deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'main' into uc-retire-7748881

Browse Source
This commit is contained in:
Meghan Stewart 2023-07-05 10:25:40 -07:00 committed by GitHub
commit 3fdd9de4c8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
68 changed files with 1333 additions and 242 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
browsers/edge/docfx.json
View File

@ -35,11 +35,10 @@
],
"breadcrumb_path": "/microsoft-edge/breadcrumbs/toc.json",
"ROBOTS": "INDEX, FOLLOW",
"ms.technology": "microsoft-edge",
"audience": "ITPro",
"ms.topic": "article",
"manager": "dansimp",
"ms.prod": "edge",
"ms.prod": "microsoft-edge",
"feedback_system": "None",
"hideEdit": true,
"_op_documentIdPathDepotMapping": {

2
browsers/edge/group-policies/index.yml
View File

@ -8,7 +8,7 @@ metadata:
description: Find the tools and resources you need to help deploy and use Microsoft Edge in your organization. # Required; article description that is displayed in search results. < 160 chars.
keywords: Microsoft Edge Legacy, Windows 10
ms.localizationpriority: medium
ms.prod: edge
ms.prod: microsoft-edge
author: dougeby
ms.author: pashort
ms.topic: landing-page

2
browsers/edge/microsoft-edge-faq.yml
View File

@ -8,7 +8,7 @@ metadata:
description: Answers to frequently asked questions about Microsoft Edge features, integration, support, and potential problems.
author: dansimp
ms.author: dansimp
ms.prod: edge
ms.prod: microsoft-edge
ms.topic: faq
ms.mktglfcycl: general
ms.sitesec: library

2
browsers/edge/microsoft-edge.yml
View File

@ -7,7 +7,7 @@ metadata:
title: Microsoft Edge Legacy # Required; page title displayed in search results. Include the brand. < 60 chars.
description: Find the tools and resources you need to help deploy and use Microsoft Edge in your organization. # Required; article description that is displayed in search results. < 160 chars.
keywords: Microsoft Edge, issues, fixes, announcements, Windows Server, advisories
ms.prod: edge
ms.prod: microsoft-edge
ms.localizationpriority: medium
author: aczechowski
ms.author: aaroncz

15
education/includes/education-content-updates.md
View File

@ -2,6 +2,21 @@
## Week of June 19, 2023
| Published On |Topic title | Change |
|------|------------|--------|
| 6/23/2023 | [Important considerations before deploying apps with managed installer](/education/windows/tutorial-deploy-apps-winse/considerations) | added |
| 6/23/2023 | [Create policies to enable applications](/education/windows/tutorial-deploy-apps-winse/create-policies) | added |
| 6/23/2023 | [Applications deployment considerations](/education/windows/tutorial-deploy-apps-winse/deploy-apps) | added |
| 6/23/2023 | [Deploy policies to enable applications](/education/windows/tutorial-deploy-apps-winse/deploy-policies) | added |
| 6/23/2023 | [Deploy applications to Windows 11 SE with Intune](/education/windows/tutorial-deploy-apps-winse/index) | added |
| 6/23/2023 | [Troubleshoot app deployment issues in Windows SE](/education/windows/tutorial-deploy-apps-winse/troubleshoot) | added |
| 6/23/2023 | [Validate the applications deployed to Windows SE devices](/education/windows/tutorial-deploy-apps-winse/validate-apps) | added |
| 6/23/2023 | [Configure applications with Microsoft Intune](/education/windows/tutorial-school-deployment/configure-device-apps) | modified |
## Week of May 29, 2023

2
education/windows/toc.yml
View File

@ -6,6 +6,8 @@ items:
items:
- name: Deploy and manage Windows devices in a school
href: tutorial-school-deployment/toc.yml
- name: Deploy applications to Windows 11 SE
href: tutorial-deploy-apps-winse/toc.yml
- name: Concepts
items:
- name: Windows 11 SE

53
education/windows/tutorial-deploy-apps-winse/considerations.md Normal file
View File

@ -0,0 +1,53 @@
---
title: Important considerations before deploying apps with managed installer
description: Learn about important aspects to consider before deploying apps with managed installer.
ms.date: 06/19/2023
ms.topic: tutorial
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE, version 22H2 and later</a>
---
# Important considerations before deploying apps with Managed Installer
This article describes important aspects to consider before deploying apps with managed installer.
## Existing apps deployed in Intune
If you have Windows 11 SE devices that already have apps deployed through Intune, the apps won't get retroactively tagged with the *managed installer* mark. You may need to redeploy the apps through Intune to get them properly tagged with managed installer and allowed to run.
## Enrollment Status Page
The Enrollment Status Page (ESP) is compatible with Windows 11 SE. However, due to the Windows 11 SE base policy, devices can be blocked from completing enrollment if:
1. You have the ESP configured to block device use until required apps are installed, and
2. You deploy an app that is blocked by the Windows 11 SE base policy, not installable via a managed installer (without more policies), and not allowed by any supplemental policies or AppLocker policies
<!--
For example, if you deploy a UWP LOB app but haven't deployed a supplemental policy to allow the app, ESP will fail.-->
If you choose to block device use on the installation of apps, you must ensure that apps are also not blocked from installation.
:::image type="content" source="./images/esp-error.png" alt-text="Screenshot of the Enrollment Status Page showing an error in OOBE on Windows 11 SE." border="false":::
### ESP errors mitigation
To ensure that you don't run into installation or enrollment blocks, you can pick one of the following options, in accordance with your internal policies:
1. Ensure that all apps are unblocked from installation. Apps must be compatible with the Windows 11 SE managed installer flow, and if they aren't compatible out-of-box, have the corresponding supplemental policy to allow them
2. Don't deploy apps that you haven't validated
3. Set your Enrollment Status Page configuration to not block device use based on required apps
To learn more about the ESP, see [Set up the Enrollment Status Page][MEM-1].
## Potential impact to events collected by Log Analytics integrations
Log Analytics is a cloud service that can be used to collect data from AppLocker policy events. Windows 11 SE devices enrolled in an Intune Education tenant will automatically receive an AppLocker policy. The result is an increase in events generated by the AppLocker policy.
If your organization is using Log Analytics, it's recommended to review your Log Analytics setup to:
- Ensure there's an appropriate data collection cap in place to avoid unexpected billing costs
- Turn off the collection of non-error AppLocker events in Log Analytics, except for MSI and Script logs
For more information, see [Use Event Viewer with AppLocker][WIN-1]
[MEM-1]: /mem/intune/enrollment/windows-enrollment-status
[WIN-1]: /windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker

210
education/windows/tutorial-deploy-apps-winse/create-policies.md Normal file
View File

@ -0,0 +1,210 @@
---
title: Create policies to enable applications
description: Learn how to create policies to enable the installation and execution of apps on Windows SE.
ms.date: 06/19/2023
ms.topic: tutorial
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE, version 22H2 and later</a>
---
# Create policies to enable applications
:::row:::
:::column span="":::
<a href="deploy-apps.md"><img src="images/phase-1-off.svg" alt="Icon representing the first phase."/></a><br>
[**Deploy an application via Microsoft Intune**](deploy-apps.md)
:::column-end:::
:::column span="":::
<a href="validate-apps.md"><img src="images/phase-2-off.svg" alt="Icon representing the second phase."/></a><br>
[**Validate the application**](validate-apps.md)
:::column-end:::
:::column span="":::
<a href="create-policies.md"><img src="images/phase-3-on.svg" alt="Icon representing the third phase."/></a><br>
[**Create additional policies (optional)**](create-policies.md)
:::column-end:::
:::row-end:::
You can create AppLocker policies to allow apps that are [semi-compatible](./validate-apps.md#semi-compatible-apps) or [incompatible](./validate-apps.md#incompatible-apps) with the managed installer to run.
<!--
You can create policies to allow applications that are [semi-compatible](./validate-apps.md#semi-compatible-apps) or [incompatible](./validate-apps.md#incompatible-apps) with the managed installer.
The following table details the two policy types to allow apps to run:
| **Policy type** | **How it works** | **When should I use this policy?** | **Security risk** |
|---|---|---|---|
| WDAC supplemental policy | Allows apps meeting the rule criteria to run | For executables that the Windows 11 SE base policy blocks. The blocked executables are visible from the Event Viewer in the [CodeIntegrity events](./troubleshoot.md). | Low |
| AppLocker policy | Sets an app to be considered as a managed installer | Only for executables that do installations or updates, that the Windows 11 SE base policy blocks. | High |
> [!NOTE]
> The specifics of the policy you will need to create vary from app to app. Public documentation can help you determine which rules would be useful for your app.
## WDAC supplemental policies
A *supplemental policy* can expand only one base policy, but multiple supplemental policies can expand the same base policy. When you use supplemental policies, the apps allowed by the base or its supplemental policies will be allowed to execute.\
The base policy that you must target for Windows SE devices has a PolicyID of **{82443e1e-8a39-4b4a-96a8-f40ddc00b9f3}**.
> [!WARNING]
> The maximum number of active policies is 32, which includes the Windows 11 SE base policy, the Microsoft vulnerable driver block list, and potentially other inbox policies. When planning your supplemental policy strategy, avoid adding too many. For example, avoid creating a supplemental policy per app, which can add up very quickly.
After you create WDAC supplemental policies, you must sign them and deploy them through Intune.\
To create supplemental policies, download and install the [WDAC Policy Wizard][EXT-1] from a **non-Windows SE device**.
The following video provides an overview and explains how to create supplemental policies for apps blocked by the Windows 11 SE base policy.
> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RWWReO]
### Create a supplemental policy for Win32 apps
There are different ways to write a supplemental policy. The suggested method is to use [audit events][WIN-3], as they list the actions that Windows 11 SE would block. From the audit events, you can create a policy to allow those actions.\
From a non-Windows SE device with the WDAC Policy Wizard installed, follow these steps:
1. Apply an audit mode WDAC Base policy. The WDAC Wizard includes a template policy called *WinSEPolicy.xml*, which is based on the Windows 11 SE base policy:
- Open the **WDAC Wizard** and select **Policy Editor**
- In the Policy Path to Edit field, browse for *%ProgramFiles%\WindowsApps\Microsoft.WDAC\** and select the file called *WinSEPolicy.xml*. Select **Next**
:::image type="content" source="images/wdac-winsepolicy.png" alt-text="Screenshot of the WDAC wizard - creation of a policy targeting the base WinSEPolicy.xml policy.":::
- Toggle the option for **Audit Mode** and complete the wizard. Note the location of the *.cip* and *.xml* files shown on the final page of the wizard
- From an elevated PowerShell session, run the following command to activate the policy:
```cmd
citool.exe -up <"Path to the .cip file">
```
1. With the *Base audit mode policy* for Windows 11 SE in place:
- Download and run the app install for your app
- Launch the app and exercise the app's capabilities
- Uninstall the app
1. Use the WDAC Wizard to create a policy from audit events:
- Open the **WDAC Wizard** and select **Policy Editor**
- Select **Convert Event Log to a WDAC Policy** then select **Parse Event Log** to parse from the system Event Viewer. Select **Next**
- Review each row in the table and choose the type of rule to create. You may want to sort the table by FileName to group duplicate rows together. You need to create a single rule if the values are duplicates
- Complete the wizard to generate the policy. The policy will be a *Base* policy. Note the location of the *.xml* shown, as you'll use it in the next step.
- Check the event log **AppLocker** > **MSI and Script** for any events
- If any events are shown, you can use the **WDAC Wizard** to edit the policy and add more rules
- Alternatively, you can save all events to *.evtx* file and create a policy from audit events, but browse for the saved *.evtx* file rather than parsing events from the system Event Viewer
1. Convert the policy created in the previous step to a supplemental policy, specifying the Base audit policy you created in the first step as its base
```PowerShell
Set-CiPolicyIdInfo -FilePath "<Path to.xml file from step #4>" -BasePolicyToSupplementPath "<Path to the WDAC Base policy .xml created from step #2>"
```
1. From an elevated PowerShell session, run the following command to activate the policy:
```cmd
citool.exe -up '<Path to the .cip file>'
```
1. Clear the two event logs:
- **CodeIntegrity** > **Operational**
- **AppLocker** > **MSI and Script**
1. Repeat the app testing from step 3. Repeat these steps as needed until no further events are generated.
1. Once you have a policy that works for your app, reset the supplemental policy's Base policy to the official Windows 11 SE BasePolicyId. From an elevated PowerShell session, run the following command:
```PowerShell
Set-CiPolicyIdInfo -FilePath "<Path to .xml from step #4>" -SupplementsBasePolicyId "{82443e1e-8a39-4b4a-96a8-f40ddc00b9f3}"
```
> [!NOTE]
> If you have created multiple supplemental policies for different apps, it's recommended to merge all supplemental policies together before deploying. You can merge policies using the WDAC Wizard.
1. The creation of the supplemental policy is complete. You must sign and deploy the policy to your devices to take effect.
### Create a supplemental policy for UWP LOB apps
UWP apps don't work out-of-box due to the Windows 11 SE Windows 11 SE base policy.\
From a non-Windows SE device with the WDAC Policy Wizard installed, you can create and deploy a supplemental policy using these steps:
1. Open the **WDAC Wizard** and select **Policy Creator > Supplemental policy**
- Choose a **Policy Name** and **Policy File Location**
- In the **Base Policy** path to, browse for *%ProgramFiles%\WindowsApps\Microsoft.WDAC\** and select the file called *WinSEPolicy.xml*. Select **Next**
- In **Policy Rules**, select **Next**
- In **Signing Rules**, select **Add Custom Rule** and choose:
- **Rule scope**: **Usermode Rule**
- **Rule action**: **Allow**
- **Rule type**: **Packaged App**
- **Package Name**: specify the package name of app. If the app is installed, you can search by name. If the app isn't installed, check the **Use Custom Package Family** box and specify the package family name of the app
:::image type="content" source="images/wdac-uwp-policy.png" alt-text="Screenshot of the WDAC wizard - selection of an installed UWP app package.":::
- Select the app name
- Select **Create Rule**
- Select **Next**
1. The policy should be created and output an *.xml* and *.cip* files to the policy file location specified earlier
1. The policy isn't yet targeting the right base policy. Run the following PowerShell command to set the base policy to the Windows 11 SE Windows 11 SE base policy:
```PowerShell
Set-CiPolicyIdInfo -FilePath "<Path to.xml file from previous step>" -SupplementsBasePolicyId "{82443e1e-8a39-4b4a-96a8-f40ddc00b9f3}"
```
1. The creation of the supplemental policy is complete. You must sign and deploy the policy to your devices to take effect.
### Guidelines for authoring WDAC supplemental policy rules
Here are some general guidelines to follow when writing WDAC supplemental policies:
- For packaged apps (*.appx* or *.msix*), choose **PackagedApp** and allow the file by its **PackageFamilyName**
- For other apps, try to create **Publisher** rules wherever possible, combining the **Publisher** with other properties like **Product**, **Filename**, and **Version**
> [!NOTE]
> The WDAC Wizard defaults to use all of the properties, if present. In some cases, you may want to combine a subset of the properties to allow multiple files. For example: Publisher + ProductName + Version.
- When a **Publisher** rule isn't an option (for example, when the file is unsigned), use *Hash* as the most restrictive option
- You might have to opt for a **FileAttribute** rule, but it can be easily spoofed
For additional information:
- [WDAC Policy Wizard][EXT-1]
- [Policy creation for common WDAC usage scenarios][WIN-1]
- [Create a new supplemental policy with the wizard][WIN-2]
## AppLocker policies
> [!WARNING]
> It's recommended to use AppLocker policies for processes that perform **updates** or **install as managed installers** only. The preferred method to allow incompatible applications or other executables to run, is to write **WDAC supplemental policies** instead of modifying AppLocker policies.
Additional AppLocker policies work by configuring other apps to be *managed installers*. However, since anything downloaded or installed by a managed installer is trusted to run, it creates a significant security risk. For example, if the executable for a third-party browser is set as a managed installer, anything downloaded from that browser will be allowed to run.\
Using a WDAC supplemental policy instead, allows you to have more control over what is allowed to run without the risk of those permissions propagating unintentionally.
To allow apps to run by setting their installers as managed installers, follow the guidance here:
-->
## AppLocker policies
Additional AppLocker policies work by configuring other apps to be *managed installers*. However, since anything downloaded or installed by a managed installer is trusted to run, it creates a significant security risk. For example, if the executable for a third-party browser is set as a managed installer, anything downloaded from that browser will be allowed to run.
To allow apps to run by setting their installers as managed installers, follow the guidance here:
- [Edit an AppLocker policy][WIN-5]
- [Allow apps deployed with a WDAC managed installer][WIN-6]
## Next steps
<!--
Before moving on to the next section, ensure that you've completed the following tasks.
For a WDAC supplemental policy:
> [!div class="checklist"]
>
> - Create a policy, targeting the base policy: **82443e1e-8a39-4b4a-96a8-f40ddc00b9f3**
For an AppLocker policy:
> [!div class="checklist"]
>
> - Only applied to an updater or installer
> - Created the policy with the **Merge** option
Advance to the next article to learn how to deploy the WDAC supplemental policies or AppLocker policies to Windows 11 SE devices.
-->
Advance to the next article to learn how to deploy the AppLocker policies to Windows 11 SE devices.
> [!div class="nextstepaction"]
> [Next: deploy policies >](deploy-policies.md)
[EXT-1]: https://webapp-wdac-wizard.azurewebsites.net/
[WIN-1]: /windows/security/threat-protection/windows-defender-application-control/types-of-devices
[WIN-2]: /windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-supplemental-policy
[WIN-3]: /windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies
[WIN-5]: /windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy
[WIN-6]: /windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer

109
education/windows/tutorial-deploy-apps-winse/deploy-apps.md Normal file
View File

@ -0,0 +1,109 @@
---
title: Applications deployment considerations
description: Learn how to deploy different types of applications to Windows 11 SE and some considerations before deploying them.
ms.date: 05/23/2023
ms.topic: tutorial
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE, version 22H2 and later</a>
---
# Applications deployment considerations
:::row:::
:::column span="":::
<a href="deploy-apps.md"><img src="images/phase-1-on.svg" alt="Icon representing the first phase."/></a><br>
[**Deploy an application via Microsoft Intune**](deploy-apps.md)
:::column-end:::
:::column span="":::
<a href="validate-apps.md"><img src="images/phase-2-off.svg" alt="Icon representing the second phase."/></a><br>
[**Validate the application**](validate-apps.md)
:::column-end:::
:::column span="":::
<a href="create-policies.md"><img src="images/phase-3-off.svg" alt="Icon representing the third phase."/></a><br>
[**Create additional policies (optional)**](create-policies.md)
:::column-end:::
:::row-end:::
The process to deploy applications to Windows SE devices via Microsoft Intune is the same used for non-SE devices. Applications must be defined in Intune, and then assigned to the correct groups.\
However, on Windows SE devices, apps may successfully install, but they need validation to be certain that they're functional.
The following table provides an overview of the applications types that can be deployed to Windows devices via Intune, and considerations about the installation on Windows SE:
|**Installer/App type**|**Installer extensions**|**Available installation methods via Intune**|**Considerations for Windows 11 SE**|
|-|-|-|-|
|[Win32][WIN-1]|`.exe`<br>`.msi`|- Intune Management Extension (IME)<br> - Microsoft Store integration|⚠️ There are known limitations that might prevent an app to install or run.|
|[Universal Windows Platform (UWP)][WIN-2]|`.appx`<br>`.appxbundle`<br>`.msix`<br>|- For public apps: Microsoft Store integration<br>- For private apps: line-of-business (LOB) apps|⛔ UWP apps are currently unsupported.<!--⚠️ LOB apps require a supplemental policy.-->|
|[Progressive Web Apps (PWAs)][EDGE-2] |`.msix`|- Settings catalog policies<br>- Microsoft Store integration|✅ PWAs are supported.|
|Web links| n/a |- Windows web links|✅ Web links are supported.|
<!--after Intune 2307 update the table above with ✅ UWP public apps are supported.<br><br>⛔ UWP private apps are currently unsupported.-->
> [!IMPORTANT]
> Store apps must be installed in device context. Deploying apps in user context fails with error code `0x800711C7`.
> [!IMPORTANT]
> Although you'll be able to install apps on Windows 11 SE devices via Intune, some apps may not perform well on these devices due those apps' minimum spec requirements.
> Before deploying apps, first check which apps will be targeting your Windows 11 SE devices, and ensure that they meet the requirements.
## Win32 apps
The addition of Win32 applications to Intune consists of repackaging the apps and defining the commands to silently install them. The process is described in the article [Add, assign, and monitor a Win32 app in Microsoft Intune][MEM-1].
> [!IMPORTANT]
> If you have Windows 11 SE devices that already have apps deployed through Intune, the apps will not get retroactively tagged with the *managed installer* mark. The reason is to avoid making any security assumptions for these apps. You may need to redeploy the apps through Intune to get them properly tagged with managed installer and allowed to run.
There are known limitations that might prevent applications to install or execute. For more information, see the next section [validate applications](validate-apps.md).
## UWP apps
UWP apps are currently unsupported for Windows 11 SE.
<!-- 2307
### Microsoft Store apps
Public UWP apps available in the Microsoft Store are supported for Windows 11 SE.
### Line of business apps
Private UWP apps are currently unsupported for Windows 11 SE.
<!--### Line of business apps
For private, line-of-business (LOB) UWP apps, [deploy as line-of-business apps][MEM-2]
> [!IMPORTANT]
> UWP apps require the creation and deployment of supplemental policies. For more information, see the next section [validate applications](validate-apps.md).
-->
## PWA apps
PWAs can be deployed using the [Force-installed web Apps][EDGE-1] option via [settings catalog policies][MEM-3], or using the Microsoft Store integration with Intune.
## Web links
Web link can be deployed via Intune using [Windows web links][MEM-4], and will be available in the Start menu of the targeted devices.
## Section review
Before moving on to the next section, ensure that you've completed the following tasks:
> [!div class="checklist"]
> - `.intunewin` package created (for Win32 apps)
> - App uploaded via Intune (for Win32 and UWP LOB apps)
> - App assigned to the correct groups
## Next steps
Advance to the next article to learn how to validate the applications deployed to Windows 11 SE devices.
> [!div class="nextstepaction"]
> [Next: validate apps >](validate-apps.md)
[EDGE-1]: /deployedge/microsoft-edge-policies#configure-list-of-force-installed-web-apps
[EDGE-2]: /microsoft-edge/progressive-web-apps-chromium
[MEM-1]: /mem/intune/apps/apps-win32-add
[MEM-2]: /mem/intune/apps/lob-apps-windows
[MEM-3]: /mem/intune/configuration/settings-catalog
[MEM-4]: /mem/intune/apps/web-app
[WIN-1]: /windows/win32
[WIN-2]: /windows/uwp/get-started/universal-application-platform-guide

96
education/windows/tutorial-deploy-apps-winse/deploy-policies.md Normal file
View File

@ -0,0 +1,96 @@
---
title: Deploy policies to enable applications
description: Learn how to deploy AppLocker policies to enable apps execution on Windows SE devices.
ms.date: 05/23/2023
ms.topic: tutorial
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE, version 22H2 and later</a>
---
<!--description: Learn how to sign WDAC policies and how to deploy WDAC and AppLocker policies to enable apps execution on Windows SE devices.-->
# Deploy policies to enable applications
Once the policies are created, you must deploy them to the Windows SE devices.\
AppLocker policies can be deployed via Intune. This article describes how to deploy AppLocker policies to enable apps execution on Windows SE devices.
<!--
WDAC and AppLocker policies can be deployed via Intune, but WDAC policies must be signed before they can be deployed.
This article describes how to sign WDAC policies and how to deploy WDAC and AppLocker policies to enable apps execution on Windows SE devices.
## Sign WDAC supplemental policies
> [!IMPORTANT]
> *This section will be updated when the process using Azure CodeSigning for CI policy is released in April.*
## Deploy WDAC supplemental policies
Policies can be deployed via Intune using a custom OMA-URI.
> [!TIP]
> To prevent these policies from being applied to non-Windows SE devices, you can create and target a group with only Windows 11 SE devices in it, or use assignment filters.
[Deploy WDAC policies using Mobile Device Management][WIN-4]
### Troubleshoot WDAC policies
For information how to validate and troubleshoot WDAC supplemental policies, see [WDAC supplemental policy validation](./troubleshoot.md#wdac-supplemental-policy-validation)
-->
## Deploy AppLocker policies
Intune doesn't currently offer the option to modify AppLocker policies. The deployment of AppLocker policies can be done using PowerShell scripts deployed via Intune.
You can create a PowerShell script that stores the contents of the policy in a variable, then use the `Set-AppLockerPolicy` PowerShell command to merge it. Here's a sample function for the task:
```PowerShell
function MergeAppLockerPolicy([string]$policyXml)
{
$policyFile = '.\AppLockerPolicy.xml'
$policyXml | Out-File $policyFile
Write-Host "Merging and setting AppLocker policy"
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge -ErrorAction SilentlyContinue
Remove-Item $policyFile
}
```
> [!WARNING]
> Intune deploys a script with the AppLocker policy to set **Intune Management Extension as a managed installer** on all Windows 11 SE devices enrolled into an Intune EDU tenant. If you want to deploy your own AppLocker policy to set another Managed Installer (in addition to Intune), be sure to use the `-Merge` parameter with `Set-AppLockerPolicy`. The `-Merge` parameter ensures that your policy plays well with Intune's AppLocker policy. Without using the `-Merge` parameter, it will result in issues with apps not getting tagged properly and their ability to run on impacted devices. To learn more about AppLocker Merge policy, see [Merge AppLocker policies][WIN-7].
Once finished, you can deploy the script via Intune. For more information, see [Add PowerShell scripts to Windows devices in Microsoft Intune][MEM-1].
### Troubleshoot AppLocker policies
For information how to validate and troubleshoot AppLocker policies, see [AppLocker policy validation](./troubleshoot.md#applocker-policy-validation)
## Next steps
<!--
Before moving on to the next section, ensure that you've completed the following tasks.
For a WDAC supplemental policy:
> [!div class="checklist"]
>
> - Signed .cip .p7b file with Device Guard
> - Policy created in Intune and assigned to the correct groups
> - Policy applied in Event Viewer
For an AppLocker policy:
> [!div class="checklist"]
>
> - Policy created in Intune and assigned to the correct groups
-->
Advance to the next article to learn about important considerations when deploying apps and policies to Windows SE devices.
> [!div class="nextstepaction"]
>
> [Next: important deployment considerations >](considerations.md)
[MEM-1]: /mem/intune/apps/intune-management-extension
[WIN-4]: /windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune
[WIN-7]: /windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy

BIN
education/windows/tutorial-deploy-apps-winse/images/applocker-export-policy.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 58 KiB

BIN
education/windows/tutorial-deploy-apps-winse/images/applocker-policy-validation.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 659 KiB

BIN
education/windows/tutorial-deploy-apps-winse/images/esp-error.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 293 KiB

BIN
education/windows/tutorial-deploy-apps-winse/images/intune-app-install-overview.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 165 KiB

BIN
education/windows/tutorial-deploy-apps-winse/images/intune-app-install-status.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 200 KiB

3
education/windows/tutorial-deploy-apps-winse/images/phase-1-off.svg Normal file
View File

@ -0,0 +1,3 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" width="272px" height="112px" viewBox="-0.5 -0.5 272 112"><defs/><g><rect x="21" y="1" width="250" height="110" rx="4.4" ry="4.4" fill-opacity="0.9" fill="#e6e6e6" stroke="#666666" stroke-opacity="0.9" stroke-width="2" pointer-events="all"/><image x="113" y="18" width="75" height="75" xlink:href="data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIGZpbGw9Im5vbmUiIHZpZXdCb3g9IjAgMCAyNCAyNCIgaGVpZ2h0PSIyNCIgd2lkdGg9IjI0Ij4mI3hhOyAgPHBhdGggZmlsbD0iIzIxMjEyMSIgZD0iTTE3LjUgMTJDMjAuNTM3NiAxMiAyMyAxNC40NjI0IDIzIDE3LjVDMjMgMjAuNTM3NiAyMC41Mzc2IDIzIDE3LjUgMjNDMTQuNDYyNCAyMyAxMiAyMC41Mzc2IDEyIDE3LjVDMTIgMTQuNDYyNCAxNC40NjI0IDEyIDE3LjUgMTJaTTE3LjUxMTIgMTQuMDAwMUwxNy40MjcgMTQuMDA1TDE3LjM3MTkgMTQuMDE2NkwxNy4yODg2IDE0LjA0NjdMMTcuMjE1MyAxNC4wODg4TDE3LjE1ODkgMTQuMTM0NEwxNC42NDY0IDE2LjY0NjRMMTQuNTg4NiAxNi43MTU3QzE0LjQ3MDUgMTYuODg2MiAxNC40NzA1IDE3LjExMzggMTQuNTg4NiAxNy4yODQzTDE0LjY0NjQgMTcuMzUzNkwxNC43MTU3IDE3LjQxMTRDMTQuODg2MiAxNy41Mjk1IDE1LjExMzggMTcuNTI5NSAxNS4yODQzIDE3LjQxMTRMMTUuMzUzNiAxNy4zNTM2TDE2Ljk5OSAxNS43MDhMMTcgMjFMMTcuMDA4MSAyMS4wODk5QzE3LjA0NTEgMjEuMjk0IDE3LjIwNiAyMS40NTQ5IDE3LjQxMDEgMjEuNDkxOUwxNy41IDIxLjVMMTcuNTg5OSAyMS40OTE5QzE3Ljc5NCAyMS40NTQ5IDE3Ljk1NDkgMjEuMjk0IDE3Ljk5MTkgMjEuMDg5OUwxOCAyMUwxNy45OTkgMTUuNzA2TDE5LjY0NjQgMTcuMzUzNkwxOS43MTU3IDE3LjQxMTRDMTkuOTEwNiAxNy41NDY0IDIwLjE4IDE3LjUyNzEgMjAuMzUzNiAxNy4zNTM2QzIwLjUyNzEgMTcuMTggMjAuNTQ2NCAxNi45MTA2IDIwLjQxMTQgMTYuNzE1N0wyMC4zNTM2IDE2LjY0NjRMMTcuODA2IDE0LjEwNEwxNy43NTg1IDE0LjA3MTlMMTcuNjkxIDE0LjAzNzhMMTcuNjI4MSAxNC4wMTY2TDE3LjU3MzkgMTQuMDA1NUMxNy41NTI5IDE0LjAwMjMgMTcuNTMxNyAxNC4wMDA2IDE3LjUxMTIgMTQuMDAwMVpNNi4yNSAzSDE3Ljc1QzE5LjQ4MyAzIDIwLjg5OTIgNC4zNTY0NSAyMC45OTQ5IDYuMDY1NThMMjEgNi4yNUwyMS4wMDEyIDEyLjAyMjZDMjAuNTM3OCAxMS43MjU4IDIwLjAzNDIgMTEuNDg2MSAxOS41MDA0IDExLjMxMzZMMTkuNSA4SDQuNVYxNy43NUM0LjUgMTguNjY4MiA1LjIwNzExIDE5LjQyMTIgNi4xMDY0NyAxOS40OTQyTDYuMjUgMTkuNUwxMS4zMTM2IDE5LjUwMDRDMTEuNDg2MSAyMC4wMzQyIDExLjcyNTggMjAuNTM3OCAxMi4wMjI2IDIxLjAwMTJMNi4yNSAyMUM0LjUxNjk3IDIxIDMuMTAwNzUgMTkuNjQzNSAzLjAwNTE0IDE3LjkzNDRMMyAxNy43NVY2LjI1QzMgNC41MTY5NyA0LjM1NjQ1IDMuMTAwNzUgNi4wNjU1OCAzLjAwNTE0TDYuMjUgM1oiLz4mI3hhOzwvc3ZnPg==" preserveAspectRatio="none" opacity="0.5"/><ellipse cx="21" cy="31" rx="20" ry="20" fill="#e6e6e6" stroke="#666666" stroke-width="2" pointer-events="all"/><g transform="translate(-0.5 -0.5)" opacity="0.5"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 38px; height: 1px; padding-top: 31px; margin-left: 2px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 18px; font-family: &quot;Segoe UI semibold&quot;; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; font-weight: bold; white-space: normal; overflow-wrap: normal;">1</div></div></div></foreignObject><text x="21" y="36" fill="rgb(0, 0, 0)" font-family="Segoe UI semibold" font-size="18px" text-anchor="middle" font-weight="bold">1</text></switch></g></g></svg>
Side by Side

After

Width:  |  Height:  |  Size: 3.4 KiB

3
education/windows/tutorial-deploy-apps-winse/images/phase-1-on.svg Normal file
View File

@ -0,0 +1,3 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" width="272px" height="112px" viewBox="-0.5 -0.5 272 112"><defs/><g><rect x="21" y="1" width="250" height="110" rx="4.4" ry="4.4" fill-opacity="0.95" fill="rgb(255, 255, 255)" stroke="#0078d4" stroke-opacity="0.95" stroke-width="2" pointer-events="all"/><image x="113" y="18" width="75" height="75" xlink:href="data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIGZpbGw9Im5vbmUiIHZpZXdCb3g9IjAgMCAyNCAyNCIgaGVpZ2h0PSIyNCIgd2lkdGg9IjI0Ij4mI3hhOyAgPHBhdGggZmlsbD0iIzIxMjEyMSIgZD0iTTE3LjUgMTJDMjAuNTM3NiAxMiAyMyAxNC40NjI0IDIzIDE3LjVDMjMgMjAuNTM3NiAyMC41Mzc2IDIzIDE3LjUgMjNDMTQuNDYyNCAyMyAxMiAyMC41Mzc2IDEyIDE3LjVDMTIgMTQuNDYyNCAxNC40NjI0IDEyIDE3LjUgMTJaTTE3LjUxMTIgMTQuMDAwMUwxNy40MjcgMTQuMDA1TDE3LjM3MTkgMTQuMDE2NkwxNy4yODg2IDE0LjA0NjdMMTcuMjE1MyAxNC4wODg4TDE3LjE1ODkgMTQuMTM0NEwxNC42NDY0IDE2LjY0NjRMMTQuNTg4NiAxNi43MTU3QzE0LjQ3MDUgMTYuODg2MiAxNC40NzA1IDE3LjExMzggMTQuNTg4NiAxNy4yODQzTDE0LjY0NjQgMTcuMzUzNkwxNC43MTU3IDE3LjQxMTRDMTQuODg2MiAxNy41Mjk1IDE1LjExMzggMTcuNTI5NSAxNS4yODQzIDE3LjQxMTRMMTUuMzUzNiAxNy4zNTM2TDE2Ljk5OSAxNS43MDhMMTcgMjFMMTcuMDA4MSAyMS4wODk5QzE3LjA0NTEgMjEuMjk0IDE3LjIwNiAyMS40NTQ5IDE3LjQxMDEgMjEuNDkxOUwxNy41IDIxLjVMMTcuNTg5OSAyMS40OTE5QzE3Ljc5NCAyMS40NTQ5IDE3Ljk1NDkgMjEuMjk0IDE3Ljk5MTkgMjEuMDg5OUwxOCAyMUwxNy45OTkgMTUuNzA2TDE5LjY0NjQgMTcuMzUzNkwxOS43MTU3IDE3LjQxMTRDMTkuOTEwNiAxNy41NDY0IDIwLjE4IDE3LjUyNzEgMjAuMzUzNiAxNy4zNTM2QzIwLjUyNzEgMTcuMTggMjAuNTQ2NCAxNi45MTA2IDIwLjQxMTQgMTYuNzE1N0wyMC4zNTM2IDE2LjY0NjRMMTcuODA2IDE0LjEwNEwxNy43NTg1IDE0LjA3MTlMMTcuNjkxIDE0LjAzNzhMMTcuNjI4MSAxNC4wMTY2TDE3LjU3MzkgMTQuMDA1NUMxNy41NTI5IDE0LjAwMjMgMTcuNTMxNyAxNC4wMDA2IDE3LjUxMTIgMTQuMDAwMVpNNi4yNSAzSDE3Ljc1QzE5LjQ4MyAzIDIwLjg5OTIgNC4zNTY0NSAyMC45OTQ5IDYuMDY1NThMMjEgNi4yNUwyMS4wMDEyIDEyLjAyMjZDMjAuNTM3OCAxMS43MjU4IDIwLjAzNDIgMTEuNDg2MSAxOS41MDA0IDExLjMxMzZMMTkuNSA4SDQuNVYxNy43NUM0LjUgMTguNjY4MiA1LjIwNzExIDE5LjQyMTIgNi4xMDY0NyAxOS40OTQyTDYuMjUgMTkuNUwxMS4zMTM2IDE5LjUwMDRDMTEuNDg2MSAyMC4wMzQyIDExLjcyNTggMjAuNTM3OCAxMi4wMjI2IDIxLjAwMTJMNi4yNSAyMUM0LjUxNjk3IDIxIDMuMTAwNzUgMTkuNjQzNSAzLjAwNTE0IDE3LjkzNDRMMyAxNy43NVY2LjI1QzMgNC41MTY5NyA0LjM1NjQ1IDMuMTAwNzUgNi4wNjU1OCAzLjAwNTE0TDYuMjUgM1oiLz4mI3hhOzwvc3ZnPg==" preserveAspectRatio="none"/><ellipse cx="21" cy="31" rx="20" ry="20" fill="#0078d4" stroke="#ffffff" stroke-width="2" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 38px; height: 1px; padding-top: 31px; margin-left: 2px;"><div data-drawio-colors="color: #ffffff; " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 18px; font-family: &quot;Segoe UI semibold&quot;; color: rgb(255, 255, 255); line-height: 1.2; pointer-events: all; font-weight: bold; white-space: normal; overflow-wrap: normal;">1</div></div></div></foreignObject><text x="21" y="36" fill="#ffffff" font-family="Segoe UI semibold" font-size="18px" text-anchor="middle" font-weight="bold">1</text></switch></g></g></svg>
Side by Side

After

Width:  |  Height:  |  Size: 3.4 KiB

3
education/windows/tutorial-deploy-apps-winse/images/phase-2-off.svg Normal file
View File

@ -0,0 +1,3 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" width="272px" height="112px" viewBox="-0.5 -0.5 272 112"><defs/><g><rect x="21" y="1" width="250" height="110" rx="4.4" ry="4.4" fill-opacity="0.9" fill="#e6e6e6" stroke="#666666" stroke-opacity="0.9" stroke-width="2" pointer-events="all"/><image x="105.5" y="15.5" width="80" height="80" xlink:href="data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIGZpbGw9Im5vbmUiIHZpZXdCb3g9IjAgMCAyNCAyNCIgaGVpZ2h0PSIyNCIgd2lkdGg9IjI0Ij4mI3hhOyAgPHBhdGggZmlsbD0iIzIxMjEyMSIgZD0iTTYuMjUgM0M0LjQ1NTA3IDMgMyA0LjQ1NTA3IDMgNi4yNVYxNy43NUMzIDE5LjU0NDkgNC40NTUwNyAyMSA2LjI1IDIxSDE3Ljc1QzE5LjU0NDkgMjEgMjEgMTkuNTQ0OSAyMSAxNy43NVY2LjI1QzIxIDQuNDU1MDcgMTkuNTQ0OSAzIDE3Ljc1IDNINi4yNVpNNC41IDhIMTkuNVYxNy43NUMxOS41IDE4LjcxNjUgMTguNzE2NSAxOS41IDE3Ljc1IDE5LjVINi4yNUM1LjI4MzUgMTkuNSA0LjUgMTguNzE2NSA0LjUgMTcuNzVWOFpNNiAxMC4zNUM2IDkuODgwNTYgNi4zODA1NiA5LjUgNi44NSA5LjVIMTAuMTVDMTAuNjE5NCA5LjUgMTEgOS44ODA1NiAxMSAxMC4zNVYxNy4xNUMxMSAxNy42MTk0IDEwLjYxOTQgMTggMTAuMTUgMThINi44NUM2LjM4MDU2IDE4IDYgMTcuNjE5NCA2IDE3LjE1VjEwLjM1Wk03LjUgMTFWMTYuNUg5LjVWMTFINy41Wk0xMi43NSA5LjVIMTcuMjVDMTcuNjY0MiA5LjUgMTggOS44MzU3OSAxOCAxMC4yNUMxOCAxMC42NjQyIDE3LjY2NDIgMTEgMTcuMjUgMTFIMTIuNzVDMTIuMzM1OCAxMSAxMiAxMC42NjQyIDEyIDEwLjI1QzEyIDkuODM1NzkgMTIuMzM1OCA5LjUgMTIuNzUgOS41Wk0xMiAxMy4yNUMxMiAxMi44MzU4IDEyLjMzNTggMTIuNSAxMi43NSAxMi41SDE2LjI1QzE2LjY2NDIgMTIuNSAxNyAxMi44MzU4IDE3IDEzLjI1QzE3IDEzLjY2NDIgMTYuNjY0MiAxNCAxNi4yNSAxNEgxMi43NUMxMi4zMzU4IDE0IDEyIDEzLjY2NDIgMTIgMTMuMjVaIi8+JiN4YTs8L3N2Zz4=" preserveAspectRatio="none" opacity="0.5"/><ellipse cx="21" cy="31" rx="20" ry="20" fill="#e6e6e6" stroke="#666666" stroke-width="2" pointer-events="all"/><g transform="translate(-0.5 -0.5)" opacity="0.5"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 38px; height: 1px; padding-top: 31px; margin-left: 2px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 18px; font-family: &quot;Segoe UI semibold&quot;; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; font-weight: bold; white-space: normal; overflow-wrap: normal;">2</div></div></div></foreignObject><text x="21" y="36" fill="rgb(0, 0, 0)" font-family="Segoe UI semibold" font-size="18px" text-anchor="middle" font-weight="bold">2</text></switch></g></g></svg>
Side by Side

After

Width:  |  Height:  |  Size: 2.8 KiB

3
education/windows/tutorial-deploy-apps-winse/images/phase-2-on.svg Normal file
View File

@ -0,0 +1,3 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" width="272px" height="112px" viewBox="-0.5 -0.5 272 112"><defs/><g><rect x="21" y="1" width="250" height="110" rx="4.4" ry="4.4" fill-opacity="0.95" fill="rgb(255, 255, 255)" stroke="#0078d4" stroke-opacity="0.95" stroke-width="2" pointer-events="all"/><image x="105.5" y="15.5" width="80" height="80" xlink:href="data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIGZpbGw9Im5vbmUiIHZpZXdCb3g9IjAgMCAyNCAyNCIgaGVpZ2h0PSIyNCIgd2lkdGg9IjI0Ij4mI3hhOyAgPHBhdGggZmlsbD0iIzIxMjEyMSIgZD0iTTYuMjUgM0M0LjQ1NTA3IDMgMyA0LjQ1NTA3IDMgNi4yNVYxNy43NUMzIDE5LjU0NDkgNC40NTUwNyAyMSA2LjI1IDIxSDE3Ljc1QzE5LjU0NDkgMjEgMjEgMTkuNTQ0OSAyMSAxNy43NVY2LjI1QzIxIDQuNDU1MDcgMTkuNTQ0OSAzIDE3Ljc1IDNINi4yNVpNNC41IDhIMTkuNVYxNy43NUMxOS41IDE4LjcxNjUgMTguNzE2NSAxOS41IDE3Ljc1IDE5LjVINi4yNUM1LjI4MzUgMTkuNSA0LjUgMTguNzE2NSA0LjUgMTcuNzVWOFpNNiAxMC4zNUM2IDkuODgwNTYgNi4zODA1NiA5LjUgNi44NSA5LjVIMTAuMTVDMTAuNjE5NCA5LjUgMTEgOS44ODA1NiAxMSAxMC4zNVYxNy4xNUMxMSAxNy42MTk0IDEwLjYxOTQgMTggMTAuMTUgMThINi44NUM2LjM4MDU2IDE4IDYgMTcuNjE5NCA2IDE3LjE1VjEwLjM1Wk03LjUgMTFWMTYuNUg5LjVWMTFINy41Wk0xMi43NSA5LjVIMTcuMjVDMTcuNjY0MiA5LjUgMTggOS44MzU3OSAxOCAxMC4yNUMxOCAxMC42NjQyIDE3LjY2NDIgMTEgMTcuMjUgMTFIMTIuNzVDMTIuMzM1OCAxMSAxMiAxMC42NjQyIDEyIDEwLjI1QzEyIDkuODM1NzkgMTIuMzM1OCA5LjUgMTIuNzUgOS41Wk0xMiAxMy4yNUMxMiAxMi44MzU4IDEyLjMzNTggMTIuNSAxMi43NSAxMi41SDE2LjI1QzE2LjY2NDIgMTIuNSAxNyAxMi44MzU4IDE3IDEzLjI1QzE3IDEzLjY2NDIgMTYuNjY0MiAxNCAxNi4yNSAxNEgxMi43NUMxMi4zMzU4IDE0IDEyIDEzLjY2NDIgMTIgMTMuMjVaIi8+JiN4YTs8L3N2Zz4=" preserveAspectRatio="none"/><ellipse cx="21" cy="31" rx="20" ry="20" fill="#0078d4" stroke="#ffffff" stroke-width="2" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 38px; height: 1px; padding-top: 31px; margin-left: 2px;"><div data-drawio-colors="color: #ffffff; " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 18px; font-family: &quot;Segoe UI semibold&quot;; color: rgb(255, 255, 255); line-height: 1.2; pointer-events: all; font-weight: bold; white-space: normal; overflow-wrap: normal;">2</div></div></div></foreignObject><text x="21" y="36" fill="#ffffff" font-family="Segoe UI semibold" font-size="18px" text-anchor="middle" font-weight="bold">2</text></switch></g></g></svg>
Side by Side

After

Width:  |  Height:  |  Size: 2.7 KiB

3
education/windows/tutorial-deploy-apps-winse/images/phase-3-off.svg Normal file
View File

@ -0,0 +1,3 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" width="272px" height="112px" viewBox="-0.5 -0.5 272 112"><defs/><g><rect x="21" y="1" width="250" height="110" rx="4.4" ry="4.4" fill-opacity="0.9" fill="#e6e6e6" stroke="#666666" stroke-opacity="0.9" stroke-width="2" pointer-events="all"/><image x="105.5" y="15.5" width="80" height="80" xlink:href="data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIGZpbGw9Im5vbmUiIHZpZXdCb3g9IjAgMCAyNCAyNCIgaGVpZ2h0PSIyNCIgd2lkdGg9IjI0Ij4mI3hhOyAgPHBhdGggZmlsbD0iIzIxMjEyMSIgZD0iTTE3Ljc0OSAzTDE3LjkzMzQgMy4wMDUxNEMxOS41ODI3IDMuMDk3MzQgMjAuOTAyOSA0LjQxNzUgMjAuOTk1MSA2LjA2NTU4TDIxLjAwMDIgNi4yNVYxMi42MTA4QzIwLjMxMzMgMTIuNDc5MyAxOS42NTU0IDEyLjEwODggMTkuMDA1NCAxMS40MzA1TDE4Ljk5OTQgMTEuNDI0M0wxOC45OTkgOEg1LjAwMDIyTDQuOTk5MDIgMTcuNzVDNC45OTkwMiAxOC4zOTcyIDUuNDkwODkgMTguOTI5NSA2LjEyMTIxIDE4Ljk5MzVMNi4yNDkwMiAxOUgxMy4zNzUzQzEzLjU3ODggMTkuNTk1MyAxMy44NjY5IDIwLjE0NjIgMTQuMjQzOSAyMC42NDU3QzE0LjMzNjEgMjAuNzY3OCAxNC40MzI4IDIwLjg4NTkgMTQuNTM0IDIxSDYuMjQ5MDJDNC41MTU5OSAyMSAzLjA5OTc3IDE5LjY0MzUgMy4wMDQxNiAxNy45MzQ0TDIuOTk5MDIgMTcuNzVWNi4yNUMyLjk5OTAyIDQuNTE2OTcgNC4zNTU0NyAzLjEwMDc1IDYuMDY0NiAzLjAwNTE0TDYuMjQ5MDIgM0gxNy43NDlaTTE4Ljk5OTYgMTIuNzY0NEMxOS42MjUxIDEzLjIzNzUgMjAuMjkwNiAxMy41MjMgMjEuMDAwMiAxMy42MjQ1QzIxLjE5NjYgMTMuNjUyNyAyMS4zOTY0IDEzLjY2NjcgMjEuNTk5NiAxMy42NjY3QzIxLjc5MjkgMTMuNjY2NyAyMS45NTQyIDEzLjgwOTUgMjEuOTkxNSAxMy45OTk0TDIxLjk5OTYgMTQuMDgzM1YxNi41ODQ0QzIxLjk5OTYgMTkuMjY2MyAyMC42ODY2IDIxLjA4OTYgMTguMTI2MSAyMS45Nzg2QzE4LjA0NCAyMi4wMDcxIDE3Ljk1NTIgMjIuMDA3MSAxNy44NzMxIDIxLjk3ODZDMTcuMTQ3OSAyMS43MjY4IDE2LjUyMjcgMjEuNCAxNS45OTkxIDIxQzE1LjI5NyAyMC40NjM2IDE0Ljc3NzYgMTkuNzk1NiAxNC40NDQzIDE5QzE0LjE3NzkgMTguMzY0IDE0LjAzMDYgMTcuNjQ2NiAxNC4wMDQgMTYuODQ5N0wxMy45OTk2IDE2LjU4NDRWMTQuMDgzM0MxMy45OTk2IDEzLjg1MzIgMTQuMTc4NyAxMy42NjY3IDE0LjM5OTYgMTMuNjY2N0MxNS42MjMgMTMuNjY2NyAxNi43MjMgMTMuMTU3NSAxNy43MTc1IDEyLjEyMkMxNy44NzM4IDExLjk1OTIgMTguMTI3MiAxMS45NTk0IDE4LjI4MzMgMTIuMTIyM0MxOC41MTYxIDEyLjM2NTIgMTguNzU0OCAxMi41NzkyIDE4Ljk5OTYgMTIuNzY0NFoiLz4mI3hhOzwvc3ZnPg==" preserveAspectRatio="none" opacity="0.5"/><ellipse cx="21" cy="31" rx="20" ry="20" fill="#e6e6e6" stroke="#666666" stroke-width="2" pointer-events="all"/><g transform="translate(-0.5 -0.5)" opacity="0.5"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 38px; height: 1px; padding-top: 31px; margin-left: 2px;"><div data-drawio-colors="color: rgb(0, 0, 0); " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 18px; font-family: &quot;Segoe UI semibold&quot;; color: rgb(0, 0, 0); line-height: 1.2; pointer-events: all; font-weight: bold; white-space: normal; overflow-wrap: normal;">3</div></div></div></foreignObject><text x="21" y="36" fill="rgb(0, 0, 0)" font-family="Segoe UI semibold" font-size="18px" text-anchor="middle" font-weight="bold">3</text></switch></g></g></svg>
Side by Side

After

Width:  |  Height:  |  Size: 3.3 KiB

3
education/windows/tutorial-deploy-apps-winse/images/phase-3-on.svg Normal file
View File

@ -0,0 +1,3 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" width="272px" height="112px" viewBox="-0.5 -0.5 272 112"><defs/><g><rect x="21" y="1" width="250" height="110" rx="4.4" ry="4.4" fill-opacity="0.95" fill="rgb(255, 255, 255)" stroke="#0078d4" stroke-opacity="0.95" stroke-width="2" pointer-events="all"/><image x="105.5" y="15.5" width="80" height="80" xlink:href="data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIGZpbGw9Im5vbmUiIHZpZXdCb3g9IjAgMCAyNCAyNCIgaGVpZ2h0PSIyNCIgd2lkdGg9IjI0Ij4mI3hhOyAgPHBhdGggZmlsbD0iIzIxMjEyMSIgZD0iTTE3Ljc0OSAzTDE3LjkzMzQgMy4wMDUxNEMxOS41ODI3IDMuMDk3MzQgMjAuOTAyOSA0LjQxNzUgMjAuOTk1MSA2LjA2NTU4TDIxLjAwMDIgNi4yNVYxMi42MTA4QzIwLjMxMzMgMTIuNDc5MyAxOS42NTU0IDEyLjEwODggMTkuMDA1NCAxMS40MzA1TDE4Ljk5OTQgMTEuNDI0M0wxOC45OTkgOEg1LjAwMDIyTDQuOTk5MDIgMTcuNzVDNC45OTkwMiAxOC4zOTcyIDUuNDkwODkgMTguOTI5NSA2LjEyMTIxIDE4Ljk5MzVMNi4yNDkwMiAxOUgxMy4zNzUzQzEzLjU3ODggMTkuNTk1MyAxMy44NjY5IDIwLjE0NjIgMTQuMjQzOSAyMC42NDU3QzE0LjMzNjEgMjAuNzY3OCAxNC40MzI4IDIwLjg4NTkgMTQuNTM0IDIxSDYuMjQ5MDJDNC41MTU5OSAyMSAzLjA5OTc3IDE5LjY0MzUgMy4wMDQxNiAxNy45MzQ0TDIuOTk5MDIgMTcuNzVWNi4yNUMyLjk5OTAyIDQuNTE2OTcgNC4zNTU0NyAzLjEwMDc1IDYuMDY0NiAzLjAwNTE0TDYuMjQ5MDIgM0gxNy43NDlaTTE4Ljk5OTYgMTIuNzY0NEMxOS42MjUxIDEzLjIzNzUgMjAuMjkwNiAxMy41MjMgMjEuMDAwMiAxMy42MjQ1QzIxLjE5NjYgMTMuNjUyNyAyMS4zOTY0IDEzLjY2NjcgMjEuNTk5NiAxMy42NjY3QzIxLjc5MjkgMTMuNjY2NyAyMS45NTQyIDEzLjgwOTUgMjEuOTkxNSAxMy45OTk0TDIxLjk5OTYgMTQuMDgzM1YxNi41ODQ0QzIxLjk5OTYgMTkuMjY2MyAyMC42ODY2IDIxLjA4OTYgMTguMTI2MSAyMS45Nzg2QzE4LjA0NCAyMi4wMDcxIDE3Ljk1NTIgMjIuMDA3MSAxNy44NzMxIDIxLjk3ODZDMTcuMTQ3OSAyMS43MjY4IDE2LjUyMjcgMjEuNCAxNS45OTkxIDIxQzE1LjI5NyAyMC40NjM2IDE0Ljc3NzYgMTkuNzk1NiAxNC40NDQzIDE5QzE0LjE3NzkgMTguMzY0IDE0LjAzMDYgMTcuNjQ2NiAxNC4wMDQgMTYuODQ5N0wxMy45OTk2IDE2LjU4NDRWMTQuMDgzM0MxMy45OTk2IDEzLjg1MzIgMTQuMTc4NyAxMy42NjY3IDE0LjM5OTYgMTMuNjY2N0MxNS42MjMgMTMuNjY2NyAxNi43MjMgMTMuMTU3NSAxNy43MTc1IDEyLjEyMkMxNy44NzM4IDExLjk1OTIgMTguMTI3MiAxMS45NTk0IDE4LjI4MzMgMTIuMTIyM0MxOC41MTYxIDEyLjM2NTIgMTguNzU0OCAxMi41NzkyIDE4Ljk5OTYgMTIuNzY0NFoiLz4mI3hhOzwvc3ZnPg==" preserveAspectRatio="none"/><ellipse cx="21" cy="31" rx="20" ry="20" fill="#0078d4" stroke="#ffffff" stroke-width="2" pointer-events="all"/><g transform="translate(-0.5 -0.5)"><switch><foreignObject pointer-events="none" width="100%" height="100%" requiredFeatures="http://www.w3.org/TR/SVG11/feature#Extensibility" style="overflow: visible; text-align: left;"><div xmlns="http://www.w3.org/1999/xhtml" style="display: flex; align-items: unsafe center; justify-content: unsafe center; width: 38px; height: 1px; padding-top: 31px; margin-left: 2px;"><div data-drawio-colors="color: #ffffff; " style="box-sizing: border-box; font-size: 0px; text-align: center;"><div style="display: inline-block; font-size: 18px; font-family: &quot;Segoe UI semibold&quot;; color: rgb(255, 255, 255); line-height: 1.2; pointer-events: all; font-weight: bold; white-space: normal; overflow-wrap: normal;">3</div></div></div></foreignObject><text x="21" y="36" fill="#ffffff" font-family="Segoe UI semibold" font-size="18px" text-anchor="middle" font-weight="bold">3</text></switch></g></g></svg>
Side by Side

After

Width:  |  Height:  |  Size: 3.2 KiB

BIN
education/windows/tutorial-deploy-apps-winse/images/troubleshoot-citool.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 447 KiB

BIN
education/windows/tutorial-deploy-apps-winse/images/troubleshoot-codeintegrity-log.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 594 KiB

BIN
education/windows/tutorial-deploy-apps-winse/images/troubleshoot-managed-installer-policy.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 420 KiB

BIN
education/windows/tutorial-deploy-apps-winse/images/wdac-uwp-policy.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 162 KiB

BIN
education/windows/tutorial-deploy-apps-winse/images/wdac-winsepolicy.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 304 KiB

BIN
education/windows/tutorial-deploy-apps-winse/images/winse-app-block.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 651 KiB

85
education/windows/tutorial-deploy-apps-winse/index.md Normal file
View File

@ -0,0 +1,85 @@
---
title: Deploy applications to Windows 11 SE with Intune
description: Learn how to deploy applications to Windows 11 SE with Intune and how to validate the apps.
ms.date: 06/07/2023
ms.topic: tutorial
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE, version 22H2 and later</a>
---
# Tutorial: deploy applications to Windows 11 SE with Intune
This guide describes how to deploy applications to Windows 11 SE devices that are managed by Microsoft Intune in an education environment. The guide also describes how to validate the apps and how to create policies to allow apps that aren't installable or don't behave as intended.
## Windows 11 SE and application deployment
Windows 11 SE is designed to provide a simplified and secure experience for students. Windows 11 SE prevents the installation and execution of third party applications with a technology called *Windows Defender Application Control (WDAC)*.
WDAC applies an *allowlist* policy called *Windows 11 SE base policy*, which ensures that unwanted apps don't run or get installed. However, it also prevents IT admins from deploying apps to Windows 11 SE devices, unless they're included in the Windows 11 SE base policy.
With the use of WDAC *supplemental policies*, Intune allows specific third party applications to be installed and executed. The [allowlist process][EDU-1] is done on an app-by-app basis, and the time to request an application to be allowed and have the supplemental policy deployed can be lengthy.
Starting with Windows 11 SE, version 22H2, IT admins have more flexibility to deploy applications to Windows 11 SE devices. When a Windows 11 SE device is enrolled in an Intune education tenant, it will automatically receive an AppLocker policy that sets the *Intune Management Extension (IME)* as a *managed installer*.
As a managed installer, applications deployed through the IME will be automatically allowed on Windows 11 SE, removing the allowlist process requirement. For more information about managed installer, see [How does a managed installer work?][WIN-2]
> [!NOTE]
> End-users of Windows 11 SE devices still cannot install and use arbitrary applications without being blocked. Only IT admins can control what apps are allowed.
## Tutorial objectives
Even when using managed installer, some applications may not execute due to their type or complexity. In these scenarios, the IT admin must create their own policies that allow the apps execution.\
The policies can then be deployed to the Windows SE devices via Intune.
In this tutorial you'll learn:
- Which types of apps can be deployed via Intune to Windows 11 SE devices
- How to verify that the apps are installed correctly
- How to mitigate app installation issues
- Special considerations when deploying apps to Windows 11 SE
## Installation process
There are three main steps to install an application on Windows 11 SE using the managed installer. Each step will be covered in detail in the next sections of this tutorial:
:::row:::
:::column span="":::
<a href="deploy-apps.md"><img src="images/phase-1-on.svg" alt="Icon representing the first phase."/></a><br>
[**Deploy an application via Microsoft Intune**](deploy-apps.md)<br>
Applications are deployed via Microsoft Intune. There are some restrictions on the types of apps that are compatible with managed installers, but the process is the same used for non-Windows 11 SE devices
:::column-end:::
:::column span="":::
<a href="validate-apps.md"><img src="images/phase-2-on.svg" alt="Icon representing the second phase."/></a><br>
[**Validate the application**](validate-apps.md)<br>
Applications are validated to ensure that they're installed and execute successfully. The process is the same for non-Windows 11 SE devices. Some applications may be incompatible due to how they're installed, how they execute, or how they update. You'll learn about known limitations in a later section of the tutorial
:::column-end:::
:::column span="":::
<a href="create-policies.md"><img src="images/phase-3-on.svg" alt="Icon representing the third phase."/></a><br>
[**Create additional policies (optional)**](create-policies.md)<br>
To allow apps that aren't installable or don't behave as intended, more policies can be created and deployed so that the apps can be used
:::column-end:::
:::row-end:::
All the steps are done by the IT administrator. Once the steps are complete, users of Windows 11 SE devices should be able to run the applications deployed via Intune.
## Prerequisites
To receive policies on your Windows 11 SE devices, allowing app installation from Intune, you must have:
- Windows 11 SE, version 22H2 with [KB5019980][KB-1] and later
- Intune for Education licenses. The license requirement is for the managed installer to deploy apps and supplemental policies via Intune
If you don't have an Intune for Education license for your devices yet, refer to [Microsoft Intune for Education][EXT-1] for access to a free trial version.
## Next steps
Advance to the next article to learn which applications can be deployed to Windows 11 SE devices, and how to deploy them via Intune.
> [!div class="nextstepaction"]
> [Next: deploy apps >](deploy-apps.md)
[KB-1]: https://support.microsoft.com/kb/5019980
[EDU-1]: /education/windows/windows-11-se-overview#add-your-own-applications
[EXT-1]: https://www.microsoft.com/en-us/education/intune
[WIN-1]: /windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create
[WIN-2]: /windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer#how-does-a-managed-installer-work

17
education/windows/tutorial-deploy-apps-winse/toc.yml Normal file
View File

@ -0,0 +1,17 @@
items:
- name: Introduction
href: index.md
- name: 1. Deploy apps
href: deploy-apps.md
- name: 2. Validate apps
href: validate-apps.md
- name: 3. Create and deploy policies to allow apps
items:
- name: Create policies
href: create-policies.md
- name: Deploy policies
href: deploy-policies.md
- name: Important app deployment considerations
href: considerations.md
- name: Troubleshoot common issues
href: troubleshoot.md

109
education/windows/tutorial-deploy-apps-winse/troubleshoot.md Normal file
View File

@ -0,0 +1,109 @@
---
title: Troubleshoot app deployment issues in Windows SE
description: Troubleshoot common issues when deploying apps to Windows SE devices.
ms.date: 06/19/2023
ms.topic: tutorial
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE, version 22H2 and later</a>
---
# Troubleshoot app deployment issues in Windows SE
The following table lists common app deployment issues on Windows 11 SE, and options to resolve them:
| **Problem** | **Potential solution** |
|---|---|
| **App hasn't installed** | <li>Check the type of app:<ul><li>Win32 apps should be able to install with no problem</li><li>UWP LOB apps apps aren't supported</li></ul></li><li>It's possible the app is trying to execute a blocked binary. Check the AppLocker and CodeIntegrity logs in the Event Viewer and verify if any executables related to the app are blocked. If so, you'll need to write a supplemental policy to support the app</li><li> Check the Intune Management Extension logs to see if there was an attempt to install your app</li>|
| **App has problems when running** | It's possible the app is trying to execute a blocked binary<br> Check the **AppLocker** and **CodeIntegrity** logs in Event Viewer to see if any executables related to the app are being blocked. If so, you'll need to write a supplemental policy to support the app. |
| **My supplemental policy hasn't deployed** |<li>Your XML policy is malformed. Double-check to see if all markup is tagged correctly</li><li>Check that your policy is correctly applied|
<!--
The following table lists common app deployment issues on Windows 11 SE, and options to resolve them:
| **Problem** | **Potential solution** |
|---|---|
| **App hasn't installed** | <li>Check the type of app:<ul><li>Win32 apps should be able to install with no problem</li><li>UWP LOB apps require writing an additional supplemental policy</li><li>Microsoft Sore apps aren't supported</li></ul></li><li>Check that the managed installer policies are deployed correctly</li><li>It's possible the app is trying to execute a blocked binary. Check the AppLocker and CodeIntegrity logs in the Event Viewer and verify if any executables related to the app are blocked. If so, you'll need to write a supplemental policy to support the app</li><li> Check the Intune Management Extension logs to see if there was an attempt to install your app</li>|
| **App has problems when running** | It's possible the app is trying to execute a blocked binary<br> Check the **AppLocker** and **CodeIntegrity** logs in Event Viewer to see if any executables related to the app are being blocked. If so, you'll need to write a supplemental policy to support the app. |
| **My supplemental policy hasn't deployed** |<li>Your XML policy is malformed. Double-check to see if all markup is tagged correctly</li><li>Check that your policy is correctly applied|
## WDAC Supplemental policy validation
Use the Event Viewer to see if a supplemental policy is deployed correctly. These rules apply to both the policy that allows managed installers and any supplemental policies that you deploy.
1. Open the **Event viewer** on a target device
1. Expand **Applications and Services > Microsoft > Windows > CodeIntegrity > Operational**
1. Check for **event ID 3099**: *the policy was Refreshed and activated*
- For example: `Refreshed and activated Code Integrity policy {GUID} . id . Status 0x0`
- The policy that allows managed installers is **`C0DB889B-59C5-453C-B297-399C851934E4`**. Checking that this policy is applied correctly, indicates that a device is setup to allow managed installers (and therefore, can allow installation of Win32 apps via the Intune Management Extension).\
You can check that the **Managed Installer policy** rule was set in the policy, by checking the **Options** field in the **details** pane. For more information, see: [Understanding Application Control event IDs][WIN-1]
:::image type="content" source="images/troubleshoot-managed-installer-policy.png" alt-text="Screenshot of the CodeIntegrity operational log." lightbox="images/troubleshoot-managed-installer-policy.png":::
You can also verify that the policy has been activated by running the following from the <kbd>Win</kbd> + <kbd>R</kbd> *Run dialog* on a target device as an Administrator (hold <kbd>CTRL</kbd> + <kbd>Shift</kbd> when pressing Enter to run the command):
```
citool.exe -lp
```
- For the policy that allows managed installers to run, a policyID `C0DB889B-59C5-453C-B297-399C851934E4` and Friendly Name *[Win-EDU] Microsoft Apps Supplemental Policy - Prod* should be present, and have **Is Currently Enforced** showing as **true**
- For any additional policies that you deploy, check that a policy with a matching ID and Friendly Name is shown in the list and the **Is Currently Enforced** and **Is Authorized** properties are both showing as **true**
:::image type="content" source="images/troubleshoot-citool.png" alt-text="Screenshot of the output of citool.exe with the Win-EDU supplemental policy.":::
1. Check for **error events** with code **3077**: and reference [Understanding Application Control event IDs][WIN-1]
:::image type="content" source="images/troubleshoot-codeintegrity-log.png" alt-text="Screenshot of the error in the CodeIntegrity operational log showing that PowerShell execution is prevented by policy." lightbox="images/troubleshoot-codeintegrity-log.png":::
When checking an error event, you can observe that the information in the *General* tab may show something like the following:
```
Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\System32\svchost.exe) attempted to load **\Device\HarddiskVolume3\Windows\System32\WindowsPowerShell\v1.0\powershell.exe** that did not meet the Enterprise signing level requirements or violated code integrity policy (Policy ID:**{82443e1e-8a39-4b4a-96a8-f40ddc00b9f3}**).
```
The important things to parse are:
- **Failing application**: the path and executable here inform you which application failed. It's important to check that this executable is expected for the application you're validating. (for example. You would expect zoom.exe to fail for Zoom as opposed to cmd.exe.)
- **Error reason**: indicates why the application was unable to run. `...did not meet the Enterprise signing level requirements or violated code integrity policy` is what should be seen
- **Policy ID**: is the policy that is being violated, meaning that a rule in the policy is preventing the application from running
> [!NOTE]
> **{82443e1e-8a39-4b4a-96a8-f40ddc00b9f3}** is the base policy, which is what restricts most third-party apps from running. If you see another policy ID, it's worth taking note of that.
Alternatively you can use `cidiag.exe /stop`, which copies all potentially relevant logs and policy files to a folder. The command also parses the critical events from the **CodeIntegrity** and **AppLocker** logs to a text file.
-->
## AppLocker policy validation
To query AppLocker policies and validate that they're configured correctly, follow these steps:
1. Open the **Local Security Policy** mmc console (`secpol.msc`)
1. Select **Security Settings > Application Control Policies**
1. Right-click **AppLocker** and select **Export Policy…**
:::image type="content" source="images/applocker-export-policy.png" alt-text="Screenshot of the export of the AppLocker policies from the Local Security Policy mmc console." lightbox="images/applocker-export-policy.png" border="false":::
1. For the policy that sets the Intune Management Extension as a Managed installer, *MICROSOFT.MANAGEMENT.SERVICES.INTUNEWINDOWSAGENT.EXE* should be nested under a RuleCollection section of Type *ManagedInstaller*
:::image type="content" source="images/applocker-policy-validation.png" alt-text="Screenshot of the xml file generated by the get-applockerpolicy PowerShell cmdlet." lightbox="images/applocker-policy-validation.png":::
1. For any policies you added to set other executables you want to be managed installers, look for the rules you defined nested under a RuleCollection section of Type *ManagedInstaller*
### AppLocker service
To verify that the AppLocker service is running, follow these steps:
1. Open the **Services** mmc console (`services.msc`)
1. Verify that the service **Application Identity** has a status of **Running**
### AppLocker event log validation
1. Open the **Event Viewer** on a target device
1. Expand **Applications and Services > Microsoft > Windows > AppLocker > MSI and Script**
1. Check for **error events** with code **8040**, and reference [Understanding Application Control event IDs][WIN-2]
## Intune Management Extension
- [Collect diagnostics from a Windows device][MEM-1]
- Logs can be collected from `%programdata%\Microsoft\IntuneManagementExtension\Logs`
[MEM-1]: /mem/intune/remote-actions/collect-diagnostics
[WIN-1]: /windows/security/threat-protection/windows-defender-application-control/event-tag-explanations#policy-activation-event-options
[WIN-2]: /windows/security/threat-protection/windows-defender-application-control/event-id-explanations

172
education/windows/tutorial-deploy-apps-winse/validate-apps.md Normal file
View File

@ -0,0 +1,172 @@
---
title: Validate the applications deployed to Windows SE devices
description: Learn how to validate the applications deployed to Windows SE devices via Intune.
ms.date: 06/19/2023
ms.topic: tutorial
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE, version 22H2 and later</a>
---
# Validate the applications deployed to Windows SE devices
:::row:::
:::column span="":::
<a href="deploy-apps.md"><img src="images/phase-1-off.svg" alt="Icon representing the first phase."/></a><br>
[**Deploy an application via Microsoft Intune**](deploy-apps.md)
:::column-end:::
:::column span="":::
<a href="validate-apps.md"><img src="images/phase-2-on.svg" alt="Icon representing the second phase."/></a><br>
[**Validate the application**](validate-apps.md)
:::column-end:::
:::column span="":::
<a href="create-policies.md"><img src="images/phase-3-off.svg" alt="Icon representing the third phase."/></a><br>
[**Create additional policies (optional)**](create-policies.md)
:::column-end:::
:::row-end:::
A fundamental step in deploying apps to Windows 11 SE devices is to validate that the apps work as expected.
Application validation consists of the following steps:
1. Wait for the application to install
1. Verify that the app installed successfully
1. Open the app and exercise all user workflows
1. Inspect the app and take note of any potential problems
> [!NOTE]
> Apps must be validated on a case-by-case basis. A successful installation doesn't mean that the app will run properly. A successful execution of the app, doesn't mean it will *always* run properly.
## Wait for the application to install
Application installation depends on two factors:
- When the managed installer policies are applied to the device. These policies are automatically applied to Windows SE devices when they are enrolled in Intune
- When the apps are deployed to a device
> [!IMPORTANT]
> The Intune management extension agent checks every hour (or on service or device restart) for any new Win32 app assignments.
If the Windows 11 SE base policy doesn't block the application that you're trying to deploy, the process to deploy the app to Windows SE devices should be consistent with non-SE devices.
## Check for installation
There are two ways to verify that an app installed successfully:
- Intune portal
- On the device
Both options are worth checking. Installation in Intune can be used to check the installation status remotely and to ensure that the installation detection rules are configured correctly. Checking on the device can indicate if the app installed and if it runs properly.
### Check for installation from Intune
To check the installation status of an app from the Intune portal:
1. Sign in to the <a href="https://intune.microsoft.com/" target="_blank"><b>Microsoft Intune admin center</b></a>
1. Select **App > All apps**
1. Select the application you want to check
1. From the **Overview** page, you can verify the overall installation status
:::image type="content" source="./images/intune-app-install-overview.png" alt-text="Screenshot of the Microsoft Intune admin center - App installation details." lightbox="./images/intune-app-install-overview.png":::
1. From the **Device install status** page, you can verify the installation status for each device, and the status code that indicates the cause of the failure
:::image type="content" source="./images/intune-app-install-status.png" alt-text="Screenshot of the Microsoft Intune admin center - App installation status for each device." lightbox="./images/intune-app-install-status.png":::
> [!NOTE]
> A Win32 application may install correctly, but report to Intune as failed.\
> A Win32 app may also fail to install, but report as installed to Intune.
>
> In both cases, the issue may be in the detection rules defined in Intune, which must be configured correctly to detect the installation of the app.
### Check for installation on the device
On a Windows SE device, open the **Settings** app and select **Apps** > **Installed apps**. You can see the list of installed apps and validate that your targeted app is listed.
Another way to validate that the app has installed is to check its installation directory. The path is usually `C:\Program Files` or `C:\Program Files (x86)`, but can vary from app to app.
Lastly, launch the app to ensure that it has installed correctly.
## Check for compatibility
Checking for compatibility often means to execute the app and verify its functionalities. Here are some things to try while testing the behavior of your app:
- Open the app
- Test the core functionality and common user scenarios. Exercise a common workflow that a user would do with the app
- Force an update of the app
Here are things to pay attention to:
- Know how the apps you deploy are updated, and if they offer controls for automatic updates
- Dialogs may pop up during the app use, indicating that something is blocked
- Multiple apps are installed, especially if one app appears to be a launcher/updater. For example, Adobe Photoshop includes the Adobe Creative Cloud launcher, which updates Photoshop and other apps
- Any messages indicating that the app is doing pre-installation work or downloading more content
- Logs in the Event Viewer
### Compatible apps
If an app appears to be functioning correctly without being blocked, it's likely compatible with managed installer installation.
However, just because an app works initially doesn't mean it will *always* work. Self-updates or separate launchers/clients may update the apps.
### Semi-compatible apps
Semi-compatible apps may run without problems initially, but in the future they can be restricted to run after it self-updates or another installer/updater app installs over it.
### Incompatible apps
Incompatible apps may launch initially, but immediately begin to download more resources.\
These apps are eventually blocked before any of their functionalities can be accessed. Or, these apps may not launch due to a dependent file blocked by the Windows 11 SE base policy.
### Visual error notifications
You may see a dialog indicating **This app won't run on your PC**. Check the indicated executable and verify that it matches the executable of the installed application.
:::image type="content" source="images/winse-app-block.png" alt-text="Screenshot of Windows SE - error window while opening an app.":::
### Event Viewer
More detail can be obtained when looking for events indicating blocked executables in the Event Viewer.\
The event logs are:
- **CodeIntegrity > Operational**
- **AppLocker > MSI and Script**
For more information, see the [Troubleshoot](troubleshoot.md) section.
## Known limitations
Not all apps are compatible with managed installers, even after installation.
To learn about known limitations with apps deployed via a managed installer, see [Known limitations with managed installer][WIN-1].
<!--
> [!NOTE]
> UWP LOB apps aren't installed using the Intune Management Extension and thus aren't tracked by the managed installer heuristic. LOB apps must be authorized separately in your WDAC policy.
-->
## Section review
Before moving on to the next section, ensure that you've completed the following tasks:
> [!div class="checklist"]
> - Verified any installation errors from Intune
> - Verified the app installation on the device
> - Checked for any errors when opening the app from the device
> - Checked for any errors in the Event Viewer
## Next steps
Select one of the following options to learn the next steps:
<!--- If the apps don't work as expected, you must create and deploy WDAC or AppLocker policies to allow the apps to run-->
- If the apps don't work as expected, you must create and deploy AppLocker policies to allow the apps to run
> [!div class="nextstepaction"]
> [Next: Create policies>](create-policies.md)
- If the applications you are deploying don't have any issues, you can skip to important considerations when deploying apps and policies
> [!div class="nextstepaction"]
> [Next: Important deployment considerations>](considerations.md)
[M365-1]: /microsoft-365/education/deploy/microsoft-store-for-education
[WIN-1]: /windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer#known-limitations-with-managed-installer
[WIN-2]: /windows/msix/
[WIN-3]: /windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control

21
education/windows/tutorial-school-deployment/configure-device-apps.md
View File

@ -1,7 +1,7 @@
---
title: Configure applications with Microsoft Intune
description: Learn how to configure applications with Microsoft Intune in preparation for device deployment.
ms.date: 08/31/2022
ms.date: 03/08/2023
ms.topic: tutorial
---
@ -54,21 +54,10 @@ To assign applications to a group of users or devices:
## Considerations for Windows 11 SE
Windows 11 SE supports all web applications and a *curated list* of desktop applications.
You can prepare and add a desktop app to Microsoft Intune as a Win32 app from the [approved app list][EDU-1].
Windows 11 SE prevents the installation and execution of third party applications with a technology called **Windows Defender Application Control** (WDAC).
WDAC applies an *allowlist* policy, which ensures that unwanted apps don't run or get installed. However, it also prevents IT admins from deploying apps to Windows 11 SE devices, unless they're included in the E Mode policy.
The process to add Win32 applications to Intune is described in the article [Add, assign, and monitor a Win32 app in Microsoft Intune][MEM-1].
> [!NOTE]
> If the applications you need aren't included in the list, anyone in your school district can submit an application request at <a href="https://edusupport.microsoft.com/support?product_id=win11se" target="_blank"><u>Microsoft Education Support</u></a>.
> [!CAUTION]
> If you assign an app to a device running **Windows 11 SE** and receive the **0x87D300D9** error code with a **Failed** state:
> - Be sure the app is on the [<u>approved app list</u>][EDU-1]
> - If you submitted a request to add your own app and it was approved, check that the app meets package requirements
> - If the app is not approved, it will not run on Windows 11 SE. In this case, you will have to verify if the app can run in a web browser, such as a web app or PWA
________________________________________________________
To learn more about which apps are supported in Windows 11 SE, and how to deploy them, see the tutorial [Deploy applications to Windows 11 SE with Intune][EDU-1].
## Next steps
@ -79,7 +68,7 @@ With the applications configured, you can now deploy students' and teachers' dev
<!-- Reference links in article -->
[EDU-1]: /education/windows/windows-11-se-overview
[EDU-1]: ../tutorial-deploy-apps-winse/index.md
[MEM-1]: /mem/intune/apps/apps-win32-add

5
education/windows/tutorial-school-deployment/enroll-autopilot.md
View File

@ -1,7 +1,7 @@
---
title: Enrollment in Intune with Windows Autopilot
description: Learn how to join Azure AD and enroll in Intune using Windows Autopilot.
ms.date: 08/31/2022
ms.date: 03/08/2023
ms.topic: tutorial
---
@ -97,7 +97,7 @@ To deploy the ESP to devices, you need to create an ESP profile in Microsoft Int
For more information, see [Set up the Enrollment Status Page][MEM-3].
> [!CAUTION]
> When targeting an ESP to **Windows 11 SE** devices, only applications included in the [<u>approved app list</u>][EDU-1] should part of the ESP configuration.
> The Enrollment Status Page (ESP) is compatible with Windows 11 SE. However, due to the E Mode policy, devices may not complete the enrollment. For more information, see [Enrollment Status Page][EDU-3].
### Autopilot end-user experience
@ -144,5 +144,6 @@ With the devices joined to Azure AD tenant and managed by Intune, you can use In
[EDU-1]: /education/windows/windows-11-se-overview
[EDU-2]: /intune-education/windows-11-se-overview#windows-autopilot
[EDU-3]: ../tutorial-deploy-apps-winse/considerations.md#enrollment-status-page
[SURF-1]: /surface/surface-autopilot-registration-support

29
store-for-business/includes/store-for-business-content-updates.md
View File

@ -2,33 +2,10 @@
## Week of May 22, 2023
## Week of June 26, 2023
| Published On |Topic title | Change |
|------|------------|--------|
| 5/25/2023 | [Acquire apps in Microsoft Store for Business (Windows 10)](/microsoft-store/acquire-apps-microsoft-store-for-business) | modified |
| 5/25/2023 | [Manage Windows device deployment with Windows Autopilot Deployment](/microsoft-store/add-profile-to-devices) | modified |
| 5/25/2023 | [App inventory management for Microsoft Store for Business and Microsoft Store for Education (Windows 10)](/microsoft-store/app-inventory-management-microsoft-store-for-business) | modified |
| 5/25/2023 | [Apps in Microsoft Store for Business and Education (Windows 10)](/microsoft-store/apps-in-microsoft-store-for-business) | modified |
| 5/25/2023 | [Assign apps to employees (Windows 10)](/microsoft-store/assign-apps-to-employees) | modified |
| 5/25/2023 | [Configure an MDM provider (Windows 10)](/microsoft-store/configure-mdm-provider-microsoft-store-for-business) | modified |
| 5/25/2023 | [Distribute apps using your private store (Windows 10)](/microsoft-store/distribute-apps-from-your-private-store) | modified |
| 5/25/2023 | [Distribute apps to your employees from the Microsoft Store for Business and Education (Windows 10)](/microsoft-store/distribute-apps-to-your-employees-microsoft-store-for-business) | modified |
| 5/25/2023 | [Distribute apps with a management tool (Windows 10)](/microsoft-store/distribute-apps-with-management-tool) | modified |
| 5/25/2023 | [Distribute offline apps (Windows 10)](/microsoft-store/distribute-offline-apps) | modified |
| 5/25/2023 | [Find and acquire apps (Windows 10)](/microsoft-store/find-and-acquire-apps-overview) | modified |
| 5/25/2023 | [Microsoft Store for Business and Education (Windows 10)](/microsoft-store/index) | modified |
| 5/25/2023 | [Manage access to private store (Windows 10)](/microsoft-store/manage-access-to-private-store) | modified |
| 5/25/2023 | [Manage products and services in Microsoft Store for Business (Windows 10)](/microsoft-store/manage-apps-microsoft-store-for-business-overview) | modified |
| 5/25/2023 | [Manage private store settings (Windows 10)](/microsoft-store/manage-private-store-settings) | modified |
| 5/25/2023 | [Manage settings for Microsoft Store for Business and Microsoft Store for Education (Windows 10)](/microsoft-store/manage-settings-microsoft-store-for-business) | modified |
| 5/25/2023 | [Manage user accounts in Microsoft Store for Business and Microsoft Store for Education (Windows 10)](/microsoft-store/manage-users-and-groups-microsoft-store-for-business) | modified |
| 5/25/2023 | [Microsoft Store for Business and Education PowerShell module - preview](/microsoft-store/microsoft-store-for-business-education-powershell-module) | modified |
| 5/25/2023 | [Microsoft Store for Business and Microsoft Store for Education overview (Windows 10)](/microsoft-store/microsoft-store-for-business-overview) | modified |
| 5/25/2023 | [Notifications in Microsoft Store for Business and Education (Windows 10)](/microsoft-store/notifications-microsoft-store-business) | modified |
| 5/25/2023 | [Prerequisites for Microsoft Store for Business and Education (Windows 10)](/microsoft-store/prerequisites-microsoft-store-for-business) | modified |
| 5/25/2023 | [Roles and permissions in Microsoft Store for Business and Education (Windows 10)](/microsoft-store/roles-and-permissions-microsoft-store-for-business) | modified |
| 5/25/2023 | [Sign up and get started (Windows 10)](/microsoft-store/sign-up-microsoft-store-for-business-overview) | modified |
| 5/25/2023 | [Troubleshoot Microsoft Store for Business (Windows 10)](/microsoft-store/troubleshoot-microsoft-store-for-business) | modified |
| 5/25/2023 | [Update your Billing account settings](/microsoft-store/update-microsoft-store-for-business-account-settings) | modified |
| 6/29/2023 | [Microsoft Store for Business and Education release history](/microsoft-store/release-history-microsoft-store-business-education) | modified |
| 6/29/2023 | [Whats new in Microsoft Store for Business and Education](/microsoft-store/whats-new-microsoft-store-business-education) | modified |

35
store-for-business/release-history-microsoft-store-business-education.md
View File

@ -8,7 +8,7 @@ ms.author: cmcatee
author: cmcatee-MSFT
manager: scotv
ms.topic: conceptual
ms.date: 05/24/2023
ms.date: 06/29/2023
ms.reviewer:
---
@ -17,11 +17,38 @@ ms.reviewer:
> [!IMPORTANT]
>
> - The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
> - In April 2023 the Microsoft Store for Business tab was removed from Microsoft Store apps on Windows 10 and Windows 11 PCs. An interaction with existing MDM and GPO policies may lead to customers seeing errors when accessing the Microsoft Store app. For more information see [Microsoft Store for Business tab removed](manage-access-to-private-store.md#microsoft-store-for-business-tab-removed).
Microsoft Store for Business and Education regularly releases new and improved features. Here's a summary of new or updated features in previous releases.
Because Microsoft Store for Business and Education will be retired, we no longer release new and improved features. Here's a summary of new or updated features in previous releases.
Looking for info on the latest release? Check out [What's new in Microsoft Store for Business and Education](whats-new-microsoft-store-business-education.md)
Looking for info on the latest release? Check out [What's new in Microsoft Store for Business and Education](whats-new-microsoft-store-business-education.md)
## May 2023
### Removal of Microsoft Store for Business tab from Microsoft Store app on Windows 10 PCs
The Microsoft Store for Business tab was removed from the Microsoft Store app on Windows 10. The Microsoft Store for Business tab is still available on HoloLens devices.
Users on Windows 10 PCs can no longer do the following tasks:
- see Line of Business (LOB) products listed in the Microsoft Store for Business tab
- acquire or install [online apps](/mem/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business#online-and-offline-apps)
- assign licenses for existing [online apps](/mem/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business#online-and-offline-apps) using the Store for Business portal or Store for Business app
[Offline app](/mem/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business#online-and-offline-apps) distribution and licensing scenarios aren't impacted by this change.
We recommend that you add your apps through the new Microsoft Store app experience in Intune. If an app isnt available in the Microsoft Store, you must retrieve an app package from the vendor and install it as an LOB app or Win32 app. For instructions, read the following articles:
- [Add Microsoft Store apps to Microsoft Intune](/mem/intune/apps/store-apps-microsoft)
- [Add a Windows line-of-business app to Microsoft Intune](/mem/intune/apps/lob-apps-windows)
- [Add, assign, and monitor a Win32 app in Microsoft Intune](/mem/intune/apps/apps-win32-add)
Follow the [Intune Customer Success blog](https://aka.ms/IntuneCustomerSuccess) where we will publish more information about this change.
## April 2023
- **Tab removed from Microsoft Store apps on Windows 11 PCs** The Microsoft Store for Business tab was removed from Microsoft Store apps on Windows 11 PCs. An interaction with existing MDM and GPO policies may lead to customers seeing errors when accessing the Microsoft Store app. [Get more info](manage-access-to-private-store.md#microsoft-store-for-business-tab-removed)
## October 2018
- **Use security groups with Private store apps** - On the details page for apps in your private store, you can set Private store availability. This allows you to choose which security groups can see an app in the private store. [Get more info](app-inventory-management-microsoft-store-for-business.md)
## September 2018
- **Performance improvements** - With updates and improvements in the private store, most changes, like adding an app, will take fifteen minutes or less. [Get more info](/microsoft-store/manage-private-store-settings#private-store-performance)

41
store-for-business/whats-new-microsoft-store-business-education.md
View File

@ -1,6 +1,6 @@
---
title: Whats new in Microsoft Store for Business and Education
description: Learn about newest features in Microsoft Store for Business and Microsoft Store for Education.
description: Learn about the newest features in Microsoft Store for Business and Microsoft Store for Education.
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
@ -8,7 +8,7 @@ ms.author: cmcatee
author: cmcatee-MSFT
manager: scotv
ms.topic: conceptual
ms.date: 05/24/2023
ms.date: 06/29/2023
ms.reviewer:
---
@ -17,23 +17,30 @@ ms.reviewer:
> [!IMPORTANT]
>
> - The retirement of Microsoft Store for Business and Microsoft Store for Education has been postponed. We will update this notice when a new retirement date is announced. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Update to Intune integration with the Microsoft Store on Windows](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/update-to-endpoint-manager-integration-with-the-microsoft-store/ba-p/3585077) and [FAQ: Supporting Microsoft Store experiences on managed devices](https://techcommunity.microsoft.com/t5/windows-management/faq-supporting-microsoft-store-experiences-on-managed-devices/m-p/3585286).
> - In April 2023 the Microsoft Store for Business tab was removed from Microsoft Store apps on Windows 10 and Windows 11 PCs. An interaction with existing MDM and GPO policies may lead to customers seeing errors when accessing the Microsoft Store app. For more information see [Microsoft Store for Business tab removed](manage-access-to-private-store.md#microsoft-store-for-business-tab-removed).
Microsoft Store for Business and Education regularly releases new and improved features.
## Latest updates for Store for Business and Education
**October 2018**
**May 2023**
:::row:::
:::column span="1":::
![Security groups.](images/security-groups-icon.png)
:::column-end:::
:::column span="1":::
**Use security groups with Private store apps**<br /><br /> On the details page for apps in your private store, you can set **Private store availability**. This allows you to choose which security groups can see an app in the private store. <br /><br />[Get more info](./app-inventory-management-microsoft-store-for-business.md#private-store-availability)<br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education
:::column-end:::
:::row-end:::
**Removal of Microsoft Store for Business tab from Microsoft Store app on Windows 10 PCs**
The Microsoft Store for Business tab was removed from the Microsoft Store app on Windows 10. The Microsoft Store for Business tab is still available on HoloLens devices.
Users on Windows 10 PCs can no longer do the following tasks:
- see Line of Business (LOB) products listed in the Microsoft Store for Business tab
- acquire or install [online apps](/mem/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business#online-and-offline-apps)
- assign licenses for existing [online apps](/mem/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business#online-and-offline-apps) using the Store for Business portal or Store for Business app
[Offline app](/mem/configmgr/apps/deploy-use/manage-apps-from-the-windows-store-for-business#online-and-offline-apps) distribution and licensing scenarios aren't impacted by this change.
We recommend that you add your apps through the new Microsoft Store app experience in Intune. If an app isnt available in the Microsoft Store, you must retrieve an app package from the vendor and install it as an LOB app or Win32 app. For instructions, read the following articles:
- [Add Microsoft Store apps to Microsoft Intune](/mem/intune/apps/store-apps-microsoft)
- [Add a Windows line-of-business app to Microsoft Intune](/mem/intune/apps/lob-apps-windows)
- [Add, assign, and monitor a Win32 app in Microsoft Intune](/mem/intune/apps/apps-win32-add)
Follow the [Intune Customer Success blog](https://aka.ms/IntuneCustomerSuccess) where we will publish more information about this change.
<!---
We've been working on bug fixes and performance improvements to provide you a better experience. Stay tuned for new features!
@ -47,6 +54,12 @@ We've been working on bug fixes and performance improvements to provide you a be
## Previous releases and updates
[April 2023](release-history-microsoft-store-business-education.md#april-2023)
- Tab removed from Microsoft Store apps on Windows 11 PCs.
[October 2018](release-history-microsoft-store-business-education.md#october-2018)
- Use security groups with Private store apps
[September 2018](release-history-microsoft-store-business-education.md#september-2018)
- Performance improvements

43
windows/client-management/mdm/surfacehub-csp.md
View File

@ -75,6 +75,7 @@ The following list shows the SurfaceHub configuration service provider nodes:
- [Properties](#properties)
- [AllowAutoProxyAuth](#propertiesallowautoproxyauth)
- [AllowSessionResume](#propertiesallowsessionresume)
- [DefaultAutomaticFraming](#propertiesdefaultautomaticframing)
- [DefaultVolume](#propertiesdefaultvolume)
- [DisableSigninSuggestions](#propertiesdisablesigninsuggestions)
- [DoNotShowMyMeetingsAndFiles](#propertiesdonotshowmymeetingsandfiles)
@ -1878,7 +1879,7 @@ The name of the domain admin group to add to the administrators group on the dev
<!-- Device-Management-GroupSid-Description-Begin -->
<!-- Description-Source-DDF -->
The sid of the domain admin group to add to the administrators group on the device.
The side of the domain admin group to add to the administrators group on the device.
<!-- Device-Management-GroupSid-Description-End -->
<!-- Device-Management-GroupSid-Editable-Begin -->
@ -2154,6 +2155,46 @@ Specifies whether to allow the ability to resume a session when the session time
<!-- Device-Properties-AllowSessionResume-End -->
<!-- Device-Properties-DefaultAutomaticFraming-Begin -->
### Properties/DefaultAutomaticFraming
<!-- Device-Properties-DefaultAutomaticFraming-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE | ✅ Windows 10, version 20H2 [10.0.19042] and later |
<!-- Device-Properties-DefaultAutomaticFraming-Applicability-End -->
<!-- Device-Properties-DefaultAutomaticFraming-OmaUri-Begin -->
```Device
./Vendor/MSFT/SurfaceHub/Properties/DefaultAutomaticFraming
```
<!-- Device-Properties-DefaultAutomaticFraming-OmaUri-End -->
<!-- Device-Properties-DefaultAutomaticFraming-Description-Begin -->
<!-- Description-Source-DDF -->
Specifies whether the Surface Hub 2 Smart Camera feature to automatically zoom and keep users centered in the video is enabled.
<!-- Device-Properties-DefaultAutomaticFraming-Description-End -->
<!-- Device-Properties-DefaultAutomaticFraming-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Device-Properties-DefaultAutomaticFraming-Editable-End -->
<!-- Device-Properties-DefaultAutomaticFraming-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `bool` |
| Access Type | Get, Replace |
| Default Value | true |
<!-- Device-Properties-DefaultAutomaticFraming-DFProperties-End -->
<!-- Device-Properties-DefaultAutomaticFraming-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Device-Properties-DefaultAutomaticFraming-Examples-End -->
<!-- Device-Properties-DefaultAutomaticFraming-End -->
<!-- Device-Properties-DefaultVolume-Begin -->
### Properties/DefaultVolume

2
windows/configuration/kiosk-single-app.md
View File

@ -12,7 +12,7 @@ ms.collection:
- highpri
- tier1
ms.technology: itpro-configure
ms.date: 12/31/2017
ms.date: 06/15/2023
---
# Set up a single-app kiosk on Windows 10/11

5
windows/configuration/windows-accessibility-for-ITPros.md
View File

@ -5,6 +5,7 @@ ms.prod: windows-client
ms.technology: itpro-configure
ms.author: lizlong
author: lizgt2000
ms.date: 06/27/2023
ms.reviewer:
manager: aaroncz
ms.localizationpriority: medium
@ -67,6 +68,8 @@ Windows 11, version 22H2, includes improvements for people with disabilities: sy
- [Use live captions to better understand audio](https://support.microsoft.com/windows/use-live-captions-to-better-understand-audio-b52da59c-14b8-4031-aeeb-f6a47e6055df). Use Windows 11, version 22H2 or later to better understand any spoken audio with real time captions.
- Starting with Windows 11, version 22H2 with [KB5026446](https://support.microsoft.com/kb/5026446), live captions now supports additional languages.
- [View live transcription in a Teams meeting](https://support.microsoft.com/office/view-live-transcription-in-a-teams-meeting-dc1a8f23-2e20-4684-885e-2152e06a4a8b). During any Teams meeting, view a live transcription so you don't miss what's being said.
- [Use Teams for sign language](https://www.microsoft.com/microsoft-teams/group-chat-software). Teams is available on various platforms and devices, so you don't have to worry about whether your co-workers, friends, and family can communicate with you.
@ -110,6 +113,8 @@ Windows 11, version 22H2, includes improvements for people with disabilities: sy
- [Save time with keyboard shortcuts](https://support.microsoft.com/windows/keyboard-shortcuts-in-windows-dcc61a57-8ff0-cffe-9796-cb9706c75eec).
- [Use voice access to control your PC and author text with your voice](https://support.microsoft.com/en-us/topic/use-voice-access-to-control-your-pc-author-text-with-your-voice-4dcd23ee-f1b9-4fd1-bacc-862ab611f55d).
## Other resources
[Windows accessibility](https://www.microsoft.com/Accessibility/windows)

9
windows/deployment/do/waas-delivery-optimization-faq.yml
View File

@ -12,7 +12,7 @@ metadata:
- highpri
- tier3
ms.topic: faq
ms.date: 04/17/2023
ms.date: 06/28/2023
title: Delivery Optimization Frequently Asked Questions
summary: |
**Applies to**
@ -111,7 +111,7 @@ sections:
The recommended configuration for Delivery Optimization Peer-to-Peer to work most efficiently along with cloud proxy solutions (for example, Zscaler) is to allow traffic to the Delivery Optimization services to go directly to the internet and not through the cloud proxy.
At a minimum, the following FQDN that is used for communication between clients and the Delivery Optimization service should be allowed with direct Internet access and bypass the cloud proxy service:
- *.prod.do.dsp.mp.microsoft.com
- `*.prod.do.dsp.mp.microsoft.com`
If allowing direct Internet access isn't an option, try using Group Download Mode '2' to define the peering group. [Learn more](waas-delivery-optimization-reference.md#select-the-source-of-group-ids) about using Group Download mode.
@ -119,7 +119,8 @@ sections:
answer: |
Delivery Optimization is an HTTP downloader used by most content providers from Microsoft. When a device is configured to use Delivery Optimization peering (on by default), it does so with the HTTP downloader capabilities to optimize bandwidth usage.
If you'd like to disable peer-to-peer capabilities of Delivery Optimization, change the Delivery Optimization [Download mode](waas-delivery-optimization-reference.md#download-mode) setting to '0', which will disable peer-to-peer and provide hash checks. [Download mode](waas-delivery-optimization-reference.md#download-mode) set to '99' should only be used when the device is offline and doesn't have internet access.
Don't set **Download mode** to '100' (Bypass), which can cause some content to fail to download. Starting in Windows 11, Download mode '100' is deprecated.
> [!NOTE]
> Disabling Delivery Optimization won't prevent content from downloading to your devices. If you're looking to pause updates, you need to set policies for the relevant components such as Windows Update, Windows Store or Edge browser. If you're looking to reduce the load on your network, look into using Delivery Optimization Peer-to-Peer, Microsoft Connected Cache or apply the [network throttling policies](waas-delivery-optimization-reference.md#maximum-download-bandwidth) available for Delivery Optimization.
@ -129,4 +130,4 @@ sections:
- question: What Delivery Optimization settings are available?
answer: |
There are many different Delivery Optimization [settings](waas-delivery-optimization-reference.md) available. These settings allow you to effectively manage how Delivery Optimization is used within your environment with control s on bandwidth, time of day, etc.
There are many different Delivery Optimization [settings](waas-delivery-optimization-reference.md) available. These settings allow you to effectively manage how Delivery Optimization is used within your environment with control s on bandwidth, time of day, etc.

7
windows/deployment/do/waas-delivery-optimization-reference.md
View File

@ -8,7 +8,7 @@ ms.localizationpriority: medium
ms.author: carmenf
ms.topic: article
ms.technology: itpro-updates
ms.date: 12/31/2017
ms.date: 06/28/2023
ms.collection: tier3
---
@ -128,11 +128,8 @@ Download mode dictates which download sources clients are allowed to use when do
| Group (2) | When group mode is set, the group is automatically selected based on the device's Active Directory Domain Services (AD DS) site (Windows 10, version 1607) or the domain the device is authenticated to (Windows 10, version 1511). In group mode, peering occurs across internal subnets, between devices that belong to the same group, including devices in remote offices. You can use GroupID option to create your own custom group independently of domains and AD DS sites. Starting with Windows 10, version 1803, you can use the GroupIDSource parameter to take advantage of other method to create groups dynamically. Group download mode is the recommended option for most organizations looking to achieve the best bandwidth optimization with Delivery Optimization. |
| Internet (3) | Enable Internet peer sources for Delivery Optimization. |
| Simple (99) | Simple mode disables the use of Delivery Optimization cloud services completely (for offline environments). Delivery Optimization switches to this mode automatically when the Delivery Optimization cloud services are unavailable, unreachable, or when the content file size is less than 10 MB. In this mode, Delivery Optimization provides a reliable download experience over HTTP from the download's original source or a Microsoft Connected Cache server, with no peer-to-peer caching. |
| Bypass (100) | This option is deprecated starting in Windows 11. If you want to disable peer-to-peer functionality, it's best to set DownloadMode to (0). If your device doesnt have internet access, set Download Mode to (99). Bypass Delivery Optimization and use BITS, instead. You should only select this mode if you use WSUS and prefer to use BranchCache. You don't need to set this option if you're using Configuration Manager. |
| Bypass (100) | Starting in Windows 11, this option is deprecated. Don't set **Download mode** to '100' (Bypass), which can cause some content to fail to download. If you want to disable peer-to-peer functionality, set DownloadMode to (0). If your device doesn't have internet access, set Download Mode to (99). When you set Bypass (100), the download bypasses Delivery Optimization and uses BITS instead. You don't need to set this option if you're using Configuration Manager. |
> [!NOTE]
> Starting in Windows 11, the Bypass option of Download Mode is deprecated.
>
> [!NOTE]
> When you use Azure Active Directory tenant, AD Site, or AD Domain as the source of group IDs, the association of devices participating in the group should not be relied on for an authentication of identity of those devices.

4
windows/deployment/update/deployment-service-drivers.md
View File

@ -8,7 +8,7 @@ ms.author: mstewart
manager: aaroncz
ms.topic: article
ms.technology: itpro-updates
ms.date: 06/16/2023
ms.date: 06/22/2023
---
# Deploy drivers and firmware updates with Windows Update for Business deployment service
@ -81,7 +81,7 @@ To create a policy without any deployment settings, in the request body specify
{
"audience": {
"@odata.id": "d39ad1ce-0123-4567-89ab-cdef01234567"
"id": "d39ad1ce-0123-4567-89ab-cdef01234567"
}
}
```

BIN
windows/deployment/update/media/33771278-workbook-summary-tab-tiles.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 31 KiB

BIN
windows/deployment/update/media/8037522-workbook-summary-tab-tiles.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 22 KiB

11
windows/deployment/update/wufb-reports-prerequisites.md
View File

@ -6,7 +6,7 @@ ms.prod: windows-client
author: mestew
ms.author: mstewart
ms.topic: article
ms.date: 06/09/2023
ms.date: 06/27/2023
ms.technology: itpro-updates
---
@ -49,12 +49,11 @@ Windows Update for Business reports supports Windows client devices on the follo
## Diagnostic data requirements
At minimum, Windows Update for Business reports requires devices to send diagnostic data at the *Required* level (previously *Basic*). For more information about what's included in different diagnostic levels, see [Diagnostics, feedback, and privacy in Windows](https://support.microsoft.com/windows/diagnostics-feedback-and-privacy-in-windows-28808a2b-a31b-dd73-dcd3-4559a5199319).
At minimum, Windows Update for Business reports requires devices to send diagnostic data at the *Required* level (previously *Basic*). For more information about what's included in different diagnostic levels, see [Configure Windows diagnostic data in your organization](/windows/privacy/configure-windows-diagnostic-data-in-your-organization).
For some queries, such as Windows 11 eligibility reporting, Windows Update for Business reports requires devices to send diagnostic data at the following levels:
- *Optional* level for Windows 11 devices (previously *Full*)
- *Enhanced* level for Windows 10 devices
The following levels are recommended, but not required:
- The *Enhanced* level for Windows 10 devices
- The *Optional* level for Windows 11 devices (previously *Full*) <!--8027083-->
Device names don't appear in Windows Update for Business reports unless you individually opt-in devices by using a policy. The configuration script does this for you, but when using other client configuration methods, set one of the following to display device names:

33
windows/deployment/update/wufb-reports-workbook.md
View File

@ -6,7 +6,7 @@ ms.prod: windows-client
author: mestew
ms.author: mstewart
ms.topic: article
ms.date: 06/12/2023
ms.date: 06/23/2023
ms.technology: itpro-updates
---
@ -35,6 +35,7 @@ To access the Windows Update for Business reports workbook:
1. When the gallery opens, select the **Windows Update for Business reports** workbook. If needed, you can filter workbooks by name in the gallery.
1. When the workbook opens, you may need to specify which **Subscription** and **Workspace** you used when [enabling Windows Update for Business reports](wufb-reports-enable.md).
## Summary tab
The **Summary** tab gives you a brief high-level overview of the devices that you've enrolled into Windows Update for Business reports. The **Summary** tab contains tiles above the **Overall security update status** chart.
@ -43,13 +44,13 @@ The **Summary** tab gives you a brief high-level overview of the devices that yo
Each of these tiles contains an option to **View details**. When **View details** is selected for a tile, a flyout appears with additional information.
:::image type="content" source="media/33771278-workbook-summary-tab-tiles.png" alt-text="Screenshot of the summary tab tiles in the Windows Update for Business reports workbook":::
:::image type="content" source="media/8037522-workbook-summary-tab-tiles.png" alt-text="Screenshot of the summary tab tiles in the Windows Update for Business reports workbook":::
| Tile name | Description | View details description |
|---|---|------|
| **Enrolled devices** | Total number of devices that are enrolled into Windows Update for Business reports | Displays multiple charts about the operating systems (OS) for enrolled devices: </br> **OS Version** </br> **OS Edition** </br> **OS Servicing Channel** </br> **OS Architecture**|
|**Active alerts** | Total number of active alerts on enrolled devices | Displays the top three active alert subtypes and the count of devices in each. </br> </br> Select the count of **Devices** to display a table of the devices. This table is limited to the first 1000 rows. Select `...` to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial). </br> </br> Select an **AlertSubtype** to display a list containing: </br> - Each **Error Code** in the alert subtype </br>- A **Description** of the error code </br> - A **Recommendation** to help you remediate the error code </br> - A count of **Devices** with the specific error code |
| **Windows 11 eligibility** | Percentage of devices that are capable of running Windows 11 | Displays the following items: </br> - **Windows 11 Readiness Status** chart </br> - **Readiness Reason(s) Breakdown** chart that displays Windows 11 requirements that aren't met. </br> - A table for **Readiness reason**. Select a reason to display a list of devices that don't meet a specific requirement for Windows 11. |
| **Windows 11 adoption** | Number of devices that are running Windows 11 | Displays the following items: </br> - **Windows 11 Device Count** chart, broken down by Windows 11 version </br> - **Windows 11 Eligibility Status** contains a **Readiness status** chart that lists the count of devices by OS version that are either capable or not capable of running Windows 11. </br> - The **Device List** allows you to choose a Windows 11 **Ineligibility Reason** to display devices that don't meet the selected requirement. <!--8037522-->|
### Summary tab charts
@ -63,15 +64,14 @@ The charts displayed in the **Summary** tab give you a general idea of the overa
## Quality updates tab
The **Quality updates** tab displays generalized data at the top by using tiles. The quality update data becomes more specific as you navigate lower in this tab. The top of the **Quality updates** tab contains tiles with the following information:
- **Latest security update**: Count of devices that have reported successful installation of the latest security update.
- **Missing one security update**: Count of devices that haven't installed the latest security update.
- **Missing multiple security updates**: Count of devices that are missing two or more security updates.
- **Active alerts**: Count of active update and device alerts for quality updates.
Selecting **View details** on any of the tiles displays a flyout with a chart that displays the first 1000 items. Select `...` from the flyout to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial).
The **Quality updates** tab displays generalized data at the top by using tiles. The quality update data becomes more specific as you navigate lower in this tab. The top of the **Quality updates** tab contains tiles with the following information and drill-down options:
| Tile name | Description | Drill-in description |
|---|---|---|
|**Latest security update**| Count of devices that have reported successful installation of the latest security update. | - Select **View details** to display a flyout with a chart that displays the first 1000 items. </br> - Select `...` from the flyout to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial). |
| **Missing one security update** | Count of devices that haven't installed the latest security update.| - Select **View details** to display a flyout with a chart that displays the first 1000 items. </br> - Select `...` from the flyout to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial).|
| **Missing multiple security updates** | Count of devices that are missing two or more security updates. | - Select **View details** to display a flyout with a chart that displays the first 1000 items. </br> - Select `...` from the flyout to export the full list, or display the query in [Log Analytics](/azure/azure-monitor/logs/log-analytics-tutorial). |
| **Expedite performance** | Overview of the progress for the expedited deployments of the latest security update. | - Select **View details** to display a flyout with a chart that displays the total progress of each deployment, number of alerts, and count of devices. </br> - Select the count from the **Alerts** column to display the alerts, by name, for the deployment. Selecting the device count for the alert name displays a list of devices with the alert. </br> - Select the count in the **TotalDevices** column to display a list of clients and their information for the deployment. <!--7626683-->|
Below the tiles, the **Quality updates** tab is subdivided into **Update status** and **Device status** groups. These different chart groups allow you to easily discover trends in compliance data. For instance, you may remember that about third of your devices were in the installing state yesterday, but this number didn't change as much as you were expecting. That unexpected trend may cause you to investigate and resolve a potential issue before end users are impacted.
@ -188,6 +188,17 @@ The Delivery Optimization tab is further divided into the following groups:
:::image type="content" source="media/wufb-do-overview.png" alt-text="Screenshot of the summary tab in the Windows Update for Business reports workbook for Delivery Optimization." lightbox="media/wufb-do-overview.png":::
## Understanding update states
Updates can go though many phases from when they're initially deployed to being installed on the device. Transition from one state to another can be rapid, which makes some states less likely to be displayed in reports. The workbook can report the following high-level states for a device update: <!--8052067-->
- **Offering**: The update is being offered to the device for installation
- **Installing**: The update is in the process of being installed on the device
- **Installed**: The update has been installed on the device
- **Cancelled**: The update was cancelled from the [deployment service](deployment-service-overview.md) before it was installed
- **Uninstalled**: The update was uninstalled from the device by either an admin or a user
- **OnHold**: The update was put on hold from the [deployment service](deployment-service-overview.md) before it was installed
- **Unknown**: This state occurs when there's a record for the device in the [UCClient](wufb-reports-schema-ucclient.md) table, but there isn't a record for the specific update for the specific device in the [UCClientUpdateStatus](wufb-reports-schema-ucclientupdatestatus.md) table. This means that there is no record of the update for the device in question.
## Customize the workbook

2
windows/deployment/volume-activation/activate-windows-10-clients-vamt.md
View File

@ -81,7 +81,7 @@ The KMS uses service (SRV) resource records in DNS to store and communicate the
By default, KMS client computers query DNS for KMS information. The first time a KMS client computer queries DNS for KMS information, it randomly chooses a KMS host from the list of service (SRV) resource records that DNS returns. The address of a DNS server that contains the service (SRV) resource records can be listed as a suffixed entry on KMS client computers, which allows one DNS server to advertise the service (SRV) resource records for KMS, and KMS client computers with other primary DNS servers to find it.
Priority and weight parameters can be added to the DnsDomainPublishList registry value for KMS. Establishing KMS host priority groupings and weighting within each group allows you to specify which KMS host the client computers should try first and balances traffic among multiple KMS hosts. Only Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Server 2012 R2, Windows Server 2012, and Windows Server 2008 R2 provide these priority and weight parameters.
Priority and weight parameters can be added to the DnsDomainPublishList registry value for KMS. Establishing KMS host priority groupings and weighting within each group allows you to specify which KMS host the client computers should try first and balances traffic among multiple KMS hosts. All currently supported versions of Windows and Windows Server provide these priority and weight parameters.
If the KMS host that a client computer selects doesn't respond, the KMS client computer removes that KMS host from its list of service (SRV) resource records and randomly selects another KMS host from the list. When a KMS host responds, the KMS client computer caches the name of the KMS host and uses it for subsequent activation and renewal attempts. If the cached KMS host doesn't respond on a subsequent renewal, the KMS client computer discovers a new KMS host by querying DNS for KMS service (SRV) resource records.

2
windows/deployment/volume-activation/use-vamt-in-windows-powershell.md
View File

@ -44,7 +44,7 @@ To open PowerShell with administrative credentials, select **Start** and enter `
For all supported operating systems, you can use the VAMT PowerShell module included with the Windows ADK. By default, the module is installed with the Windows ADK in the VAMT folder. Change directories to the directory where VAMT is located. For example, if the Windows ADK is installed in the default location of `C:\Program Files(x86)\Windows Kits\10`, enter:
```powershell
cd "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\VAMT 3.0"
cd "C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\VAMT3"
```
### Import the VAMT PowerShell module

4
windows/deployment/windows-autopatch/TOC.yml
View File

@ -146,6 +146,8 @@
href: operate/windows-autopatch-policy-health-and-remediation.md
- name: Maintain the Windows Autopatch environment
href: operate/windows-autopatch-maintain-environment.md
- name: Manage driver and firmware updates
href: operate/windows-autopatch-manage-driver-and-firmware-updates.md
- name: Submit a support request
href: operate/windows-autopatch-support-request.md
- name: Deregister a device
@ -166,6 +168,8 @@
href: references/windows-autopatch-changes-to-tenant.md
- name: Windows Autopatch groups public preview addendum
href: references/windows-autopatch-groups-public-preview-addendum.md
- name: Driver and firmware updates public preview addendum
href: references/windows-autopatch-driver-and-firmware-updates-public-preview-addendum.md
- name: What's new
href:
items:

65
windows/deployment/windows-autopatch/operate/windows-autopatch-manage-driver-and-firmware-updates.md Normal file
View File

@ -0,0 +1,65 @@
---
title: Manage driver and firmware updates
description: This article explains how you can manage driver and firmware updates with Windows Autopatch
ms.date: 07/04/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: how-to
ms.localizationpriority: medium
author: tiaraquan
ms.author: tiaraquan
manager: dougeby
ms.reviewer: andredm7
ms.collection:
- highpri
- tier1
---
# Manage driver and firmware updates (public preview)
> [!IMPORTANT]
> This feature is in **public preview**. The feature is being actively developed, and might not be complete. You can test and use these features in production environments and provide feedback.
You can manage and control your driver and firmware updates with Windows Autopatch. You can choose to receive driver and firmware updates automatically, or self-manage the deployment.
> [!TIP]
> Windows Autopatch's driver and firmware update management is based on [Intunes driver and firmware update management](/mem/intune/protect/windows-driver-updates-overview). You can use **both** Intune and Windows Autopatch to manage your driver and firmware updates.
## Automatic and Self-managed modes
Switching the toggle between Automatic and Self-managed modes creates driver profiles on a per-ring basis within your tenant.
| Modes | Description |
| ----- | -----|
| Automatic | We recommend using **Automatic** mode.<p>Automatic mode (default) is recommended for organizations with standard Original Equipment Manufacturer (OEM) devices where no recent driver or hardware issues have occurred due to Windows Updates. Automatic mode ensures the most secure drivers are installed using Autopatch deployment ring rollout.</p> |
| Self-managed | When you use the the **Self-managed** mode for drivers and firmware, no drivers are installed in your environment without your explicit approval. You can still use Intune to choose specific drivers and deploy them on a ring-by-ring basis.<p>Self-managed mode turns off Windows Autopatchs automatic driver deployment. Instead, the Administrator controls the driver deployment.<p>The Administrator selects the individual driver within an Intune driver update profile. Then, Autopatch creates an Intune driver update profile per deployment ring. Drivers can vary between deployment rings.</p><p>The drivers listed for selection represent only the drivers needed for the targeted clients, which are the Autopatch rings. Therefore, the drivers offered may vary between rings depending on the variety of device hardware in an organization.</p> |
## Set driver and firmware updates to Automatic or Self-managed mode
**To set driver and firmware updates to Automatic or Self-managed mode:**
1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. Navigate to **Devices** > **Windows Autopatch** > **Release management** > **Release settings**.
1. In the **Windows Driver Updates** section, read and accept the agreement.
1. Select either **Automatic** or **Self-managed**.
## View driver and firmware policies created by Windows Autopatch
**To view driver and firmware policies created by Windows Autopatch:**
1. Go to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. Navigate to **Devices** > **Driver updates for Windows 10 and later**.
1. Windows Autopatch creates four policies. The policy names begin with **Windows Autopatch Driver Update Policy** and end with the name of the ring to which they're targeted in brackets. For example, **Windows Autopatch Driver Update Policy [Test]**.
The `CreateDriverUpdatePolicy` is created for the Test, First, Fast, and Broad deployment rings. The policy settings are defined in the following table:
| Policy name | DisplayName | Description | Approval Type | DeploymentDeferralInDays |
| ----- | ----- | ----- | ----- | ----- |
| `CreateDriverUpdatePolicy` | Windows Autopatch Driver Update policy [Test/First/Fast/Broad] | Driver Update Policy for device Test/First/Fast/Broad group | Automatic | `0` |
> [!NOTE]
> In public preview, the DeploymentDeferralInDays setting is set to `0` for all deployment rings.
## Feedback and support
If you need support with this feature, and have enrolled your tenant into Windows Autopatch, [submit a support request](../operate/windows-autopatch-support-request.md).

12
windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md
View File

@ -1,7 +1,7 @@
---
title: Microsoft 365 Apps for enterprise
description: This article explains how Windows Autopatch manages Microsoft 365 Apps for enterprise updates
ms.date: 03/10/2023
ms.date: 06/23/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: how-to
@ -41,9 +41,9 @@ For a device to be eligible for Microsoft 365 Apps for enterprise updates (both
## Update release schedule
All devices registered for Windows Autopatch will receive updates from the [Monthly Enterprise Channel](/deployoffice/overview-update-channels#monthly-enterprise-channel-overview). This practice provides your users with new features each month, and they'll receive just one update per month on a predictable release schedule. Updates are released on the second Tuesday of the month; these updates can include feature, security, and quality updates. These updates occur automatically and pulled directly from the Office Content Delivery Network (CDN).
All devices registered for Windows Autopatch receive updates from the [Monthly Enterprise Channel](/deployoffice/overview-update-channels#monthly-enterprise-channel-overview). This practice provides your users with new features each month, and they receive just one update per month on a predictable release schedule. Updates are released on the second Tuesday of the month; these updates can include feature, security, and quality updates. These updates occur automatically and pulled directly from the Office Content Delivery Network (CDN).
Unlike Windows update, the Office CDN doesn't make the update available to all devices at once. Over the course of the release, the Office CDN gradually makes the update available to the whole population of devices. Windows Autopatch doesn't control the order in which updates are offered to devices across your estate. After the update downloads, there's a seven day [update deadline](/deployoffice/configure-update-settings-microsoft-365-apps) that specifies how long the user has until the user must apply the update.
Unlike Windows update, the Office CDN doesn't make the update available to all devices at once. Over the course of the release, the Office CDN gradually makes the update available to the whole population of devices. Windows Autopatch doesn't control the order in which updates are offered to devices across your estate. After the update downloads, there's a seven day [update deadline](../references/windows-autopatch-microsoft-365-policies.md) that specifies how long the user has until the user must apply the update.
## Deployment rings
@ -81,7 +81,7 @@ Windows Autopatch doesn't allow you to pause or roll back an update in the Micro
## Allow or block Microsoft 365 App updates
For organizations seeking greater control, you can allow or block Microsoft 365 App updates for Windows Autopatch-enrolled devices. When the Microsoft 365 App update setting is set to **Block**, Windows Autopatch won't provide Microsoft 365 App updates on your behalf, and your organizations will have full control over these updates. For example, you can continue to receive updates from [channels](/deployoffice/overview-update-channels) other than the default [Monthly Enterprise Channel](/deployoffice/overview-update-channels#monthly-enterprise-channel-overview).
For organizations seeking greater control, you can allow or block Microsoft 365 App updates for Windows Autopatch-enrolled devices. When the Microsoft 365 App update setting is set to **Block**, Windows Autopatch doesn't provide Microsoft 365 App updates on your behalf, and your organizations have full control over these updates. For example, you can continue to receive updates from [channels](/deployoffice/overview-update-channels) other than the default [Monthly Enterprise Channel](/deployoffice/overview-update-channels#monthly-enterprise-channel-overview).
**To allow or block Microsoft 365 App updates:**
@ -120,12 +120,12 @@ For organizations seeking greater control, you can allow or block Microsoft 365
[Servicing profiles](/deployoffice/admincenter/servicing-profile) is a feature in the [Microsoft 365 Apps admin center](https://config.office.com/) that provides controlled update management of monthly Office updates, including controls for user and device targeting, scheduling, rollback, and reporting.
A [service profile](/deployoffice/admincenter/servicing-profile#compatibility-with-other-management-tools) takes precedence over other policies, such as a Microsoft Intune policy or the Office Deployment Tool. The servicing profile will affect all devices that meet the [device eligibility requirements](#device-eligibility) regardless of existing management tools in your environment. So, if you're targeting a managed device with a servicing profile it will be ineligible for Microsoft 365 App update management.
A [service profile](/deployoffice/admincenter/servicing-profile#compatibility-with-other-management-tools) takes precedence over other policies, such as a Microsoft Intune policy or the Office Deployment Tool. The servicing profile affects all devices that meet the [device eligibility requirements](#device-eligibility) regardless of existing management tools in your environment. So, if you're targeting a managed device with a servicing profile it's ineligible for Microsoft 365 App update management.
However, the device may still be eligible for other managed updates. For more information about a device's eligibility for a given [software update workload](windows-autopatch-update-management.md#software-update-workloads), see the Device eligibility section of each respective software update workload.
## Incidents and outages
If devices in your tenant aren't meeting the [service level objective](#service-level-objective) for Microsoft 365 Apps for enterprise updates, an incident will be raised. The Windows Autopatch Service Engineering Team will work to bring the devices back into compliance.
If devices in your tenant aren't meeting the [service level objective](#service-level-objective) for Microsoft 365 Apps for enterprise updates, an incident is raised. The Windows Autopatch Service Engineering Team will work to bring the devices back into compliance.
If you're experiencing issues related to Microsoft 365 Apps for enterprise updates, [submit a support request](../operate/windows-autopatch-support-request.md).

4
windows/deployment/windows-autopatch/overview/windows-autopatch-roles-responsibilities.md
View File

@ -1,7 +1,7 @@
---
title: Roles and responsibilities
description: This article describes the roles and responsibilities provided by Windows Autopatch and what the customer must do
ms.date: 03/08/2023
ms.date: 06/27/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
@ -47,6 +47,7 @@ This article outlines your responsibilities and Windows Autopatch's responsibili
| Remove your devices from existing unsupported [Windows update](../references/windows-autopatch-windows-update-unsupported-policies.md) and [Microsoft 365](../references/windows-autopatch-microsoft-365-policies.md) policies | :heavy_check_mark: | :x: |
| [Turn on or off expedited Windows quality updates](../operate/windows-autopatch-windows-quality-update-overview.md#expedited-releases) | :heavy_check_mark: | :x: |
| [Allow or block Microsoft 365 Apps for enterprise updates](../operate/windows-autopatch-microsoft-365-apps-enterprise.md#allow-or-block-microsoft-365-app-updates) | :heavy_check_mark: | :x: |
| [Manage driver and firmware updates](../operate/windows-autopatch-manage-driver-and-firmware-updates.md) | :heavy_check_mark: | :x: |
| [Customize Windows Update settings](../operate/windows-autopatch-windows-update.md) | :heavy_check_mark: | :x: |
| [Register devices/add devices to the Windows Autopatch Device Registration group](../deploy/windows-autopatch-register-devices.md#steps-to-register-devices-using-the-classic-method) | :heavy_check_mark: | :x: |
| [Run the pre-registration device readiness checks](../deploy/windows-autopatch-register-devices.md#about-the-registered-not-ready-and-not-registered-tabs) | :x: | :heavy_check_mark: |
@ -69,6 +70,7 @@ This article outlines your responsibilities and Windows Autopatch's responsibili
| [Maintain the Test deployment ring membership](../operate/windows-autopatch-update-management.md#deployment-ring-calculation-logic) | :heavy_check_mark: | :x: |
| Monitor [Windows update signals](../operate/windows-autopatch-windows-quality-update-signals.md) for safe update release | :x: | :heavy_check_mark: |
| Test specific [business update scenarios](../operate/windows-autopatch-windows-quality-update-signals.md) | :heavy_check_mark: | :x: |
| [Manage driver and firmware updates](../operate/windows-autopatch-manage-driver-and-firmware-updates.md) | :heavy_check_mark: | :x: |
| [Customize Windows Update settings](../operate/windows-autopatch-windows-update.md) | :heavy_check_mark: | :x: |
| [Define and implement service default release schedule](../operate/windows-autopatch-windows-quality-update-overview.md) | :x: | :heavy_check_mark: |
| Communicate the update [release schedule](../operate/windows-autopatch-windows-quality-update-communications.md) | :x: | :heavy_check_mark: |

4
windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md
View File

@ -1,7 +1,7 @@
---
title: Changes made at tenant enrollment
description: This reference article details the changes made to your tenant when enrolling into Windows Autopatch
ms.date: 01/24/2023
ms.date: 06/23/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: reference
@ -108,7 +108,7 @@ The following groups target Windows Autopatch configurations to devices and mana
| Policy name | Policy description | Properties | Value |
| ----- | ----- | ----- | ----- |
| Windows Autopatch-OfficeConfiguration | SetsOfficeUpdateChanneltotheMonthlyEnterpriseservicingbranch.<p>Assigned to:<ol><li>ModernWorkplaceDevices-WindowsAutopatch-Test</li><li>Modern Workplace Devices-Windows Autopatch-First</li><li>Modern Workplace Devices-Windows Autopatch-Fast</li><li>Modern Workplace Devices-Windows Autopatch-Broad</li></ol>|<ol><li>Enable Automatic Updates</li><li>Hide option to enable or disable updates</li><li>Update Channel</li><li>Channel Name (Device)</li><li>Hide Update Notifications</li><li>Update Path</li></ol> |<ol><li>Enabled</li><li>Enabled</li><li>Enabled</li><li>Monthly Enterprise Channel</li><li>Disabled</li><li>Enabled</li></ol> |
| Windows Autopatch-OfficeConfiguration | SetsOfficeUpdateChanneltotheMonthlyEnterpriseservicingbranch.<p>Assigned to:<ol><li>ModernWorkplaceDevices-WindowsAutopatch-Test</li><li>Modern Workplace Devices-Windows Autopatch-First</li><li>Modern Workplace Devices-Windows Autopatch-Fast</li><li>Modern Workplace Devices-Windows Autopatch-Broad</li></ol>|<ol><li>Enable Automatic Updates</li><li>Hide option to enable or disable updates</li><li>Update Channel</li><li>Channel Name (Device)</li><li>Hide Update Notifications</li><li>Update Path</li><li>Location for updates (Device)</li></ol> |<ol><li>Enabled</li><li>Enabled</li><li>Enabled</li><li>Monthly Enterprise Channel</li><li>Disabled</li><li>Enabled</li><li>`http://officecdn.microsoft.com/pr/55336b82-a18d-4dd6-b5f6-9e5095c314a6`</li></ol> |
| Windows Autopatch-OfficeUpdateConfiguration[Test] | Sets theOfficeupdatedeadline<p>Assigned to:<ol><li>ModernWorkplaceDevices-WindowsAutopatch-Test</li></ol> |<ol><li>Delay downloading and installing updates for Office</li><li>Update Deadline</li></ol>|<ol><li>Enabled; `Days(Device) == 0 days`</li></li><li>Enabled; `Update Deadline(Device) == 7 days`</li></ol>|
| Windows Autopatch-OfficeUpdateConfiguration[First] | Setsthe Officeupdatedeadline<p>Assigned to:<ol><li>ModernWorkplaceDevices-WindowsAutopatch-First</li></ol> |<ol><li>Delay downloading and installing updates for Office</li><li>Update Deadline</li></ol> | <ol><li>Enabled; `Days(Device) == 0 days`</li><li>Enabled; `Update Deadline(Device) == 7 days`</li></ol>|
| Windows Autopatch-OfficeUpdateConfiguration[Fast] | Setsthe Officeupdatedeadline<p>Assigned to:<ol><li>ModernWorkplaceDevices-WindowsAutopatch-Fast</li></ol>|<ol><li>Delay downloading and installing updates for Office</li><li>Update Deadline</li></ol>| <ol><li>Enabled; `Days(Device) == 3 days`</li><li>Enabled; `Update Deadline(Device) == 7 days`</li></ol>|

29
windows/deployment/windows-autopatch/references/windows-autopatch-driver-and-firmware-updates-public-preview-addendum.md Normal file
View File

@ -0,0 +1,29 @@
---
title: Driver and firmware updates for Windows Autopatch Public Preview Addendum
description: This article explains how driver and firmware updates are managed in Autopatch
ms.date: 06/26/2023
ms.prod: w11
ms.technology: windows
ms.topic: conceptual
ms.localizationpriority: medium
author: tiaraquan
ms.author: tiaraquan
manager: dougeby
msreviewer: hathind
---
# Driver and Firmware Updates for Windows Autopatch Public Preview Addendum
**This Driver and Firmware Updates for Windows Autopatch Public Preview Addendum ("Addendum") to the Microsoft Product Terms Universal License Terms for Online Services** (as provided at: [Microsoft Product Terms](https://www.microsoft.com/licensing/terms/product/ForOnlineServices/all) (the "**Product Terms**")) is entered into between Microsoft Corporation, a Washington corporation having its principal place of business at One Microsoft Way, Redmond, Washington, USA 98052-6399 (or based on where Customer lives, one of Microsoft's affiliates) ("**Microsoft**"), and you ("**Customer**").
For good and valuable consideration, the receipt and sufficiency of which is acknowledged, the parties agree as follows:
Microsoft desires to preview the Driver and Firmware Updates for Windows Autopatch service it's developing ("**Driver and Firmware Updates Preview**”) in order to evaluate it. Customer would like to particulate this Driver and Firmware Updates Preview under the Product Terms and this Addendum. Driver and Firmware Updates Preview consists of features and services that are in preview, beta, or other prerelease form. Driver and Firmware Updates Preview is subject to the "preview" terms set forth in the Product Terms Universal License Terms for Online Services.
## Definitions
Capitalized terms used but not defined herein have the meanings given in the Product Terms.
## Data Handling
Driver and Firmware Updates Preview integrates Customer Data from other Products, including Windows, Microsoft Intune, Azure Active Directory, and Office (collectively for purposes of this provision "Windows Autopatch Input Services"). Once Customer Data from Windows Autopatch Input Services is integrated into Driver and Firmware Updates Preview, only the Product Terms and [DPA provisions](https://www.microsoft.com/licensing/terms/product/Glossary/all) applicable to Driver and Firmware Updates Preview apply to that data.

22
windows/deployment/windows-autopatch/references/windows-autopatch-microsoft-365-policies.md
View File

@ -1,7 +1,7 @@
---
title: Microsoft 365 Apps for enterprise update policies
description: This article explains the Microsoft 365 Apps for enterprise policies in Windows Autopatch
ms.date: 07/11/2022
ms.date: 06/23/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: conceptual
@ -22,14 +22,14 @@ Deploying any of the following policies to a managed device makes that device in
### Update policies
Window Autopatch deploys mobile device management (MDM) policies to configure Microsoft 365 Apps and requires a specific configuration. If any [Microsoft 365 Apps update settings](/deployoffice/configure-update-settings-microsoft-365-apps) are deployed which conflict with our policies, then the device won't be eligible for management.
Window Autopatch deploys mobile device management (MDM) policies to configure Microsoft 365 Apps and requires a specific configuration. If any [Microsoft 365 Apps update settings](/deployoffice/configure-update-settings-microsoft-365-apps) are deployed which conflict with our policies, then the device isn't eligible for management.
| Update setting | Value | Usage reason |
| ----- | ----- | ----- |
| Set updates to occur automatically | Enabled | Enable automatic updates |
| Specify a location to look for updates | Blank | Don't use this setting since it overwrites the update branch |
| Update channel | Monthly Enterprise | Supported channel for Windows Autopatch |
| Specify the version of Microsoft 365 Apps to update to | Variable | Used to roll back to a previous version if an error occurs |
| Set a deadline by when updates must be applied | 7 | Update deadline |
| Hide update notifications from users | Turned off | Users should be notified when Microsoft 365 Apps are being updated |
| Hide the option to turn on or off automatic Office updates | Turned on | Prevents users from disabling automatic updates |
| Setting name | Test | First | Fast | Broad | Usage reason |
| ----- | ----- | ----- | ----- | ----- | ----- |
| Set updates to occur automatically | Turned on | Turned on | Turned on | Turned on | Turn on automatic updates |
| Specify a location to look for updates | Blank | Blank | Blank | Blank | Don't use this setting because it overwrites the update branch |
| Specify the version of Microsoft Apps to update to | Variable | Variable | Variable | Variable | Used to roll back to a previous version if an error occurs |
| Set a deadline when updates must be applied | 7 | 7 | 7 | 7 | Updates must be applied by the specified deadline |
| Sets the Office update deferral | 0 | 0 | 3 | 7| Delay downloading and installing updates for Office |
| Hide update notifications from end users | Turned off | Turned off | Turned off | Turned off | End users should be notified when Microsoft 365 Apps are being updated |
| Hide the option to turn on or off automatic Office updates | Turned on | Turned on | Turned on | Turned on | Prevents end users from turning off automatic updates |

33
windows/deployment/windows-autopatch/whats-new/windows-autopatch-whats-new-2023.md
View File

@ -1,7 +1,7 @@
---
title: What's new 2023
description: This article lists the 2023 feature releases and any corresponding Message center post numbers.
ms.date: 06/12/2023
ms.date: 06/26/2023
ms.prod: windows-client
ms.technology: itpro-updates
ms.topic: whats-new
@ -21,9 +21,28 @@ This article lists new and updated feature releases, and service releases, with
Minor corrections such as typos, style, or formatting issues aren't listed.
## June 2023
### June feature releases or updates
| Article | Description |
| ----- | ----- |
| [Manage driver and firmware updates](../operate/windows-autopatch-manage-driver-and-firmware-updates.md) | New article on how to manage driver and firmware updates. This feature is in public preview |
| [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md) | Added Location for updates (Device) setting and value to the [Windows Autopatch - Office Configuration policy](../references/windows-autopatch-changes-to-tenant.md#microsoft-office-update-policies) |
| [Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md) | Updated [deadline link](../operate/windows-autopatch-microsoft-365-apps-enterprise.md#behavior-during-updates) |
| [Microsoft 365 Apps for enterprise update policies](../references/windows-autopatch-microsoft-365-policies.md) | Updated the [Update policies](../references/windows-autopatch-microsoft-365-policies.md#update-policies) section |
### June service releases
| Message center post number | Description |
| ----- | ----- |
| [MC604889](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Expanding Windows Autopatch availability in August 2023 |
| [MC602590](https://admin.microsoft.com/adminportal/home#/MessageCenter) | June 2023 Windows Autopatch baseline configuration update |
| [MC591864](https://admin.microsoft.com/adminportal/home#/MessageCenter) | Updated ticket categories to reduce how long it takes to resolve support requests |
## May 2023
### May 2023 feature release
### May feature releases or updates
| Article | Description |
| ----- | ----- |
@ -51,7 +70,7 @@ Minor corrections such as typos, style, or formatting issues aren't listed.
| [Policy health and remediation](../operate/windows-autopatch-policy-health-and-remediation.md) | Add new Policy health and remediation feature. This feature is in public preview |
| [Windows Autopatch groups public preview addendum](../references/windows-autopatch-groups-public-preview-addendum.md) | Added addendum for the Windows Autopatch groups public preview |
## May service release
### May service releases
| Message center post number | Description |
| ----- | ----- |
@ -65,7 +84,7 @@ Minor corrections such as typos, style, or formatting issues aren't listed.
| ----- | ----- |
| [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md) | Updated the [Deployment rings for Windows 10 and later](../references/windows-autopatch-changes-to-tenant.md#deployment-rings-for-windows-10-and-later) section |
### April service release
### April service releases
| Message center post number | Description |
| ----- | ----- |
@ -83,7 +102,7 @@ Minor corrections such as typos, style, or formatting issues aren't listed.
| [Microsoft 365 Apps for enterprise](../operate/windows-autopatch-microsoft-365-apps-enterprise.md) | <ul><li>Added support for subscription versions of Microsoft Project and Visio desktop apps</li><li>Updated device eligibility criteria</li><li>Clarified update controls</li></ul> |
| [Customize Windows Update settings](../operate/windows-autopatch-windows-update.md) | New [Customize Windows Update settings](../operate/windows-autopatch-windows-update.md) feature. This feature is in public preview<ul><li>[MC524715](https://admin.microsoft.com/adminportal/home#/MessageCenter)</li></ul>|
### March service release
### March service releases
| Message center post number | Description |
| ----- | ----- |
@ -107,7 +126,7 @@ Minor corrections such as typos, style, or formatting issues aren't listed.
| [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md) | Updated Feature update policies section with Windows Autopatch - DSS Policy [deployment ring] |
| [Register your devices](../deploy/windows-autopatch-register-devices.md) |<ul><li>Updated the [Built-in roles required for registration](../deploy/windows-autopatch-register-devices.md#built-in-roles-required-for-device-registration) section</li><li>Added more information about assigning less-privileged user accounts</li></ul> |
### February service release
### February service releases
| Message center post number | Description |
| ----- | ----- |
@ -126,7 +145,7 @@ Minor corrections such as typos, style, or formatting issues aren't listed.
| [Submit a tenant enrollment support request](../prepare/windows-autopatch-enrollment-support-request.md) | Added the Submit a tenant enrollment support request section. You can submit a tenant enrollment support request through the Tenant enrollment tool if you're running into issues with enrollment |
| [Submit a support request](../operate/windows-autopatch-support-request.md) | Added Premier and Unified support options section |
### January service release
### January service releases
| Message center post number | Description |
| ----- | ----- |

3
windows/hub/breadcrumb/toc.yml
View File

@ -59,9 +59,6 @@ items:
- name: OS
tocHref: /windows/security/operating-system-security/
topicHref: /windows/security/operating-system-security/
- name: Network
tocHref: /windows/security/operating-system-security/network-security/
topicHref: /windows/security/operating-system-security/network-security/
- name: Windows Defender Firewall
tocHref: /windows/security/operating-system-security/network-security/windows-firewall/
topicHref: /windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security

4
windows/hub/index.yml
View File

@ -30,7 +30,7 @@ highlightedContent:
url: https://www.microsoft.com/en-us/download/details.aspx?id=104594
- title: Windows release health
itemType: whats-new
url: /windows-insider/get-started
url: /windows/release-health
- title: Windows commercial licensing
itemType: overview
url: /windows/whats-new/windows-licensing
@ -73,7 +73,7 @@ productDirectory:
text: Windows Defender Credential Guard
- url: /windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust
text: Windows Hello for Business cloud Kerberos trust
- url: /education/windows/tutorial-school-deployment/windows/security/threat-protection/windows-defender-application-control/
- url: /windows/security/threat-protection/windows-defender-application-control
text: Windows Defender Application Control (WDAC)
- url: /windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview
text: Microsoft Defender Application Guard

17
windows/privacy/configure-windows-diagnostic-data-in-your-organization.md
View File

@ -368,21 +368,12 @@ If you dont sign up for any of these enterprise services, Microsoft will act
> - Windows 10, versions 1809, 1903, 1909, and 2004.
> - Newer versions of Windows 10 and Windows 11 that have not updated yet to at least the January 2023 preview cumulative update.
Use the instructions below to enable Windows diagnostic data processor configuration using a single setting, through Group Policy, or an MDM solution.
To enable Windows diagnostic data processor configuration, you can use Group Policy or a custom setting in an MDM solution, such as Microsoft Intune.
In Group Policy, to enable Windows diagnostic data processor configuration, go to **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** and switch the **Allow commercial data pipeline** setting to **enabled**.
- For Group Policy, you can use the “Allow commercial data pipeline” policy, which is also available in the Intune [settings catalog](/mem/intune/configuration/settings-catalog).
- For an MDM solution, you can use the AllowCommercialDataPipeline setting in the System Policy configuration service provider (CSP).
If you wish to disable, at any time, switch the same setting to **disabled**. The default state of the above setting is **disabled**.
To use an MDM solution, such as [Microsoft Intune](/mem/intune/configuration/custom-settings-windows-10), to deploy the Windows diagnostic data processor configuration to your supported devices, use the following custom OMA-URI setting configuration:
- **Name:** System/AllowCommercialDataPipeline
- **OMA-URI:** ./Vendor/MSFT/Policy/Config/System/AllowCommercialDataPipeline
- **Data type:** Integer
Under **Value**, use **1** to enable the service.
If you wish to disable, at any time, switch the same setting to **0**. The default value is **0**.
For more information about AllowCommercialDataPipeline and the “Allow commercial data pipeline” policy, [review this information](/windows/client-management/mdm/policy-csp-system#allowcommercialdatapipeline).
## Change privacy settings on a single server

8
windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
View File

@ -1916,9 +1916,13 @@ Add a REG_DWORD value named **DisableOneSettingsDownloads** to **HKEY_LOCAL_MACH
Widgets is a news and feeds service that can be customized by the user. If you turn off this service, apps using this service may stop working.
You can turn off Widgets by setting the following registry entries:
To turn off Widgets, you can use Group Policy or a custom setting in an MDM solution, such as Microsoft Intune.
- For Group Policy, you can use the “Allow widgets” policy, which is also available in the Intune [settings catalog](/mem/intune/configuration/settings-catalog).
- For an MDM solution, you can use the AllowNewsAndInterests setting in the NewsandInterests configuration service provider (CSP).
For more information about AllowNewsAndInterests and the “Allow widgets” policy, [review this information](/windows/client-management/mdm/policy-csp-newsandinterests#allownewsandinterests).
Add a REG_DWORD value named **AllowWidgets** to **HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Widgets** and set the value to **0**.
### <a href="" id="bkmk-allowedtraffic"></a> Allowed traffic list for Windows Restricted Traffic Limited Functionality Baseline

174
windows/privacy/manage-windows-11-endpoints.md
View File

@ -6,8 +6,8 @@ ms.technology: itpro-privacy
ms.localizationpriority: high
author: DHB-MSFT
ms.author: danbrown
manager: dougeby
ms.date: 01/18/2018
manager: laurawi
ms.date: 06/23/2023
ms.topic: reference
---
@ -26,15 +26,15 @@ Some Windows components, app, and related services transfer data to Microsoft ne
- Using your location to show a weather forecast.
Details about the different ways to control traffic to these endpoints are covered in [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md).
Where applicable, each endpoint covered in this topic includes a link to the specific details on how to control that traffic.
Where applicable, each endpoint covered in this article includes a link to the specific details on how to control that traffic.
The following methodology was used to derive these network endpoints:
1. Set up the latest version of Windows 11 on a test virtual machine using the default settings.
2. Leave the device(s) running idle for a week ("idle" means a user is not interacting with the system/device).
2. Leave the device(s) running idle for a week ("idle" means a user isn't interacting with the system/device).
3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
4. Compile reports on traffic going to public IP addresses.
5. The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure Active Directory.
5. The test virtual machine(s) was logged into using a local account, and wasn't joined to a domain or Azure Active Directory.
6. All traffic was captured in our lab using an IPV4 network. Therefore, no IPV6 traffic is reported here.
7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different.
8. These tests were conducted for one week, but if you capture traffic for longer you may have different results.
@ -42,109 +42,125 @@ The following methodology was used to derive these network endpoints:
> [!NOTE]
> Microsoft uses global load balancers that can appear in network trace-routes. For example, an endpoint for *.akadns.net might be used to load balance requests to an Azure datacenter, which can change over time.
To view endpoints for non-Enterprise Windows 11 editions, see [Windows 11 connection endpoints for non-Enterprise editions](windows-11-endpoints-non-enterprise-editions.md).
## Windows 11 Enterprise connection endpoints
|Area|Description|Protocol|Destination|
|----------------|----------|----------|------------|
|Apps|||[Learn how to turn off traffic to the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)|
||The following endpoint is used for the Weather app. To turn off traffic for this endpoint, either uninstall the Weather app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTP|tile-service.weather.microsoft.com|
||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS/HTTP|cdn.onenote.net|
||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS|evoke-windowsservices-tas.msedge.net|
|Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA) are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates where the server certificate issuer is unknown or is not trusted by the service. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism.<br> <br>If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)|
|||TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com|
|Cortana and Live Tiles|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana)|
||The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.|TLSv1.2/HTTPS/HTTP|www.bing.com*|
|Apps|||[Learn how to turn off traffic to the following endpoint(s) for apps.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)|
||The following endpoint is used for the Weather app. To turn off traffic for this endpoint, either uninstall the Weather app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps can't be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTP|tile-service.weather.microsoft.com|
||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps can't be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS/HTTP|cdn.onenote.net|
||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps can't be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS|evoke-windowsservices-tas.msedge.net|
|Certificates|||[Learn how to turn off traffic to all of the following endpoint(s) for certificates.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)|
||Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA) are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates where the server certificate issuer is unknown or isn't trusted by the service. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism.<br> <br>If automatic updates are turned off, applications and websites may stop working because they didn't receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device. |TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com|
|Cortana and Live Tiles|||[Learn how to turn off traffic to all of the following endpoint(s) for Cortana and Live Tiles.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana)|
||The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you'll block updates to Cortana greetings, tips, and Live Tiles.|TLSv1.2/HTTPS/HTTP|www.bing.com*|
|||HTTPS|business.bing.com|
|||HTTP|c.bing.com|
|||HTTP|th.bing.com|
|||HTTP|c-ring.msedge.net|
|||TLSv1.2/HTTPS/HTTP|fp.msedge.net|
|||TLSv1.2|I-ring.msedge.net|
|||HTTPS|s-ring.msedge.net|
|Device authentication|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)|
||The following endpoint is used to authenticate a device. If you turn off traffic for this endpoint, the device will not be authenticated.|HTTPS|login.live.com*|
|Device metadata|The following endpoint is used to retrieve device metadata. If you turn off traffic for this endpoint, metadata will not be updated for the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#4-device-metadata-retrieval)|
|||HTTP|dmd.metaservices.microsoft.com|
|Diagnostic Data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)|
|||HTTPS/HTTP|s-ring.msedge.net|
|||HTTP|dual-s-ring.msedge.net|
|||HTTP|creativecdn.com|
|||HTTP|edgeassetservice.azureedge.net|
|Device authentication|||[Learn how to turn off traffic to all of the following endpoint(s) for device authentication.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)|
||The following endpoint is used to authenticate a device. If you turn off traffic for this endpoint, the device won't be authenticated.|HTTPS|login.live.com*|
|Device metadata|||[Learn how to turn off traffic to all of the following endpoint(s) for device metadata.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#4-device-metadata-retrieval)|
||The following endpoint is used to retrieve device metadata. If you turn off traffic for this endpoint, metadata won't be updated for the device.|HTTP|dmd.metaservices.microsoft.com|
|Diagnostic Data| ||[Learn how to turn off traffic to all of the following endpoint(s) for diagnostic data.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)|
||The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, won't be sent back to Microsoft.|TLSv1.2/HTTP|self.events.data.microsoft.com|
|||TLSv1.2/HTTPS/HTTP|v10.events.data.microsoft.com|
||The following endpoints are used by Windows Error Reporting. To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft.|TLSv1.2|telecommand.telemetry.microsoft.com|
||The following endpoints are used by Windows Error Reporting. To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information won't be sent back to Microsoft.|TLSv1.2|telecommand.telemetry.microsoft.com|
|||TLS v1.2/HTTPS/HTTP|watson.*.microsoft.com|
|Font Streaming|The following endpoints are used to download fonts on demand. If you turn off traffic for these endpoints, you will not be able to download fonts on demand.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#6-font-streaming)|
|||HTTPS|fs.microsoft.com|
|Licensing|The following endpoint is used for online activation and some app licensing. To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#9-license-manager)|
|||TLSv1.2/HTTPS/HTTP|licensing.mp.microsoft.com|
|Maps|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-offlinemaps)|
||The following endpoints are used to check for updates to maps that have been downloaded for offline use. If you turn off traffic for this endpoint, offline maps will not be updated.|TLSv1.2/HTTPS/HTTP|maps.windows.com|
|Microsoft Account|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account)|
||The following endpoints are used for Microsoft accounts to sign in. If you turn off traffic for these endpoints, users cannot sign in with Microsoft accounts. |TLSv1.2/HTTPS|login.live.com|
|Microsoft Edge|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#13-microsoft-edge)|
|||TLSv1.2|www.telecommandsvc.microsoft.com|
|Font Streaming|||[Learn how to turn off traffic to all of the following endpoint(s) for font streaming.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#6-font-streaming)|
||The following endpoint is used to download fonts on demand. If you turn off traffic for these endpoints, you won't be able to download fonts on demand.|HTTPS|fs.microsoft.com|
|Licensing|||[Learn how to turn off traffic to all of the following endpoint(s) for licensing.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#9-license-manager)|
||The following endpoint is used for online activation and some app licensing. To turn off traffic for this endpoint, disable the Windows License Manager Service. This will also block online activation and app licensing may not work.|TLSv1.2/HTTPS/HTTP|licensing.mp.microsoft.com|
|Location|||[Learn how to turn off traffic to all of the following endpoint(s) for location.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#182-location)|
||The following endpoint is used for location data. If you turn off traffic for this endpoint, apps can't use location data.|TLSv1.2|inference.location.live.net|
|Maps|||[Learn how to turn off traffic to all of the following endpoint(s) for maps.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-offlinemaps)|
||The following endpoints are used to check for updates to maps that have been downloaded for offline use. If you turn off traffic for this endpoint, offline maps won't be updated.|TLSv1.2/HTTPS/HTTP|maps.windows.com|
|||HTTP|ecn.dev.virtualearth.net|
|||HTTP|ecn-us.dev.virtualearth.net|
|||HTTPS|weathermapdata.blob.core.windows.net|
|Microsoft Account|||[Learn how to turn off traffic to all of the following endpoint(s) for Microsoft account.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-microsoft-account)|
||The following endpoint is used for Microsoft accounts to sign in. If you turn off traffic for these endpoints, users can't sign in with Microsoft accounts. |TLSv1.2/HTTPS/HTTP|login.live.com|
|Microsoft Edge|||[Learn how to turn off traffic to all of the following endpoint(s) for Microsoft Edge.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#13-microsoft-edge)|
|||TLSv1.2/HTTP|edge.microsoft.com|
|||TLSv1.2/HTTP|windows.msn.com|
||This network traffic is related to the Microsoft Edge browser. The Microsoft Edge browser requires this endpoint to contact external websites.|HTTPS|iecvlist.microsoft.com|
||The following endpoint is used by Microsoft Edge Update service to check for new updates. If you disable this endpoint, Microsoft Edge wont be able to check for and apply new edge updates.|TLSv1.2/HTTPS/HTTP|msedge.api.cdp.microsoft.com|
|Microsoft Store|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
||The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). If you turn off traffic for these endpoints, the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTPS|img-prod-cms-rt-microsoft-com.akamaized.net|
||The following endpoint is needed to load the content in the Microsoft Store app.|HTTPS|livetileedge.dsx.mp.microsoft.com|
|Microsoft Store|||[Learn how to turn off traffic to all of the following endpoint(s) for Microsoft Store.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
||The following endpoints are used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). If you turn off traffic for these endpoints, the image files won't be downloaded, and apps can't be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|TLSv1.2/HTTPS|img-prod-cms-rt-microsoft-com.akamaized.net|
|||HTTP|img-s-msn-com.akamaized.net|
||The following endpoints are needed to load the content in the Microsoft Store app.|HTTPS|livetileedge.dsx.mp.microsoft.com|
|||HTTP|storeedgefd.dsx.mp.microsoft.com|
||The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way. If you turn off traffic for this endpoint, push notifications will no longer work, including MDM device management, mail synchronization, settings synchronization.|TLSv1.2/HTTPS|*.wns.windows.com|
||The following endpoints are used to revoke licenses for malicious apps in the Microsoft Store. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft Store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them|TLSv1.2/HTTPS/HTTP|storecatalogrevocation.storequality.microsoft.com|
||The following endpoints are used to revoke licenses for malicious apps in the Microsoft Store. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft Store, other Microsoft Store apps can't be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them|TLSv1.2/HTTPS/HTTP|storecatalogrevocation.storequality.microsoft.com|
||The following endpoint is used to get Microsoft Store analytics.|HTTPS|manage.devcenter.microsoft.com|
||The following endpoints are used to communicate with Microsoft Store. If you turn off traffic for these endpoints, apps cannot be installed or updated from the Microsoft Store.|TLSv1.2/HTTPS/HTTP|displaycatalog.mp.microsoft.com|
|||HTTPS|pti.store.microsoft.com|
||The following endpoints are used to communicate with Microsoft Store. If you turn off traffic for these endpoints, apps can't be installed or updated from the Microsoft Store.|TLSv1.2/HTTPS/HTTP|displaycatalog.mp.microsoft.com|
|||HTTP|share.microsoft.com|
||The following endpoint is used to get Microsoft Store analytics.|TLSv1.2/HTTPS/HTTP|manage.devcenter.microsoft.com|
|Network Connection Status Indicator (NCSI)|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-ncsi)|
||Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet. If you turn off traffic for this endpoint, NCSI won't be able to determine if the device is connected to the Internet and the network status tray icon will show a warning.|HTTPS|www.msftconnecttest.com*|
|Office|The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office in a browser. For more info, see Office 365 URLs and IP address ranges. You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
|||HTTPS|www.office.com|
|Microsoft To Do|||[Learn how to turn off traffic to all of the following endpoint(s) for Microsoft To Do.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
||The following endpoints are used for the Microsoft To Do app.|HTTP|staging.to-do.officeppe.com|
|||HTTP|staging.to-do.microsoft.com|
|||TLSv1.2/HTTP|to-do.microsoft.com|
|Network Connection Status Indicator (NCSI)|||[Learn how to turn off traffic to all of the following endpoint(s) for Network Connection Status Indicator (NCSI).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-ncsi)|
||Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet. If you turn off traffic for this endpoint, NCSI won't be able to determine if the device is connected to the internet, and the network status tray icon will show a warning.|HTTPS|www.msftconnecttest.com*|
|||HTTP|ipv6.msftconnecttest.com|
|Office|||[Learn how to turn off traffic to all of the following endpoint(s) for Office.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
||The following endpoints are used to connect to the Office 365 portal's shared infrastructure, including Office in a browser. For more info, see Office 365 URLs and IP address ranges. You can turn this off by removing all Microsoft Office apps and the Mail and Calendar apps. If you turn off traffic for these endpoints, users won't be able to save documents to the cloud or see their recently used documents.|HTTPS|www.office.com|
|||HTTPS|blobs.officehome.msocdn.com|
|||HTTPS|officehomeblobs.blob.core.windows.net|
|||HTTPS|self.events.data.microsoft.com|
|||TLSv1.2/HTTPS/HTTP|outlookmobile-office365-tas.msedge.net|
|OneDrive|The following endpoints are related to OneDrive. If you turn off traffic for these endpoints, anything that relies on g.live.com to get updated URL information will no longer work.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-onedrive)|
|||TLSv1.2/HTTPS/HTTP|g.live.com|
|||HTTP|officeclient.microsoft.com|
|||HTTP|ecs.nel.measure.office.net|
|||HTTPS/HTTP|telecommandstorageprod.blob.core.windows.net|
|OneDrive|||[Learn how to turn off traffic to all of the following endpoint(s) for OneDrive.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-onedrive)|
||The following endpoints are related to OneDrive. If you turn off traffic for these endpoints, anything that relies on g.live.com to get updated URL information will no longer work.|TLSv1.2/HTTPS/HTTP|g.live.com|
|||HTTP|onedrive.live.com|
|||TLSv1.2/HTTPS/HTTP|oneclient.sfx.ms|
|||HTTPS| logincdn.msauth.net|
|Settings|The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. If you turn off traffic for this endpoint, an app that uses this endpoint may stop working.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)|
|||TLSv1.2/HTTPS/HTTP|settings-win.data.microsoft.com|
|Settings|||[Learn how to turn off traffic to all of the following endpoint(s) for settings.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)|
||The following endpoints are used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. If you turn off traffic for this endpoint, an app that uses this endpoint may stop working.|TLSv1.2/HTTPS/HTTP|settings-win.data.microsoft.com|
|||HTTPS|settings.data.microsoft.com|
|Skype|The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)|
|||HTTPS/HTTP|*.pipe.aria.microsoft.com|
|Skype|||[Learn how to turn off traffic to all of the following endpoint(s) for Skype.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)|
||The following endpoints are used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft store, other Microsoft Store apps can't be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTPS/HTTP|*.pipe.aria.microsoft.com|
|||TLSv1.2/HTTPS/HTTP|config.edge.skype.com|
|Teams|The following endpoint is used for Microsoft Teams application.||[Learn how to turn off traffic to all of the following endpoint(s).]( manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
|||TLSv1.2/HTTPS/HTTP|config.teams.microsoft.com|
|Microsoft Defender Antivirus|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. If you turn off traffic for this endpoint, the device will not use Cloud-based Protection.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender)|
|||HTTPS/TLSv1.2|wdcp.microsoft.com|
||The following endpoints are used for Windows Defender SmartScreen reporting and notifications. If you turn off traffic for these endpoints, SmartScreen notifications will not appear.|HTTPS|*smartscreen-prod.microsoft.com|
|Teams|||[Learn how to turn off traffic to all of the following endpoint(s) for Teams.]( manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
||The following endpoints are used for Microsoft Teams application.|TLSv1.2/HTTPS/HTTP|config.teams.microsoft.com|
|||HTTP|teams.live.com|
|||TLSv1.2/HTTP|teams.events.data.microsoft.com|
|Microsoft Defender Antivirus|||[Learn how to turn off traffic to all of the following endpoint(s) for Microsoft Defender Antivirus.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender)|
||The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. If you turn off traffic for this endpoint, the device won't use Cloud-based Protection.|HTTPS/TLSv1.2|wdcp.microsoft.com|
||The following endpoints are used for Windows Defender SmartScreen reporting and notifications. If you turn off traffic for these endpoints, SmartScreen notifications won't appear.|HTTPS|*smartscreen-prod.microsoft.com|
|||HTTPS/HTTP|checkappexec.microsoft.com|
|Windows Spotlight|The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. If you turn off traffic for these endpoints, Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips will not be downloaded. For more information, see Windows Spotlight.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight)|
|||TLSv1.2/HTTPS/HTTP|arc.msn.com|
|Windows Spotlight|||[Learn how to turn off traffic to all of the following endpoint(s) for Windows Spotlight.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-spotlight)|
||The following endpoints are used to retrieve Windows Spotlight metadata that describes content, such as references to image locations, as well as suggested apps, Microsoft account notifications, and Windows tips. If you turn off traffic for these endpoints, Windows Spotlight will still try to deliver new lock screen images and updated content but it will fail; suggested apps, Microsoft account notifications, and Windows tips won't be downloaded. |TLSv1.2/HTTPS/HTTP|arc.msn.com|
|||HTTPS|ris.api.iris.microsoft.com|
|Windows Update|The following endpoint is used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. If you turn off traffic for this endpoint, Windows Update downloads will not be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network will not use peer devices for bandwidth reduction.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates)|
|||TLSv1.2/HTTPS/HTTP|*.prod.do.dsp.mp.microsoft.com|
|||TLSv1.2/HTTP|api.msn.com|
|||TLSv1.2/HTTP|assets.msn.com|
|||HTTP|c.msn.com|
|||HTTP|ntp.msn.com|
|||HTTP|srtb.msn.com|
|||TLSv1.2/HTTP|www.msn.com|
|||TLSv1.2/HTTP|fd.api.iris.microsoft.com|
|Windows Update|||[Learn how to turn off traffic to all of the following endpoint(s) for Windows Update.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-updates)|
||The following endpoints are used for Windows Update downloads of apps and OS updates, including HTTP downloads or HTTP downloads blended with peers. If you turn off traffic for this endpoint, Windows Update downloads won't be managed, as critical metadata that is used to make downloads more resilient is blocked. Downloads may be impacted by corruption (resulting in re-downloads of full files). Additionally, downloads of the same update by multiple devices on the same local network won't use peer devices for bandwidth reduction.|TLSv1.2/HTTPS/HTTP|*.prod.do.dsp.mp.microsoft.com|
|||HTTP|emdl.ws.microsoft.com|
||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. If you turn off traffic for these endpoints, the device will not be able to download updates for the operating system.|TLSv1.2/HTTPS/HTTP|*.dl.delivery.mp.microsoft.com|
||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. If you turn off traffic for these endpoints, the device won't be able to download updates for the operating system.|TLSv1.2/HTTPS/HTTP|*.dl.delivery.mp.microsoft.com|
|||HTTP|*.windowsupdate.com|
||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. If you turn off traffic for these endpoints, the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store. These are dependent on also enabling "Device authentication" and "Microsoft Account" endpoints.|TLSv1.2/HTTPS/HTTP|*.delivery.mp.microsoft.com|
||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. If you turn off traffic for these endpoints, the device won't be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device won't be able to acquire and update apps from the Store. These are dependent on also enabling "Device authentication" and "Microsoft Account" endpoints.|TLSv1.2/HTTPS/HTTP|*.delivery.mp.microsoft.com|
|||TLSv1.2/HTTPS/HTTP|*.update.microsoft.com|
||The following endpoint is used for compatibility database updates for Windows.|HTTPS|adl.windows.com|
||The following endpoint is used for content regulation. If you turn off traffic for this endpoint, the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all.|TLSv1.2/HTTPS/HTTP|tsfe.trafficshaping.dsp.mp.microsoft.com|
|Xbox Live|The following endpoint is used for Xbox Live.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
|||HTTPS|dlassets-ssl.xboxlive.com|
## Other Windows 10 editions
To view endpoints for other versions of Windows 10 Enterprise, see:
- [Manage connection endpoints for Windows 10, version 21H1](manage-windows-21H1-endpoints.md)
- [Manage connection endpoints for Windows 10, version 21H2](manage-windows-21H2-endpoints.md)
- [Manage connection endpoints for Windows 10, version 2004](manage-windows-2004-endpoints.md)
- [Manage connection endpoints for Windows 10, version 1909](manage-windows-1909-endpoints.md)
- [Manage connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints.md)
- [Manage connection endpoints for Windows 10, version 1809](manage-windows-1809-endpoints.md)
To view endpoints for non-Enterprise Windows 10 editions, see:
- [Windows 10, version 21H1, connection endpoints for non-Enterprise editions](windows-endpoints-21H1-non-enterprise-editions.md)
- [Windows 10, version 2004, connection endpoints for non-Enterprise editions](windows-endpoints-2004-non-enterprise-editions.md)
- [Windows 10, version 1909, connection endpoints for non-Enterprise editions](windows-endpoints-1909-non-enterprise-editions.md)
- [Windows 10, version 1903, connection endpoints for non-Enterprise editions](windows-endpoints-1903-non-enterprise-editions.md)
- [Windows 10, version 1809, connection endpoints for non-Enterprise editions](windows-endpoints-1809-non-enterprise-editions.md)
||The following endpoint is used for content regulation. If you turn off traffic for this endpoint, the Windows Update Agent will be unable to contact the endpoint, and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all.|TLSv1.2/HTTPS/HTTP|tsfe.trafficshaping.dsp.mp.microsoft.com|
|Xbox Live|||[Learn how to turn off traffic to all of the following endpoint(s) for Xbox Live.](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
||The following endpoint is used for Xbox Live.|HTTPS|dlassets-ssl.xboxlive.com|
## Related links

3
windows/privacy/windows-11-endpoints-non-enterprise-editions.md
View File

@ -68,7 +68,6 @@ The following methodology was used to derive the network endpoints:
||The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way.|TLSv1.2/HTTPS|*.wns.windows.com|
||The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store.|TLSv1.2/HTTPS/HTTP|storecatalogrevocation.storequality.microsoft.com|
||The following endpoints are used to communicate with Microsoft Store.|TLSv1.2/HTTPS/HTTP|*displaycatalog.mp.microsoft.com|
|||HTTPS|pti.store.microsoft.com|
|||HTTPS|storesdk.dsx.mp.microsoft.com|
||The following endpoint is used to get Microsoft Store analytics.|TLSv1.2/HTTPS/HTTP|manage.devcenter.microsoft.com|
||The following endpoints are used get images that are used for Microsoft Store suggestions|TLSv1.2|store-images.s-microsoft.com|
@ -139,7 +138,6 @@ The following methodology was used to derive the network endpoints:
||The following endpoint is used for the Windows Push Notification Services (WNS). WNS enables third-party developers to send toast, tile, badge, and raw updates from their own cloud service. This provides a mechanism to deliver new updates to your users in a power-efficient and dependable way.|TLSv1.2/HTTPS|*.wns.windows.com|
||The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store.|TLSv1.2/HTTPS/HTTP|storecatalogrevocation.storequality.microsoft.com|
||The following endpoints are used to communicate with Microsoft Store.|TLSv1.2/HTTPS/HTTP|*displaycatalog.mp.microsoft.com|
|||HTTPS|pti.store.microsoft.com|
|||HTTPS|storesdk.dsx.mp.microsoft.com|
||The following endpoint is used to get Microsoft Store analytics.|TLSv1.2/HTTPS/HTTP|manage.devcenter.microsoft.com|
|Network Connection Status Indicator (NCSI)|Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet.|TLSv1.2/HTTP|www.msftconnecttest.com*|
@ -210,7 +208,6 @@ The following methodology was used to derive the network endpoints:
||The following endpoint is used to revoke licenses for malicious apps in the Microsoft Store.|TLSv1.2/HTTPS/HTTP|storecatalogrevocation.storequality.microsoft.com|
|||TLSv1.2/HTTPS/HTTP|1storecatalogrevocation.storequality.microsoft.com|
||The following endpoints are used to communicate with Microsoft Store.|TLSv1.2/HTTPS/HTTP|*displaycatalog.mp.microsoft.com|
|||HTTPS|pti.store.microsoft.com|
|||HTTPS|storesdk.dsx.mp.microsoft.com|
||The following endpoint is used to get Microsoft Store analytics.|TLSv1.2/HTTPS/HTTP|manage.devcenter.microsoft.com|
|Network Connection Status Indicator (NCSI)|Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to this endpoint to determine if the device can communicate with the Internet.|TLSv1.2/HTTP|www.msftconnecttest.com*|

17
windows/security/identity-protection/hello-for-business/hello-faq.yml
View File

@ -124,6 +124,15 @@ sections:
- question: What is Event ID 300?
answer: |
This event is created when Windows Hello for Business is successfully created and registered with Azure Active Directory (Azure AD). Applications or services can trigger actions on this event. For example, a certificate provisioning service can listen to this event and trigger a certificate request. This is a normal condition and no further action is required.
- question: What happens when an unauthorized user gains possession of a device enrolled in Windows Hello for Business?
answer: |
The unauthorized user won't be able to utilize any biometric options and will have the only option to enter a PIN.
If the user attempts to unlock the device by entering random PINs, after three unsuccessful attempts the credential provider will display the following message: **You've entered an incorrect PIN several times. To try again, enter A1B2C3 below**.
Upon entering the challenge phrase *A1B2C3*, the user will be granted one more opportunity to enter the PIN. If unsuccessful, the provider will be disabled, leaving the user with the only option to reboot the device. Following the reboot, the aforementioned pattern repeats.
If unsuccessful attempts continue, the device will enter a lockout state, lasting for 1 minute after the first reboot, 2 minutes after the fourth reboot, and 10 minutes after the fifth reboot. The duration of each lockout increases accordingly. This behavior is a result of the TPM 2.0 anti-hammering feature.
For more information about the TPM anti-hammering feature, see [TPM 2.0 anti-hammering](/windows/security/information-protection/tpm/tpm-fundamentals#tpm-20-anti-hammering).
- name: Design and planning
questions:
@ -165,7 +174,7 @@ sections:
answer: |
A user will be prompted to set up a Windows Hello for Business key on an Azure AD registered devices if the feature is enabled by policy. If the user has an existing Windows Hello container, the Windows Hello for Business key will be enrolled in that container and will be protected using existing gestures.
If a user has signed into their Azure AD registered device with Windows Hello, their Windows Hello for Business key will be used to authenticate the user's work identity when they try to use Azure AD resources. The Windows Hello for Business key meets Azure AD multi-factor authentication (MFA) requirements and reduces the number of MFA prompts users will see when accessing resources.
If a user has signed into their Azure AD registered device with Windows Hello, their Windows Hello for Business key will be used to authenticate the user's work identity when they try to use Azure AD resources. The Windows Hello for Business key meets Azure AD multifactor authentication (MFA) requirements and reduces the number of MFA prompts users will see when accessing resources.
It's possible to Azure AD register a domain joined device. If the domain joined device has a convenience PIN, sign in with the convenience PIN will no longer work. This configuration isn't supported by Windows Hello for Business.
@ -176,12 +185,12 @@ sections:
- question: Does Windows Hello for Business work with Azure Active Directory Domain Services (Azure AD DS) clients?
answer: |
No, Azure AD DS is a separately managed environment in Azure, and hybrid device registration with cloud Azure AD isn't available for it via Azure AD Connect. Hence, Windows Hello for Business doesn't work with Azure AD DS.
- question: Is Windows Hello for Business considered multi-factor authentication?
- question: Is Windows Hello for Business considered multifactor authentication?
answer: |
Windows Hello for Business is two-factor authentication based on the observed authentication factors of: *something you have*, *something you know*, and *something that's part of you*. Windows Hello for Business incorporates two of these factors: something you have (the user's private key protected by the device's security module) and something you know (your PIN). With the proper hardware, you can enhance the user experience by introducing biometrics. By using biometrics, you can replace the "something you know" authentication factor with the "something that is part of you" factor, with the assurances that users can fall back to the "something you know factor".
> [!NOTE]
> The Windows Hello for Business key meets Azure AD multi-factor authentication (MFA) requirements and reduces the number of MFA prompts users will see when accessing resources. For more information, see [What is a Primary Refresh Token](/azure/active-directory/devices/concept-primary-refresh-token#when-does-a-prt-get-an-mfa-claim).
> The Windows Hello for Business key meets Azure AD multifactor authentication (MFA) requirements and reduces the number of MFA prompts users will see when accessing resources. For more information, see [What is a Primary Refresh Token](/azure/active-directory/devices/concept-primary-refresh-token#when-does-a-prt-get-an-mfa-claim).
- question: Which is a better or more secure for of authentication, key or certificate?
answer: |
Both types of authentication provide the same security; one is not more secure than the other.
@ -216,7 +225,7 @@ sections:
Windows Hello for Business credentials need access to device state, which is not available in private browser mode or incognito mode. Hence it can't be used in private browser or Incognito mode.
- question: Can I use both a PIN and biometrics to unlock my device?
answer: |
You can use *multi-factor unlock* to require users to provide an extra factor to unlock their device. Authentication remains two-factor, but another factor is required before Windows allows the user to reach the desktop. To learn more, see [Multifactor Unlock](feature-multifactor-unlock.md).
You can use *multifactor unlock* to require users to provide an extra factor to unlock their device. Authentication remains two-factor, but another factor is required before Windows allows the user to reach the desktop. To learn more, see [Multifactor Unlock](feature-multifactor-unlock.md).
- name: Cloud Kerberos trust
questions:

4
windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
View File

@ -4,7 +4,7 @@ description: Learn how Microsoft PIN reset services enable you to help users rec
ms.collection:
- highpri
- tier1
ms.date: 03/10/2023
ms.date: 07/03/2023
ms.topic: how-to
---
@ -63,13 +63,11 @@ You may find that PIN reset from settings only works post login. Also, the lock
- Hybrid Windows Hello for Business deployment
- Azure AD registered, Azure AD joined, and Hybrid Azure AD joined
When non-destructive PIN reset is enabled on a client, a 256-bit AES key is generated locally. The key is added to a user's Windows Hello for Business container and keys as the PIN reset protector. This PIN reset protector is encrypted using a public key retrieved from the Microsoft PIN reset service and then stored on the client for later use during PIN reset. After a user initiates a PIN reset, completes authentication and multi-factor authentication to Azure AD, the encrypted PIN reset protector is sent to the Microsoft PIN reset service, decrypted, and returned to the client. The decrypted PIN reset protector is used to change the PIN used to authorize Windows Hello for Business keys and it's then cleared from memory.
Using Group Policy, Microsoft Intune or a compatible MDM solution, you can configure Windows devices to securely use the **Microsoft PIN Reset Service** which enables users to reset their forgotten PIN without requiring re-enrollment.
>[!IMPORTANT]
> The Microsoft PIN Reset service only works with **Enterprise Edition** for Windows 10, version 1709 to 1809 and later, and Windows 11. The feature works with **Enterprise Edition** and **Pro** edition with Windows 10, version 1903 and later, Windows 11.
> The Microsoft PIN Reset service is not currently available in Azure Government.
### Summary

2
windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md
View File

@ -66,6 +66,6 @@ To configure account lockout threshold, follow these steps:
## Why do you need a PIN to use biometrics?
Windows Hello enables biometric sign-in for Windows: fingerprint, iris, or facial recognition. When you set up Windows Hello, you're asked to create a PIN first. This PIN enables you to sign in using the PIN when you can't use your preferred biometric because of an injury or because the sensor is unavailable or not working properly.
Windows Hello enables biometric sign-in for Windows: fingerprint, iris, or facial recognition. When you set up Windows Hello, you're asked to create a PIN after the biometric setup. The PIN enables you to sign in when you can't use your preferred biometric because of an injury or because the sensor is unavailable or not working properly.
If you only had a biometric sign-in configured and, for any reason, were unable to use that method to sign in, you would have to sign in using your account and password, which doesn't provide you with the same level of protection as Hello.

20
windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md
View File

@ -12,7 +12,7 @@ ms.topic: conceptual
ms.date: 06/07/2023
---
# Password must meet complexity requirements
# Password must meet complexity requirements
**Applies to**
- Windows 11
@ -30,11 +30,20 @@ The **Passwords must meet complexity requirements** policy setting determines wh
2. The password contains characters from three of the following categories:
- Uppercase letters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters)
- Lowercase letters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters)
- Base 10 digits (0 through 9)
- Non-alphanumeric characters (special characters): ``(~!@#$%^&*_-+=`|\\(){}\[\]:;"'<>,.?/)``
- Uppercase letters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters).
- Lowercase letters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters).
- Base 10 digits (0 through 9).
- Non-alphanumeric characters (special characters):
```
'-!"#$%&()*,./:;?@[]^_`{|}~+<=>
```
Currency symbols such as the Euro or British Pound aren't counted as special characters for this policy setting.
- Any Unicode character that's categorized as an alphabetic character but isn't uppercase or lowercase. This group includes Unicode characters from Asian languages.
Complexity requirements are enforced when passwords are changed or created.
@ -104,3 +113,4 @@ The use of ALT key character combinations may greatly enhance the complexity of
## Related articles
- [Password Policy](/microsoft-365/admin/misc/password-policy-recommendations)

1
windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
View File

@ -137,6 +137,7 @@ Table 3 describes the available resource header attribute options you can set wi
| **OriginalFileName** | Specifies the original file name, or the name with which the file was first created, of the binary. |
| **PackageFamilyName** | Specifies the package family name of the binary. The package family name consists of two parts: the name of the file and the publisher ID. |
| **ProductName** | Specifies the name of the product with which the binary ships. |
| **Filepath** | Specifies the file path of the binary. |
## More information about filepath rules

5
windows/whats-new/whats-new-windows-10-version-1909.md
View File

@ -55,7 +55,10 @@ Windows 10, version 1909 also includes two new features called **Key-rolling** a
### Transport Layer Security (TLS)
An experimental implementation of TLS 1.3 is included in Windows 10, version 1909. TLS 1.3 disabled by default system wide. If you enable TLS 1.3 on a device for testing, then it can also be enabled in Internet Explorer 11.0 and Microsoft Edge by using Internet Options. For beta versions of Microsoft Edge on Chromium, TLS 1.3 isn't built on the Windows TLS stack, and is instead configured independently, using the **Edge://flags** dialog. Also see [Microsoft Edge platform status](https://developer.microsoft.com/microsoft-edge/status/tls13/)
An experimental implementation of TLS 1.3 is included in Windows 10, version 1909. TLS 1.3 is disabled by default system wide. If you enable TLS 1.3 on a device for testing, then it can also be enabled in Internet Explorer 11.0 and Microsoft Edge by using Internet Options. For beta versions of Microsoft Edge on Chromium, TLS 1.3 isn't built on the Windows TLS stack, and is instead configured independently, using the **Edge://flags** dialog. Also see [Microsoft Edge platform status](https://developer.microsoft.com/microsoft-edge/status/tls13/)
>[!NOTE]
>The experiental implementation of TLS 1.3 isn't supported. TLS 1.3 is only supported on Windows 11 and Server 2022. For more information, see [Protocols in TLS/SSL (Schannel SSP)](/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp-).
## Virtualization