deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-18 20:03:40 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'main' into patch-3

Browse Source
This commit is contained in:
Stephanie Savell
2023-06-23 17:13:28 -05:00
committed by GitHub
parent 704fb24113 871c6a45d5
commit 3aad8e30af
37 changed files with 1040 additions and 145 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
education/windows/toc.yml
View File

@ -6,6 +6,8 @@ items:
items:
- name: Deploy and manage Windows devices in a school
href: tutorial-school-deployment/toc.yml
- name: Deploy applications to Windows 11 SE
href: tutorial-deploy-apps-winse/toc.yml
- name: Concepts
items:
- name: Windows 11 SE

53
education/windows/tutorial-deploy-apps-winse/considerations.md Normal file
View File

@ -0,0 +1,53 @@
---
title: Important considerations before deploying apps with managed installer
description: Learn about important aspects to consider before deploying apps with managed installer.
ms.date: 06/19/2023
ms.topic: tutorial
appliesto:
-<a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE, version 22H2 and later</a>
---
# Important considerations before deploying apps with Managed Installer
This article describes important aspects to consider before deploying apps with managed installer.
## Existing apps deployed in Intune
If you have Windows 11 SE devices that already have apps deployed through Intune, the apps won't get retroactively tagged with the *managed installer* mark. You may need to redeploy the apps through Intune to get them properly tagged with managed installer and allowed to run.
## Enrollment Status Page
The Enrollment Status Page (ESP) is compatible with Windows 11 SE. However, due to the Windows 11 SE base policy, devices can be blocked from completing enrollment if:
1. You have the ESP configured to block device use until required apps are installed, and
2. You deploy an app that is blocked by the Windows 11 SE base policy, not installable via a managed installer (without more policies), and not allowed by any supplemental policies or AppLocker policies
<!--
For example, if you deploy a UWP LOB app but haven't deployed a supplemental policy to allow the app, ESP will fail.-->
If you choose to block device use on the installation of apps, you must ensure that apps are also not blocked from installation.
:::image type="content" source="./images/esp-error.png" alt-text="Screenshot of the Enrollment Status Page showing an error in OOBE on Windows 11 SE." border="false":::
### ESP errors mitigation
To ensure that you don't run into installation or enrollment blocks, you can pick one of the following options, in accordance with your internal policies:
1. Ensure that all apps are unblocked from installation. Apps must be compatible with the Windows 11 SE managed installer flow, and if they aren't compatible out-of-box, have the corresponding supplemental policy to allow them
2. Don't deploy apps that you haven't validated
3. Set your Enrollment Status Page configuration to not block device use based on required apps
To learn more about the ESP, see [Set up the Enrollment Status Page][MEM-1].
## Potential impact to events collected by Log Analytics integrations
Log Analytics is a cloud service that can be used to collect data from AppLocker policy events. Windows 11 SE devices enrolled in an Intune Education tenant will automatically receive an AppLocker policy. The result is an increase in events generated by the AppLocker policy.
If your organization is using Log Analytics, it's recommended to review your Log Analytics setup to:
- Ensure there's an appropriate data collection cap in place to avoid unexpected billing costs
- Turn off the collection of non-error AppLocker events in Log Analytics, except for MSI and Script logs
For more information, see [Use Event Viewer with AppLocker][WIN-1]
[MEM-1]: /mem/intune/enrollment/windows-enrollment-status
[WIN-1]: /windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker

210
education/windows/tutorial-deploy-apps-winse/create-policies.md Normal file
View File

@ -0,0 +1,210 @@
---
title: Create policies to enable applications
description: Learn how to create policies to enable the installation and execution of apps on Windows SE.
ms.date: 06/19/2023
ms.topic: tutorial
appliesto:
-<a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE, version 22H2 and later</a>
---
# Create policies to enable applications
:::row:::
:::column span="":::
<a href="deploy-apps.md"><img src="images/phase-1-off.svg" alt="Icon representing the first phase."/></a><br>
[**Deploy an application via Microsoft Intune**](deploy-apps.md)
:::column-end:::
:::column span="":::
<a href="validate-apps.md"><img src="images/phase-2-off.svg" alt="Icon representing the second phase."/></a><br>
[**Validate the application**](validate-apps.md)
:::column-end:::
:::column span="":::
<a href="create-policies.md"><img src="images/phase-3-on.svg" alt="Icon representing the third phase."/></a><br>
[**Create additional policies 2 (optional)**](create-policies.md)
:::column-end:::
:::row-end:::
You can create AppLocker policies to allow apps that are [semi-compatible](./validate-apps.md#semi-compatible-apps) or [incompatible](./validate-apps.md#incompatible-apps) with the managed installer to run.
<!--
You can create policies to allow applications that are [semi-compatible](./validate-apps.md#semi-compatible-apps) or [incompatible](./validate-apps.md#incompatible-apps) with the managed installer.
The following table details the two policy types to allow apps to run:
| **Policy type** | **How it works** | **When should I use this policy?** | **Security risk** |
|---|---|---|---|
| WDAC supplemental policy | Allows apps meeting the rule criteria to run | For executables that the Windows 11 SE base policy blocks. The blocked executables are visible from the Event Viewer in the [CodeIntegrity events](./troubleshoot.md). | Low |
| AppLocker policy | Sets an app to be considered as a managed installer | Only for executables that do installations or updates, that the Windows 11 SE base policy blocks. | High |
> [!NOTE]
> The specifics of the policy you will need to create vary from app to app. Public documentation can help you determine which rules would be useful for your app.
## WDAC supplemental policies
A *supplemental policy* can expand only one base policy, but multiple supplemental policies can expand the same base policy. When you use supplemental policies, the apps allowed by the base or its supplemental policies will be allowed to execute.\
The base policy that you must target for Windows SE devices has a PolicyID of **{82443e1e-8a39-4b4a-96a8-f40ddc00b9f3}**.
> [!WARNING]
> The maximum number of active policies is 32, which includes the Windows 11 SE base policy, the Microsoft vulnerable driver block list, and potentially other inbox policies. When planning your supplemental policy strategy, avoid adding too many. For example, avoid creating a supplemental policy per app, which can add up very quickly.
After you create WDAC supplemental policies, you must sign them and deploy them through Intune.\
To create supplemental policies, download and install the [WDAC Policy Wizard][EXT-1] from a **non-Windows SE device**.
The following video provides an overview and explains how to create supplemental policies for apps blocked by the Windows 11 SE base policy.
> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RWWReO]
### Create a supplemental policy for Win32 apps
There are different ways to write a supplemental policy. The suggested method is to use [audit events][WIN-3], as they list the actions that Windows 11 SE would block. From the audit events, you can create a policy to allow those actions.\
From a non-Windows SE device with the WDAC Policy Wizard installed, follow these steps:
1. Apply an audit mode WDAC Base policy. The WDAC Wizard includes a template policy called *WinSEPolicy.xml*, which is based on the Windows 11 SE base policy:
- Open the **WDAC Wizard** and select **Policy Editor**
- In the Policy Path to Edit field, browse for *%ProgramFiles%\WindowsApps\Microsoft.WDAC\** and select the file called *WinSEPolicy.xml*. Select **Next**
:::image type="content" source="images/wdac-winsepolicy.png" alt-text="Screenshot of the WDAC wizard - creation of a policy targeting the base WinSEPolicy.xml policy.":::
- Toggle the option for **Audit Mode** and complete the wizard. Note the location of the *.cip* and *.xml* files shown on the final page of the wizard
- From an elevated PowerShell session, run the following command to activate the policy:
```cmd
citool.exe -up <"Path to the .cip file">
```
1. With the *Base audit mode policy* for Windows 11 SE in place:
- Download and run the app install for your app
- Launch the app and exercise the app's capabilities
- Uninstall the app
1. Use the WDAC Wizard to create a policy from audit events:
- Open the **WDAC Wizard** and select **Policy Editor**
- Select **Convert Event Log to a WDAC Policy** then select **Parse Event Log** to parse from the system Event Viewer. Select **Next**
- Review each row in the table and choose the type of rule to create. You may want to sort the table by FileName to group duplicate rows together. You need to create a single rule if the values are duplicates
- Complete the wizard to generate the policy. The policy will be a *Base* policy. Note the location of the *.xml* shown, as you'll use it in the next step.
- Check the event log **AppLocker** > **MSI and Script** for any events
- If any events are shown, you can use the **WDAC Wizard** to edit the policy and add more rules
- Alternatively, you can save all events to *.evtx* file and create a policy from audit events, but browse for the saved *.evtx* file rather than parsing events from the system Event Viewer
1. Convert the policy created in the previous step to a supplemental policy, specifying the Base audit policy you created in the first step as its base
```PowerShell
Set-CiPolicyIdInfo -FilePath "<Path to.xml file from step #4>" -BasePolicyToSupplementPath "<Path to the WDAC Base policy .xml created from step #2>"
```
1. From an elevated PowerShell session, run the following command to activate the policy:
```cmd
citool.exe -up '<Path to the .cip file>'
```
1. Clear the two event logs:
- **CodeIntegrity** > **Operational**
- **AppLocker** > **MSI and Script**
1. Repeat the app testing from step 3. Repeat these steps as needed until no further events are generated.
1. Once you have a policy that works for your app, reset the supplemental policy's Base policy to the official Windows 11 SE BasePolicyId. From an elevated PowerShell session, run the following command:
```PowerShell
Set-CiPolicyIdInfo -FilePath "<Path to .xml from step #4>" -SupplementsBasePolicyId "{82443e1e-8a39-4b4a-96a8-f40ddc00b9f3}"
```
> [!NOTE]
> If you have created multiple supplemental policies for different apps, it's recommended to merge all supplemental policies together before deploying. You can merge policies using the WDAC Wizard.
1. The creation of the supplemental policy is complete. You must sign and deploy the policy to your devices to take effect.
### Create a supplemental policy for UWP LOB apps
UWP apps don't work out-of-box due to the Windows 11 SE Windows 11 SE base policy.\
From a non-Windows SE device with the WDAC Policy Wizard installed, you can create and deploy a supplemental policy using these steps:
1. Open the **WDAC Wizard** and select **Policy Creator > Supplemental policy**
- Choose a **Policy Name** and **Policy File Location**
- In the **Base Policy** path to, browse for *%ProgramFiles%\WindowsApps\Microsoft.WDAC\** and select the file called *WinSEPolicy.xml*. Select **Next**
- In **Policy Rules**, select **Next**
- In **Signing Rules**, select **Add Custom Rule** and choose:
- **Rule scope**: **Usermode Rule**
- **Rule action**: **Allow**
- **Rule type**: **Packaged App**
- **Package Name**: specify the package name of app. If the app is installed, you can search by name. If the app isn't installed, check the **Use Custom Package Family** box and specify the package family name of the app
:::image type="content" source="images/wdac-uwp-policy.png" alt-text="Screenshot of the WDAC wizard - selection of an installed UWP app package.":::
- Select the app name
- Select **Create Rule**
- Select **Next**
1. The policy should be created and output an *.xml* and *.cip* files to the policy file location specified earlier
1. The policy isn't yet targeting the right base policy. Run the following PowerShell command to set the base policy to the Windows 11 SE Windows 11 SE base policy:
```PowerShell
Set-CiPolicyIdInfo -FilePath "<Path to.xml file from previous step>" -SupplementsBasePolicyId "{82443e1e-8a39-4b4a-96a8-f40ddc00b9f3}"
```
1. The creation of the supplemental policy is complete. You must sign and deploy the policy to your devices to take effect.
### Guidelines for authoring WDAC supplemental policy rules
Here are some general guidelines to follow when writing WDAC supplemental policies:
- For packaged apps (*.appx* or *.msix*), choose **PackagedApp** and allow the file by its **PackageFamilyName**
- For other apps, try to create **Publisher** rules wherever possible, combining the **Publisher** with other properties like **Product**, **Filename**, and **Version**
> [!NOTE]
> The WDAC Wizard defaults to use all of the properties, if present. In some cases, you may want to combine a subset of the properties to allow multiple files. For example: Publisher + ProductName + Version.
- When a **Publisher** rule isn't an option (for example, when the file is unsigned), use *Hash* as the most restrictive option
- You might have to opt for a **FileAttribute** rule, but it can be easily spoofed
For additional information:
- [WDAC Policy Wizard][EXT-1]
- [Policy creation for common WDAC usage scenarios][WIN-1]
- [Create a new supplemental policy with the wizard][WIN-2]
## AppLocker policies
> [!WARNING]
> It's recommended to use AppLocker policies for processes that perform **updates** or **install as managed installers** only. The preferred method to allow incompatible applications or other executables to run, is to write **WDAC supplemental policies** instead of modifying AppLocker policies.
Additional AppLocker policies work by configuring other apps to be *managed installers*. However, since anything downloaded or installed by a managed installer is trusted to run, it creates a significant security risk. For example, if the executable for a third-party browser is set as a managed installer, anything downloaded from that browser will be allowed to run.\
Using a WDAC supplemental policy instead, allows you to have more control over what is allowed to run without the risk of those permissions propagating unintentionally.
To allow apps to run by setting their installers as managed installers, follow the guidance here:
-->
## AppLocker policies
Additional AppLocker policies work by configuring other apps to be *managed installers*. However, since anything downloaded or installed by a managed installer is trusted to run, it creates a significant security risk. For example, if the executable for a third-party browser is set as a managed installer, anything downloaded from that browser will be allowed to run.
To allow apps to run by setting their installers as managed installers, follow the guidance here:
- [Edit an AppLocker policy][WIN-5]
- [Allow apps deployed with a WDAC managed installer][WIN-6]
## Next steps
<!--
Before moving on to the next section, ensure that you've completed the following tasks.
For a WDAC supplemental policy:
> [!div class="checklist"]
>
> - Create a policy, targeting the base policy: **82443e1e-8a39-4b4a-96a8-f40ddc00b9f3**
For an AppLocker policy:
> [!div class="checklist"]
>
> - Only applied to an updater or installer
> - Created the policy with the **Merge** option
Advance to the next article to learn how to deploy the WDAC supplemental policies or AppLocker policies to Windows 11 SE devices.
-->
Advance to the next article to learn how to deploy the AppLocker policies to Windows 11 SE devices.
> [!div class="nextstepaction"]
> [Next: deploy policies >](deploy-policies.md)
[EXT-1]: https://webapp-wdac-wizard.azurewebsites.net/
[WIN-1]: /windows/security/threat-protection/windows-defender-application-control/types-of-devices
[WIN-2]: /windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-supplemental-policy
[WIN-3]: /windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies
[WIN-5]: /windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy
[WIN-6]: /windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer

109
education/windows/tutorial-deploy-apps-winse/deploy-apps.md Normal file
View File

@ -0,0 +1,109 @@
---
title: Applications deployment considerations
description: Learn how to deploy different types of applications to Windows 11 SE and some considerations before deploying them.
ms.date: 05/23/2023
ms.topic: tutorial
appliesto:
-<a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE, version 22H2 and later</a>
---
# Applications deployment considerations
:::row:::
:::column span="":::
<a href="deploy-apps.md"><img src="images/phase-1-on.svg" alt="Icon representing the first phase."/></a><br>
[**Deploy an application via Microsoft Intune**](deploy-apps.md)
:::column-end:::
:::column span="":::
<a href="validate-apps.md"><img src="images/phase-2-off.svg" alt="Icon representing the second phase."/></a><br>
[**Validate the application**](validate-apps.md)
:::column-end:::
:::column span="":::
<a href="create-policies.md"><img src="images/phase-3-off.svg" alt="Icon representing the third phase."/></a><br>
[**Create additional policies 2 (optional)**](create-policies.md)
:::column-end:::
:::row-end:::
The process to deploy applications to Windows SE devices via Microsoft Intune is the same used for non-SE devices. Applications must be defined in Intune, and then assigned to the correct groups.\
However, on Windows SE devices, apps may successfully install, but they need validation to be certain that they're functional.
The following table provides an overview of the applications types that can be deployed to Windows devices via Intune, and considerations about the installation on Windows SE:
|**Installer/App type**|**Installer extensions**|**Available installation methods via Intune**|**Considerations for Windows 11 SE**|
|-|-|-|-|
|[Win32][WIN-1]|`.exe`<br>`.msi`|- Intune Management Extension (IME)<br> - Microsoft Store integration|⚠️ There are known limitations that might prevent an app to install or run.|
|[Universal Windows Platform (UWP)][WIN-2]|`.appx`<br>`.appxbundle`<br>`.msix`<br>|- For public apps: Microsoft Store integration<br>- For private apps: line-of-business (LOB) apps|⛔ UWP apps are currently unsupported.<!--⚠️ LOB apps require a supplemental policy.-->|
|[Progressive Web Apps (PWAs)][EDGE-2] |`.msix`|- Settings catalog policies<br>- Microsoft Store integration|✅ PWAs are supported.|
|Web links| n/a |- Windows web links|✅ Web links are supported.|
<!--after Intune 2307 update the table above with ✅ UWP public apps are supported.<br><br>⛔ UWP private apps are currently unsupported.-->
> [!IMPORTANT]
> Store apps must be installed in device context. Deploying apps in user context fails with error code `0x800711C7`.
> [!IMPORTANT]
> Although you'll be able to install apps on Windows 11 SE devices via Intune, some apps may not perform well on these devices due those apps' minimum spec requirements.
> Before deploying apps, first check which apps will be targeting your Windows 11 SE devices, and ensure that they meet the requirements.
## Win32 apps
The addition of Win32 applications to Intune consists of repackaging the apps and defining the commands to silently install them. The process is described in the article [Add, assign, and monitor a Win32 app in Microsoft Intune][MEM-1].
> [!IMPORTANT]
> If you have Windows 11 SE devices that already have apps deployed through Intune, the apps will not get retroactively tagged with the *managed installer* mark. The reason is to avoid making any security assumptions for these apps. You may need to redeploy the apps through Intune to get them properly tagged with managed installer and allowed to run.
There are known limitations that might prevent applications to install or execute. For more information, see the next section [validate applications](validate-apps.md).
## UWP apps
UWP apps are currently unsupported for Windows 11 SE.
<!-- 2307
### Microsoft Store apps
Public UWP apps available in the Microsoft Store are supported for Windows 11 SE.
### Line of business apps
Private UWP apps are currently unsupported for Windows 11 SE.
<!--### Line of business apps
For private, line-of-business (LOB) UWP apps, [deploy as line-of-business apps][MEM-2]
> [!IMPORTANT]
> UWP apps require the creation and deployment of supplemental policies. For more information, see the next section [validate applications](validate-apps.md).
-->
## PWA apps
PWAs can be deployed using the [Force-installed web Apps][EDGE-1] option via [settings catalog policies][MEM-3], or using the Microsoft Store integration with Intune.
## Web links
Web link can be deployed via Intune using [Windows web links][MEM-4], and will be available in the Start menu of the targeted devices.
## Section review
Before moving on to the next section, ensure that you've completed the following tasks:
> [!div class="checklist"]
> - `.intunewin` package created (for Win32 apps)
> - App uploaded via Intune (for Win32 and UWP LOB apps)
> - App assigned to the correct groups
## Next steps
Advance to the next article to learn how to validate the applications deployed to Windows 11 SE devices.
> [!div class="nextstepaction"]
> [Next: validate apps >](validate-apps.md)
[EDGE-1]: /deployedge/microsoft-edge-policies#configure-list-of-force-installed-web-apps
[EDGE-2]: /microsoft-edge/progressive-web-apps-chromium
[MEM-1]: /mem/intune/apps/apps-win32-add
[MEM-2]: /mem/intune/apps/lob-apps-windows
[MEM-3]: /mem/intune/configuration/settings-catalog
[MEM-4]: /mem/intune/apps/web-app
[WIN-1]: /windows/win32
[WIN-2]: /windows/uwp/get-started/universal-application-platform-guide

96
education/windows/tutorial-deploy-apps-winse/deploy-policies.md Normal file
View File

@ -0,0 +1,96 @@
---
title: Deploy policies to enable applications
description: Learn how to deploy AppLocker policies to enable apps execution on Windows SE devices.
ms.date: 05/23/2023
ms.topic: tutorial
appliesto:
-<a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE, version 22H2 and later</a>
---
<!--description: Learn how to sign WDAC policies and how to deploy WDAC and AppLocker policies to enable apps execution on Windows SE devices.-->
# Deploy policies to enable applications
Once the policies are created, you must deploy them to the Windows SE devices.\
AppLocker policies can be deployed via Intune. This article describes how to deploy AppLocker policies to enable apps execution on Windows SE devices.
<!--
WDAC and AppLocker policies can be deployed via Intune, but WDAC policies must be signed before they can be deployed.
This article describes how to sign WDAC policies and how to deploy WDAC and AppLocker policies to enable apps execution on Windows SE devices.
## Sign WDAC supplemental policies
> [!IMPORTANT]
> *This section will be updated when the process using Azure CodeSigning for CI policy is released in April.*
## Deploy WDAC supplemental policies
Policies can be deployed via Intune using a custom OMA-URI.
> [!TIP]
> To prevent these policies from being applied to non-Windows SE devices, you can create and target a group with only Windows 11 SE devices in it, or use assignment filters.
[Deploy WDAC policies using Mobile Device Management][WIN-4]
### Troubleshoot WDAC policies
For information how to validate and troubleshoot WDAC supplemental policies, see [WDAC supplemental policy validation](./troubleshoot.md#wdac-supplemental-policy-validation)
-->
## Deploy AppLocker policies
Intune doesn't currently offer the option to modify AppLocker policies. The deployment of AppLocker policies can be done using PowerShell scripts deployed via Intune.
You can create a PowerShell script that stores the contents of the policy in a variable, then use the `Set-AppLockerPolicy` PowerShell command to merge it. Here's a sample function for the task:
```PowerShell
function MergeAppLockerPolicy([string]$policyXml)
{
$policyFile = '.\AppLockerPolicy.xml'
$policyXml | Out-File $policyFile
Write-Host "Merging and setting AppLocker policy"
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge -ErrorAction SilentlyContinue
Remove-Item $policyFile
}
```
> [!WARNING]
> Intune deploys a script with the AppLocker policy to set **Intune Management Extension as a managed installer** on all Windows 11 SE devices enrolled into an Intune EDU tenant. If you want to deploy your own AppLocker policy to set another Managed Installer (in addition to Intune), be sure to use the `-Merge` parameter with `Set-AppLockerPolicy`. The `-Merge` parameter ensures that your policy plays well with Intune's AppLocker policy. Without using the `-Merge` parameter, it will result in issues with apps not getting tagged properly and their ability to run on impacted devices. To learn more about AppLocker Merge policy, see [Merge AppLocker policies][WIN-7].
Once finished, you can deploy the script via Intune. For more information, see [Add PowerShell scripts to Windows devices in Microsoft Intune][MEM-1].
### Troubleshoot AppLocker policies
For information how to validate and troubleshoot AppLocker policies, see [AppLocker policy validation](./troubleshoot.md#applocker-policy-validation)
## Next steps
<!--
Before moving on to the next section, ensure that you've completed the following tasks.
For a WDAC supplemental policy:
> [!div class="checklist"]
>
> - Signed .cip .p7b file with Device Guard
> - Policy created in Intune and assigned to the correct groups
> - Policy applied in Event Viewer
For an AppLocker policy:
> [!div class="checklist"]
>
> - Policy created in Intune and assigned to the correct groups
-->
Advance to the next article to learn about important considerations when deploying apps and policies to Windows SE devices.
> [!div class="nextstepaction"]
>
> [Next: important deployment considerations >](considerations.md)
[MEM-1]: /mem/intune/apps/intune-management-extension
[WIN-4]: /windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune
[WIN-7]: /windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy

BIN
education/windows/tutorial-deploy-apps-winse/images/applocker-export-policy.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 58 KiB

BIN
education/windows/tutorial-deploy-apps-winse/images/applocker-policy-validation.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 659 KiB

BIN
education/windows/tutorial-deploy-apps-winse/images/esp-error.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 293 KiB

BIN
education/windows/tutorial-deploy-apps-winse/images/intune-app-install-overview.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 165 KiB

BIN
education/windows/tutorial-deploy-apps-winse/images/intune-app-install-status.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 200 KiB

3
education/windows/tutorial-deploy-apps-winse/images/phase-1-off.svg Normal file
View File

@ -0,0 +1,3 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" width="272px" height="112px" viewBox="-0.5 -0.5 272 112"><defs/><g><rect x="21" y="1" width="250" height="110" rx="4.4" ry="4.4" fill-opacity="0.9" fill="#e6e6e6" stroke="#666666" stroke-opacity="0.9" stroke-width="2" pointer-events="all"/><image x="113" y="18" width="75" height="75" xlink:href="data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIGZpbGw9Im5vbmUiIHZpZXdCb3g9IjAgMCAyNCAyNCIgaGVpZ2h0PSIyNCIgd2lkdGg9IjI0Ij4mI3hhOyAgPHBhdGggZmlsbD0iIzIxMjEyMSIgZD0iTTE3LjUgMTJDMjAuNTM3NiAxMiAyMyAxNC40NjI0IDIzIDE3LjVDMjMgMjAuNTM3NiAyMC41Mzc2IDIzIDE3LjUgMjNDMTQuNDYyNCAyMyAxMiAyMC41Mzc2IDEyIDE3LjVDMTIgMTQuNDYyNCAxNC40NjI0IDEyIDE3LjUgMTJaTTE3LjUxMTIgMTQuMDAwMUwxNy40MjcgMTQuMDA1TDE3LjM3MTkgMTQuMDE2NkwxNy4yODg2IDE0LjA0NjdMMTcuMjE1MyAxNC4wODg4TDE3LjE1ODkgMTQuMTM0NEwxNC42NDY0IDE2LjY0NjRMMTQuNTg4NiAxNi43MTU3QzE0LjQ3MDUgMTYuODg2MiAxNC40NzA1IDE3LjExMzggMTQuNTg4NiAxNy4yODQzTDE0LjY0NjQgMTcuMzUzNkwxNC43MTU3IDE3LjQxMTRDMTQuODg2MiAxNy41Mjk1IDE1LjExMzggMTcuNTI5NSAxNS4yODQzIDE3LjQxMTRMMTUuMzUzNiAxNy4zNTM2TDE2Ljk5OSAxNS43MDhMMTcgMjFMMTcuMDA4MSAyMS4wODk5QzE3LjA0NTEgMjEuMjk0IDE3LjIwNiAyMS40NTQ5IDE3LjQxMDEgMjEuNDkxOUwxNy41IDIxLjVMMTcuNTg5OSAyMS40OTE5QzE3Ljc5NCAyMS40NTQ5IDE3Ljk1NDkgMjEuMjk0IDE3Ljk5MTkgMjEuMDg5OUwxOCAyMUwxNy45OTkgMTUuNzA2TDE5LjY0NjQgMTcuMzUzNkwxOS43MTU3IDE3LjQxMTRDMTkuOTEwNiAxNy41NDY0IDIwLjE4IDE3LjUyNzEgMjAuMzUzNiAxNy4zNTM2QzIwLjUyNzEgMTcuMTggMjAuNTQ2NCAxNi45MTA2IDIwLjQxMTQgMTYuNzE1N0wyMC4zNTM2IDE2LjY0NjRMMTcuODA2IDE0LjEwNEwxNy43NTg1IDE0LjA3MTlMMTcuNjkxIDE0LjAzNzhMMTcuNjI4MSAxNC4wMTY2TDE3LjU3MzkgMTQuMDA1NUMxNy41NTI5IDE0LjAwMjMgMTcuNTMxNyAxNC4wMDA2IDE3LjUxMTIgMTQuMDAwMVpNNi4yNSAzSDE3Ljc1QzE5LjQ4MyAzIDIwLjg5OTIgNC4zNTY0NSAyMC45OTQ5IDYuMDY1NThMMjEgNi4yNUwyMS4wMDEyIDEyLjAyMjZDMjAuNTM3OCAxMS43MjU4IDIwLjAzNDIgMTEuNDg2MSAxOS41MDA0IDExLjMxMzZMMTkuNSA4SDQuNVYxNy43NUM0LjUgMTguNjY4MiA1LjIwNzExIDE5LjQyMTIgNi4xMDY0NyAxOS40OTQyTDYuMjUgMTkuNUwxMS4zMTM2IDE5LjUwMDRDMTEuNDg2MSAyMC4wMzQyIDExLjcyNTggMjAuNTM3OCAxMi4wMjI2IDIxLjAwMTJMNi4yNSAyMUM0LjUxNjk3IDIxIDMuMTAwNzUgMTkuNjQzNSAzLjAwNTE0IDE3LjkzNDRMMyAxNy43NVY2LjI1QzMgNC41MTY5NyA0LjM1NjQ1IDMuMTAwNzUgNi4wNjU1OCAzLjAwNTE0TDYuMjUgM1oiLz4mI3hhOzwvc3ZnPg==" preserveAspectRatio="none" opacity="0.5"/><ellipse cx="21" cy="31" rx="20" ry="20" fill="#e6e6e6" stroke="#666666" stroke-width="2" pointer-events="all"/><g transform="translate(-0.5 -0.5)" opacity="0.5"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 38px; height: 1px; padding-top: 31px; margin-left: 2px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 18px; font-family: &quot;Segoe UI semibold&quot;; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; font-weight: bold; white-space: normal; overflow-wrap: normal;">1</div></div></div></foreignObject><text x="21" y="36" fill="rgb(0, 0, 0)" font-family="Segoe UI semibold" font-size="18px" text-anchor="middle" font-weight="bold">1</text></switch></g></g></svg>
Side by Side

After

Width:  |  Height:  |  Size: 3.4 KiB

3
education/windows/tutorial-deploy-apps-winse/images/phase-1-on.svg Normal file
View File

@ -0,0 +1,3 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" width="272px" height="112px" viewBox="-0.5 -0.5 272 112"><defs/><g><rect x="21" y="1" width="250" height="110" rx="4.4" ry="4.4" fill-opacity="0.95" fill="rgb(255, 255, 255)" stroke="#0078d4" stroke-opacity="0.95" stroke-width="2" pointer-events="all"/><image x="113" y="18" width="75" height="75" xlink:href="data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIGZpbGw9Im5vbmUiIHZpZXdCb3g9IjAgMCAyNCAyNCIgaGVpZ2h0PSIyNCIgd2lkdGg9IjI0Ij4mI3hhOyAgPHBhdGggZmlsbD0iIzIxMjEyMSIgZD0iTTE3LjUgMTJDMjAuNTM3NiAxMiAyMyAxNC40NjI0IDIzIDE3LjVDMjMgMjAuNTM3NiAyMC41Mzc2IDIzIDE3LjUgMjNDMTQuNDYyNCAyMyAxMiAyMC41Mzc2IDEyIDE3LjVDMTIgMTQuNDYyNCAxNC40NjI0IDEyIDE3LjUgMTJaTTE3LjUxMTIgMTQuMDAwMUwxNy40MjcgMTQuMDA1TDE3LjM3MTkgMTQuMDE2NkwxNy4yODg2IDE0LjA0NjdMMTcuMjE1MyAxNC4wODg4TDE3LjE1ODkgMTQuMTM0NEwxNC42NDY0IDE2LjY0NjRMMTQuNTg4NiAxNi43MTU3QzE0LjQ3MDUgMTYuODg2MiAxNC40NzA1IDE3LjExMzggMTQuNTg4NiAxNy4yODQzTDE0LjY0NjQgMTcuMzUzNkwxNC43MTU3IDE3LjQxMTRDMTQuODg2MiAxNy41Mjk1IDE1LjExMzggMTcuNTI5NSAxNS4yODQzIDE3LjQxMTRMMTUuMzUzNiAxNy4zNTM2TDE2Ljk5OSAxNS43MDhMMTcgMjFMMTcuMDA4MSAyMS4wODk5QzE3LjA0NTEgMjEuMjk0IDE3LjIwNiAyMS40NTQ5IDE3LjQxMDEgMjEuNDkxOUwxNy41IDIxLjVMMTcuNTg5OSAyMS40OTE5QzE3Ljc5NCAyMS40NTQ5IDE3Ljk1NDkgMjEuMjk0IDE3Ljk5MTkgMjEuMDg5OUwxOCAyMUwxNy45OTkgMTUuNzA2TDE5LjY0NjQgMTcuMzUzNkwxOS43MTU3IDE3LjQxMTRDMTkuOTEwNiAxNy41NDY0IDIwLjE4IDE3LjUyNzEgMjAuMzUzNiAxNy4zNTM2QzIwLjUyNzEgMTcuMTggMjAuNTQ2NCAxNi45MTA2IDIwLjQxMTQgMTYuNzE1N0wyMC4zNTM2IDE2LjY0NjRMMTcuODA2IDE0LjEwNEwxNy43NTg1IDE0LjA3MTlMMTcuNjkxIDE0LjAzNzhMMTcuNjI4MSAxNC4wMTY2TDE3LjU3MzkgMTQuMDA1NUMxNy41NTI5IDE0LjAwMjMgMTcuNTMxNyAxNC4wMDA2IDE3LjUxMTIgMTQuMDAwMVpNNi4yNSAzSDE3Ljc1QzE5LjQ4MyAzIDIwLjg5OTIgNC4zNTY0NSAyMC45OTQ5IDYuMDY1NThMMjEgNi4yNUwyMS4wMDEyIDEyLjAyMjZDMjAuNTM3OCAxMS43MjU4IDIwLjAzNDIgMTEuNDg2MSAxOS41MDA0IDExLjMxMzZMMTkuNSA4SDQuNVYxNy43NUM0LjUgMTguNjY4MiA1LjIwNzExIDE5LjQyMTIgNi4xMDY0NyAxOS40OTQyTDYuMjUgMTkuNUwxMS4zMTM2IDE5LjUwMDRDMTEuNDg2MSAyMC4wMzQyIDExLjcyNTggMjAuNTM3OCAxMi4wMjI2IDIxLjAwMTJMNi4yNSAyMUM0LjUxNjk3IDIxIDMuMTAwNzUgMTkuNjQzNSAzLjAwNTE0IDE3LjkzNDRMMyAxNy43NVY2LjI1QzMgNC41MTY5NyA0LjM1NjQ1IDMuMTAwNzUgNi4wNjU1OCAzLjAwNTE0TDYuMjUgM1oiLz4mI3hhOzwvc3ZnPg==" preserveAspectRatio="none"/><ellipse cx="21" cy="31" rx="20" ry="20" fill="#0078d4" stroke="#ffffff" stroke-width="2" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 38px; height: 1px; padding-top: 31px; margin-left: 2px;"><div data-drawio-colors="color: #ffffff; " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 18px; font-family: &quot;Segoe UI semibold&quot;; color: rgb(255, 255, 255); line-height: 1.2; pointer-events: all; font-weight: bold; white-space: normal; overflow-wrap: normal;">1</div></div></div></foreignObject><text x="21" y="36" fill="#ffffff" font-family="Segoe UI semibold" font-size="18px" text-anchor="middle" font-weight="bold">1</text></switch></g></g></svg>
Side by Side

After

Width:  |  Height:  |  Size: 3.4 KiB

3
education/windows/tutorial-deploy-apps-winse/images/phase-2-off.svg Normal file
View File

@ -0,0 +1,3 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" width="272px" height="112px" viewBox="-0.5 -0.5 272 112"><defs/><g><rect x="21" y="1" width="250" height="110" rx="4.4" ry="4.4" fill-opacity="0.9" fill="#e6e6e6" stroke="#666666" stroke-opacity="0.9" stroke-width="2" pointer-events="all"/><image x="105.5" y="15.5" width="80" height="80" xlink:href="data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIGZpbGw9Im5vbmUiIHZpZXdCb3g9IjAgMCAyNCAyNCIgaGVpZ2h0PSIyNCIgd2lkdGg9IjI0Ij4mI3hhOyAgPHBhdGggZmlsbD0iIzIxMjEyMSIgZD0iTTYuMjUgM0M0LjQ1NTA3IDMgMyA0LjQ1NTA3IDMgNi4yNVYxNy43NUMzIDE5LjU0NDkgNC40NTUwNyAyMSA2LjI1IDIxSDE3Ljc1QzE5LjU0NDkgMjEgMjEgMTkuNTQ0OSAyMSAxNy43NVY2LjI1QzIxIDQuNDU1MDcgMTkuNTQ0OSAzIDE3Ljc1IDNINi4yNVpNNC41IDhIMTkuNVYxNy43NUMxOS41IDE4LjcxNjUgMTguNzE2NSAxOS41IDE3Ljc1IDE5LjVINi4yNUM1LjI4MzUgMTkuNSA0LjUgMTguNzE2NSA0LjUgMTcuNzVWOFpNNiAxMC4zNUM2IDkuODgwNTYgNi4zODA1NiA5LjUgNi44NSA5LjVIMTAuMTVDMTAuNjE5NCA5LjUgMTEgOS44ODA1NiAxMSAxMC4zNVYxNy4xNUMxMSAxNy42MTk0IDEwLjYxOTQgMTggMTAuMTUgMThINi44NUM2LjM4MDU2IDE4IDYgMTcuNjE5NCA2IDE3LjE1VjEwLjM1Wk03LjUgMTFWMTYuNUg5LjVWMTFINy41Wk0xMi43NSA5LjVIMTcuMjVDMTcuNjY0MiA5LjUgMTggOS44MzU3OSAxOCAxMC4yNUMxOCAxMC42NjQyIDE3LjY2NDIgMTEgMTcuMjUgMTFIMTIuNzVDMTIuMzM1OCAxMSAxMiAxMC42NjQyIDEyIDEwLjI1QzEyIDkuODM1NzkgMTIuMzM1OCA5LjUgMTIuNzUgOS41Wk0xMiAxMy4yNUMxMiAxMi44MzU4IDEyLjMzNTggMTIuNSAxMi43NSAxMi41SDE2LjI1QzE2LjY2NDIgMTIuNSAxNyAxMi44MzU4IDE3IDEzLjI1QzE3IDEzLjY2NDIgMTYuNjY0MiAxNCAxNi4yNSAxNEgxMi43NUMxMi4zMzU4IDE0IDEyIDEzLjY2NDIgMTIgMTMuMjVaIi8+JiN4YTs8L3N2Zz4=" preserveAspectRatio="none" opacity="0.5"/><ellipse cx="21" cy="31" rx="20" ry="20" fill="#e6e6e6" stroke="#666666" stroke-width="2" pointer-events="all"/><g transform="translate(-0.5 -0.5)" opacity="0.5"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 38px; height: 1px; padding-top: 31px; margin-left: 2px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 18px; font-family: &quot;Segoe UI semibold&quot;; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; font-weight: bold; white-space: normal; overflow-wrap: normal;">2</div></div></div></foreignObject><text x="21" y="36" fill="rgb(0, 0, 0)" font-family="Segoe UI semibold" font-size="18px" text-anchor="middle" font-weight="bold">2</text></switch></g></g></svg>
Side by Side

After

Width:  |  Height:  |  Size: 2.8 KiB

3
education/windows/tutorial-deploy-apps-winse/images/phase-2-on.svg Normal file
View File

@ -0,0 +1,3 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" width="272px" height="112px" viewBox="-0.5 -0.5 272 112"><defs/><g><rect x="21" y="1" width="250" height="110" rx="4.4" ry="4.4" fill-opacity="0.95" fill="rgb(255, 255, 255)" stroke="#0078d4" stroke-opacity="0.95" stroke-width="2" pointer-events="all"/><image x="105.5" y="15.5" width="80" height="80" xlink:href="data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIGZpbGw9Im5vbmUiIHZpZXdCb3g9IjAgMCAyNCAyNCIgaGVpZ2h0PSIyNCIgd2lkdGg9IjI0Ij4mI3hhOyAgPHBhdGggZmlsbD0iIzIxMjEyMSIgZD0iTTYuMjUgM0M0LjQ1NTA3IDMgMyA0LjQ1NTA3IDMgNi4yNVYxNy43NUMzIDE5LjU0NDkgNC40NTUwNyAyMSA2LjI1IDIxSDE3Ljc1QzE5LjU0NDkgMjEgMjEgMTkuNTQ0OSAyMSAxNy43NVY2LjI1QzIxIDQuNDU1MDcgMTkuNTQ0OSAzIDE3Ljc1IDNINi4yNVpNNC41IDhIMTkuNVYxNy43NUMxOS41IDE4LjcxNjUgMTguNzE2NSAxOS41IDE3Ljc1IDE5LjVINi4yNUM1LjI4MzUgMTkuNSA0LjUgMTguNzE2NSA0LjUgMTcuNzVWOFpNNiAxMC4zNUM2IDkuODgwNTYgNi4zODA1NiA5LjUgNi44NSA5LjVIMTAuMTVDMTAuNjE5NCA5LjUgMTEgOS44ODA1NiAxMSAxMC4zNVYxNy4xNUMxMSAxNy42MTk0IDEwLjYxOTQgMTggMTAuMTUgMThINi44NUM2LjM4MDU2IDE4IDYgMTcuNjE5NCA2IDE3LjE1VjEwLjM1Wk03LjUgMTFWMTYuNUg5LjVWMTFINy41Wk0xMi43NSA5LjVIMTcuMjVDMTcuNjY0MiA5LjUgMTggOS44MzU3OSAxOCAxMC4yNUMxOCAxMC42NjQyIDE3LjY2NDIgMTEgMTcuMjUgMTFIMTIuNzVDMTIuMzM1OCAxMSAxMiAxMC42NjQyIDEyIDEwLjI1QzEyIDkuODM1NzkgMTIuMzM1OCA5LjUgMTIuNzUgOS41Wk0xMiAxMy4yNUMxMiAxMi44MzU4IDEyLjMzNTggMTIuNSAxMi43NSAxMi41SDE2LjI1QzE2LjY2NDIgMTIuNSAxNyAxMi44MzU4IDE3IDEzLjI1QzE3IDEzLjY2NDIgMTYuNjY0MiAxNCAxNi4yNSAxNEgxMi43NUMxMi4zMzU4IDE0IDEyIDEzLjY2NDIgMTIgMTMuMjVaIi8+JiN4YTs8L3N2Zz4=" preserveAspectRatio="none"/><ellipse cx="21" cy="31" rx="20" ry="20" fill="#0078d4" stroke="#ffffff" stroke-width="2" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 38px; height: 1px; padding-top: 31px; margin-left: 2px;"><div data-drawio-colors="color: #ffffff; " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 18px; font-family: &quot;Segoe UI semibold&quot;; color: rgb(255, 255, 255); line-height: 1.2; pointer-events: all; font-weight: bold; white-space: normal; overflow-wrap: normal;">2</div></div></div></foreignObject><text x="21" y="36" fill="#ffffff" font-family="Segoe UI semibold" font-size="18px" text-anchor="middle" font-weight="bold">2</text></switch></g></g></svg>
Side by Side

After

Width:  |  Height:  |  Size: 2.7 KiB

3
education/windows/tutorial-deploy-apps-winse/images/phase-3-off.svg Normal file
View File

@ -0,0 +1,3 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" width="272px" height="112px" viewBox="-0.5 -0.5 272 112"><defs/><g><rect x="21" y="1" width="250" height="110" rx="4.4" ry="4.4" fill-opacity="0.9" fill="#e6e6e6" stroke="#666666" stroke-opacity="0.9" stroke-width="2" pointer-events="all"/><image x="105.5" y="15.5" width="80" height="80" xlink:href="data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIGZpbGw9Im5vbmUiIHZpZXdCb3g9IjAgMCAyNCAyNCIgaGVpZ2h0PSIyNCIgd2lkdGg9IjI0Ij4mI3hhOyAgPHBhdGggZmlsbD0iIzIxMjEyMSIgZD0iTTE3Ljc0OSAzTDE3LjkzMzQgMy4wMDUxNEMxOS41ODI3IDMuMDk3MzQgMjAuOTAyOSA0LjQxNzUgMjAuOTk1MSA2LjA2NTU4TDIxLjAwMDIgNi4yNVYxMi42MTA4QzIwLjMxMzMgMTIuNDc5MyAxOS42NTU0IDEyLjEwODggMTkuMDA1NCAxMS40MzA1TDE4Ljk5OTQgMTEuNDI0M0wxOC45OTkgOEg1LjAwMDIyTDQuOTk5MDIgMTcuNzVDNC45OTkwMiAxOC4zOTcyIDUuNDkwODkgMTguOTI5NSA2LjEyMTIxIDE4Ljk5MzVMNi4yNDkwMiAxOUgxMy4zNzUzQzEzLjU3ODggMTkuNTk1MyAxMy44NjY5IDIwLjE0NjIgMTQuMjQzOSAyMC42NDU3QzE0LjMzNjEgMjAuNzY3OCAxNC40MzI4IDIwLjg4NTkgMTQuNTM0IDIxSDYuMjQ5MDJDNC41MTU5OSAyMSAzLjA5OTc3IDE5LjY0MzUgMy4wMDQxNiAxNy45MzQ0TDIuOTk5MDIgMTcuNzVWNi4yNUMyLjk5OTAyIDQuNTE2OTcgNC4zNTU0NyAzLjEwMDc1IDYuMDY0NiAzLjAwNTE0TDYuMjQ5MDIgM0gxNy43NDlaTTE4Ljk5OTYgMTIuNzY0NEMxOS42MjUxIDEzLjIzNzUgMjAuMjkwNiAxMy41MjMgMjEuMDAwMiAxMy42MjQ1QzIxLjE5NjYgMTMuNjUyNyAyMS4zOTY0IDEzLjY2NjcgMjEuNTk5NiAxMy42NjY3QzIxLjc5MjkgMTMuNjY2NyAyMS45NTQyIDEzLjgwOTUgMjEuOTkxNSAxMy45OTk0TDIxLjk5OTYgMTQuMDgzM1YxNi41ODQ0QzIxLjk5OTYgMTkuMjY2MyAyMC42ODY2IDIxLjA4OTYgMTguMTI2MSAyMS45Nzg2QzE4LjA0NCAyMi4wMDcxIDE3Ljk1NTIgMjIuMDA3MSAxNy44NzMxIDIxLjk3ODZDMTcuMTQ3OSAyMS43MjY4IDE2LjUyMjcgMjEuNCAxNS45OTkxIDIxQzE1LjI5NyAyMC40NjM2IDE0Ljc3NzYgMTkuNzk1NiAxNC40NDQzIDE5QzE0LjE3NzkgMTguMzY0IDE0LjAzMDYgMTcuNjQ2NiAxNC4wMDQgMTYuODQ5N0wxMy45OTk2IDE2LjU4NDRWMTQuMDgzM0MxMy45OTk2IDEzLjg1MzIgMTQuMTc4NyAxMy42NjY3IDE0LjM5OTYgMTMuNjY2N0MxNS42MjMgMTMuNjY2NyAxNi43MjMgMTMuMTU3NSAxNy43MTc1IDEyLjEyMkMxNy44NzM4IDExLjk1OTIgMTguMTI3MiAxMS45NTk0IDE4LjI4MzMgMTIuMTIyM0MxOC41MTYxIDEyLjM2NTIgMTguNzU0OCAxMi41NzkyIDE4Ljk5OTYgMTIuNzY0NFoiLz4mI3hhOzwvc3ZnPg==" preserveAspectRatio="none" opacity="0.5"/><ellipse cx="21" cy="31" rx="20" ry="20" fill="#e6e6e6" stroke="#666666" stroke-width="2" pointer-events="all"/><g transform="translate(-0.5 -0.5)" opacity="0.5"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 38px; height: 1px; padding-top: 31px; margin-left: 2px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 18px; font-family: &quot;Segoe UI semibold&quot;; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; font-weight: bold; white-space: normal; overflow-wrap: normal;">3</div></div></div></foreignObject><text x="21" y="36" fill="rgb(0, 0, 0)" font-family="Segoe UI semibold" font-size="18px" text-anchor="middle" font-weight="bold">3</text></switch></g></g></svg>
Side by Side

After

Width:  |  Height:  |  Size: 3.3 KiB

3
education/windows/tutorial-deploy-apps-winse/images/phase-3-on.svg Normal file
View File

@ -0,0 +1,3 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" width="272px" height="112px" viewBox="-0.5 -0.5 272 112"><defs/><g><rect x="21" y="1" width="250" height="110" rx="4.4" ry="4.4" fill-opacity="0.95" fill="rgb(255, 255, 255)" stroke="#0078d4" stroke-opacity="0.95" stroke-width="2" pointer-events="all"/><image x="105.5" y="15.5" width="80" height="80" xlink:href="data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIGZpbGw9Im5vbmUiIHZpZXdCb3g9IjAgMCAyNCAyNCIgaGVpZ2h0PSIyNCIgd2lkdGg9IjI0Ij4mI3hhOyAgPHBhdGggZmlsbD0iIzIxMjEyMSIgZD0iTTE3Ljc0OSAzTDE3LjkzMzQgMy4wMDUxNEMxOS41ODI3IDMuMDk3MzQgMjAuOTAyOSA0LjQxNzUgMjAuOTk1MSA2LjA2NTU4TDIxLjAwMDIgNi4yNVYxMi42MTA4QzIwLjMxMzMgMTIuNDc5MyAxOS42NTU0IDEyLjEwODggMTkuMDA1NCAxMS40MzA1TDE4Ljk5OTQgMTEuNDI0M0wxOC45OTkgOEg1LjAwMDIyTDQuOTk5MDIgMTcuNzVDNC45OTkwMiAxOC4zOTcyIDUuNDkwODkgMTguOTI5NSA2LjEyMTIxIDE4Ljk5MzVMNi4yNDkwMiAxOUgxMy4zNzUzQzEzLjU3ODggMTkuNTk1MyAxMy44NjY5IDIwLjE0NjIgMTQuMjQzOSAyMC42NDU3QzE0LjMzNjEgMjAuNzY3OCAxNC40MzI4IDIwLjg4NTkgMTQuNTM0IDIxSDYuMjQ5MDJDNC41MTU5OSAyMSAzLjA5OTc3IDE5LjY0MzUgMy4wMDQxNiAxNy45MzQ0TDIuOTk5MDIgMTcuNzVWNi4yNUMyLjk5OTAyIDQuNTE2OTcgNC4zNTU0NyAzLjEwMDc1IDYuMDY0NiAzLjAwNTE0TDYuMjQ5MDIgM0gxNy43NDlaTTE4Ljk5OTYgMTIuNzY0NEMxOS42MjUxIDEzLjIzNzUgMjAuMjkwNiAxMy41MjMgMjEuMDAwMiAxMy42MjQ1QzIxLjE5NjYgMTMuNjUyNyAyMS4zOTY0IDEzLjY2NjcgMjEuNTk5NiAxMy42NjY3QzIxLjc5MjkgMTMuNjY2NyAyMS45NTQyIDEzLjgwOTUgMjEuOTkxNSAxMy45OTk0TDIxLjk5OTYgMTQuMDgzM1YxNi41ODQ0QzIxLjk5OTYgMTkuMjY2MyAyMC42ODY2IDIxLjA4OTYgMTguMTI2MSAyMS45Nzg2QzE4LjA0NCAyMi4wMDcxIDE3Ljk1NTIgMjIuMDA3MSAxNy44NzMxIDIxLjk3ODZDMTcuMTQ3OSAyMS43MjY4IDE2LjUyMjcgMjEuNCAxNS45OTkxIDIxQzE1LjI5NyAyMC40NjM2IDE0Ljc3NzYgMTkuNzk1NiAxNC40NDQzIDE5QzE0LjE3NzkgMTguMzY0IDE0LjAzMDYgMTcuNjQ2NiAxNC4wMDQgMTYuODQ5N0wxMy45OTk2IDE2LjU4NDRWMTQuMDgzM0MxMy45OTk2IDEzLjg1MzIgMTQuMTc4NyAxMy42NjY3IDE0LjM5OTYgMTMuNjY2N0MxNS42MjMgMTMuNjY2NyAxNi43MjMgMTMuMTU3NSAxNy43MTc1IDEyLjEyMkMxNy44NzM4IDExLjk1OTIgMTguMTI3MiAxMS45NTk0IDE4LjI4MzMgMTIuMTIyM0MxOC41MTYxIDEyLjM2NTIgMTguNzU0OCAxMi41NzkyIDE4Ljk5OTYgMTIuNzY0NFoiLz4mI3hhOzwvc3ZnPg==" preserveAspectRatio="none"/><ellipse cx="21" cy="31" rx="20" ry="20" fill="#0078d4" stroke="#ffffff" stroke-width="2" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 38px; height: 1px; padding-top: 31px; margin-left: 2px;"><div data-drawio-colors="color: #ffffff; " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 18px; font-family: &quot;Segoe UI semibold&quot;; color: rgb(255, 255, 255); line-height: 1.2; pointer-events: all; font-weight: bold; white-space: normal; overflow-wrap: normal;">3</div></div></div></foreignObject><text x="21" y="36" fill="#ffffff" font-family="Segoe UI semibold" font-size="18px" text-anchor="middle" font-weight="bold">3</text></switch></g></g></svg>
Side by Side

After

Width:  |  Height:  |  Size: 3.2 KiB

BIN
education/windows/tutorial-deploy-apps-winse/images/troubleshoot-citool.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 447 KiB

BIN
education/windows/tutorial-deploy-apps-winse/images/troubleshoot-codeintegrity-log.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 594 KiB

BIN
education/windows/tutorial-deploy-apps-winse/images/troubleshoot-managed-installer-policy.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 420 KiB

BIN
education/windows/tutorial-deploy-apps-winse/images/wdac-uwp-policy.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 162 KiB

BIN
education/windows/tutorial-deploy-apps-winse/images/wdac-winsepolicy.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 304 KiB

BIN
education/windows/tutorial-deploy-apps-winse/images/winse-app-block.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 651 KiB

85
education/windows/tutorial-deploy-apps-winse/index.md Normal file
View File

@ -0,0 +1,85 @@
---
title: Deploy applications to Windows 11 SE with Intune
description: Learn how to deploy applications to Windows 11 SE with Intune and how to validate the apps.
ms.date: 06/07/2023
ms.topic: tutorial
appliesto:
-<a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE, version 22H2 and later</a>
---
# Tutorial: deploy applications to Windows 11 SE with Intune
This guide describes how to deploy applications to Windows 11 SE devices that are managed by Microsoft Intune in an education environment. The guide also describes how to validate the apps and how to create policies to allow apps that aren't installable or don't behave as intended.
## Windows 11 SE and application deployment
Windows 11 SE is designed to provide a simplified and secure experience for students. Windows 11 SE prevents the installation and execution of third party applications with a technology called *Windows Defender Application Control (WDAC)*.
WDAC applies an *allowlist* policy called *Windows 11 SE base policy*, which ensures that unwanted apps don't run or get installed. However, it also prevents IT admins from deploying apps to Windows 11 SE devices, unless they're included in the Windows 11 SE base policy.
With the use of WDAC *supplemental policies*, Intune allows specific third party applications to be installed and executed. The [allowlist process][EDU-1] is done on an app-by-app basis, and the time to request an application to be allowed and have the supplemental policy deployed can be lengthy.
Starting with Windows 11 SE, version 22H2, IT admins have more flexibility to deploy applications to Windows 11 SE devices. When a Windows 11 SE device is enrolled in an Intune education tenant, it will automatically receive an AppLocker policy that sets the *Intune Management Extension (IME)* as a *managed installer*.
As a managed installer, applications deployed through the IME will be automatically allowed on Windows 11 SE, removing the allowlist process requirement. For more information about managed installer, see [How does a managed installer work?][WIN-2]
> [!NOTE]
> End-users of Windows 11 SE devices still cannot install and use arbitrary applications without being blocked. Only IT admins can control what apps are allowed.
## Tutorial objectives
Even when using managed installer, some applications may not execute due to their type or complexity. In these scenarios, the IT admin must create their own policies that allow the apps execution.\
The policies can then be deployed to the Windows SE devices via Intune.
In this tutorial you'll learn:
- Which types of apps can be deployed via Intune to Windows 11 SE devices
- How to verify that the apps are installed correctly
- How to mitigate app installation issues
- Special considerations when deploying apps to Windows 11 SE
## Installation process
There are three main steps to install an application on Windows 11 SE using the managed installer. Each step will be covered in detail in the next sections of this tutorial:
:::row:::
:::column span="":::
<a href="deploy-apps.md"><img src="images/phase-1-on.svg" alt="Icon representing the first phase."/></a><br>
[**Deploy an application via Microsoft Intune**](deploy-apps.md)<br>
Applications are deployed via Microsoft Intune. There are some restrictions on the types of apps that are compatible with managed installers, but the process is the same used for non-Windows 11 SE devices
:::column-end:::
:::column span="":::
<a href="validate-apps.md"><img src="images/phase-2-on.svg" alt="Icon representing the second phase."/></a><br>
[**Validate the application**](validate-apps.md)<br>
Applications are validated to ensure that they're installed and execute successfully. The process is the same for non-Windows 11 SE devices. Some applications may be incompatible due to how they're installed, how they execute, or how they update. You'll learn about known limitations in a later section of the tutorial
:::column-end:::
:::column span="":::
<a href="create-policies.md"><img src="images/phase-3-on.svg" alt="Icon representing the third phase."/></a><br>
[**Create additional policies 2 (optional)**](create-policies.md)<br>
To allow apps that aren't installable or don't behave as intended, more policies can be created and deployed so that the apps can be used
:::column-end:::
:::row-end:::
All the steps are done by the IT administrator. Once the steps are complete, users of Windows 11 SE devices should be able to run the applications deployed via Intune.
## Prerequisites
To receive policies on your Windows 11 SE devices, allowing app installation from Intune, you must have:
- Windows 11 SE, version 22H2 with [KB5019980][KB-1] and later
- Intune for Education licenses. The license requirement is for the managed installer to deploy apps and supplemental policies via Intune
If you don't have an Intune for Education license for your devices yet, refer to [Microsoft Intune for Education][EXT-1] for access to a free trial version.
## Next steps
Advance to the next article to learn which applications can be deployed to Windows 11 SE devices, and how to deploy them via Intune.
> [!div class="nextstepaction"]
> [Next: deploy apps >](deploy-apps.md)
[KB-1]: https://support.microsoft.com/kb/5019980
[EDU-1]: /education/windows/windows-11-se-overview#add-your-own-applications
[EXT-1]: https://www.microsoft.com/en-us/education/intune
[WIN-1]: /windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create
[WIN-2]: /windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer#how-does-a-managed-installer-work

17
education/windows/tutorial-deploy-apps-winse/toc.yml Normal file
View File

@ -0,0 +1,17 @@
items:
- name: Introduction
href: index.md
- name: 1. Deploy apps
href: deploy-apps.md
- name: 2. Validate apps
href: validate-apps.md
- name: 3. Create and deploy policies to allow apps
items:
- name: Create policies
href: create-policies.md
- name: Deploy policies
href: deploy-policies.md
- name: Important app deployment considerations
href: considerations.md
- name: Troubleshoot common issues
href: troubleshoot.md

109
education/windows/tutorial-deploy-apps-winse/troubleshoot.md Normal file
View File

@ -0,0 +1,109 @@
---
title: Troubleshoot app deployment issues in Windows SE
description: Troubleshoot common issues when deploying apps to Windows SE devices.
ms.date: 06/19/2023
ms.topic: tutorial
appliesto:
-<a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE, version 22H2 and later</a>
---
# Troubleshoot app deployment issues in Windows SE
The following table lists common app deployment issues on Windows 11 SE, and options to resolve them:
| **Problem** | **Potential solution** |
|---|---|
| **App hasn't installed** | <li>Check the type of app:<ul><li>Win32 apps should be able to install with no problem</li><li>UWP LOB apps apps aren't supported</li></ul></li><li>It's possible the app is trying to execute a blocked binary. Check the AppLocker and CodeIntegrity logs in the Event Viewer and verify if any executables related to the app are blocked. If so, you'll need to write a supplemental policy to support the app</li><li> Check the Intune Management Extension logs to see if there was an attempt to install your app</li>|
| **App has problems when running** | It's possible the app is trying to execute a blocked binary<br> Check the **AppLocker** and **CodeIntegrity** logs in Event Viewer to see if any executables related to the app are being blocked. If so, you'll need to write a supplemental policy to support the app. |
| **My supplemental policy hasn't deployed** |<li>Your XML policy is malformed. Double-check to see if all markup is tagged correctly</li><li>Check that your policy is correctly applied|
<!--
The following table lists common app deployment issues on Windows 11 SE, and options to resolve them:
| **Problem** | **Potential solution** |
|---|---|
| **App hasn't installed** | <li>Check the type of app:<ul><li>Win32 apps should be able to install with no problem</li><li>UWP LOB apps require writing an additional supplemental policy</li><li>Microsoft Sore apps aren't supported</li></ul></li><li>Check that the managed installer policies are deployed correctly</li><li>It's possible the app is trying to execute a blocked binary. Check the AppLocker and CodeIntegrity logs in the Event Viewer and verify if any executables related to the app are blocked. If so, you'll need to write a supplemental policy to support the app</li><li> Check the Intune Management Extension logs to see if there was an attempt to install your app</li>|
| **App has problems when running** | It's possible the app is trying to execute a blocked binary<br> Check the **AppLocker** and **CodeIntegrity** logs in Event Viewer to see if any executables related to the app are being blocked. If so, you'll need to write a supplemental policy to support the app. |
| **My supplemental policy hasn't deployed** |<li>Your XML policy is malformed. Double-check to see if all markup is tagged correctly</li><li>Check that your policy is correctly applied|
## WDAC Supplemental policy validation
Use the Event Viewer to see if a supplemental policy is deployed correctly. These rules apply to both the policy that allows managed installers and any supplemental policies that you deploy.
1. Open the **Event viewer** on a target device
1. Expand **Applications and Services > Microsoft > Windows > CodeIntegrity > Operational**
1. Check for **event ID 3099**: *the policy was Refreshed and activated*
- For example: `Refreshed and activated Code Integrity policy {GUID} . id . Status 0x0`
- The policy that allows managed installers is **`C0DB889B-59C5-453C-B297-399C851934E4`**. Checking that this policy is applied correctly, indicates that a device is setup to allow managed installers (and therefore, can allow installation of Win32 apps via the Intune Management Extension).\
You can check that the **Managed Installer policy** rule was set in the policy, by checking the **Options** field in the **details** pane. For more information, see: [Understanding Application Control event IDs][WIN-1]
:::image type="content" source="images/troubleshoot-managed-installer-policy.png" alt-text="Screenshot of the CodeIntegrity operational log." lightbox="images/troubleshoot-managed-installer-policy.png":::
You can also verify that the policy has been activated by running the following from the <kbd>Win</kbd> + <kbd>R</kbd> *Run dialog* on a target device as an Administrator (hold <kbd>CTRL</kbd> + <kbd>Shift</kbd> when pressing Enter to run the command):
```
citool.exe -lp
```
- For the policy that allows managed installers to run, a policyID `C0DB889B-59C5-453C-B297-399C851934E4` and Friendly Name *[Win-EDU] Microsoft Apps Supplemental Policy - Prod* should be present, and have **Is Currently Enforced** showing as **true**
- For any additional policies that you deploy, check that a policy with a matching ID and Friendly Name is shown in the list and the **Is Currently Enforced** and **Is Authorized** properties are both showing as **true**
:::image type="content" source="images/troubleshoot-citool.png" alt-text="Screenshot of the output of citool.exe with the Win-EDU supplemental policy.":::
1. Check for **error events** with code **3077**: and reference [Understanding Application Control event IDs][WIN-1]
:::image type="content" source="images/troubleshoot-codeintegrity-log.png" alt-text="Screenshot of the error in the CodeIntegrity operational log showing that PowerShell execution is prevented by policy." lightbox="images/troubleshoot-codeintegrity-log.png":::
When checking an error event, you can observe that the information in the *General* tab may show something like the following:
```
Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\System32\svchost.exe) attempted to load **\Device\HarddiskVolume3\Windows\System32\WindowsPowerShell\v1.0\powershell.exe** that did not meet the Enterprise signing level requirements or violated code integrity policy (Policy ID:**{82443e1e-8a39-4b4a-96a8-f40ddc00b9f3}**).
```
The important things to parse are:
- **Failing application**: the path and executable here inform you which application failed. It's important to check that this executable is expected for the application you're validating. (for example. You would expect zoom.exe to fail for Zoom as opposed to cmd.exe.)
- **Error reason**: indicates why the application was unable to run. `...did not meet the Enterprise signing level requirements or violated code integrity policy` is what should be seen
- **Policy ID**: is the policy that is being violated, meaning that a rule in the policy is preventing the application from running
> [!NOTE]
> **{82443e1e-8a39-4b4a-96a8-f40ddc00b9f3}** is the base policy, which is what restricts most third-party apps from running. If you see another policy ID, it's worth taking note of that.
Alternatively you can use `cidiag.exe /stop`, which copies all potentially relevant logs and policy files to a folder. The command also parses the critical events from the **CodeIntegrity** and **AppLocker** logs to a text file.
-->
## AppLocker policy validation
To query AppLocker policies and validate that they're configured correctly, follow these steps:
1. Open the **Local Security Policy** mmc console (`secpol.msc`)
1. Select **Security Settings > Application Control Policies**
1. Right-click **AppLocker** and select **Export Policy…**
:::image type="content" source="images/applocker-export-policy.png" alt-text="Screenshot of the export of the AppLocker policies from the Local Security Policy mmc console." lightbox="images/applocker-export-policy.png" border="false":::
1. For the policy that sets the Intune Management Extension as a Managed installer, *MICROSOFT.MANAGEMENT.SERVICES.INTUNEWINDOWSAGENT.EXE* should be nested under a RuleCollection section of Type *ManagedInstaller*
:::image type="content" source="images/applocker-policy-validation.png" alt-text="Screenshot of the xml file generated by the get-applockerpolicy PowerShell cmdlet." lightbox="images/applocker-policy-validation.png":::
1. For any policies you added to set other executables you want to be managed installers, look for the rules you defined nested under a RuleCollection section of Type *ManagedInstaller*
### AppLocker service
To verify that the AppLocker service is running, follow these steps:
1. Open the **Services** mmc console (`services.msc`)
1. Verify that the service **Application Identity** has a status of **Running**
### AppLocker event log validation
1. Open the **Event Viewer** on a target device
1. Expand **Applications and Services > Microsoft > Windows > AppLocker > MSI and Script**
1. Check for **error events** with code **8040**, and reference [Understanding Application Control event IDs][WIN-2]
## Intune Management Extension
- [Collect diagnostics from a Windows device][MEM-1]
- Logs can be collected from `%programdata%\Microsoft\IntuneManagementExtension\Logs`
[MEM-1]: /mem/intune/remote-actions/collect-diagnostics
[WIN-1]: /windows/security/threat-protection/windows-defender-application-control/event-tag-explanations#policy-activation-event-options
[WIN-2]: /windows/security/threat-protection/windows-defender-application-control/event-id-explanations

172
education/windows/tutorial-deploy-apps-winse/validate-apps.md Normal file
View File

@ -0,0 +1,172 @@
---
title: Validate the applications deployed to Windows SE devices
description: Learn how to validate the applications deployed to Windows SE devices via Intune.
ms.date: 06/19/2023
ms.topic: tutorial
appliesto:
-<a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE, version 22H2 and later</a>
---
# Validate the applications deployed to Windows SE devices
:::row:::
:::column span="":::
<a href="deploy-apps.md"><img src="images/phase-1-off.svg" alt="Icon representing the first phase."/></a><br>
[**Deploy an application via Microsoft Intune**](deploy-apps.md)
:::column-end:::
:::column span="":::
<a href="validate-apps.md"><img src="images/phase-2-on.svg" alt="Icon representing the second phase."/></a><br>
[**Validate the application**](validate-apps.md)
:::column-end:::
:::column span="":::
<a href="create-policies.md"><img src="images/phase-3-off.svg" alt="Icon representing the third phase."/></a><br>
[**Create additional policies 2 (optional)**](create-policies.md)
:::column-end:::
:::row-end:::
A fundamental step in deploying apps to Windows 11 SE devices is to validate that the apps work as expected.
Application validation consists of the following steps:
1. Wait for the application to install
1. Verify that the app installed successfully
1. Open the app and exercise all user workflows
1. Inspect the app and take note of any potential problems
> [!NOTE]
> Apps must be validated on a case-by-case basis. A successful installation doesn't mean that the app will run properly. A successful execution of the app, doesn't mean it will *always* run properly.
## Wait for the application to install
Application installation depends on two factors:
- When the managed installer policies are applied to the device. These policies are automatically applied to Windows SE devices when they are enrolled in Intune
- When the apps are deployed to a device
> [!IMPORTANT]
> The Intune management extension agent checks every hour (or on service or device restart) for any new Win32 app assignments.
If the Windows 11 SE base policy doesn't block the application that you're trying to deploy, the process to deploy the app to Windows SE devices should be consistent with non-SE devices.
## Check for installation
There are two ways to verify that an app installed successfully:
- Intune portal
- On the device
Both options are worth checking. Installation in Intune can be used to check the installation status remotely and to ensure that the installation detection rules are configured correctly. Checking on the device can indicate if the app installed and if it runs properly.
### Check for installation from Intune
To check the installation status of an app from the Intune portal:
1. Sign in to the <a href="https://intune.microsoft.com/" target="_blank"><b>Microsoft Intune admin center</b></a>
1. Select **App > All apps**
1. Select the application you want to check
1. From the **Overview** page, you can verify the overall installation status
:::image type="content" source="./images/intune-app-install-overview.png" alt-text="Screenshot of the Microsoft Intune admin center - App installation details." lightbox="./images/intune-app-install-overview.png":::
1. From the **Device install status** page, you can verify the installation status for each device, and the status code that indicates the cause of the failure
:::image type="content" source="./images/intune-app-install-status.png" alt-text="Screenshot of the Microsoft Intune admin center - App installation status for each device." lightbox="./images/intune-app-install-status.png":::
> [!NOTE]
> A Win32 application may install correctly, but report to Intune as failed.\
> A Win32 app may also fail to install, but report as installed to Intune.
>
> In both cases, the issue may be in the detection rules defined in Intune, which must be configured correctly to detect the installation of the app.
### Check for installation on the device
On a Windows SE device, open the **Settings** app and select **Apps** > **Installed apps**. You can see the list of installed apps and validate that your targeted app is listed.
Another way to validate that the app has installed is to check its installation directory. The path is usually `C:\Program Files` or `C:\Program Files (x86)`, but can vary from app to app.
Lastly, launch the app to ensure that it has installed correctly.
## Check for compatibility
Checking for compatibility often means to execute the app and verify its functionalities. Here are some things to try while testing the behavior of your app:
- Open the app
- Test the core functionality and common user scenarios. Exercise a common workflow that a user would do with the app
- Force an update of the app
Here are things to pay attention to:
- Know how the apps you deploy are updated, and if they offer controls for automatic updates
- Dialogs may pop up during the app use, indicating that something is blocked
- Multiple apps are installed, especially if one app appears to be a launcher/updater. For example, Adobe Photoshop includes the Adobe Creative Cloud launcher, which updates Photoshop and other apps
- Any messages indicating that the app is doing pre-installation work or downloading more content
- Logs in the Event Viewer
### Compatible apps
If an app appears to be functioning correctly without being blocked, it's likely compatible with managed installer installation.
However, just because an app works initially doesn't mean it will *always* work. Self-updates or separate launchers/clients may update the apps.
### Semi-compatible apps
Semi-compatible apps may run without problems initially, but in the future they can be restricted to run after it self-updates or another installer/updater app installs over it.
### Incompatible apps
Incompatible apps may launch initially, but immediately begin to download more resources.\
These apps are eventually blocked before any of their functionalities can be accessed. Or, these apps may not launch due to a dependent file blocked by the Windows 11 SE base policy.
### Visual error notifications
You may see a dialog indicating **This app won't run on your PC**. Check the indicated executable and verify that it matches the executable of the installed application.
:::image type="content" source="images/winse-app-block.png" alt-text="Screenshot of Windows SE - error window while opening an app.":::
### Event Viewer
More detail can be obtained when looking for events indicating blocked executables in the Event Viewer.\
The event logs are:
- **CodeIntegrity > Operational**
- **AppLocker > MSI and Script**
For more information, see the [Troubleshoot](troubleshoot.md) section.
## Known limitations
Not all apps are compatible with managed installers, even after installation.
To learn about known limitations with apps deployed via a managed installer, see [Known limitations with managed installer][WIN-1].
<!--
> [!NOTE]
> UWP LOB apps aren't installed using the Intune Management Extension and thus aren't tracked by the managed installer heuristic. LOB apps must be authorized separately in your WDAC policy.
-->
## Section review
Before moving on to the next section, ensure that you've completed the following tasks:
> [!div class="checklist"]
> - Verified any installation errors from Intune
> - Verified the app installation on the device
> - Checked for any errors when opening the app from the device
> - Checked for any errors in the Event Viewer
## Next steps
Select one of the following options to learn the next steps:
<!--- If the apps don't work as expected, you must create and deploy WDAC or AppLocker policies to allow the apps to run-->
- If the apps don't work as expected, you must create and deploy AppLocker policies to allow the apps to run
> [!div class="nextstepaction"]
> [Next: Create policies>](create-policies.md)
- If the applications you are deploying don't have any issues, you can skip to important considerations when deploying apps and policies
> [!div class="nextstepaction"]
> [Next: Important deployment considerations>](considerations.md)
[M365-1]: /microsoft-365/education/deploy/microsoft-store-for-education
[WIN-1]: /windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer#known-limitations-with-managed-installer
[WIN-2]: /windows/msix/
[WIN-3]: /windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control

21
education/windows/tutorial-school-deployment/configure-device-apps.md
View File

@ -1,7 +1,7 @@
---
title: Configure applications with Microsoft Intune
description: Learn how to configure applications with Microsoft Intune in preparation for device deployment.
ms.date: 08/31/2022
ms.date: 03/08/2023
ms.topic: tutorial
---
@ -54,21 +54,10 @@ To assign applications to a group of users or devices:
## Considerations for Windows 11 SE
Windows 11 SE supports all web applications and a *curated list* of desktop applications.
You can prepare and add a desktop app to Microsoft Intune as a Win32 app from the [approved app list][EDU-1].
Windows 11 SE prevents the installation and execution of third party applications with a technology called **Windows Defender Application Control** (WDAC).
WDAC applies an *allowlist* policy, which ensures that unwanted apps don't run or get installed. However, it also prevents IT admins from deploying apps to Windows 11 SE devices, unless they're included in the E Mode policy.
The process to add Win32 applications to Intune is described in the article [Add, assign, and monitor a Win32 app in Microsoft Intune][MEM-1].
> [!NOTE]
> If the applications you need aren't included in the list, anyone in your school district can submit an application request at <a href="https://edusupport.microsoft.com/support?product_id=win11se" target="_blank"><u>Microsoft Education Support</u></a>.
> [!CAUTION]
> If you assign an app to a device running **Windows 11 SE** and receive the **0x87D300D9** error code with a **Failed** state:
> - Be sure the app is on the [<u>approved app list</u>][EDU-1]
> - If you submitted a request to add your own app and it was approved, check that the app meets package requirements
> - If the app is not approved, it will not run on Windows 11 SE. In this case, you will have to verify if the app can run in a web browser, such as a web app or PWA
________________________________________________________
To learn more about which apps are supported in Windows 11 SE, and how to deploy them, see the tutorial [Deploy applications to Windows 11 SE with Intune][EDU-1].
## Next steps
@ -79,7 +68,7 @@ With the applications configured, you can now deploy students' and teachers' dev
<!-- Reference links in article -->
[EDU-1]: /education/windows/windows-11-se-overview
[EDU-1]: ../tutorial-deploy-apps-winse/index.md
[MEM-1]: /mem/intune/apps/apps-win32-add

5
education/windows/tutorial-school-deployment/enroll-autopilot.md
View File

@ -1,7 +1,7 @@
---
title: Enrollment in Intune with Windows Autopilot
description: Learn how to join Azure AD and enroll in Intune using Windows Autopilot.
ms.date: 08/31/2022
ms.date: 03/08/2023
ms.topic: tutorial
---
@ -97,7 +97,7 @@ To deploy the ESP to devices, you need to create an ESP profile in Microsoft Int
For more information, see [Set up the Enrollment Status Page][MEM-3].
> [!CAUTION]
> When targeting an ESP to **Windows 11 SE** devices, only applications included in the [<u>approved app list</u>][EDU-1] should part of the ESP configuration.
> The Enrollment Status Page (ESP) is compatible with Windows 11 SE. However, due to the E Mode policy, devices may not complete the enrollment. For more information, see [Enrollment Status Page][EDU-3].
### Autopilot end-user experience
@ -144,5 +144,6 @@ With the devices joined to Azure AD tenant and managed by Intune, you can use In
[EDU-1]: /education/windows/windows-11-se-overview
[EDU-2]: /intune-education/windows-11-se-overview#windows-autopilot
[EDU-3]: ../tutorial-deploy-apps-winse/considerations.md#enrollment-status-page
[SURF-1]: /surface/surface-autopilot-registration-support

12
windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md
View File

@ -1,7 +1,7 @@
---
title: Microsoft 365 Apps for enterprise
description: This article explains how Windows Autopatch manages Microsoft 365 Apps for enterprise updates
ms.date: 03/10/2023
ms.date: 06/23/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: how-to
@ -41,9 +41,9 @@ For a device to be eligible for Microsoft 365 Apps for enterprise updates (both
## Update release schedule
All devices registered for Windows Autopatch will receive updates from the [Monthly Enterprise Channel](/deployoffice/overview-update-channels#monthly-enterprise-channel-overview). This practice provides your users with new features each month, and they'll receive just one update per month on a predictable release schedule. Updates are released on the second Tuesday of the month; these updates can include feature, security, and quality updates. These updates occur automatically and pulled directly from the Office Content Delivery Network (CDN).
All devices registered for Windows Autopatch receive updates from the [Monthly Enterprise Channel](/deployoffice/overview-update-channels#monthly-enterprise-channel-overview). This practice provides your users with new features each month, and they receive just one update per month on a predictable release schedule. Updates are released on the second Tuesday of the month; these updates can include feature, security, and quality updates. These updates occur automatically and pulled directly from the Office Content Delivery Network (CDN).
Unlike Windows update, the Office CDN doesn't make the update available to all devices at once. Over the course of the release, the Office CDN gradually makes the update available to the whole population of devices. Windows Autopatch doesn't control the order in which updates are offered to devices across your estate. After the update downloads, there's a seven day [update deadline](/deployoffice/configure-update-settings-microsoft-365-apps) that specifies how long the user has until the user must apply the update.
Unlike Windows update, the Office CDN doesn't make the update available to all devices at once. Over the course of the release, the Office CDN gradually makes the update available to the whole population of devices. Windows Autopatch doesn't control the order in which updates are offered to devices across your estate. After the update downloads, there's a seven day [update deadline](../references/windows-autopatch-microsoft-365-policies.md) that specifies how long the user has until the user must apply the update.
## Deployment rings
@ -81,7 +81,7 @@ Windows Autopatch doesn't allow you to pause or roll back an update in the Micro
## Allow or block Microsoft 365 App updates
For organizations seeking greater control, you can allow or block Microsoft 365 App updates for Windows Autopatch-enrolled devices. When the Microsoft 365 App update setting is set to **Block**, Windows Autopatch won't provide Microsoft 365 App updates on your behalf, and your organizations will have full control over these updates. For example, you can continue to receive updates from [channels](/deployoffice/overview-update-channels) other than the default [Monthly Enterprise Channel](/deployoffice/overview-update-channels#monthly-enterprise-channel-overview).
For organizations seeking greater control, you can allow or block Microsoft 365 App updates for Windows Autopatch-enrolled devices. When the Microsoft 365 App update setting is set to **Block**, Windows Autopatch doesn't provide Microsoft 365 App updates on your behalf, and your organizations have full control over these updates. For example, you can continue to receive updates from [channels](/deployoffice/overview-update-channels) other than the default [Monthly Enterprise Channel](/deployoffice/overview-update-channels#monthly-enterprise-channel-overview).
**To allow or block Microsoft 365 App updates:**
@ -120,12 +120,12 @@ For organizations seeking greater control, you can allow or block Microsoft 365
[Servicing profiles](/deployoffice/admincenter/servicing-profile) is a feature in the [Microsoft 365 Apps admin center](https://config.office.com/) that provides controlled update management of monthly Office updates, including controls for user and device targeting, scheduling, rollback, and reporting.
A [service profile](/deployoffice/admincenter/servicing-profile#compatibility-with-other-management-tools) takes precedence over other policies, such as a Microsoft Intune policy or the Office Deployment Tool. The servicing profile will affect all devices that meet the [device eligibility requirements](#device-eligibility) regardless of existing management tools in your environment. So, if you're targeting a managed device with a servicing profile it will be ineligible for Microsoft 365 App update management.
A [service profile](/deployoffice/admincenter/servicing-profile#compatibility-with-other-management-tools) takes precedence over other policies, such as a Microsoft Intune policy or the Office Deployment Tool. The servicing profile affects all devices that meet the [device eligibility requirements](#device-eligibility) regardless of existing management tools in your environment. So, if you're targeting a managed device with a servicing profile it's ineligible for Microsoft 365 App update management.
However, the device may still be eligible for other managed updates. For more information about a device's eligibility for a given [software update workload](windows-autopatch-update-management.md#software-update-workloads), see the Device eligibility section of each respective software update workload.
## Incidents and outages
If devices in your tenant aren't meeting the [service level objective](#service-level-objective) for Microsoft 365 Apps for enterprise updates, an incident will be raised. The Windows Autopatch Service Engineering Team will work to bring the devices back into compliance.
If devices in your tenant aren't meeting the [service level objective](#service-level-objective) for Microsoft 365 Apps for enterprise updates, an incident is raised. The Windows Autopatch Service Engineering Team will work to bring the devices back into compliance.
If you're experiencing issues related to Microsoft 365 Apps for enterprise updates, [submit a support request](../operate/windows-autopatch-support-request.md).

4
windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md
View File

@ -1,7 +1,7 @@
---
title: Changes made at tenant enrollment
description: This reference article details the changes made to your tenant when enrolling into Windows Autopatch
ms.date: 01/24/2023
ms.date: 06/23/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: reference
@ -108,7 +108,7 @@ The following groups target Windows Autopatch configurations to devices and mana
| Policy name | Policy description | Properties | Value |
| ----- | ----- | ----- | ----- |
| Windows Autopatch-OfficeConfiguration | SetsOfficeUpdateChanneltotheMonthlyEnterpriseservicingbranch.<p>Assigned to:<ol><li>ModernWorkplaceDevices-WindowsAutopatch-Test</li><li>Modern Workplace Devices-Windows Autopatch-First</li><li>Modern Workplace Devices-Windows Autopatch-Fast</li><li>Modern Workplace Devices-Windows Autopatch-Broad</li></ol>|<ol><li>Enable Automatic Updates</li><li>Hide option to enable or disable updates</li><li>Update Channel</li><li>Channel Name (Device)</li><li>Hide Update Notifications</li><li>Update Path</li></ol> |<ol><li>Enabled</li><li>Enabled</li><li>Enabled</li><li>Monthly Enterprise Channel</li><li>Disabled</li><li>Enabled</li></ol> |
| Windows Autopatch-OfficeConfiguration | SetsOfficeUpdateChanneltotheMonthlyEnterpriseservicingbranch.<p>Assigned to:<ol><li>ModernWorkplaceDevices-WindowsAutopatch-Test</li><li>Modern Workplace Devices-Windows Autopatch-First</li><li>Modern Workplace Devices-Windows Autopatch-Fast</li><li>Modern Workplace Devices-Windows Autopatch-Broad</li></ol>|<ol><li>Enable Automatic Updates</li><li>Hide option to enable or disable updates</li><li>Update Channel</li><li>Channel Name (Device)</li><li>Hide Update Notifications</li><li>Update Path</li><li>Location for updates (Device)</li></ol> |<ol><li>Enabled</li><li>Enabled</li><li>Enabled</li><li>Monthly Enterprise Channel</li><li>Disabled</li><li>Enabled</li><li>`http://officecdn.microsoft.com/pr/55336b82-a18d-4dd6-b5f6-9e5095c314a6`</li></ol> |
| Windows Autopatch-OfficeUpdateConfiguration[Test] | Sets theOfficeupdatedeadline<p>Assigned to:<ol><li>ModernWorkplaceDevices-WindowsAutopatch-Test</li></ol> |<ol><li>Delay downloading and installing updates for Office</li><li>Update Deadline</li></ol>|<ol><li>Enabled; `Days(Device) == 0 days`</li></li><li>Enabled; `Update Deadline(Device) == 7 days`</li></ol>|
| Windows Autopatch-OfficeUpdateConfiguration[First] | Setsthe Officeupdatedeadline<p>Assigned to:<ol><li>ModernWorkplaceDevices-WindowsAutopatch-First</li></ol> |<ol><li>Delay downloading and installing updates for Office</li><li>Update Deadline</li></ol> | <ol><li>Enabled; `Days(Device) == 0 days`</li><li>Enabled; `Update Deadline(Device) == 7 days`</li></ol>|
| Windows Autopatch-OfficeUpdateConfiguration[Fast] | Setsthe Officeupdatedeadline<p>Assigned to:<ol><li>ModernWorkplaceDevices-WindowsAutopatch-Fast</li></ol>|<ol><li>Delay downloading and installing updates for Office</li><li>Update Deadline</li></ol>| <ol><li>Enabled; `Days(Device) == 3 days`</li><li>Enabled; `Update Deadline(Device) == 7 days`</li></ol>|

22
windows/deployment/windows-autopatch/references/windows-autopatch-microsoft-365-policies.md
View File

@ -1,7 +1,7 @@
---
title: Microsoft 365 Apps for enterprise update policies
description: This article explains the Microsoft 365 Apps for enterprise policies in Windows Autopatch
ms.date: 07/11/2022
ms.date: 06/23/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
@ -22,14 +22,14 @@ Deploying any of the following policies to a managed device makes that device in
### Update policies
Window Autopatch deploys mobile device management (MDM) policies to configure Microsoft 365 Apps and requires a specific configuration. If any [Microsoft 365 Apps update settings](/deployoffice/configure-update-settings-microsoft-365-apps) are deployed which conflict with our policies, then the device won't be eligible for management.
Window Autopatch deploys mobile device management (MDM) policies to configure Microsoft 365 Apps and requires a specific configuration. If any [Microsoft 365 Apps update settings](/deployoffice/configure-update-settings-microsoft-365-apps) are deployed which conflict with our policies, then the device isn't eligible for management.
| Update setting | Value | Usage reason |
| ----- | ----- | ----- |
| Set updates to occur automatically | Enabled | Enable automatic updates |
| Specify a location to look for updates | Blank | Don't use this setting since it overwrites the update branch |
| Update channel | Monthly Enterprise | Supported channel for Windows Autopatch |
| Specify the version of Microsoft 365 Apps to update to | Variable | Used to roll back to a previous version if an error occurs |
| Set a deadline by when updates must be applied | 7 | Update deadline |
| Hide update notifications from users | Turned off | Users should be notified when Microsoft 365 Apps are being updated |
| Hide the option to turn on or off automatic Office updates | Turned on | Prevents users from disabling automatic updates |
| Setting name | Test | First | Fast | Broad | Usage reason |
| ----- | ----- | ----- | ----- | ----- | ----- |
| Set updates to occur automatically | Turned on | Turned on | Turned on | Turned on | Turn on automatic updates |
| Specify a location to look for updates | Blank | Blank | Blank | Blank | Don't use this setting because it overwrites the update branch |
| Specify the version of Microsoft Apps to update to | Variable | Variable | Variable | Variable | Used to roll back to a previous version if an error occurs |
| Set a deadline when updates must be applied | 7 | 7 | 7 | 7 | Updates must be applied by the specified deadline |
| Sets the Office update deferral | 0 | 0 | 3 | 7| Delay downloading and installing updates for Office |
| Hide update notifications from end users | Turned off | Turned off | Turned off | Turned off | End users should be notified when Microsoft 365 Apps are being updated |
| Hide the option to turn on or off automatic Office updates | Turned on | Turned on | Turned on | Turned on | Prevents end users from turning off automatic updates |

31
windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
View File

@ -1,7 +1,7 @@
---
title: What's new 2023
description: This article lists the 2023 feature releases and any corresponding Message center post numbers.
ms.date: 06/12/2023
ms.date: 06/23/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: whats-new
@ -21,9 +21,26 @@ This article lists new and updated feature releases, and service releases, with
Minor corrections such as typos, style, or formatting issues aren't listed.
## June 2023
### June feature releases or updates
| Article | Description |
| ----- | ----- |
| [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md) | Added Location for updates (Device) setting and value to the [Windows Autopatch - Office Configuration policy](../references/windows-autopatch-changes-to-tenant.md#microsoft-office-update-policies) |
| [Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md) | Updated [deadline link](../operate/windows-autopatch-microsoft-365-apps-enterprise.md#behavior-during-updates) |
| [Microsoft 365 Apps for enterprise update policies](../references/windows-autopatch-microsoft-365-policies.md) | Updated the [Update policies](../references/windows-autopatch-microsoft-365-policies.md#update-policies) section |
### June service releases
| Message center post number | Description |
| ----- | ----- |
| [MC602590](https://admin.microsoft.com/adminportal/home#/MessageCenter) | June 2023 Windows Autopatch baseline configuration update |
| [MC591864](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Updated ticket categories to reduce how long it takes to resolve support requests |
## May 2023
### May 2023 feature release
### May feature releases or updates
| Article | Description |
| ----- | ----- |
@ -51,7 +68,7 @@ Minor corrections such as typos, style, or formatting issues aren't listed.
| [Policy health and remediation](../operate/windows-autopatch-policy-health-and-remediation.md) | Add new Policy health and remediation feature. This feature is in public preview |
| [Windows Autopatch groups public preview addendum](../references/windows-autopatch-groups-public-preview-addendum.md) | Added addendum for the Windows Autopatch groups public preview |
## May service release
### May service releases
| Message center post number | Description |
| ----- | ----- |
@ -65,7 +82,7 @@ Minor corrections such as typos, style, or formatting issues aren't listed.
| ----- | ----- |
| [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md) | Updated the [Deployment rings for Windows 10 and later](../references/windows-autopatch-changes-to-tenant.md#deployment-rings-for-windows-10-and-later) section |
### April service release
### April service releases
| Message center post number | Description |
| ----- | ----- |
@ -83,7 +100,7 @@ Minor corrections such as typos, style, or formatting issues aren't listed.
| [Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md) | <ul><li>Added support for subscription versions of Microsoft Project and Visio desktop apps</li><li>Updated device eligibility criteria</li><li>Clarified update controls</li></ul> |
| [Customize Windows Update settings](../operate/windows-autopatch-windows-update.md) | New [Customize Windows Update settings](../operate/windows-autopatch-windows-update.md) feature. This feature is in public preview<ul><li>[MC524715](https://admin.microsoft.com/adminportal/home#/MessageCenter)</li></ul>|
### March service release
### March service releases
| Message center post number | Description |
| ----- | ----- |
@ -107,7 +124,7 @@ Minor corrections such as typos, style, or formatting issues aren't listed.
| [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md) | Updated Feature update policies section with Windows Autopatch - DSS Policy [deployment ring] |
| [Register your devices](../deploy/windows-autopatch-register-devices.md) |<ul><li>Updated the [Built-in roles required for registration](../deploy/windows-autopatch-register-devices.md#built-in-roles-required-for-device-registration) section</li><li>Added more information about assigning less-privileged user accounts</li></ul> |
### February service release
### February service releases
| Message center post number | Description |
| ----- | ----- |
@ -126,7 +143,7 @@ Minor corrections such as typos, style, or formatting issues aren't listed.
| [Submit a tenant enrollment support request](../prepare/windows-autopatch-enrollment-support-request.md) | Added the Submit a tenant enrollment support request section. You can submit a tenant enrollment support request through the Tenant enrollment tool if you're running into issues with enrollment |
| [Submit a support request](../operate/windows-autopatch-support-request.md) | Added Premier and Unified support options section |
### January service release
### January service releases
| Message center post number | Description |
| ----- | ----- |

17
windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
View File

@ -368,21 +368,12 @@ If you dont sign up for any of these enterprise services, Microsoft will act
> - Windows 10, versions 1809, 1903, 1909, and 2004.
> - Newer versions of Windows 10 and Windows 11 that have not updated yet to at least the January 2023 preview cumulative update.
Use the instructions below to enable Windows diagnostic data processor configuration using a single setting, through Group Policy, or an MDM solution.
To enable Windows diagnostic data processor configuration, you can use Group Policy or a custom setting in an MDM solution, such as Microsoft Intune.
In Group Policy, to enable Windows diagnostic data processor configuration, go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** and switch the **Allow commercial data pipeline** setting to **enabled**.
- For Group Policy, you can use the “Allow commercial data pipeline” policy, which is also available in the Intune [settings catalog](/mem/intune/configuration/settings-catalog).
- For an MDM solution, you can use the AllowCommercialDataPipeline setting in the System Policy configuration service provider (CSP).
If you wish to disable, at any time, switch the same setting to **disabled**. The default state of the above setting is **disabled**.
To use an MDM solution, such as [Microsoft Intune](/mem/intune/configuration/custom-settings-windows-10), to deploy the Windows diagnostic data processor configuration to your supported devices, use the following custom OMA-URI setting configuration:
- **Name:** System/AllowCommercialDataPipeline
- **OMA-URI:** ./Vendor/MSFT/Policy/Config/System/AllowCommercialDataPipeline
- **Data type:** Integer
Under **Value**, use **1** to enable the service.
If you wish to disable, at any time, switch the same setting to **0**. The default value is **0**.
For more information about AllowCommercialDataPipeline and the “Allow commercial data pipeline” policy, [review this information](/windows/client-management/mdm/policy-csp-system#allowcommercialdatapipeline).
## Change privacy settings on a single server

8
windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
View File

@ -1916,9 +1916,13 @@ Add a REG_DWORD value named **DisableOneSettingsDownloads** to **HKEY_LOCAL_MACH
Widgets is a news and feeds service that can be customized by the user. If you turn off this service, apps using this service may stop working.
You can turn off Widgets by setting the following registry entries:
To turn off Widgets, you can use Group Policy or a custom setting in an MDM solution, such as Microsoft Intune.
- For Group Policy, you can use the “Allow widgets” policy, which is also available in the Intune [settings catalog](/mem/intune/configuration/settings-catalog).
- For an MDM solution, you can use the AllowNewsAndInterests setting in the NewsandInterests configuration service provider (CSP).
For more information about AllowNewsAndInterests and the “Allow widgets” policy, [review this information](/windows/client-management/mdm/policy-csp-newsandinterests#allownewsandinterests).
Add a REG_DWORD value named **AllowWidgets** to **HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Widgets** and set the value to **0**.
### <a href="" id="bkmk-allowedtraffic"></a> Allowed traffic list for Windows Restricted Traffic Limited Functionality Baseline

174
windows/privacy/manage-windows-11-endpoints.md
View File

@ -6,8 +6,8 @@ ms.technology: itpro-privacy
ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
manager: dougeby
ms.date: 01/18/2018
manager: laurawi
ms.date: 06/23/2023
ms.topic: reference
---
@ -26,15 +26,15 @@ Some Windows components, app, and related services transfer data to Microsoft ne
- Using your location to show a weather forecast.
Details about the different ways to control traffic to these endpoints are covered in [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md).
Where applicable, each endpoint covered in this topic includes a link to the specific details on how to control that traffic.
Where applicable, each endpoint covered in this article includes a link to the specific details on how to control that traffic.
The following methodology was used to derive these network endpoints:
1. Set up the latest version of Windows 11 on a test virtual machine using the default settings.
2. Leave the device(s) running idle for a week ("idle" means a user is not interacting with the system/device).
2. Leave the device(s) running idle for a week ("idle" means a user isn't interacting with the system/device).
3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
4. Compile reports on traffic going to public IP addresses.
5. The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure Active Directory.
5. The test virtual machine(s) was logged into using a local account, and wasn't joined to a domain or Azure Active Directory.
6. All traffic was captured in our lab using an IPV4 network. Therefore, no IPV6 traffic is reported here.
7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different.
8. These tests were conducted for one week, but if you capture traffic for longer you may have different results.
@ -42,109 +42,125 @@ The following methodology was used to derive these network endpoints:
> [!NOTE]
> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time.
To view endpoints for non-Enterprise Windows 11 editions, see [Windows 11 connection endpoints for non-Enterprise editions](windows-11-endpoints-non-enterprise-editions.md).
## Windows 11 Enterprise connection endpoints
|Area|Description|Protocol|Destination|
|----------------|----------|----------|------------|
|Apps|||[Learn how to turn off traffic to the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)|
||The following endpoint is used for the Weather app. To turn off traffic for this endpoint, either uninstall the Weather app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTP|tile-service.weather.microsoft.com|
||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS/HTTP|cdn.onenote.net|
||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS|evoke-windowsservices-tas.msedge.net|
|Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA) are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates where the server certificate issuer is unknown or is not trusted by the service. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism.<br> <br>If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)|
|||TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com|
|Cortana and Live Tiles|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana)|
||The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.|TLSv1.2/HTTPS/HTTP|www.bing.com*|
|Apps|||[Learn how to turn off traffic to the following endpoint(s) for apps.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)|
||The following endpoint is used for the Weather app. To turn off traffic for this endpoint, either uninstall the Weather app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps can't be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTP|tile-service.weather.microsoft.com|
||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps can't be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS/HTTP|cdn.onenote.net|
||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps can't be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS|evoke-windowsservices-tas.msedge.net|
|Certificates|||[Learn how to turn off traffic to all of the following endpoint(s) for certificates.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)|
||Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA) are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates where the server certificate issuer is unknown or isn't trusted by the service. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism.<br> <br>If automatic updates are turned off, applications and websites may stop working because they didn't receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device. |TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com|
|Cortana and Live Tiles|||[Learn how to turn off traffic to all of the following endpoint(s) for Cortana and Live Tiles.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana)|
||The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you'll block updates to Cortana greetings, tips, and Live Tiles.|TLSv1.2/HTTPS/HTTP|www.bing.com*|
|||HTTPS|business.bing.com|
|||HTTP|c.bing.com|
|||HTTP|th.bing.com|
|||HTTP|c-ring.msedge.net|
|||TLSv1.2/HTTPS/HTTP|fp.msedge.net|
|||TLSv1.2|I-ring.msedge.net|
|||HTTPS|s-ring.msedge.net|
|Device authentication|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)|
||The following endpoint is used to authenticate a device. If you turn off traffic for this endpoint, the device will not be authenticated.|HTTPS|login.live.com*|
|Device metadata|The following endpoint is used to retrieve device metadata. If you turn off traffic for this endpoint, metadata will not be updated for the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#4-device-metadata-retrieval)|
|||HTTP|dmd.metaservices.microsoft.com|
|Diagnostic Data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)|
|||HTTPS/HTTP|s-ring.msedge.net|
|||HTTP|dual-s-ring.msedge.net|
|||HTTP|creativecdn.com|
|||HTTP|edgeassetservice.azureedge.net|
|Device authentication|||[Learn how to turn off traffic to all of the following endpoint(s) for device authentication.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)|
||The following endpoint is used to authenticate a device. If you turn off traffic for this endpoint, the device won't be authenticated.|HTTPS|login.live.com*|
|Device metadata|||[Learn how to turn off traffic to all of the following endpoint(s) for device metadata.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#4-device-metadata-retrieval)|
||The following endpoint is used to retrieve device metadata. If you turn off traffic for this endpoint, metadata won't be updated for the device.|HTTP|dmd.metaservices.microsoft.com|
|Diagnostic Data| ||[Learn how to turn off traffic to all of the following endpoint(s) for diagnostic data.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)|
||The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, won't be sent back to Microsoft.|TLSv1.2/HTTP|self.events.data.microsoft.com|
|||TLSv1.2/HTTPS/HTTP|v10.events.data.microsoft.com|
||The following endpoints are used by Windows Error Reporting. To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft.|TLSv1.2|telecommand.telemetry.microsoft.com|
||The following endpoints are used by Windows Error Reporting. To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information won't be sent back to Microsoft.|TLSv1.2|telecommand.telemetry.microsoft.com|
|||TLS v1.2/HTTPS/HTTP|watson.*.microsoft.com|
|Font Streaming|The following endpoints are used to download fonts on demand. If you turn off traffic for these endpoints, you will not be able to download fonts on demand.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#6-font-streaming)|
|||HTTPS|fs.microsoft.com|
|Licensing|The following endpoint is used for online activation and some app licensing. To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#9-license-manager)|
|||TLSv1.2/HTTPS/HTTP|licensing.mp.microsoft.com|
|Maps|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-offlinemaps)|
||The following endpoints are used to check for updates to maps that have been downloaded for offline use. If you turn off traffic for this endpoint, offline maps will not be updated.|TLSv1.2/HTTPS/HTTP|maps.windows.com|
|Microsoft Account|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account)|
||The following endpoints are used for Microsoft accounts to sign in. If you turn off traffic for these endpoints, users cannot sign in with Microsoft accounts. |TLSv1.2/HTTPS|login.live.com|
|Microsoft Edge|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#13-microsoft-edge)|
|||TLSv1.2|www.telecommandsvc.microsoft.com|
|Font Streaming|||[Learn how to turn off traffic to all of the following endpoint(s) for font streaming.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#6-font-streaming)|
||The following endpoint is used to download fonts on demand. If you turn off traffic for these endpoints, you won't be able to download fonts on demand.|HTTPS|fs.microsoft.com|
|Licensing|||[Learn how to turn off traffic to all of the following endpoint(s) for licensing.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#9-license-manager)|
||The following endpoint is used for online activation and some app licensing. To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work.|TLSv1.2/HTTPS/HTTP|licensing.mp.microsoft.com|
|Location|||[Learn how to turn off traffic to all of the following endpoint(s) for location.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#182-location)|
||The following endpoint is used for location data. If you turn off traffic for this endpoint, apps can't use location data.|TLSv1.2|inference.location.live.net|
|Maps|||[Learn how to turn off traffic to all of the following endpoint(s) for maps.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-offlinemaps)|
||The following endpoints are used to check for updates to maps that have been downloaded for offline use. If you turn off traffic for this endpoint, offline maps won't be updated.|TLSv1.2/HTTPS/HTTP|maps.windows.com|
|||HTTP|ecn.dev.virtualearth.net|
|||HTTP|ecn-us.dev.virtualearth.net|
|||HTTPS|weathermapdata.blob.core.windows.net|
|Microsoft Account|||[Learn how to turn off traffic to all of the following endpoint(s) for Microsoft account.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account)|
||The following endpoint is used for Microsoft accounts to sign in. If you turn off traffic for these endpoints, users can't sign in with Microsoft accounts. |TLSv1.2/HTTPS/HTTP|login.live.com|
|Microsoft Edge|||[Learn how to turn off traffic to all of the following endpoint(s) for Microsoft Edge.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#13-microsoft-edge)|
|||TLSv1.2/HTTP|edge.microsoft.com|
|||TLSv1.2/HTTP|windows.msn.com|
||This network traffic is related to the Microsoft Edge browser. The Microsoft Edge browser requires this endpoint to contact external websites.|HTTPS|iecvlist.microsoft.com|
||The following endpoint is used by Microsoft Edge Update service to check for new updates. If you disable this endpoint, Microsoft Edge wont be able to check for and apply new edge updates.|TLSv1.2/HTTPS/HTTP|msedge.api.cdp.microsoft.com|
|Microsoft Store|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
||The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). If you turn off traffic for these endpoints, the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTPS|img-prod-cms-rt-microsoft-com.akamaized.net|
||The following endpoint is needed to load the content in the Microsoft Store app.|HTTPS|livetileedge.dsx.mp.microsoft.com|
|Microsoft Store|||[Learn how to turn off traffic to all of the following endpoint(s) for Microsoft Store.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
||The following endpoints are used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). If you turn off traffic for these endpoints, the image files won't be downloaded, and apps can't be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|TLSv1.2/HTTPS|img-prod-cms-rt-microsoft-com.akamaized.net|
|||HTTP|img-s-msn-com.akamaized.net|
||The following endpoints are needed to load the content in the Microsoft Store app.|HTTPS|livetileedge.dsx.mp.microsoft.com|
|||HTTP|storeedgefd.dsx.mp.microsoft.com|
||The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way. If you turn off traffic for this endpoint, push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization.|TLSv1.2/HTTPS|*.wns.windows.com|
||The following endpoints are used to revoke licenses for malicious apps in the Microsoft Store. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft Store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them|TLSv1.2/HTTPS/HTTP|storecatalogrevocation.storequality.microsoft.com|
||The following endpoints are used to revoke licenses for malicious apps in the Microsoft Store. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft Store, other Microsoft Store apps can't be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them|TLSv1.2/HTTPS/HTTP|storecatalogrevocation.storequality.microsoft.com|
||The following endpoint is used to get Microsoft Store analytics.|HTTPS|manage.devcenter.microsoft.com|
||The following endpoints are used to communicate with Microsoft Store. If you turn off traffic for these endpoints, apps cannot be installed or updated from the Microsoft Store.|TLSv1.2/HTTPS/HTTP|displaycatalog.mp.microsoft.com|
|||HTTPS|pti.store.microsoft.com|
||The following endpoints are used to communicate with Microsoft Store. If you turn off traffic for these endpoints, apps can't be installed or updated from the Microsoft Store.|TLSv1.2/HTTPS/HTTP|displaycatalog.mp.microsoft.com|
|||HTTP|share.microsoft.com|
||The following endpoint is used to get Microsoft Store analytics.|TLSv1.2/HTTPS/HTTP|manage.devcenter.microsoft.com|
|Network Connection Status Indicator (NCSI)|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-ncsi)|
||Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet. If you turn off traffic for this endpoint, NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning.|HTTPS|www.msftconnecttest.com*|
|Office|The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office in a browser. For more info, see Office 365 URLs and IP address ranges. You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
|||HTTPS|www.office.com|
|Microsoft To Do|||[Learn how to turn off traffic to all of the following endpoint(s) for Microsoft To Do.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
||The following endpoints are used for the Microsoft To Do app.|HTTP|staging.to-do.officeppe.com|
|||HTTP|staging.to-do.microsoft.com|
|||TLSv1.2/HTTP|to-do.microsoft.com|
|Network Connection Status Indicator (NCSI)|||[Learn how to turn off traffic to all of the following endpoint(s) for Network Connection Status Indicator (NCSI).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-ncsi)|
||Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet. If you turn off traffic for this endpoint, NCSI won't be able to determine if the device is connected to the internet, and the network status tray icon will show a warning.|HTTPS|www.msftconnecttest.com*|
|||HTTP|ipv6.msftconnecttest.com|
|Office|||[Learn how to turn off traffic to all of the following endpoint(s) for Office.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
||The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office in a browser. For more info, see Office 365 URLs and IP address ranges. You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.|HTTPS|www.office.com|
|||HTTPS|blobs.officehome.msocdn.com|
|||HTTPS|officehomeblobs.blob.core.windows.net|
|||HTTPS|self.events.data.microsoft.com|
|||TLSv1.2/HTTPS/HTTP|outlookmobile-office365-tas.msedge.net|
|OneDrive|The following endpoints are related to OneDrive. If you turn off traffic for these endpoints, anything that relies on g.live.com to get updated URL information will no longer work.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-onedrive)|
|||TLSv1.2/HTTPS/HTTP|g.live.com|
|||HTTP|officeclient.microsoft.com|
|||HTTP|ecs.nel.measure.office.net|
|||HTTPS/HTTP|telecommandstorageprod.blob.core.windows.net|
|OneDrive|||[Learn how to turn off traffic to all of the following endpoint(s) for OneDrive.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-onedrive)|
||The following endpoints are related to OneDrive. If you turn off traffic for these endpoints, anything that relies on g.live.com to get updated URL information will no longer work.|TLSv1.2/HTTPS/HTTP|g.live.com|
|||HTTP|onedrive.live.com|
|||TLSv1.2/HTTPS/HTTP|oneclient.sfx.ms|
|||HTTPS| logincdn.msauth.net|
|Settings|The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. If you turn off traffic for this endpoint, an app that uses this endpoint may stop working.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)|
|||TLSv1.2/HTTPS/HTTP|settings-win.data.microsoft.com|
|Settings|||[Learn how to turn off traffic to all of the following endpoint(s) for settings.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)|
||The following endpoints are used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. If you turn off traffic for this endpoint, an app that uses this endpoint may stop working.|TLSv1.2/HTTPS/HTTP|settings-win.data.microsoft.com|
|||HTTPS|settings.data.microsoft.com|
|Skype|The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)|
|||HTTPS/HTTP|*.pipe.aria.microsoft.com|
|Skype|||[Learn how to turn off traffic to all of the following endpoint(s) for Skype.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)|
||The following endpoints are used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft store, other Microsoft Store apps can't be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTPS/HTTP|*.pipe.aria.microsoft.com|
|||TLSv1.2/HTTPS/HTTP|config.edge.skype.com|
|Teams|The following endpoint is used for Microsoft Teams application.||[Learn how to turn off traffic to all of the following endpoint(s).]( manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
|||TLSv1.2/HTTPS/HTTP|config.teams.microsoft.com|
|Microsoft Defender Antivirus|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. If you turn off traffic for this endpoint, the device will not use Cloud-based Protection.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender)|
|||HTTPS/TLSv1.2|wdcp.microsoft.com|
||The following endpoints are used for Windows Defender SmartScreen reporting and notifications. If you turn off traffic for these endpoints, SmartScreen notifications will not appear.|HTTPS|*smartscreen-prod.microsoft.com|
|Teams|||[Learn how to turn off traffic to all of the following endpoint(s) for Teams.]( manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
||The following endpoints are used for Microsoft Teams application.|TLSv1.2/HTTPS/HTTP|config.teams.microsoft.com|
|||HTTP|teams.live.com|
|||TLSv1.2/HTTP|teams.events.data.microsoft.com|
|Microsoft Defender Antivirus|||[Learn how to turn off traffic to all of the following endpoint(s) for Microsoft Defender Antivirus.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender)|
||The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. If you turn off traffic for this endpoint, the device won't use Cloud-based Protection.|HTTPS/TLSv1.2|wdcp.microsoft.com|
||The following endpoints are used for Windows Defender SmartScreen reporting and notifications. If you turn off traffic for these endpoints, SmartScreen notifications won't appear.|HTTPS|*smartscreen-prod.microsoft.com|
|||HTTPS/HTTP|checkappexec.microsoft.com|
|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. If you turn off traffic for these endpoints, Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see Windows Spotlight.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight)|
|||TLSv1.2/HTTPS/HTTP|arc.msn.com|
|Windows Spotlight|||[Learn how to turn off traffic to all of the following endpoint(s) for Windows Spotlight.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight)|
||The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. If you turn off traffic for these endpoints, Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips won't be downloaded. |TLSv1.2/HTTPS/HTTP|arc.msn.com|
|||HTTPS|ris.api.iris.microsoft.com|
|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. If you turn off traffic for this endpoint, Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates)|
|||TLSv1.2/HTTPS/HTTP|*.prod.do.dsp.mp.microsoft.com|
|||TLSv1.2/HTTP|api.msn.com|
|||TLSv1.2/HTTP|assets.msn.com|
|||HTTP|c.msn.com|
|||HTTP|ntp.msn.com|
|||HTTP|srtb.msn.com|
|||TLSv1.2/HTTP|www.msn.com|
|||TLSv1.2/HTTP|fd.api.iris.microsoft.com|
|Windows Update|||[Learn how to turn off traffic to all of the following endpoint(s) for Windows Update.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates)|
||The following endpoints are used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. If you turn off traffic for this endpoint, Windows Update downloads won't be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network won't use peer devices for bandwidth reduction.|TLSv1.2/HTTPS/HTTP|*.prod.do.dsp.mp.microsoft.com|
|||HTTP|emdl.ws.microsoft.com|
||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. If you turn off traffic for these endpoints, the device will not be able to download updates for the operating system.|TLSv1.2/HTTPS/HTTP|*.dl.delivery.mp.microsoft.com|
||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. If you turn off traffic for these endpoints, the device won't be able to download updates for the operating system.|TLSv1.2/HTTPS/HTTP|*.dl.delivery.mp.microsoft.com|
|||HTTP|*.windowsupdate.com|
||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. If you turn off traffic for these endpoints, the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store. These are dependent on also enabling "Device authentication" and "Microsoft Account" endpoints.|TLSv1.2/HTTPS/HTTP|*.delivery.mp.microsoft.com|
||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. If you turn off traffic for these endpoints, the device won't be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device won't be able to acquire and update apps from the Store. These are dependent on also enabling "Device authentication" and "Microsoft Account" endpoints.|TLSv1.2/HTTPS/HTTP|*.delivery.mp.microsoft.com|
|||TLSv1.2/HTTPS/HTTP|*.update.microsoft.com|
||The following endpoint is used for compatibility database updates for Windows.|HTTPS|adl.windows.com|
||The following endpoint is used for content regulation. If you turn off traffic for this endpoint, the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all.|TLSv1.2/HTTPS/HTTP|tsfe.trafficshaping.dsp.mp.microsoft.com|
|Xbox Live|The following endpoint is used for Xbox Live.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
|||HTTPS|dlassets-ssl.xboxlive.com|
## Other Windows 10 editions
To view endpoints for other versions of Windows 10 Enterprise, see:
- [Manage connection endpoints for Windows 10, version 21H1](manage-windows-21H1-endpoints.md)
- [Manage connection endpoints for Windows 10, version 21H2](manage-windows-21H2-endpoints.md)
- [Manage connection endpoints for Windows 10, version 2004](manage-windows-2004-endpoints.md)
- [Manage connection endpoints for Windows 10, version 1909](manage-windows-1909-endpoints.md)
- [Manage connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints.md)
- [Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md)
To view endpoints for non-Enterprise Windows 10 editions, see:
- [Windows 10, version 21H1, connection endpoints for non-Enterprise editions](windows-endpoints-21H1-non-enterprise-editions.md)
- [Windows 10, version 2004, connection endpoints for non-Enterprise editions](windows-endpoints-2004-non-enterprise-editions.md)
- [Windows 10, version 1909, connection endpoints for non-Enterprise editions](windows-endpoints-1909-non-enterprise-editions.md)
- [Windows 10, version 1903, connection endpoints for non-Enterprise editions](windows-endpoints-1903-non-enterprise-editions.md)
- [Windows 10, version 1809, connection endpoints for non-Enterprise editions](windows-endpoints-1809-non-enterprise-editions.md)
||The following endpoint is used for content regulation. If you turn off traffic for this endpoint, the Windows Update Agent will be unable to contact the endpoint, and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all.|TLSv1.2/HTTPS/HTTP|tsfe.trafficshaping.dsp.mp.microsoft.com|
|Xbox Live|||[Learn how to turn off traffic to all of the following endpoint(s) for Xbox Live.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
||The following endpoint is used for Xbox Live.|HTTPS|dlassets-ssl.xboxlive.com|
## Related links

3
windows/privacy/windows-11-endpoints-non-enterprise-editions.md
View File

@ -68,7 +68,6 @@ The following methodology was used to derive the network endpoints:
||The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way.|TLSv1.2/HTTPS|*.wns.windows.com|
||The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store.|TLSv1.2/HTTPS/HTTP|storecatalogrevocation.storequality.microsoft.com|
||The following endpoints are used to communicate with Microsoft Store.|TLSv1.2/HTTPS/HTTP|*displaycatalog.mp.microsoft.com|
|||HTTPS|pti.store.microsoft.com|
|||HTTPS|storesdk.dsx.mp.microsoft.com|
||The following endpoint is used to get Microsoft Store analytics.|TLSv1.2/HTTPS/HTTP|manage.devcenter.microsoft.com|
||The following endpoints are used get images that are used for Microsoft Store suggestions|TLSv1.2|store-images.s-microsoft.com|
@ -139,7 +138,6 @@ The following methodology was used to derive the network endpoints:
||The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way.|TLSv1.2/HTTPS|*.wns.windows.com|
||The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store.|TLSv1.2/HTTPS/HTTP|storecatalogrevocation.storequality.microsoft.com|
||The following endpoints are used to communicate with Microsoft Store.|TLSv1.2/HTTPS/HTTP|*displaycatalog.mp.microsoft.com|
|||HTTPS|pti.store.microsoft.com|
|||HTTPS|storesdk.dsx.mp.microsoft.com|
||The following endpoint is used to get Microsoft Store analytics.|TLSv1.2/HTTPS/HTTP|manage.devcenter.microsoft.com|
|Network Connection Status Indicator (NCSI)|Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet.|TLSv1.2/HTTP|www.msftconnecttest.com*|
@ -210,7 +208,6 @@ The following methodology was used to derive the network endpoints:
||The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store.|TLSv1.2/HTTPS/HTTP|storecatalogrevocation.storequality.microsoft.com|
|||TLSv1.2/HTTPS/HTTP|1storecatalogrevocation.storequality.microsoft.com|
||The following endpoints are used to communicate with Microsoft Store.|TLSv1.2/HTTPS/HTTP|*displaycatalog.mp.microsoft.com|
|||HTTPS|pti.store.microsoft.com|
|||HTTPS|storesdk.dsx.mp.microsoft.com|
||The following endpoint is used to get Microsoft Store analytics.|TLSv1.2/HTTPS/HTTP|manage.devcenter.microsoft.com|
|Network Connection Status Indicator (NCSI)|Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet.|TLSv1.2/HTTP|www.msftconnecttest.com*|

17
windows/security/identity-protection/hello-for-business/hello-faq.yml
View File

@ -124,6 +124,15 @@ sections:
- question: What is Event ID 300?
answer: |
This event is created when Windows Hello for Business is successfully created and registered with Azure Active Directory (Azure AD). Applications or services can trigger actions on this event. For example, a certificate provisioning service can listen to this event and trigger a certificate request. This is a normal condition and no further action is required.
- question: What happens when an unauthorized user gains possession of a device enrolled in Windows Hello for Business?
answer: |
The unauthorized user won't be able to utilize any biometric options and will have the only option to enter a PIN.
If the user attempts to unlock the device by entering random PINs, after three unsuccessful attempts the credential provider will display the following message: **You've entered an incorrect PIN several times. To try again, enter A1B2C3 below**.
Upon entering the challenge phrase *A1B2C3*, the user will be granted one more opportunity to enter the PIN. If unsuccessful, the provider will be disabled, leaving the user with the only option to reboot the device. Following the reboot, the aforementioned pattern repeats.
If unsuccessful attempts continue, the device will enter a lockout state, lasting for 1 minute after the first reboot, 2 minutes after the fourth reboot, and 10 minutes after the fifth reboot. The duration of each lockout increases accordingly. This behavior is a result of the TPM 2.0 anti-hammering feature.
For more information about the TPM anti-hammering feature, see [TPM 2.0 anti-hammering](/windows/security/information-protection/tpm/tpm-fundamentals#tpm-20-anti-hammering).
- name: Design and planning
questions:
@ -165,7 +174,7 @@ sections:
answer: |
A user will be prompted to set up a Windows Hello for Business key on an Azure AD registered devices if the feature is enabled by policy. If the user has an existing Windows Hello container, the Windows Hello for Business key will be enrolled in that container and will be protected using existing gestures.
If a user has signed into their Azure AD registered device with Windows Hello, their Windows Hello for Business key will be used to authenticate the user's work identity when they try to use Azure AD resources. The Windows Hello for Business key meets Azure AD multi-factor authentication (MFA) requirements and reduces the number of MFA prompts users will see when accessing resources.
If a user has signed into their Azure AD registered device with Windows Hello, their Windows Hello for Business key will be used to authenticate the user's work identity when they try to use Azure AD resources. The Windows Hello for Business key meets Azure AD multifactor authentication (MFA) requirements and reduces the number of MFA prompts users will see when accessing resources.
It's possible to Azure AD register a domain joined device. If the domain joined device has a convenience PIN, sign in with the convenience PIN will no longer work. This configuration isn't supported by Windows Hello for Business.
@ -176,12 +185,12 @@ sections:
- question: Does Windows Hello for Business work with Azure Active Directory Domain Services (Azure AD DS) clients?
answer: |
No, Azure AD DS is a separately managed environment in Azure, and hybrid device registration with cloud Azure AD isn't available for it via Azure AD Connect. Hence, Windows Hello for Business doesn't work with Azure AD DS.
- question: Is Windows Hello for Business considered multi-factor authentication?
- question: Is Windows Hello for Business considered multifactor authentication?
answer: |
Windows Hello for Business is two-factor authentication based on the observed authentication factors of: *something you have*, *something you know*, and *something that's part of you*. Windows Hello for Business incorporates two of these factors: something you have (the user's private key protected by the device's security module) and something you know (your PIN). With the proper hardware, you can enhance the user experience by introducing biometrics. By using biometrics, you can replace the "something you know" authentication factor with the "something that is part of you" factor, with the assurances that users can fall back to the "something you know factor".
> [!NOTE]
> The Windows Hello for Business key meets Azure AD multi-factor authentication (MFA) requirements and reduces the number of MFA prompts users will see when accessing resources. For more information, see [What is a Primary Refresh Token](/azure/active-directory/devices/concept-primary-refresh-token#when-does-a-prt-get-an-mfa-claim).
> The Windows Hello for Business key meets Azure AD multifactor authentication (MFA) requirements and reduces the number of MFA prompts users will see when accessing resources. For more information, see [What is a Primary Refresh Token](/azure/active-directory/devices/concept-primary-refresh-token#when-does-a-prt-get-an-mfa-claim).
- question: Which is a better or more secure for of authentication, key or certificate?
answer: |
Both types of authentication provide the same security; one is not more secure than the other.
@ -216,7 +225,7 @@ sections:
Windows Hello for Business credentials need access to device state, which is not available in private browser mode or incognito mode. Hence it can't be used in private browser or Incognito mode.
- question: Can I use both a PIN and biometrics to unlock my device?
answer: |
You can use *multi-factor unlock* to require users to provide an extra factor to unlock their device. Authentication remains two-factor, but another factor is required before Windows allows the user to reach the desktop. To learn more, see [Multifactor Unlock](feature-multifactor-unlock.md).
You can use *multifactor unlock* to require users to provide an extra factor to unlock their device. Authentication remains two-factor, but another factor is required before Windows allows the user to reach the desktop. To learn more, see [Multifactor Unlock](feature-multifactor-unlock.md).
- name: Cloud Kerberos trust
questions: