the VM. For this example, we chose the default values for download path, install path, and virtual hard disk path.
<!-- Insert Image 4 -->
:::image type="content" source="./images/installation-info-4.png" alt-text="Screenshot of multiple installer questions about memory and storage for EFLOW." lightbox="./images/installation-info-4.png":::
For more information, see [Sizing Recommendations](mcc-enterprise-prerequisites.md#sizing-recommendations) for memory, virtual storage, and CPU cores. For this example we chose the recommend values for a Branch Office/Small Enterprise deployment.
<!-- Insert Image 5 -->
:::image type="content" source="./images/memory-storage-5.png" alt-text="Screenshot of multiple installer questions about memory and storage." lightbox="./images/memory-storage-5.png":::
<!-- Remove: If this is your first MCC deployment, select **n** so that a new IoT Hub can be created. If you have already configured MCC before, choose **y** so that your MCCs are grouped in the same IoT Hub.
1. You'll be shown a list of existing IoT Hubs in your Azure subscription. Enter the number corresponding to the IoT Hub to select it. **You'll likely have only 1 IoT Hub in your subscription, in which case you want to enter "1"**
:::image type="content" source="./images/ent-mcc-script-select-hub.png" alt-text="Screenshot of the installer script running in PowerShell prompting you to select which IoT Hub to use." lightbox="./images/ent-mcc-script-select-hub.png":::
-->
1. When the installation is complete, you should see the following output (the values below will be your own)
:::image type="content" source="./images/ent-mcc-script-complete.png" alt-text="Screenshot of the installer script displaying the completion summary in PowerShell." lightbox="./images/ent-mcc-script-complete.png":::
<!-- Insert Image 7 -->
:::image type="content" source="./images/installation-complete-7.png" alt-text="Screenshot of expected output when installation is complete." lightbox="./images/installation-complete-7.png":::
1. Your MCC deployment is now complete.
If you don't see any errors, continue to the next section to validate your MCC deployment. Your VM will not appear in Hyper-V Manager as it is an EFLOW VM.
- After validating your MCC is properly functional, review your management solution documentation, such as [Intune](/mem/intune/configuration/delivery-optimization-windows), to set the cache host policy to the IP address of your MCC.
- If you had errors during your deployment, see the [Common Issues](#common-issues) section in this article.
1. If you don't see any errors, continue to the next section to validate your MCC deployment. Your VM will not appear in Hyper-V Manager as it is an EFLOW VM.
1. After validating your MCC is properly functional, review your management solution documentation, such as [Intune](/mem/intune/configuration/delivery-optimization-windows), to set the cache host policy to the IP address of your MCC.
1. If you had errors during your deployment, see the [Common Issues](#common-issues) section in this article.
## Verify proper functioning MCC server
## Verify MCC server functionality
#### Verify client side
@ -251,14 +266,20 @@ Connect to the EFLOW VM and check if MCC is properly running:
:::image type="content" source="./images/ent-mcc-connect-eflowvm.png" alt-text="Screenshot of running connect-EflowVm, sudo -s, and iotedge list from PowerShell." lightbox="./images/ent-mcc-connect-eflowvm.png":::
You should see MCC, edgeAgent, and edgeHub running. If you see edgeAgent or edgeHub but not MCC, try this command in a few minutes. The MCC container can take a few minutes to deploy.
You should see MCC, edgeAgent, and edgeHub running. If you see edgeAgent or edgeHub but not MCC, try this command in a few minutes. The MCC container can take a few minutes to deploy. If iotedge list times out, you can run docker ps -a to list the running containers.
If the 3 containers are still not running, run the following commands to check if DNS resolution is working correctly:
```bash
ping www.microsoft.com
resolvectl query microsoft.com
```
See the [common issues](#common-issues) section for more information.
#### Verify server side
For a validation of properly functioning MCC, execute the following command in the EFLOW VM or any device in the network. Replace <CacheServerIP\> with the IP address of the cache server.
To validate that MCC is properly functioning, execute the following command in the EFLOW VM or any device in the network. Replace <CacheServerIP\> with the IP address of the cache server.
```powershell
wget [http://<CacheServerIP>/mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com]
wget http://<CacheServerIP>/mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com
```
A successful test result will display a status code of 200 along with additional information.
@ -319,3 +340,69 @@ This command will provide the current status of the starting, stopping of a cont
> [!NOTE]
> You should consult the IoT Edge troubleshooting guide ([Common issues and resolutions for Azure IoT Edge](/azure/iot-edge/troubleshoot)) for any issues you may encounter configuring IoT Edge, but we've listed a few issues that we encountered during our internal validation.
>
### DNS needs to be configured
Run the following IoT Edge install state check:
```bash
sudo iotedge check --verbose
```
If you see issues with ports 5671, 443, and 8883, your IoT Edge device needs to update the DNS for Docker.
To configure the device to work with your DNS, use the following steps:
1. Use `ifconfig` to find the appropriate NIC adapter name.
```bash
ifconfig
```
1. Run `nmcli device show <network adapter name>` to show the DNS name for the ethernet adapter. For example, to show DNS information for **eno1**:
```bash
nmcli device show eno1
```
:::image type="content" source="images/mcc-isp-nmcli.png" alt-text="Screenshot of a sample output of nmcli command to show network adapter information." lightbox="./images/mcc-isp-nmcli.png":::
1. Open or create the Docker configuration file used to configure the DNS server.
```bash
sudo nano /etc/docker/daemon.json
```
1. Paste the following string into the **daemon.json** file, and include the appropriate DNS server address. For example, in the previous screenshot, `IP4.DNS[1]` is `10.50.10.50`.
```bash
{ "dns": ["x.x.x.x"]}
```
1. Save the changes to daemon.json. If you need to change permissions on this file, use the following command:
```bash
sudo chmod 555 /etc/docker/daemon.json
```
1. Restart Docker to pick up the new DNS setting. Then restart IoT Edge.
```bash
sudo systemctl restart docker
sudo systemctl daemon-reload
sudo restart IoTEdge
```
### Resolve DNS issues
Follow these steps if you see a DNS error when trying to resolve hostnames during the provisioning or download of container:
Run ``` Get-EflowVmEndpoint ``` to get interface name
Once you get the name
```bash
Set-EflowVmDNSServers -vendpointName "interface name from above" -dnsServers @("DNS_IP_ADDRESS")
Stop-EflowVm
Start-EflowVm
```

9
windows/deployment/do/mcc-enterprise-update-uninstall.md
View File

@ -1,6 +1,6 @@
---
title: Update or uninstall MCC for Enterprise and Education
description: Details on how to update or uninstall Microsoft Connected Cache (MCC) for Enterprise and Education for your environment.
title: Uninstall MCC for Enterprise and Education
description: Details on how to uninstall Microsoft Connected Cache (MCC) for Enterprise and Education for your environment.
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: how-to
@ -18,6 +18,7 @@ appliesto:
ms.date: 10/12/2022
---
<!-- Customers will no longer update the private preview and instead install public preview
# Update or uninstall Microsoft Connected Cache for Enterprise and Education
Throughout the preview phase, we'll send you security and feature updates for MCC. Follow these steps to perform the update.
@ -35,8 +36,8 @@ For example:
```powershell
# .\updatemcc.ps1 version="msconnectedcacheprod.azurecr.io/mcc/linux/iot/mcc-ubuntu-iot-amd64:1.2.1.659" tenantid="799a999aa-99a1-99aa-99aa-9a9aa099db99" customerid="99a999aa-99a1-99aa-99aa-9aaa9aaa0saa" cachenodeid=" aa99aaaa-999a-9aas-99aa99daaa99 " customerkey="a99d999a-aaaa-aa99-0999aaaa99a"
```
## Uninstall MCC
-->
# Uninstall MCC
Please contact the MCC Team before uninstalling to let us know if you're facing issues.

1
windows/hub/index.yml
View File

@ -10,7 +10,6 @@ metadata:
ms.topic: hub-page
ms.prod: windows-client
ms.collection:
- highpri
- tier1
author: paolomatarazzo
ms.author: paoloma

3
windows/security/application-security/application-control/user-account-control/how-it-works.md
View File

@ -1,9 +1,6 @@
---
title: How User Account Control works
description: Learn about User Account Control (UAC) components and how it interacts with the end users.
ms.collection:
- highpri
- tier2
ms.topic: concept-article
ms.date: 05/24/2023
---

3
windows/security/application-security/application-control/user-account-control/index.md
View File

@ -1,9 +1,6 @@
---
title: User Account Control
description: Learn how User Account Control (UAC) helps to prevent unauthorized changes to Windows devices.
ms.collection:
- highpri
- tier2
ms.topic: overview
ms.date: 05/24/2023
---

1
windows/security/application-security/application-control/windows-defender-application-control/applocker/applocker-overview.md
View File

@ -2,7 +2,6 @@
title: AppLocker
description: This article provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies.
ms.collection:
- highpri
- tier3
- must-keep
ms.topic: conceptual

1
windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules.md
View File

@ -3,7 +3,6 @@ title: Microsoft recommended driver block rules
description: View a list of recommended block rules to block vulnerable third-party drivers discovered by Microsoft and the security research community.
ms.localizationpriority: medium
ms.collection:
- highpri
- tier3
- must-keep
ms.date: 06/06/2023

1
windows/security/application-security/application-control/windows-defender-application-control/wdac.md
View File

@ -3,7 +3,6 @@ title: Application Control for Windows
description: Application Control restricts which applications users are allowed to run and the code that runs in the system core.
ms.localizationpriority: medium
ms.collection:
- highpri
- tier3
- must-keep
ms.date: 08/30/2023

3
windows/security/application-security/application-isolation/microsoft-defender-application-guard/install-md-app-guard.md
View File

@ -3,9 +3,6 @@ title: Enable hardware-based isolation for Microsoft Edge
description: Learn about the Microsoft Defender Application Guard modes (Standalone or Enterprise-managed), and how to install Application Guard in your enterprise.
ms.date: 07/11/2023
ms.topic: how-to
ms.collection:
- highpri
- tier2
---
# Prepare to install Microsoft Defender Application Guard

4
windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview.md
View File

@ -1,11 +1,7 @@
---
title: Microsoft Defender Application Guard
description: Learn about Microsoft Defender Application Guard and how it helps combat malicious content and malware out on the Internet.
ms.localizationpriority: medium
ms.date: 07/11/2023
ms.collection:
- highpri
- tier2
ms.topic: conceptual
---

3
windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
View File

@ -1,9 +1,6 @@
---
title: Windows Sandbox configuration
description: Windows Sandbox configuration
ms.collection:
- highpri
- tier2
ms.topic: article
ms.date: 05/25/2023
---

3
windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md
View File

@ -1,9 +1,6 @@
---
title: Windows Sandbox
description: Windows Sandbox overview
ms.collection:
- highpri
- tier2
ms.topic: article
ms.date: 05/25/2023
---

14
windows/security/docfx.json
View File

@ -91,9 +91,7 @@
"operating-system-security/data-protection/**/*.md": "paolomatarazzo",
"operating-system-security/data-protection/**/*.yml": "paolomatarazzo",
"operating-system-security/network-security/**/*.md": "paolomatarazzo",
"operating-system-security/network-security/**/*.yml": "paolomatarazzo",
"operating-system-security/network-security/windows-firewall/**/*.md": "ngangulyms",
"operating-system-security/network-security/windows-firewall/**/*.yml": "ngangulyms"
"operating-system-security/network-security/**/*.yml": "paolomatarazzo"
},
"ms.author":{
"application-security//**/*.md": "vinpa",
@ -111,9 +109,7 @@
"operating-system-security/data-protection/**/*.md": "paoloma",
"operating-system-security/data-protection/**/*.yml": "paoloma",
"operating-system-security/network-security/**/*.md": "paoloma",
"operating-system-security/network-security/**/*.yml": "paoloma",
"operating-system-security/network-security/windows-firewall/*.md": "nganguly",
"operating-system-security/network-security/windows-firewall/*.yml": "nganguly"
"operating-system-security/network-security/**/*.yml": "paoloma"
},
"appliesto": {
"application-security//**/*.md": [
@ -220,20 +216,18 @@
"identity-protection/access-control/*.md": "sulahiri",
"identity-protection/smart-cards/*.md": "ardenw",
"identity-protection/virtual-smart-cards/*.md": "ardenw",
"operating-system-security/network-security/windows-firewall/*.md": "paoloma",
"operating-system-security/network-security/windows-firewall/*.md": "nganguly",
"operating-system-security/network-security/vpn/*.md": "pesmith",
"operating-system-security/data-protection/personal-data-encryption/*.md":"rhonnegowda",
"operating-system-security/device-management/windows-security-configuration-framework/*.md": "jmunck"
},
"ms.collection": {
"application-security/application-control/windows-defender-application-control/**/*.md": [ "tier3", "must-keep" ],
"identity-protection/hello-for-business/*.md": "tier1",
"information-protection/pluton/*.md": "tier1",
"information-protection/tpm/*.md": "tier1",
"threat-protection/auditing/*.md": "tier3",
"operating-system-security/data-protection/bitlocker/*.md": "tier1",
"operating-system-security/data-protection/personal-data-encryption/*.md": "tier1",
"operating-system-security/network-security/windows-firewall/*.md": [ "tier2", "must-keep" ]
"operating-system-security/data-protection/personal-data-encryption/*.md": "tier1"
}
},
"template": [],

4
windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md
View File

@ -1,10 +1,6 @@
---
title: Enable memory integrity
description: This article explains the steps to opt in to using memory integrity on Windows devices.
ms.localizationpriority: medium
ms.collection:
- highpri
- tier2
ms.topic: conceptual
ms.date: 03/16/2023
appliesto:

1
windows/security/hardware-security/kernel-dma-protection-for-thunderbolt.md
View File

@ -2,7 +2,6 @@
title: Kernel DMA Protection
description: Learn how Kernel DMA Protection protects Windows devices against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices.
ms.collection:
- highpri
- tier1
ms.topic: conceptual
ms.date: 07/31/2023

1
windows/security/hardware-security/tpm/initialize-and-configure-ownership-of-the-tpm.md
View File

@ -4,7 +4,6 @@ description: Learn how to view and troubleshoot the Trusted Platform Module (TPM
ms.topic: conceptual
ms.date: 02/02/2023
ms.collection:
- highpri
- tier1
---

1
windows/security/hardware-security/tpm/tpm-recommendations.md
View File

@ -4,7 +4,6 @@ description: This topic provides recommendations for Trusted Platform Module (TP
ms.topic: conceptual
ms.date: 02/02/2023
ms.collection:
- highpri
- tier1
---

1
windows/security/hardware-security/tpm/trusted-platform-module-overview.md
View File

@ -4,7 +4,6 @@ description: Learn about the Trusted Platform Module (TPM) and how Windows uses
ms.topic: conceptual
ms.date: 02/22/2023
ms.collection:
- highpri
- tier1
---

2
windows/security/hardware-security/tpm/trusted-platform-module-services-group-policy-settings.md
View File

@ -134,4 +134,4 @@ If you don't want users to see the recommendation to update TPM firmware, you ca
- [Trusted Platform Module](trusted-platform-module-top-node.md)
- [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule/?view=win10-ps&preserve-view=true)
- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](../../operating-system-security/data-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md)
- [BitLocker planning guide](../../operating-system-security/data-protection/bitlocker/planning-guide.md)

1
windows/security/hardware-security/tpm/trusted-platform-module-top-node.md
View File

@ -4,7 +4,6 @@ description: This topic for the IT professional provides links to information ab
ms.topic: conceptual
ms.date: 02/02/2023
ms.collection:
- highpri
- tier1
---

3
windows/security/identity-protection/credential-guard/configure.md
View File

@ -2,9 +2,6 @@
title: Configure Credential Guard
description: Learn how to configure Credential Guard using MDM, Group Policy, or the registry.
ms.date: 08/31/2023
ms.collection:
- highpri
- tier2
ms.topic: how-to
---

3
windows/security/identity-protection/credential-guard/index.md
View File

@ -3,9 +3,6 @@ title: Credential Guard overview
description: Learn about Credential Guard and how it isolates secrets so that only privileged system software can access them.
ms.date: 08/31/2023
ms.topic: overview
ms.collection:
- highpri
- tier1
---
# Credential Guard overview

3
windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
View File

@ -1,9 +1,6 @@
---
title: Configure Windows Hello for Business Policy settings in an on-premises certificate trust
description: Configure Windows Hello for Business Policy settings for Windows Hello for Business in an on-premises certificate trust scenario
ms.collection:
- highpri
- tier1
ms.date: 09/07/2023
ms.topic: tutorial
---

2
windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md
View File

@ -1,8 +1,6 @@
---
title: Deploy certificates for remote desktop sign-in
description: Learn how to deploy certificates to cloud Kerberos trust and key trust users, to enable remote desktop sign-in with supplied credentials.
ms.collection:
- tier1
ms.topic: how-to
ms.date: 07/25/2023
---

3
windows/security/identity-protection/hello-for-business/hello-faq.yml
View File

@ -4,9 +4,6 @@ metadata:
description: Use these frequently asked questions (FAQ) to learn important details about Windows Hello for Business.
author: paolomatarazzo
ms.author: paoloma
ms.collection:
- highpri
- tier1
ms.topic: faq
ms.date: 08/03/2023

3
windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
View File

@ -1,9 +1,6 @@
---
title: PIN reset
description: Learn how Microsoft PIN reset service enables your users to recover a forgotten Windows Hello for Business PIN.
ms.collection:
- highpri
- tier1
ms.date: 08/15/2023
ms.topic: how-to
---

2
windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md
View File

@ -3,8 +3,6 @@ title: Remote Desktop
description: Learn how Windows Hello for Business supports using biometrics with remote desktop
ms.date: 09/01/2023
ms.topic: conceptual
ms.collection:
- tier1
---
# Remote Desktop

2
windows/security/identity-protection/hello-for-business/hello-identity-verification.md
View File

@ -3,8 +3,6 @@ ms.date: 10/09/2023
title: Windows Hello for Business Deployment Prerequisite Overview
description: Overview of all the different infrastructure requirements for Windows Hello for Business deployment models
ms.topic: overview
ms.collection:
- tier1
appliesto:
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
-<a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>

3
windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
View File

@ -1,9 +1,6 @@
---
title: Manage Windows Hello in your organization
description: Learn how to create a Group Policy or mobile device management (MDM) policy to configure and deploy Windows Hello for Business.
ms.collection:
- highpri
- tier1
ms.date: 9/25/2023
ms.topic: reference
---

3
windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md
View File

@ -1,9 +1,6 @@
---
title: Why a PIN is better than an online password
description: Windows Hello enables users to sign in to their devices using a PIN. Learn how is a PIN different from (and better than) an online password.
ms.collection:
- highpri
- tier1
ms.date: 03/15/2023
ms.topic: conceptual
---

3
windows/security/identity-protection/hello-for-business/index.md
View File

@ -1,9 +1,6 @@
---
title: Windows Hello for Business Overview
description: Learn how Windows Hello for Business replaces passwords with strong two-factor authentication on Windows devices.
ms.collection:
- highpri
- tier1
ms.topic: overview
ms.date: 04/24/2023
---

1
windows/security/identity-protection/passkeys/index.md
View File

@ -2,7 +2,6 @@
title: Support for passkeys in Windows
description: Learn about passkeys and how to use them on Windows devices.
ms.collection:
- highpri
- tier1
ms.topic: overview
ms.date: 11/07/2023

1
windows/security/identity-protection/passwordless-experience/index.md
View File

@ -2,7 +2,6 @@
title: Windows passwordless experience
description: Learn how Windows passwordless experience enables your organization to move away from passwords.
ms.collection:
- highpri
- tier1
ms.date: 09/27/2023
ms.topic: how-to

3
windows/security/identity-protection/remote-credential-guard.md
View File

@ -1,9 +1,6 @@
---
title: Remote Credential Guard
description: Learn how Remote Credential Guard helps to secure Remote Desktop credentials by never sending them to the target device.
ms.collection:
- highpri
- tier1
ms.topic: how-to
ms.date: 09/06/2023
appliesto:

1
windows/security/identity-protection/web-sign-in/index.md
View File

@ -6,7 +6,6 @@ ms.topic: how-to
appliesto:
-<a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
ms.collection:
- highpri
- tier1
---

1
windows/security/index.yml
View File

@ -9,7 +9,6 @@ metadata:
ms.prod: windows-client
ms.technology: itpro-security
ms.collection:
- highpri
- tier1
author: paolomatarazzo
ms.author: paoloma

2
windows/security/licensing-and-edition-requirements.md
View File

@ -1,8 +1,6 @@
---
title: Windows security features licensing and edition requirements
description: Learn about Windows licensing and edition requirements for the features included in Windows.
ms.collection:
- tier2
ms.topic: conceptual
ms.date: 06/15/2023
appliesto:

4
windows/security/operating-system-security/data-protection/bitlocker/faq.yml
View File

@ -1,9 +1,7 @@
### YamlMime:FAQ
metadata:
title: BitLocker FAQ
description: Learn more about BitLocker by reviewing the frequently asked questions.
ms.collection:
- tier1
description: Learn more about BitLocker by reviewing the frequently asked questions.
ms.topic: faq
ms.date: 10/30/2023
title: BitLocker FAQ

3
windows/security/operating-system-security/data-protection/bitlocker/index.md
View File

@ -1,9 +1,6 @@
---
title: BitLocker overview
description: Learn about BitLocker practical applications and requirements.
ms.collection:
- highpri
- tier1
ms.topic: overview
ms.date: 10/30/2023
---

2
windows/security/operating-system-security/data-protection/bitlocker/operations-guide.md
View File

@ -1,8 +1,6 @@
---
title: BitLocker operations guide
description: Learn how to use different tools to manage and operate BitLocker.
ms.collection:
- tier1
ms.topic: how-to
ms.date: 10/30/2023
---

3
windows/security/operating-system-security/data-protection/bitlocker/preboot-recovery-screen.md
View File

@ -1,9 +1,6 @@
---
title: BitLocker preboot recovery screen
description: Learn about the information displayed in the BitLocker preboot recovery screen, depending on configured policy settings and recovery keys status.
ms.collection:
- highpri
- tier1
ms.topic: concept-article
ms.date: 10/30/2023
---

3
windows/security/operating-system-security/data-protection/bitlocker/recovery-overview.md
View File

@ -1,9 +1,6 @@
---
title: BitLocker recovery overview
description: Learn about BitLocker recovery scenarios, recovery options, and how to determine root cause of failed automatic unlocks.
ms.collection:
- highpri
- tier1
ms.topic: how-to
ms.date: 10/30/2023
---

3
windows/security/operating-system-security/data-protection/bitlocker/recovery-process.md
View File

@ -1,9 +1,6 @@
---
title: BitLocker recovery process
description: Learn how to obtain BitLocker recovery information for Microsoft Entra joined, Microsoft Entra hybrid joined, and Active Directory joined devices, and how to restore access to a locked drive.
ms.collection:
- highpri
- tier1
ms.topic: how-to
ms.date: 10/30/2023
---

4
windows/security/operating-system-security/device-management/windows-security-configuration-framework/security-compliance-toolkit-10.md
View File

@ -1,10 +1,6 @@
---
title: Microsoft Security Compliance Toolkit Guide
description: This article describes how to use Security Compliance Toolkit in your organization.
ms.localizationpriority: medium
ms.collection:
- highpri
- tier3
ms.topic: conceptual
ms.date: 10/31/2023
---

4
windows/security/operating-system-security/device-management/windows-security-configuration-framework/windows-security-baselines.md
View File

@ -1,10 +1,6 @@
---
title: Security baselines guide
description: Learn how to use security baselines in your organization.
ms.localizationpriority: medium
ms.collection:
- highpri
- tier3
ms.topic: conceptual
ms.date: 07/11/2023
---

4
windows/security/operating-system-security/network-security/toc.yml
View File

@ -7,8 +7,8 @@ items:
href: https://support.microsoft.com/windows/faster-and-more-secure-wi-fi-in-windows-26177a28-38ed-1a8e-7eca-66f24dc63f09
- name: Extensible Authentication Protocol (EAP) for network access
href: /windows-server/networking/technologies/extensible-authentication-protocol/network-access
- name: Windows Firewall 🔗
href: windows-firewall/windows-firewall-with-advanced-security.md
- name: Windows Firewall
href: windows-firewall/toc.yml
- name: Virtual Private Network (VPN)
href: vpn/toc.yml
- name: Always On VPN 🔗

252
windows/security/operating-system-security/network-security/windows-firewall/TOC.yml
View File

@ -1,252 +0,0 @@
items:
- name: Overview
href: windows-firewall-with-advanced-security.md
- name: Plan deployment
items:
- name: Design guide
href: windows-firewall-with-advanced-security-design-guide.md
- name: Design process
href: understanding-the-windows-firewall-with-advanced-security-design-process.md
- name: Implementation goals
items:
- name: Identify implementation goals
href: identifying-your-windows-firewall-with-advanced-security-deployment-goals.md
- name: Protect devices from unwanted network traffic
href: protect-devices-from-unwanted-network-traffic.md
- name: Restrict access to only trusted devices
href: restrict-access-to-only-trusted-devices.md
- name: Require encryption
href: require-encryption-when-accessing-sensitive-network-resources.md
- name: Restrict access
href: restrict-access-to-only-specified-users-or-devices.md
- name: Implementation designs
items:
- name: Mapping goals to a design
href: mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md
- name: Basic firewall design
href: basic-firewall-policy-design.md
items:
- name: Basic firewall design example
href: firewall-policy-design-example.md
- name: Domain isolation design
href: domain-isolation-policy-design.md
items:
- name: Domain isolation design example
href: domain-isolation-policy-design-example.md
- name: Server isolation design
href: server-isolation-policy-design.md
items:
- name: Server Isolation design example
href: server-isolation-policy-design-example.md
- name: Certificate-based isolation design
href: certificate-based-isolation-policy-design.md
items:
- name: Certificate-based Isolation design example
href: certificate-based-isolation-policy-design-example.md
- name: Design planning
items:
- name: Planning your design
href: planning-your-windows-firewall-with-advanced-security-design.md
- name: Planning settings for a basic firewall policy
href: planning-settings-for-a-basic-firewall-policy.md
- name: Planning domain isolation zones
items:
- name: Domain isolation zones
href: planning-domain-isolation-zones.md
- name: Exemption list
href: exemption-list.md
- name: Isolated domain
href: isolated-domain.md
- name: Boundary zone
href: boundary-zone.md
- name: Encryption zone
href: encryption-zone.md
- name: Planning server isolation zones
href: planning-server-isolation-zones.md
- name: Planning certificate-based authentication
href: planning-certificate-based-authentication.md
items:
- name: Documenting the Zones
href: documenting-the-zones.md
- name: Planning group policy deployment for your isolation zones
href: planning-group-policy-deployment-for-your-isolation-zones.md
items:
- name: Planning isolation groups for the zones
href: planning-isolation-groups-for-the-zones.md
- name: Planning network access groups
href: planning-network-access-groups.md
- name: Planning the GPOs
href: planning-the-gpos.md
items:
- name: Firewall GPOs
href: firewall-gpos.md
items:
- name: GPO_DOMISO_Firewall
href: gpo-domiso-firewall.md
- name: Isolated domain GPOs
href: isolated-domain-gpos.md
items:
- name: GPO_DOMISO_IsolatedDomain_Clients
href: gpo-domiso-isolateddomain-clients.md
- name: GPO_DOMISO_IsolatedDomain_Servers
href: gpo-domiso-isolateddomain-servers.md
- name: Boundary zone GPOs
href: boundary-zone-gpos.md
items:
- name: GPO_DOMISO_Boundary
href: gpo-domiso-boundary.md
- name: Encryption zone GPOs
href: encryption-zone-gpos.md
items:
- name: GPO_DOMISO_Encryption
href: gpo-domiso-encryption.md
- name: Server isolation GPOs
href: server-isolation-gpos.md
- name: Planning GPO deployment
href: planning-gpo-deployment.md
- name: Planning to deploy
href: planning-to-deploy-windows-firewall-with-advanced-security.md
- name: Deployment guide
items:
- name: Deployment overview
href: windows-firewall-with-advanced-security-deployment-guide.md
- name: Implementing your plan
href: implementing-your-windows-firewall-with-advanced-security-design-plan.md
- name: Basic firewall deployment
items:
- name: "Checklist: Implementing a basic firewall policy design"
href: checklist-implementing-a-basic-firewall-policy-design.md
- name: Domain isolation deployment
items:
- name: "Checklist: Implementing a Domain Isolation Policy Design"
href: checklist-implementing-a-domain-isolation-policy-design.md
- name: Server isolation deployment
items:
- name: "Checklist: Implementing a Standalone Server Isolation Policy Design"
href: checklist-implementing-a-standalone-server-isolation-policy-design.md
- name: Certificate-based authentication
items:
- name: "Checklist: Implementing a Certificate-based Isolation Policy Design"
href: checklist-implementing-a-certificate-based-isolation-policy-design.md
- name: Best practices
items:
- name: Configuring the firewall
href: best-practices-configuring.md
- name: Securing IPsec
href: securing-end-to-end-ipsec-connections-by-using-ikev2.md
- name: PowerShell
href: windows-firewall-with-advanced-security-administration-with-windows-powershell.md
- name: Isolating Microsoft Store Apps on Your Network
href: isolating-apps-on-your-network.md
- name: How-to
items:
- name: Add Production devices to the membership group for a zone
href: add-production-devices-to-the-membership-group-for-a-zone.md
- name: Add test devices to the membership group for a zone
href: add-test-devices-to-the-membership-group-for-a-zone.md
- name: Assign security group filters to the GPO
href: assign-security-group-filters-to-the-gpo.md
- name: Change rules from request to require mode
href: Change-Rules-From-Request-To-Require-Mode.Md
- name: Configure authentication methods
href: Configure-authentication-methods.md
- name: Configure data protection (Quick Mode) settings
href: configure-data-protection-quick-mode-settings.md
- name: Configure Group Policy to autoenroll and deploy certificates
href: configure-group-policy-to-autoenroll-and-deploy-certificates.md
- name: Configure key exchange (main mode) settings
href: configure-key-exchange-main-mode-settings.md
- name: Configure the rules to require encryption
href: configure-the-rules-to-require-encryption.md
- name: Configure the Windows Firewall log
href: configure-the-windows-firewall-log.md
- name: Configure the workstation authentication certificate template
href: configure-the-workstation-authentication-certificate-template.md
- name: Configure Windows Firewall to suppress notifications when a program is blocked
href: configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md
- name: Confirm that certificates are deployed correctly
href: confirm-that-certificates-are-deployed-correctly.md
- name: Copy a GPO to create a new GPO
href: copy-a-gpo-to-create-a-new-gpo.md
- name: Create a Group Account in Active Directory
href: create-a-group-account-in-active-directory.md
- name: Create a Group Policy Object
href: create-a-group-policy-object.md
- name: Create an authentication exemption list rule
href: create-an-authentication-exemption-list-rule.md
- name: Create an authentication request rule
href: create-an-authentication-request-rule.md
- name: Create an inbound ICMP rule
href: create-an-inbound-icmp-rule.md
- name: Create an inbound port rule
href: create-an-inbound-port-rule.md
- name: Create an inbound program or service rule
href: create-an-inbound-program-or-service-rule.md
- name: Create an outbound port rule
href: create-an-outbound-port-rule.md
- name: Create an outbound program or service rule
href: create-an-outbound-program-or-service-rule.md
- name: Create inbound rules to support RPC
href: create-inbound-rules-to-support-rpc.md
- name: Create WMI filters for the GPO
href: create-wmi-filters-for-the-gpo.md
- name: Create Windows Firewall rules in Intune
href: create-windows-firewall-rules-in-intune.md
- name: Enable predefined inbound rules
href: enable-predefined-inbound-rules.md
- name: Enable predefined outbound rules
href: enable-predefined-outbound-rules.md
- name: Exempt ICMP from authentication
href: exempt-icmp-from-authentication.md
- name: Link the GPO to the domain
href: link-the-gpo-to-the-domain.md
- name: Modify GPO filters
href: modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md
- name: Open IP security policies
href: open-the-group-policy-management-console-to-ip-security-policies.md
- name: Open Group Policy
href: open-the-group-policy-management-console-to-windows-firewall.md
- name: Open Group Policy
href: open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md
- name: Open Windows Firewall
href: open-windows-firewall-with-advanced-security.md
- name: Restrict server access
href: restrict-server-access-to-members-of-a-group-only.md
- name: Enable Windows Firewall
href: turn-on-windows-firewall-and-configure-default-behavior.md
- name: Verify Network Traffic
href: verify-that-network-traffic-is-authenticated.md
- name: References
items:
- name: "Checklist: Creating Group Policy objects"
href: checklist-creating-group-policy-objects.md
- name: "Checklist: Creating inbound firewall rules"
href: checklist-creating-inbound-firewall-rules.md
- name: "Checklist: Creating outbound firewall rules"
href: checklist-creating-outbound-firewall-rules.md
- name: "Checklist: Configuring basic firewall settings"
href: checklist-configuring-basic-firewall-settings.md
- name: "Checklist: Configuring rules for the isolated domain"
href: checklist-configuring-rules-for-the-isolated-domain.md
- name: "Checklist: Configuring rules for the boundary zone"
href: checklist-configuring-rules-for-the-boundary-zone.md
- name: "Checklist: Configuring rules for the encryption zone"
href: checklist-configuring-rules-for-the-encryption-zone.md
- name: "Checklist: Configuring rules for an isolated server zone"
href: checklist-configuring-rules-for-an-isolated-server-zone.md
- name: "Checklist: Configuring rules for servers in a standalone isolated server zone"
href: checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md
- name: "Checklist: Creating rules for clients of a standalone isolated server zone"
href: checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md
- name: "Appendix A: Sample GPO template files for settings used in this guide"
href: appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md
- name: Troubleshooting
items:
- name: Troubleshooting UWP app connectivity issues in Windows Firewall
href: troubleshooting-uwp-firewall.md
- name: Filter origin audit log improvements
href: filter-origin-documentation.md
- name: Quarantine behavior
href: quarantine.md
- name: Firewall settings lost on upgrade
href: firewall-settings-lost-on-upgrade.md

77
windows/security/operating-system-security/network-security/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md
View File

@ -1,77 +0,0 @@
---
title: Add Production Devices to the Membership Group for a Zone
description: Learn how to add production devices to the membership group for a zone and refresh the group policy on the devices in the membership group.
ms.prod: windows-client
ms.topic: conceptual
ms.date: 09/07/2021
---
# Add Production Devices to the Membership Group for a Zone
After you test the GPOs for your design on a small set of devices, you can deploy them to the production devices.
**Caution**  
For GPOs that contain connection security rules that prevent unauthenticated connections, ensure you set the rules to request, not require, authentication during testing. After you deploy the GPO and confirm that all of your devices are successfully communicating by using authenticated IPsec, then you can modify the GPO to require authentication. Don't change the boundary zone GPO to require mode.
The method discussed in this guide uses the **Domain Computers** built-in group. The advantage of this method is that all new devices that are joined to the domain automatically receive the isolated domain GPO. To define this setting successfully, you must make sure that the WMI filters and security group filters exclude devices that must not receive the GPOs. Use device groups that deny both read and apply Group Policy permissions to the GPOs, such as a group used in the CG\_DOMISO\_NOIPSEC example design. Devices that are members of some zones must also be excluded from applying the GPOs for the main isolated domain. For more information, see the "Prevent members of a group from applying a GPO" section in [Assign Security Group Filters to the GPO](assign-security-group-filters-to-the-gpo.md).
Without such a group (or groups), you must either add devices individually or use the groups containing device accounts that are available to you.
**Administrative credentials**
To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the membership of the group for the GPO.
In this topic:
- [Add the group Domain Devices to the GPO membership group](#to-add-domain-devices-to-the-gpo-membership-group)
- [Refresh Group Policy on the devices in the membership group](#to-refresh-group-policy-on-a-device)
- [Check which GPOs apply to a device](#to-see-which-gpos-are-applied-to-a-device)
## To add domain devices to the GPO membership group
1. Open Active Directory Users and Computers.
2. In the navigation pane, expand **Active Directory Users and Computers**, expand *YourDomainName*, and then the container in which you created the membership group.
3. In the details pane, double-click the GPO membership group to which you want to add computers.
4. Select the **Members** tab, and then click **Add**.
5. Type **Domain Computers** in the text box, and then click **OK**.
6. Click **OK** to close the group properties dialog box.
After a computer is a member of the group, you can force a Group Policy refresh on the computer.
## To refresh Group Policy on a device
From an elevated command prompt, type the following command:
``` syntax
gpupdate /target:computer /force
```
After Group Policy is refreshed, you can see which GPOs are currently applied to the computer.
## To see which GPOs are applied to a device
From an elevated command prompt, type the following command:
``` syntax
gpresult /r /scope:computer
```

Some files were not shown because too many files have changed in this diff Show More