From 7c8677283e96d6a80c7859849ac10ee5a9f2220c Mon Sep 17 00:00:00 2001 From: Baard Hermansen Date: Sun, 17 Oct 2021 21:33:28 +0200 Subject: [PATCH 001/169] Update set-up-mdt-for-bitlocker.md Removed a surplus Notes section, seems like an old version that was supposed to have been removed when a newer Notes section was previously added. --- .../deploy-windows-mdt/set-up-mdt-for-bitlocker.md | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md index 481df59b4a..e41a843bb8 100644 --- a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md +++ b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md @@ -42,9 +42,6 @@ If you have access to Microsoft BitLocker Administration and Monitoring (MBAM), > [!NOTE] > Backing up TPM to Active Directory was supported only on Windows 10 version 1507 and 1511. ->[!NOTE] ->Even though it is not a BitLocker requirement, we recommend configuring BitLocker to store the recovery key and TPM owner information in Active Directory. For more information about these features, see [Backing Up BitLocker and TPM Recovery Information to AD DS](/previous-versions/windows/it-pro/windows-7/dd875529(v=ws.10)). If you have access to Microsoft BitLocker Administration and Monitoring (MBAM), which is part of Microsoft Desktop Optimization Pack (MDOP), you have additional management features for BitLocker. - For the purposes of this topic, we will use DC01, a domain controller that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, see [Deploy Windows 10 with the Microsoft Deployment Toolkit](./prepare-for-windows-deployment-with-mdt.md). ## Configure Active Directory for BitLocker 
@@ -174,4 +171,4 @@ In the following task sequence, we added five actions: [Use the MDT database to stage Windows 10 deployment information](use-the-mdt-database-to-stage-windows-10-deployment-information.md)
[Assign applications using roles in MDT](assign-applications-using-roles-in-mdt.md)
[Use web services in MDT](use-web-services-in-mdt.md)
-[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md) \ No newline at end of file +[Use Orchestrator runbooks with MDT](use-orchestrator-runbooks-with-mdt.md) From 6ad2b380099407d9b8c0a0cc981e7c6dbaf0f347 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Mon, 18 Oct 2021 11:20:55 -0700 Subject: [PATCH 002/169] Added formatting to the file. --- .../.vscode/settings.json | 8 ++ .../understanding-wdac-policy-settings.md | 76 +++++++++++++++++++ 2 files changed, 84 insertions(+) create mode 100644 windows/security/threat-protection/windows-defender-application-control/.vscode/settings.json create mode 100644 windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md diff --git a/windows/security/threat-protection/windows-defender-application-control/.vscode/settings.json b/windows/security/threat-protection/windows-defender-application-control/.vscode/settings.json new file mode 100644 index 0000000000..ed9462b7e6 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-application-control/.vscode/settings.json @@ -0,0 +1,8 @@ +{ + "markdownlint.config": { + "MD028": false, + "MD025": { + "front_matter_title": "" + } + } +} \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md b/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md new file mode 100644 index 0000000000..e966d5669a --- /dev/null +++ b/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md 
@@ -0,0 +1,76 @@ +--- +title: Understanding WDAC secure settings. +description: Learn about secure settings in Windows Defender Application Control. +keywords: security, malware +ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb +ms.prod: m365-security +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +audience: ITPro +ms.collection: M365-security-compliance +author: creator of the word doc +ms.reviewer: jogeurte +ms.author: dansimp +manager: dansimp +ms.date: 10/11/2021 +ms.technology: mde +--- + +# Understanding WDAC Policy Settings +Windows Defender Application Control (WDAC) Policies expose a Settings section where policy authors can define arbitrary secure settings. Secure Settings provide local admin tamper-free settings for secure boot enabled systems, with policy signing enabled. Settings consist of a Provider, Key, and ValueName, as well as a setting value. Setting values can be of type boolean, ulong, binary, and string. Applications can query for policy settings using [WldpQuerySecurityPolicy].
+ +An example settings section of a WDAC Policy: +```xml + + + + true + + + +``` + +### Example Scenario +An application that may want to restrict its capabilities, when used on a system with an active WDAC policy. Application authors can define a WDAC policy, setting their application queries, in order to disable certain features. For example, if Contoso’s Foo Application wants to disable a risky feature, such as macro execution, they can define a WDAC policy setting, and query for it at runtime. Contoso can then instruct IT administrators to configure the setting in their WDAC policy, if they don’t want Foo Application to execute macros on a system with a WDAC policy.
+ + +### WldpQuerySecurityPolicy +API that queries the secure settings of a WDAC policy. + +#### Syntax +``` C++ +HRESULT WINAPI WldpQuerySecurityPolicy( + _In_ const UNICODE_STRING * Provider, + _In_ const UNICODE_STRING * Key, + _In_ const UNICODE_STRING * ValueName, + _Out_ PWLDP_SECURE_SETTING_VALUE_TYPE ValueType, + _Out_writes_bytes_opt_(*ValueSize) PVOID Value, + _Inout_ PULONG ValueSize) +``` + +#### Parameters +Provider [in] +Setting Provider name. + +Key [in] +Key name of the Key-Value pair under Setting Provider "Provider". + +ValueName [in] +The value name of the "Key-Value" pair. + +ValueType [in, out] +Pointer to receive the value type. + +Value [in, out] +Pointer to a buffer to receive the value. The buffer should be of size “ValueSize”. If this value is NULL, this function will return the required buffer size for Value. + +ValueSize [in, out] +On input, it indicates the buffer size of "Value". On successful return, it indicates the size of data written to Value buffer. + +#### Return Value +This method returns S_OK if successful or a failure code otherwise. + +#### Remarks +See [WDAC Policy Settings] for more information on WDAC policy settings. From 371c645f32e0abf8712d513e98504e14c724c195 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Mon, 18 Oct 2021 11:30:01 -0700 Subject: [PATCH 003/169] added new file to index and toc --- .../windows-defender-application-control/TOC.yml | 2 ++ .../windows-defender-application-control/index.yml | 2 ++ 2 files changed, 4 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.yml b/windows/security/threat-protection/windows-defender-application-control/TOC.yml index 6e2bbdd64b..47bc7d1ad7 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC.yml +++ b/windows/security/threat-protection/windows-defender-application-control/TOC.yml 
@@ -22,6 +22,8 @@ href: understand-windows-defender-application-control-policy-design-decisions.md - name: Understand WDAC policy rules and file rules href: select-types-of-rules-to-create.md + - name: Understand WDAC secure settings + href: understand-wdac-policy-settings.md items: - name: Allow apps installed by a managed installer href: configure-authorized-apps-deployed-with-a-managed-installer.md diff --git a/windows/security/threat-protection/windows-defender-application-control/index.yml b/windows/security/threat-protection/windows-defender-application-control/index.yml index ef5892459f..152d5cb75f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/index.yml +++ b/windows/security/threat-protection/windows-defender-application-control/index.yml @@ -69,6 +69,8 @@ landingContent: links: - text: Understanding policy and file rules url: select-types-of-rules-to-create.md + - text: Understanding WDAC secure settings + url: understanding-wdac-policy-settings.md - linkListType: how-to-guide links: - text: Allow managed installer and configure managed installer rules From 0ff09040b4199de166bd4486c7a9d05545432945 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Mon, 18 Oct 2021 12:19:12 -0700 Subject: [PATCH 004/169] removed brackets in wldpquerysecuritypolicy --- .../understanding-wdac-policy-settings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md b/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md index e966d5669a..6f583d977a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md +++ b/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md 
@@ -19,7 +19,7 @@ ms.technology: mde --- # Understanding WDAC Policy Settings -Windows Defender Application Control (WDAC) Policies expose a Settings section where policy authors can define arbitrary secure settings. Secure Settings provide local admin tamper-free settings for secure boot enabled systems, with policy signing enabled. Settings consist of a Provider, Key, and ValueName, as well as a setting value. Setting values can be of type boolean, ulong, binary, and string. Applications can query for policy settings using [WldpQuerySecurityPolicy].
+Windows Defender Application Control (WDAC) Policies expose a Settings section where policy authors can define arbitrary secure settings. Secure Settings provide local admin tamper-free settings for secure boot enabled systems, with policy signing enabled. Settings consist of a Provider, Key, and ValueName, as well as a setting value. Setting values can be of type boolean, ulong, binary, and string. Applications can query for policy settings using WldpQuerySecurityPolicy.
An example settings section of a WDAC Policy: ```xml From 80c417c09fe88702e1623c22c5a1b7ad7468123b Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Mon, 18 Oct 2021 13:19:02 -0700 Subject: [PATCH 005/169] updated the author --- .../understanding-wdac-policy-settings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md b/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md index 6f583d977a..530c147315 100644 --- a/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md +++ b/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md @@ -10,7 +10,7 @@ ms.pagetype: security ms.localizationpriority: medium audience: ITPro ms.collection: M365-security-compliance -author: creator of the word doc +author: Robert Wait ms.reviewer: jogeurte ms.author: dansimp manager: dansimp From 000a26dc6eabada6db05cb2334017c03caa8c551 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Mon, 18 Oct 2021 13:20:20 -0700 Subject: [PATCH 006/169] corrected the md file name --- .../windows-defender-application-control/TOC.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.yml b/windows/security/threat-protection/windows-defender-application-control/TOC.yml index 47bc7d1ad7..9cfa2e9982 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC.yml +++ b/windows/security/threat-protection/windows-defender-application-control/TOC.yml 
@@ -23,7 +23,7 @@ - name: Understand WDAC policy rules and file rules href: select-types-of-rules-to-create.md - name: Understand WDAC secure settings - href: understand-wdac-policy-settings.md + href: understanding-wdac-policy-settings.md items: - name: Allow apps installed by a managed installer href: configure-authorized-apps-deployed-with-a-managed-installer.md From e1834ca4c51520b046f39208eb864de39340bb5d Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Mon, 18 Oct 2021 13:24:33 -0700 Subject: [PATCH 007/169] Update understanding-wdac-policy-settings.md --- .../understanding-wdac-policy-settings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md b/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md index 530c147315..28eb21e297 100644 --- a/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md +++ b/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md @@ -10,7 +10,7 @@ ms.pagetype: security ms.localizationpriority: medium audience: ITPro ms.collection: M365-security-compliance -author: Robert Wait +author: Robert Waite ms.reviewer: jogeurte ms.author: dansimp manager: dansimp From 6510b6f40162de8281c7ecd928b82e0e0bc1a6bb Mon Sep 17 00:00:00 2001 From: Baard Hermansen Date: Wed, 27 Oct 2021 23:49:42 +0200 Subject: [PATCH 008/169] Update demonstrate-deployment-on-vm.md Aligned some PS code with https://docs.microsoft.com/en-us/mem/autopilot/windows-autopilot. --- .../demonstrate-deployment-on-vm.md | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) diff --git a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md index b47dd4d0f2..01cbe2b0fe 100644 
--- a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md +++ b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md @@ -161,7 +161,7 @@ After you download this file, the name will be extremely long (ex: 19042.508.200 The **Get-NetAdaper** cmdlet is used to automatically find the network adapter that's most likely to be the one you use to connect to the internet. You should test this command first by running the following at an elevated Windows PowerShell prompt: ```powershell -(Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name +(Get-NetAdapter | Where-Object {$_.Status -eq "Up" -and !$_.Virtual}).Name ``` The output of this command should be the name of the network interface you use to connect to the internet. Verify that this is the correct interface name. If it isn't the correct interface name, you'll need to edit the first command below to use your network interface name. 
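Review bot: The unchanged context line directly above the edited command in this hunk still spells the cmdlet "Get-NetAdaper"; correct it to **Get-NetAdapter** in the same change so the prose names the cmdlet the sample actually runs. Replacing the `?` alias with `Where-Object` is fine, but the filter can match more than one adapter that is Up and not virtual, and `.Name` then returns several names; the paragraph that follows asks the reader to verify the output, so it should say that exactly one interface name is expected.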
@@ -180,7 +180,7 @@ All VM data will be created under the current path in your PowerShell prompt. Co >- If you're not sure if you already have an External VM switch, enter **get-vmswitch** at a Windows PowerShell prompt to display a currently list of the VM switches that are provisioned in Hyper-V. If one of them is of SwitchType **External**, then you already have a VM switch configured on the server that's used to connect to the internet. In this case, you need to skip the first command below and modify the others to use the name of your VM switch instead of the name "AutopilotExternal" (or change the name of your switch). ```powershell -New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName (Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name +New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName (Get-NetAdapter | Where-Object {$_.Status -eq "Up" -and !$_.Virtual}).Name New-VM -Name WindowsAutopilot -MemoryStartupBytes 2GB -BootDevice VHD -NewVHDPath .\VMs\WindowsAutopilot.vhdx -Path .\VMData -NewVHDSizeBytes 80GB -Generation 2 -Switch AutopilotExternal Add-VMDvdDrive -Path c:\iso\win10-eval.iso -VMName WindowsAutopilot Start-VM -VMName WindowsAutopilot @@ -237,7 +237,6 @@ PS C:\autopilot> Make sure that the VM booted from the installation ISO, select **Next**, select **Install now**, and then complete the Windows installation process. See the following examples: - ![Windows setup example 1](images/winsetup1.png) ![Windows setup example 2](images/winsetup2.png) @@ -250,7 +249,6 @@ Make sure that the VM booted from the installation ISO, select **Next**, select ![Windows setup example 6](images/winsetup6.png) - After the VM restarts, during OOBE, it's fine to select **Set up for personal use** or **Domain join instead** and then choose an offline account on the **Sign in** screen. This offers the fastest way to the desktop. For example: ![Windows setup example 7.](images/winsetup7.png) 
@@ -278,12 +276,12 @@ Follow these steps to run the PowerShell script: 1. **On the client VM**: Open an elevated Windows PowerShell prompt and run the following commands. These commands are the same whether you're using a VM or a physical device: ```powershell - md c:\HWID - Set-Location c:\HWID - Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force + New-Item -Type Directory -Path "C:\HWID" + Set-Location C:\HWID + Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned Install-Script -Name Get-WindowsAutopilotInfo -Force $env:Path += ";C:\Program Files\WindowsPowerShell\Scripts" - Get-WindowsAutopilotInfo.ps1 -OutputFile AutopilotHWID.csv + Get-WindowsAutopilotInfo -OutputFile AutopilotHWID.csv ``` 1. When you're prompted to install the NuGet package, choose **Yes**. @@ -615,7 +613,7 @@ To use the device (or VM) for other purposes after completion of this lab, you n ### Delete (deregister) Autopilot device -You need to delete (or retire, or factory reset) the device from Intune before deregistering the device from Autopilot. To delete the device from Intune (not Azure AD), log into the MEM admin center, then go to **Intune > Devices > All Devices**. Select the device you want to delete, then select the **Delete** button along the top menu. +You need to delete (or retire, or factory reset) the device from Intune before deregistering the device from Autopilot. To delete the device from Intune (not Azure AD), log into the MEM admin center, then go to **Intune > Devices > All Devices**. Select the device you want to delete, then select the **Delete** button along the top menu. > [!div class="mx-imgBorder"] > ![Delete device step 1.](images/delete-device1.png) From f66a308a843f25803e92ccb07f21d6047c132d09 Mon Sep 17 00:00:00 2001 
From: Baard Hermansen Date: Fri, 29 Oct 2021 22:47:52 +0200 Subject: [PATCH 009/169] Update windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../windows-autopilot/demonstrate-deployment-on-vm.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md index 01cbe2b0fe..fabd6a01f0 100644 --- a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md +++ b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md 
@@ -177,7 +177,7 @@ All VM data will be created under the current path in your PowerShell prompt. Co > >- If you previously enabled Hyper-V and your internet-connected network interface is already bound to a VM switch, then the PowerShell commands below will fail. In this case, you can either delete the existing VM switch (so that the commands below can create one), or you can reuse this VM switch by skipping the first command below and either modifying the second command to replace the switch name **AutopilotExternal** with the name of your switch, or by renaming your existing switch to "AutopilotExternal." >- If you have never created an external VM switch before, then just run the commands below. ->- If you're not sure if you already have an External VM switch, enter **get-vmswitch** at a Windows PowerShell prompt to display a currently list of the VM switches that are provisioned in Hyper-V. If one of them is of SwitchType **External**, then you already have a VM switch configured on the server that's used to connect to the internet. In this case, you need to skip the first command below and modify the others to use the name of your VM switch instead of the name "AutopilotExternal" (or change the name of your switch). +>- If you're not sure if you already have an External VM switch, enter **get-vmswitch** at a Windows PowerShell prompt to display a current list of the VM switches that are provisioned in Hyper-V. If one of them is of SwitchType **External**, then you already have a VM switch configured on the server that's used to connect to the internet. In this case, you need to skip the first command below and modify the others to use the name of your VM switch instead of the name "AutopilotExternal" (or change the name of your switch). ```powershell New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName (Get-NetAdapter | Where-Object {$_.Status -eq "Up" -and !$_.Virtual}).Name 
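Review bot: In the @@ -278,12 +276,12 hunk of demonstrate-deployment-on-vm.md ([PATCH 008/169]), the new `Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned` line drops `-Force`, so the cmdlet asks for confirmation, yet the step after the code block only tells the reader to answer **Yes** to the NuGet prompt. Moving from Unrestricted to RemoteSigned at process scope is the right direction; either keep `-Force` on the new line or add a sentence telling the reader to confirm the execution-policy change, so the documented prompts match what the session shows.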
From 59eed88aea573972a8ddd291da37330535aad2e0 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Mon, 1 Nov 2021 11:58:16 -0700 Subject: [PATCH 010/169] added headers for each parameter section Also removed Robert Waite as author since GitHub doesn't have him listed as an approved author. --- .../understanding-wdac-policy-settings.md | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md b/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md index 28eb21e297..9a9fe9f38b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md +++ b/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md @@ -10,7 +10,6 @@ ms.pagetype: security ms.localizationpriority: medium audience: ITPro ms.collection: M365-security-compliance -author: Robert Waite ms.reviewer: jogeurte ms.author: dansimp manager: dansimp @@ -39,7 +38,7 @@ An application that may want to restrict its capabilities, when used on a system ### WldpQuerySecurityPolicy API that queries the secure settings of a WDAC policy. -#### Syntax +### Syntax ``` C++ HRESULT WINAPI WldpQuerySecurityPolicy( _In_ const UNICODE_STRING * Provider, 
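Review bot: Changing "#### Syntax" to "### Syntax" in this hunk puts Syntax at the same level as "### WldpQuerySecurityPolicy", the API it documents, so it reads as a sibling section instead of a subsection. Keep Syntax one level below the API heading, or promote the API heading to ## directly under the # title, which also removes the jump from # to ### that the file currently has.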
@@ -50,23 +49,23 @@ HRESULT WINAPI WldpQuerySecurityPolicy( _Inout_ PULONG ValueSize) ``` -#### Parameters +### Parameters Provider [in] Setting Provider name. -Key [in] +#### Key [in] Key name of the Key-Value pair under Setting Provider "Provider". -ValueName [in] +#### ValueName [in] The value name of the "Key-Value" pair. -ValueType [in, out] +#### ValueType [in, out] Pointer to receive the value type. -Value [in, out] +#### Value [in, out] Pointer to a buffer to receive the value. The buffer should be of size “ValueSize”. If this value is NULL, this function will return the required buffer size for Value. -ValueSize [in, out] +#### ValueSize [in, out] On input, it indicates the buffer size of "Value". On successful return, it indicates the size of data written to Value buffer. #### Return Value From d40a2d17978763a90dad4e3692e0e9c201fc9186 Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Mon, 8 Nov 2021 12:21:00 -0800 Subject: [PATCH 011/169] added settings.json to gitignore --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index 9841e0daea..3a642828d6 100644 --- a/.gitignore +++ b/.gitignore @@ -13,6 +13,7 @@ common/ .openpublishing.build.mdproj .openpublishing.buildcore.ps1 packages.config +settings.json # User-specific files .vs/ From 89d1befa026685fa1423ad6f39b1794dd044c12d Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Mon, 8 Nov 2021 12:23:08 -0800 Subject: [PATCH 012/169] Deleted settings.json from .vscode --- .../.vscode/settings.json | 8 -------- 1 file changed, 8 deletions(-) delete mode 100644 windows/security/threat-protection/windows-defender-application-control/.vscode/settings.json diff --git a/windows/security/threat-protection/windows-defender-application-control/.vscode/settings.json b/windows/security/threat-protection/windows-defender-application-control/.vscode/settings.json deleted file mode 100644 index ed9462b7e6..0000000000 
--- a/windows/security/threat-protection/windows-defender-application-control/.vscode/settings.json +++ /dev/null @@ -1,8 +0,0 @@ -{ - "markdownlint.config": { - "MD028": false, - "MD025": { - "front_matter_title": "" - } - } -} \ No newline at end of file From 305a3a0479a7b601a621f64b5138eddfc2c1c13a Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Tue, 9 Nov 2021 12:49:43 -0800 Subject: [PATCH 013/169] Listed jogeurte as the author --- .../understanding-wdac-policy-settings.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md b/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md index 9a9fe9f38b..d54ed1b819 100644 --- a/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md +++ b/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md @@ -10,6 +10,7 @@ ms.pagetype: security ms.localizationpriority: medium audience: ITPro ms.collection: M365-security-compliance +author: jogeurte ms.reviewer: jogeurte ms.author: dansimp manager: dansimp From cc9e3d5a617417f2fc5ddb8dabbb7499f73c5a7a Mon Sep 17 00:00:00 2001 From: Kim Klein Date: Tue, 9 Nov 2021 12:57:38 -0800 Subject: [PATCH 014/169] corrected Jordan's ID in both the author and ms.reviewer fields. --- .../understanding-wdac-policy-settings.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md b/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md index d54ed1b819..d68f3d6a3f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md 
+++ b/windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md @@ -10,8 +10,8 @@ ms.pagetype: security ms.localizationpriority: medium audience: ITPro ms.collection: M365-security-compliance -author: jogeurte -ms.reviewer: jogeurte +author: jgeurten +ms.reviewer: jgeurten ms.author: dansimp manager: dansimp ms.date: 10/11/2021 From 33e1161180590e27d9459a6082b012d5df3b82a6 Mon Sep 17 00:00:00 2001 From: Snrat Date: Wed, 17 Nov 2021 15:36:27 +0800 Subject: [PATCH 015/169] Update index.md Fixed. --- windows/whats-new/ltsc/index.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/whats-new/ltsc/index.md b/windows/whats-new/ltsc/index.md index 28bc3db429..0d7830f328 100644 --- a/windows/whats-new/ltsc/index.md +++ b/windows/whats-new/ltsc/index.md @@ -36,7 +36,7 @@ The following table summarizes equivalent feature update versions of Windows 10 | Windows 10 Enterprise LTSC 2015 | Windows 10, Version 1507 | 7/29/2015 | | Windows 10 Enterprise LTSC 2016 | Windows 10, Version 1607 | 8/2/2016 | | Windows 10 Enterprise LTSC 2019 | Windows 10, Version 1809 | 11/13/2018 | -| Windows 10 Enterprise LTSC 2019 | Windows 10, Version 21H2 | 11/16/2021 | +| Windows 10 Enterprise LTSC 2021 | Windows 10, Version 21H2 | 11/16/2021 | > [!NOTE] > The Long-Term Servicing Channel was previously called the Long-Term Servicing Branch (LTSB). All references to LTSB are changed in this article to LTSC for consistency, even though the name of previous versions might still be displayed as LTSB. @@ -51,4 +51,4 @@ For detailed information about Windows 10 servicing, see [Overview of Windows as ## See Also [What's New in Windows 10](../index.yml): See what’s new in other versions of Windows 10.
-[Windows 10 - Release information](/windows/release-health/release-information): Windows 10 current versions by servicing option. \ No newline at end of file +[Windows 10 - Release information](/windows/release-health/release-information): Windows 10 current versions by servicing option. From b80bba8a2be17cf1f6121473999157f966d6a945 Mon Sep 17 00:00:00 2001 From: midoliy <78302178+tatsuya-midorikawa@users.noreply.github.com> Date: Fri, 19 Nov 2021 08:33:54 +0900 Subject: [PATCH 016/169] fix index.md Correction of typographical errors. --- windows/whats-new/ltsc/index.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/whats-new/ltsc/index.md b/windows/whats-new/ltsc/index.md index 28bc3db429..0d7830f328 100644 --- a/windows/whats-new/ltsc/index.md +++ b/windows/whats-new/ltsc/index.md @@ -36,7 +36,7 @@ The following table summarizes equivalent feature update versions of Windows 10 | Windows 10 Enterprise LTSC 2015 | Windows 10, Version 1507 | 7/29/2015 | | Windows 10 Enterprise LTSC 2016 | Windows 10, Version 1607 | 8/2/2016 | | Windows 10 Enterprise LTSC 2019 | Windows 10, Version 1809 | 11/13/2018 | -| Windows 10 Enterprise LTSC 2019 | Windows 10, Version 21H2 | 11/16/2021 | +| Windows 10 Enterprise LTSC 2021 | Windows 10, Version 21H2 | 11/16/2021 | > [!NOTE] > The Long-Term Servicing Channel was previously called the Long-Term Servicing Branch (LTSB). All references to LTSB are changed in this article to LTSC for consistency, even though the name of previous versions might still be displayed as LTSB. @@ -51,4 +51,4 @@ For detailed information about Windows 10 servicing, see [Overview of Windows as ## See Also [What's New in Windows 10](../index.yml): See what’s new in other versions of Windows 10.
-[Windows 10 - Release information](/windows/release-health/release-information): Windows 10 current versions by servicing option. \ No newline at end of file +[Windows 10 - Release information](/windows/release-health/release-information): Windows 10 current versions by servicing option. From e5d84d5a6d6238a0267b51c21e80d05117036712 Mon Sep 17 00:00:00 2001 From: Makazeu Date: Fri, 19 Nov 2021 21:32:37 +0800 Subject: [PATCH 017/169] Update index.md Fixes a typo --- windows/whats-new/ltsc/index.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/whats-new/ltsc/index.md b/windows/whats-new/ltsc/index.md index 28bc3db429..0d7830f328 100644 --- a/windows/whats-new/ltsc/index.md +++ b/windows/whats-new/ltsc/index.md @@ -36,7 +36,7 @@ The following table summarizes equivalent feature update versions of Windows 10 | Windows 10 Enterprise LTSC 2015 | Windows 10, Version 1507 | 7/29/2015 | | Windows 10 Enterprise LTSC 2016 | Windows 10, Version 1607 | 8/2/2016 | | Windows 10 Enterprise LTSC 2019 | Windows 10, Version 1809 | 11/13/2018 | -| Windows 10 Enterprise LTSC 2019 | Windows 10, Version 21H2 | 11/16/2021 | +| Windows 10 Enterprise LTSC 2021 | Windows 10, Version 21H2 | 11/16/2021 | > [!NOTE] > The Long-Term Servicing Channel was previously called the Long-Term Servicing Branch (LTSB). All references to LTSB are changed in this article to LTSC for consistency, even though the name of previous versions might still be displayed as LTSB. @@ -51,4 +51,4 @@ For detailed information about Windows 10 servicing, see [Overview of Windows as ## See Also [What's New in Windows 10](../index.yml): See what’s new in other versions of Windows 10.
-[Windows 10 - Release information](/windows/release-health/release-information): Windows 10 current versions by servicing option. \ No newline at end of file +[Windows 10 - Release information](/windows/release-health/release-information): Windows 10 current versions by servicing option. From 458ff0e6b8a7bd627833f26e83a24923e768a6fa Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Wed, 24 Nov 2021 15:01:10 +0530 Subject: [PATCH 018/169] Update policy-csp-start.md --- .../client-management/mdm/policy-csp-start.md | 143 ++++++++++++++++++ 1 file changed, 143 insertions(+) diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md index 588586543f..a7bfb4c8ba 100644 --- a/windows/client-management/mdm/policy-csp-start.md +++ b/windows/client-management/mdm/policy-csp-start.md @@ -51,6 +51,9 @@ manager: dansimp
Start/AllowPinnedFolderVideos
+
+ Start/ConfigureStartPins +
Start/DisableContextMenus
@@ -108,6 +111,9 @@ manager: dansimp
Start/NoPinningToTaskbar
+
+ Start/ShowOrHideMostUsedApps +
Start/StartLayout
@@ -766,6 +772,73 @@ The following list shows the supported values:
+ +**Start/ConfigureStartPins** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProYesYes
BusinessYesYes
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +This policy will allow admins to push a new list of pinned apps to override the default/current list of pinned apps in the SV start menu experience. + +>[!NOTE] +> TFS information describes feature area owners and policy handling work, but the work to implement the policy itself is being completed by OS\WDX\DASH\Cloud-powered Windows Devices\Project Hailey --> Deliverable 32179178. + + + + +This string policy will take a JSON file (expected name LayoutModification.json), which enumerates the items to pin and their relative order. + + + + +
+ + **Start/DisableContextMenus** @@ -2197,6 +2270,76 @@ To validate on Desktop, do the following:
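Review bot: The description added for Start/ConfigureStartPins in policy-csp-start.md carries internal tracking text into a public page: the `>[!NOTE]` that begins "TFS information describes feature area owners and policy handling work" names an internal area path and "Deliverable 32179178", and the sentence before it uses the unexplained abbreviation "SV start menu experience". Drop the note, spell out the product name, and keep only what an admin needs: that the string policy takes the JSON (expected name LayoutModification.json) listing the items to pin and their relative order. The hunk gives no sample of that JSON and no supported values, so add both.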
+ + +**Start/ShowOrHideMostUsedApps** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProYesYes
BusinessYesYes
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device +> * User + +
+ + + +This supports a key Enterprise manageability request targeted for Iron. + + + +The following list shows the supported values: + +- 1 - Force showing of Most Used Apps in Start Menu, user cannot change in Settings +- 0 - Force hiding of Most Used Apps in Start Menu, user cannot change in Settings +- Not set - User can use Settings to hide or show Most Used Apps in Start Menu + +On clean install, the user setting defaults to "hide". + + + + + +
+ **Start/StartLayout** From 58631b2a54ea4644dceec28f1c31e577e3c0aedf Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Wed, 24 Nov 2021 19:00:02 +0530 Subject: [PATCH 019/169] Update policy-csp-printers.md --- .../mdm/policy-csp-printers.md | 302 ++++++++++++++++++ 1 file changed, 302 insertions(+) diff --git a/windows/client-management/mdm/policy-csp-printers.md b/windows/client-management/mdm/policy-csp-printers.md index 3902457217..d6f2240333 100644 --- a/windows/client-management/mdm/policy-csp-printers.md +++ b/windows/client-management/mdm/policy-csp-printers.md @@ -22,6 +22,18 @@ manager: dansimp ## Printers policies
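Review bot: In the Start/ShowOrHideMostUsedApps hunk of policy-csp-start.md, the description "This supports a key Enterprise manageability request targeted for Iron." does not say what the policy does, and "Iron" reads as an internal release name. Replace it with a sentence stating that the policy forces the Most Used Apps list in the Start menu to be shown or hidden and removes the user's ability to change it in Settings, which is what the supported-values list below it already describes.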
+
+ Printers/ApprovedUsbPrintDevices +
+
+ Printers/ApprovedUsbPrintDevicesUser +
+
+ Printers/EnableDeviceControl +
+
+ Printers/EnableDeviceControlUser +
Printers/PointAndPrintRestrictions
@@ -42,6 +54,296 @@ manager: dansimp
+ +**Printers/ApprovedUsbPrintDevices** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProYesYes
BusinessYesYes
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +This policy implements the print portion of the Device Control requirements. +These requirements include restricting printing to USB connected printers which match a list of approved USB Vid/Pid combinations or to corporate connected printers while either directly connected to the corporate network or when using a VPN connection to the corporate network. +This policy will contain the comma separated list of approved USB Vid&Pid combinations which the print spooler will allow to print when Device Control is enabled. +The format of this setting is /[,/] + +Parent deliverable: 26209274 - Device Control: Printer + + + +ADMX Info: +- GP Friendly name: *Support for new Device Control Print feature* +- GP name: *ApprovedUsbPrintDevices* +- GP path: *Printers* +- GP ADMX file name: *Printing.admx* + + + + + +
+ + +**Printers/ApprovedUsbPrintDevicesUser** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProYesYes
BusinessYesYes
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +This policy implements the print portion of the Device Control requirements. +These requirements include restricting printing to USB connected printers which match a list of approved USB Vid/Pid combinations or to corporate connected printers while either directly connected to the corporate network or when using a VPN connection to the corporate network. +This policy will contain the comma separated list of approved USB Vid&Pid combinations which the print spooler will allow to print when Device Control is enabled. +The format of this setting is /[,/] + + + + +ADMX Info: +- GP Friendly name: *Support for new Device Control Print feature* +- GP name: *ApprovedUsbPrintDevicesUser* +- GP path: *Printers* +- GP ADMX file name: *Printing.admx* + + + +
+ + +**Printers/EnableDeviceControl** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProYesYes
BusinessYesYes
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +This policy implements the print portion of the Device Control requirements. +These requirements include restricting printing to USB connected printers which match a list of approved USB Vid/Pid combinations or to corporate connected printers while either directly connected to the corporate network or when using a VPN connection to the corporate network. +This policy will control whether the print spooler will attempt to restrict printing as part of Device Control. + +The default value of the policy will be Unconfigured. + +If the policy value is either Unconfigured or Disabled the print spooler will not restrict printing. + +If the policy value is Enabled the print spooler will restrict local printing to USB devices in the Approved Device list. + + + + + +ADMX Info: +- GP Friendly name: *Support for new Device Control Print feature* +- GP name: *EnableDeviceControl* +- GP path: *Printers* +- GP ADMX file name: *Printing.admx* + + + + +
+ + + +**Printers/EnableDeviceControlUser** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProYesYes
BusinessYesYes
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +This policy implements the print portion of the Device Control requirements. +These requirements include restricting printing to USB connected printers which match a list of approved USB Vid/Pid combinations or to corporate connected printers while either directly connected to the corporate network or when using a VPN connection to the corporate network. +This policy will control whether the print spooler will attempt to restrict printing as part of Device Control. + +The default value of the policy will be Unconfigured. + +If the policy value is either Unconfigured or Disabled the print spooler will not restrict printing. + +If the policy value is Enabled the print spooler will restrict local printing to USB devices in the Approved Device list. + + + + + +ADMX Info: +- GP Friendly name: *Support for new Device Control Print feature* +- GP name: *EnableDeviceControlUser* +- GP path: *Printers* +- GP ADMX file name: *Printing.admx* + + + + +
+ **Printers/PointAndPrintRestrictions** From 5f70354e96cd88c2f0e4ccebda539d1d37c192f2 Mon Sep 17 00:00:00 2001 From: Rick Munck <33725928+jmunck@users.noreply.github.com> Date: Mon, 29 Nov 2021 16:42:16 -0500 Subject: [PATCH 020/169] Update security-compliance-toolkit-10.md Updated Edge to v96 --- .../security-compliance-toolkit-10.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md index 2d66169700..a7d705c22e 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md @@ -50,7 +50,7 @@ The Security Compliance Toolkit consists of: - Office 2016 - Microsoft Edge security baseline - - Edge Browser Version 93 + - Edge Browser Version 96 - Tools - Policy Analyzer tool From 0f60a6706e4a67acc18c2057c9f8285a1914e603 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Thu, 2 Dec 2021 11:06:01 +0530 Subject: [PATCH 021/169] Added windows 10 After reading this article, I added windows 10 under applies to section. --- windows/whats-new/windows-11-prepare.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/whats-new/windows-11-prepare.md b/windows/whats-new/windows-11-prepare.md index 18d9c7bbea..f76ae48be7 100644 --- a/windows/whats-new/windows-11-prepare.md +++ b/windows/whats-new/windows-11-prepare.md 
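Review bot: In policy-csp-printers.md, the format line under Printers/ApprovedUsbPrintDevices and Printers/ApprovedUsbPrintDevicesUser reads "The format of this setting is /[,/]", which has no placeholder names, so an admin cannot tell how to write a Vid/Pid pair; if angle-bracket placeholders were intended, put the format in a code span so they survive rendering, and add one example value. All four new policies list only "User" under Scope even though each setting comes as a plain and a -User pair, so check the scope of the non-User variants. The line "Parent deliverable: 26209274 - Device Control: Printer" is internal tracking and should go. The text for EnableDeviceControl says the spooler "will restrict local printing to USB devices in the Approved Device list" but not what happens when that list is empty or unset, which is the case an admin most needs documented.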
@@ -18,6 +18,7 @@ ms.collection: highpri **Applies to** - Windows 11 +- Windows 10 Windows 10 and Windows 11 are designed to coexist, so that you can use the same familiar tools and process to manage both operating systems. Using a single management infrastructure that supports common applications across both Windows 10 and Windows 11 helps to simplify the migration process. You can analyze endpoints, determine application compatibility, and manage Windows 11 deployments in the same way that you do with Windows 10. From 61c39782ff7a47c6cc5f3d3604210faacd5ac10b Mon Sep 17 00:00:00 2001 From: JW0914 Date: Sat, 4 Dec 2021 09:34:04 -0600 Subject: [PATCH 022/169] Update resolution-procedures.md Error 0x8007025D can [occur](https://superuser.com/questions/1691157/how-to-fix-error-0x8007025d-when-installing-windows-10) during the installation of Windows due to an issue with the storage medium; in the case of WinPE, this is RAM since WinPE is mounted into the RAM disk mounted at `X:` --- windows/deployment/upgrade/resolution-procedures.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/upgrade/resolution-procedures.md b/windows/deployment/upgrade/resolution-procedures.md index 227541cee7..619b51c300 100644 --- a/windows/deployment/upgrade/resolution-procedures.md +++ b/windows/deployment/upgrade/resolution-procedures.md @@ -93,7 +93,7 @@ See the following general troubleshooting procedures associated with a result co | Error Codes | Cause | Mitigation | | --- | --- | --- | |0x80070003- 0x20007|This is a failure during SafeOS phase driver installation.|[Verify device drivers](/windows-hardware/drivers/install/troubleshooting-device-and-driver-installations) on the computer, and [analyze log files](log-files.md#analyze-log-files) to determine the problem driver.| -|0x8007025D - 0x2000C|This error occurs if the ISO file's metadata is corrupt.|Re-download the ISO/Media and re-attempt the upgrade

Alternatively, re-create installation media the [Media Creation Tool](https://www.microsoft.com/software-download/windows10).| +|0x8007025D - 0x2000C|This error occurs if the ISO file's metadata is corrupt or if there is an issue with the storage medium, such as a RAM module containing bad blocks during the installation of Windows.|Re-download the ISO/Media and re-attempt the upgrade

Alternatively, re-create installation media the [Media Creation Tool](https://www.microsoft.com/software-download/windows10).| |0x80070490 - 0x20007|An incompatible device driver is present.|[Verify device drivers](/windows-hardware/drivers/install/troubleshooting-device-and-driver-installations) on the computer, and [analyze log files](log-files.md#analyze-log-files) to determine the problem driver.| |0xC1900101 - 0x2000c|An unspecified error occurred in the SafeOS phase during WIM apply. This can be caused by an outdated driver or disk corruption.|Run checkdisk to repair the file system. For more information, see the [quick fixes](quick-fixes.md) section in this guide.
Update drivers on the computer, and select "Download and install updates (recommended)" during the upgrade process. Disconnect devices other than the mouse, keyboard and display.| |0xC1900200 - 0x20008|The computer doesn’t meet the minimum requirements to download or upgrade to Windows 10.|See [Windows 10 Specifications](https://www.microsoft.com/windows/windows-10-specifications) and verify the computer meets minimum requirements.

Review logs for [compatibility information](/archive/blogs/askcore/using-the-windows-10-compatibility-reports-to-understand-upgrade-issues).| From 2b3f030def07c40b104fba0019cdd8825358fa6c Mon Sep 17 00:00:00 2001 From: Carmen Forsmann Date: Fri, 17 Dec 2021 20:03:39 -0700 Subject: [PATCH 023/169] Update waas-delivery-optimization.md --- .../update/waas-delivery-optimization.md | 47 +++++++++++-------- 1 file changed, 28 insertions(+), 19 deletions(-) diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md index 9ebb4c84ec..b3d6858afe 100644 --- a/windows/deployment/update/waas-delivery-optimization.md +++ b/windows/deployment/update/waas-delivery-optimization.md 
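Review bot: In the 0x8007025D - 0x2000C row of resolution-procedures.md, the Cause cell now names a faulty storage medium such as a RAM module with bad blocks, but the Mitigation cell is unchanged and still only says to re-download the ISO or re-create the media, which does nothing for the new cause. Add a mitigation that matches it (for example, running a memory diagnostic on the device) or drop the RAM wording. While touching the row, "re-create installation media the [Media Creation Tool]" is missing "with".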
@@ -46,29 +46,38 @@ For information about setting up Delivery Optimization, including tips for the b The following table lists the minimum Windows 10 version that supports Delivery Optimization: -| Device type | Minimum Windows version | +| Device type | Minimum Windows version |------------------|---------------| -| Computers running Windows 10 | 1511 | -| Computers running Server Core installations of Windows Server | 1709 | -| IoT devices | 1803 | +| Computers running Windows 10 | Win 10 1511 | +| Computers running Server Core installations of Windows Server | Windows Server 2019 | +| Windows IoT devices | Win 10 1803 | -**Types of download packages supported by Delivery Optimization** +### Types of download content supported by Delivery Optimization -| Download package | Minimum Windows version | -|------------------|---------------| -| Windows client updates (feature updates and quality updates) | 1511 | -| Windows client drivers | 1511 | -| Windows Store files | 1511 | -| Windows Store for Business files | 1511 | -| Windows Defender definition updates | 1511 | -| Microsoft 365 Apps and updates | 1709 (for more information, see [Delivery Optimization and Microsoft 365 Apps](/deployoffice/delivery-optimization)) | -| Win32 apps for Intune | 1709 | -| Xbox game pass games | 2004 | -| MSIX apps (HTTP downloads only) | 2004 | -| Configuration Manager Express updates | 1709 + Configuration Manager version 1711 | -| Edge browser installs and updates | 1809 | -| [Dynamic updates](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/the-benefits-of-windows-10-dynamic-update/ba-p/467847) | 1903 | +| Windows Client | Minimum Windows version | HTTP Downloader | Peer to Peer | Microsoft Connected Cache (MCC) +|------------------|---------------|----------------|----------|----------------| +| Windows Update (feature updates quality updates, language packs, drivers) | Win 10 1511, Win 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | +| Windows 10 
Store files | Win 10 1511, Win 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | +| Windows 10 Store for Business files | Win 10 1511, Win 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | +| Windows Defender definition updates | Win 10 1511, Win 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | +| Intune Win32 apps| Win 10 1709, Win 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | +| Microsoft 365 Apps and updates | Win 10 1709, Win 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | +| Edge Browser Updates | Win 10 1809, Win 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | +| Configuration Manager Express updates| Win 10 1709 + Configuration Manager version Win 10 1711, Win 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | +| Dynamic updates| Win 10 1903, Win 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | +| MDM Agent | Win 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | +| Xbox Game Pass (PC) | Win 10 1809, Win 11 | :heavy_check_mark: | | :heavy_check_mark: | +| Windows Package Manager| Win 10 1809, Win 11 | :heavy_check_mark: | | | +| MSIX | Win 10 2004, Win 11 | :heavy_check_mark: | | | +| Windows Server | Minimum Windows version | HTTP Downloader | Peer to Peer | Microsoft Connected Cache (MCC) +|----------------|--------------------------|----------------|----------|----------------| +| Windows Update | Windows Server 2019 (1809) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | +| Edge Browser Updates | Windows Server 2019 (1809) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | + +| Linux ([Public Preview](https://github.com/microsoft/do-client)) | Linux versions | HTTP Downloader | Peer to Peer | Microsoft Connected Cache (MCC) +|------------------------|----------------|-----------------|--------------|---------------| +| Device Update for IoT Hub | Ubuntu 
18.04, 20.04 / Debian 9, 10 | :heavy_check_mark: | | :heavy_check_mark: | > [!NOTE] > Starting with Configuration Manager version 1910, you can use Delivery Optimization for the distribution of all Windows update content for clients running Windows 10 version 1709 or newer, not just express installation files. For more, see [Delivery Optimization starting in version 1910](/mem/configmgr/sum/deploy-use/optimize-windows-10-update-delivery#bkmk_DO-1910). From 20e354aa4af8d0f57f13bffb09f9ed002a478637 Mon Sep 17 00:00:00 2001 From: Carmen Forsmann Date: Fri, 17 Dec 2021 20:10:16 -0700 Subject: [PATCH 024/169] Update waas-delivery-optimization.md --- windows/deployment/update/waas-delivery-optimization.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md index b3d6858afe..f14347e816 100644 --- a/windows/deployment/update/waas-delivery-optimization.md +++ b/windows/deployment/update/waas-delivery-optimization.md @@ -90,7 +90,7 @@ For more information, see "Download mode" in [Delivery optimization reference](w ## Set up Delivery Optimization -See [Set up Delivery Optimization](waas-delivery-optimization-setup.md) for suggested values for a number of common scenarios. +See [Set up Delivery Optimization](waas-delivery-optimization-setup.md) for suggested values for many common scenarios. You can use Group Policy or an MDM solution like Intune to configure Delivery Optimization. 
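Review bot: In the Windows Client table added to waas-delivery-optimization.md, the Configuration Manager Express updates row now reads "Win 10 1709 + Configuration Manager version Win 10 1711, Win 11"; the removed row had "1709 + Configuration Manager version 1711", so the second "Win 10" looks like a search-and-replace slip. The same patch changes the Xbox Game Pass minimum from 2004 to 1809 and the Server Core minimum from 1709 to Windows Server 2019, and the commit message has no body explaining either, so confirm both are intended. The three new header rows lack the trailing pipe that the data rows have, and "feature updates quality updates" needs a comma.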
@@ -109,7 +109,7 @@ For complete list of every possible Delivery Optimization setting, see [Delivery ## How Microsoft uses Delivery Optimization At Microsoft, to help ensure that ongoing deployments weren't affecting our network and taking away bandwidth for other services, Microsoft IT used a couple of different bandwidth management strategies. Delivery Optimization, peer-to-peer caching enabled through Group Policy, was piloted and then deployed to all managed devices using Group Policy. Based on recommendations from the Delivery Optimization team, we used the "group" configuration to limit sharing of content to only the devices that are members of the same Active Directory domain. The content is cached for 24 hours. More than 76 percent of content came from peer devices versus the Internet. -For more details, check out the [Adopting Windows as a Service at Microsoft](https://www.microsoft.com/itshowcase/Article/Content/851/Adopting-Windows-as-a-service-at-Microsoft) technical case study. +For more information, check out the [Adopting Windows as a Service at Microsoft](https://www.microsoft.com/itshowcase/Article/Content/851/Adopting-Windows-as-a-service-at-Microsoft) technical case study. From 2b17c7931c7483d6a33d40529ee266c9752a5644 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sat, 18 Dec 2021 09:11:06 +0500 Subject: [PATCH 025/169] Update demonstrate-deployment-on-vm.md --- .../windows-autopilot/demonstrate-deployment-on-vm.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md index 5cbb5a3e71..b25a3ab8b9 100644 --- a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md +++ b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md 
@@ -349,7 +349,7 @@ Follow these steps to run the PowerShell script: With the hardware ID captured in a file, prepare your Virtual Machine for Windows Autopilot deployment by resetting it back to OOBE. On the Virtual Machine, go to **Settings > Update & Security > Recovery** and select **Get started** under **Reset this PC**. -Select **Remove everything** and **Just remove my files**. If you're asked **How would you like to reinstall Windows**, select Local reinstall. Finally, select **Reset**. +Select **Remove everything**, then, on the **How would you like to reinstall Windows**, select Local reinstall. Finally, select **Reset**. ![Reset this PC final prompt.](images/autopilot-reset-prompt.jpg) From fe835d46e4edb9e42d457bba8a80fcc9c995c53d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tim=20Peter=20Edstr=C3=B8m?= <22084975+timpeteren@users.noreply.github.com> Date: Sun, 19 Dec 2021 23:56:07 +0100 Subject: [PATCH 026/169] Replaced old Azure AD Graph-based examples Updated section "Verify the onPremisesDistinguishedName attribute is synchronized" as suggested in user feedback for issue #10216 Replaced Azure AD Graph examples with Microsoft Graph. #ATCP --- .../hello-hybrid-aadj-sso-cert.md | 46 ++++++++++++++++--- 1 file changed, 40 insertions(+), 6 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index cd403a4167..d6ce21bdd3 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md 
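Review bot: In demonstrate-deployment-on-vm.md, the new sentence "Select **Remove everything**, then, on the **How would you like to reinstall Windows**, select Local reinstall." has no noun after the bolded title (page or prompt), and "Local reinstall" is not bolded like the other UI labels in the paragraph. The change also drops the "Just remove my files" step and turns the reinstall question from conditional ("If you're asked") into unconditional, so confirm that this matches the reset flow on the Windows build the lab uses.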
@@ -87,17 +87,51 @@ Sign-in to computer running Azure AD Connect with access equivalent to _local ad ### Verify the onPremisesDistinguishedName attribute is synchronized -The easiest way to verify the onPremisesDistingushedNamne attribute is synchronized is to use Azure AD Graph Explorer. +The easiest way to verify that the onPremisesDistingushedNamne attribute is synchronized is to use the Graph Explorer for Microsoft Graph. -1. Open a web browser and navigate to https://graphexplorer.azurewebsites.net/ +1. Open a web browser and navigate to https://developer.microsoft.com/en-us/graph/graph-explorer -2. Click **Login** and provide Azure credentials +2. Click **Sign in to Graph Explorer** and provide Azure credentials -3. In the Azure AD Graph Explorer URL, type https://graph.windows.net/myorganization/users/[userid], where **[userid]** is the user principal name of user in Azure Active Directory. Click **Go** +> [!NOTE] +> To successfully query the Graph API, adequate [permissions](/graph/api/user-get?view=graph-rest-1.0&tabs=http#permissions) must be granted. -4. In the returned results, review the JSON data for the **onPremisesDistinguishedName** attribute. Ensure the attribute has a value and the value is accurate for the given user. +3. Select **Modify permissions (Preview)**. Scroll down and locate **User.Read.All** (or any other required permission) and click **Consent**. You will now be prompted for delegated permissions consent. - ![Azure AD Connect On-Prem DN Attribute.](images/aadjcert/aadconnectonpremdn.png) +4. In the Graph Explorer URL, type https://graph.microsoft.com/v1.0/users/[userid]?$select=displayName,userPrincipalName,onPremisesDistinguishedName, where **[userid]** is the user principal name of a user in the Azure Active Directory. 
Click **Run query** + +> [!NOTE] +> Because the v1.0 endpoint of the Graph API only provides a limited set of parameters we will use the $select [Optional OData query parameter](/graph/api/user-get?view=graph-rest-1.0&tabs=http#optional-query-parameters). For convenience, it is possible to switch the API version selector from **v1.0** to **beta** before performing the query. This will provide all available user information, but remember, **beta** endpoint queries should not be used in production scenarios. + +#### Request + + +```msgraph-interactive +GET https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}?$select=displayName,userPrincipalName,onPremisesDistinguishedName +``` + +5. In the returned results, review the JSON data for the **onPremisesDistinguishedName** attribute. Ensure the attribute has a value and that the value is accurate for the given user. If the **onPremisesDistinguishedName** attribute is not synchronized the value will be **null**. + +#### Response + +```http +HTTP/1.1 200 OK +Content-type: application/json + +{ + "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users(displayName,userPrincipalName,onPremisesDistinguishedName)/$entity", + "displayName": "Nestor Wilke", + "userPrincipalName": "NestorW@contoso.com", + "onPremisesDistinguishedName" : "CN=Nestor Wilke,OU=Operations,DC=contoso,DC=com" +} +``` ## Prepare the Network Device Enrollment Services (NDES) Service Account From 28b5dbc5b87461f5e74fb36f8f1fba7cc16a0f70 Mon Sep 17 00:00:00 2001 
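Review bot: Step 3 in hello-hybrid-aadj-sso-cert.md tells the reader to consent to "**User.Read.All** (or any other required permission)", which leaves the reader to guess what to grant; name the one permission this query needs and point to the permissions table already linked in the note above it, so readers do not consent to more than the check requires. The rewritten intro line still carries the misspelling "onPremisesDistingushedNamne". The `> [!NOTE]` blocks sit at column 0 between numbered steps, which ends the ordered list at that point; indent them under the step they belong to.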
From: =?UTF-8?q?Tim=20Peter=20Edstr=C3=B8m?= <22084975+timpeteren@users.noreply.github.com> Date: Mon, 20 Dec 2021 15:14:13 +0100 Subject: [PATCH 027/169] Update Graph Explorer URL Was uncertain as to keep or not keep the locale in the URL. I noticed it worked either way, so thanks for clarifying! :-) Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-aadj-sso-cert.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index d6ce21bdd3..30fa08883f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -89,7 +89,7 @@ Sign-in to computer running Azure AD Connect with access equivalent to _local ad The easiest way to verify that the onPremisesDistingushedNamne attribute is synchronized is to use the Graph Explorer for Microsoft Graph. -1. Open a web browser and navigate to https://developer.microsoft.com/en-us/graph/graph-explorer +1. Open a web browser and navigate to [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer). 2. Click **Sign in to Graph Explorer** and provide Azure credentials From ffbe7994c5809665ddb01c5fe7cafd1ca367734b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tim=20Peter=20Edstr=C3=B8m?= <22084975+timpeteren@users.noreply.github.com> Date: Mon, 20 Dec 2021 15:15:05 +0100 Subject: [PATCH 028/169] Select rather than Click ...and a full stop, thanks :-) Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-aadj-sso-cert.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 30fa08883f..70de4da80f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -91,7 +91,7 @@ The easiest way to verify that the onPremisesDistingushedNamne attribute is sync 1. Open a web browser and navigate to [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer). -2. Click **Sign in to Graph Explorer** and provide Azure credentials +2. Select **Sign in to Graph Explorer** and provide Azure credentials. > [!NOTE] > To successfully query the Graph API, adequate [permissions](/graph/api/user-get?view=graph-rest-1.0&tabs=http#permissions) must be granted. From bf9231540fac8dc39bef2ff66a3fd720bbc976d5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tim=20Peter=20Edstr=C3=B8m?= <22084975+timpeteren@users.noreply.github.com> Date: Mon, 20 Dec 2021 15:16:13 +0100 Subject: [PATCH 029/169] Lets get rid of click! Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-aadj-sso-cert.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 70de4da80f..74e6286f69 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md 
@@ -96,7 +96,7 @@ The easiest way to verify that the onPremisesDistingushedNamne attribute is sync > [!NOTE] > To successfully query the Graph API, adequate [permissions](/graph/api/user-get?view=graph-rest-1.0&tabs=http#permissions) must be granted. -3. Select **Modify permissions (Preview)**. Scroll down and locate **User.Read.All** (or any other required permission) and click **Consent**. You will now be prompted for delegated permissions consent. +3. Select **Modify permissions (Preview)**. Scroll down and locate **User.Read.All** (or any other required permission) and select **Consent**. You will now be prompted for delegated permissions consent. 4. In the Graph Explorer URL, type https://graph.microsoft.com/v1.0/users/[userid]?$select=displayName,userPrincipalName,onPremisesDistinguishedName, where **[userid]** is the user principal name of a user in the Azure Active Directory. Click **Run query** From 01dc646ce3e1972a8bfe8d11cc2c58b24cb1e765 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tim=20Peter=20Edstr=C3=B8m?= <22084975+timpeteren@users.noreply.github.com> Date: Mon, 20 Dec 2021 15:17:01 +0100 Subject: [PATCH 030/169] Clean up text Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-aadj-sso-cert.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 74e6286f69..4892c11eb3 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md 
@@ -98,7 +98,7 @@ The easiest way to verify that the onPremisesDistingushedNamne attribute is sync 3. Select **Modify permissions (Preview)**. Scroll down and locate **User.Read.All** (or any other required permission) and select **Consent**. You will now be prompted for delegated permissions consent. -4. In the Graph Explorer URL, type https://graph.microsoft.com/v1.0/users/[userid]?$select=displayName,userPrincipalName,onPremisesDistinguishedName, where **[userid]** is the user principal name of a user in the Azure Active Directory. Click **Run query** +4. In the Graph Explorer URL, enter https://graph.microsoft.com/v1.0/users/[userid]?$select=displayName,userPrincipalName,onPremisesDistinguishedName, where **[userid]** is the user principal name of a user in Azure Active Directory. Select **Run query**. > [!NOTE] > Because the v1.0 endpoint of the Graph API only provides a limited set of parameters we will use the $select [Optional OData query parameter](/graph/api/user-get?view=graph-rest-1.0&tabs=http#optional-query-parameters). For convenience, it is possible to switch the API version selector from **v1.0** to **beta** before performing the query. This will provide all available user information, but remember, **beta** endpoint queries should not be used in production scenarios. From 53f68a50da0331345fc890a615e6404121a943e3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tim=20Peter=20Edstr=C3=B8m?= <22084975+timpeteren@users.noreply.github.com> Date: Mon, 20 Dec 2021 15:17:40 +0100 Subject: [PATCH 031/169] Correct writing. Thanks for reading through and proposing changes! Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-aadj-sso-cert.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
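Review bot: In step 4 as rewritten by PATCH 030/169 above, the Graph query URL is still bare prose text with a comma directly after it, so a renderer may autolink it and a reader copying it can pick up the trailing comma; the bracketed `[userid]` can also be read as link syntax. Since the line is being rewritten anyway, put the whole URL in inline code and keep the explanation of **[userid]** outside it.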
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 4892c11eb3..b7b190c49c 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -101,7 +101,7 @@ The easiest way to verify that the onPremisesDistingushedNamne attribute is sync 4. In the Graph Explorer URL, enter https://graph.microsoft.com/v1.0/users/[userid]?$select=displayName,userPrincipalName,onPremisesDistinguishedName, where **[userid]** is the user principal name of a user in Azure Active Directory. Select **Run query**. > [!NOTE] -> Because the v1.0 endpoint of the Graph API only provides a limited set of parameters we will use the $select [Optional OData query parameter](/graph/api/user-get?view=graph-rest-1.0&tabs=http#optional-query-parameters). For convenience, it is possible to switch the API version selector from **v1.0** to **beta** before performing the query. This will provide all available user information, but remember, **beta** endpoint queries should not be used in production scenarios. +> Because the v1.0 endpoint of the Graph API only provides a limited set of parameters, we will use the $select [Optional OData query parameter](/graph/api/user-get?view=graph-rest-1.0&tabs=http#optional-query-parameters). For convenience, it is possible to switch the API version selector from **v1.0** to **beta** before performing the query. This will provide all available user information, but remember, **beta** endpoint queries should not be used in production scenarios. #### Request From b824aa70baba2ef414a9804c57576808d49dfc1f Mon Sep 17 00:00:00 2001 
From: Carmen Forsmann Date: Mon, 20 Dec 2021 14:08:39 -0700 Subject: [PATCH 032/169] Update waas-delivery-optimization-reference.md Added formatting for defaults. --- .../waas-delivery-optimization-reference.md | 62 ++++++++++--------- 1 file changed, 32 insertions(+), 30 deletions(-) diff --git a/windows/deployment/update/waas-delivery-optimization-reference.md b/windows/deployment/update/waas-delivery-optimization-reference.md index 2aea9ec10f..fac7435814 100644 --- a/windows/deployment/update/waas-delivery-optimization-reference.md +++ b/windows/deployment/update/waas-delivery-optimization-reference.md 
@@ -111,11 +111,11 @@ Download mode dictates which download sources clients are allowed to use when do | Download mode option | Functionality when set | | --- | --- | | HTTP Only (0) | This setting disables peer-to-peer caching but still allows Delivery Optimization to download content over HTTP from the download's original source. This mode uses additional metadata provided by the Delivery Optimization cloud services for a peerless reliable and efficient download experience. | -| LAN (1 – Default) | This default operating mode for Delivery Optimization enables peer sharing on the same network. The Delivery Optimization cloud service finds other clients that connect to the Internet using the same public IP as the target client. These clients then try to connect to other peers on the same network by using their private subnet IP.| +| LAN (**1 – Default**) | This default operating mode for Delivery Optimization enables peer sharing on the same network. The Delivery Optimization cloud service finds other clients that connect to the Internet using the same public IP as the target client. These clients then try to connect to other peers on the same network by using their private subnet IP.| | Group (2) | When group mode is set, the group is automatically selected based on the device's Active Directory Domain Services (AD DS) site (Windows 10, version 1607) or the domain the device is authenticated to (Windows 10, version 1511). In group mode, peering occurs across internal subnets, between devices that belong to the same group, including devices in remote offices. You can use GroupID option to create your own custom group independently of domains and AD DS sites. Starting with Windows 10, version 1803, you can use the GroupIDSource parameter to take advantage of other method to create groups dynamically. Group download mode is the recommended option for most organizations looking to achieve the best bandwidth optimization with Delivery Optimization. 
| | Internet (3) | Enable Internet peer sources for Delivery Optimization. | | Simple (99) | Simple mode disables the use of Delivery Optimization cloud services completely (for offline environments). Delivery Optimization switches to this mode automatically when the Delivery Optimization cloud services are unavailable, unreachable or when the content file size is less than 10 MB. In this mode, Delivery Optimization provides a reliable download experience, with no peer-to-peer caching. | -|Bypass (100) | Bypass Delivery Optimization and use BITS, instead. You should only select this mode if you use WSUS and prefer to use BranchCache. You do not need to set this option if you are using Configuration Manager. If you want to disable peer-to-peer functionality, it's best to set **DownloadMode** to **0** or **99**. | +|Bypass (100) | Bypass Delivery Optimization and use BITS, instead. You should only select this mode if you use WSUS and prefer to use BranchCache. You do not need to set this option if you are using Configuration Manager. If you want to disable peer-to-peer functionality, it's best to set **DownloadMode** to **(0)** or **(99)**. | > [!NOTE] > Starting with Windows 10, version 2006 (and in Windows 11), the Bypass option of Download Mode is no longer used. 
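Review bot: In the Bypass (100) row, **(0)** and **(99)** put the parentheses inside the bold, which reads as if the parentheses were part of the DownloadMode value; the value to set is the bare number. Keep **0** or **99**, or name the modes the way the first column does: HTTP Only (0) or Simple (99). In the LAN row the bold now covers only "1 – Default" inside the parentheses, so the default row is styled differently from every other mode label; bold the whole label or leave it plain so the column stays consistent.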
@@ -125,7 +125,7 @@ Download mode dictates which download sources clients are allowed to use when do ### Group ID -By default, peer sharing on clients using the group download mode is limited to the same domain in Windows 10, version 1511, and the same domain and Active Directory Domain Services site in Windows 10, version 1607. By using the Group ID setting, you can optionally create a custom group that contains devices that should participate in Delivery Optimization but do not fall within those domain or Active Directory Domain Services site boundaries, including devices in another domain. Using Group ID, you can further restrict the default group (for example, you could create a subgroup representing an office building), or extend the group beyond the domain, allowing devices in multiple domains in your organization to be peers. This setting requires the custom group to be specified as a GUID on each device that participates in the custom group. +By default, peer sharing on clients using the Group download mode (option 2) is limited to the same domain in Windows 10, version 1511, and the same domain and Active Directory Domain Services site in Windows 10, version 1607. By using the Group ID setting, you can optionally create a custom group that contains devices that should participate in Delivery Optimization but do not fall within those domain or Active Directory Domain Services site boundaries, including devices in another domain. Using Group ID, you can further restrict the default group (for example, you could create a subgroup representing an office building), or extend the group beyond the domain, allowing devices in multiple domains in your organization to be peers. This setting requires the custom group to be specified as a GUID on each device that participates in the custom group. [//]: # (Configuration Manager boundary group option; GroupID Source policy) 
@@ -135,7 +135,7 @@ By default, peer sharing on clients using the group download mode is limited to >This configuration is optional and not required for most implementations of Delivery Optimization. ### Select the source of Group IDs -Starting in Windows 10, version 1803, set this policy to restrict peer selection to a specific source. The options are: +Starting in Windows 10, version 1803, set this policy to restrict peer selection to a specific source, when using a GroupID policy. The options are: - 0 = not set - 1 = AD Site - 2 = Authenticated domain SID @@ -148,11 +148,11 @@ When set, the Group ID is assigned automatically from the selected source. If yo ### Minimum RAM (inclusive) allowed to use Peer Caching -This setting specifies the minimum RAM size in GB required to use Peer Caching. For example if the minimum set is 1 GB, then devices with 1 GB or higher available RAM will be allowed to use Peer caching. The recommended values are 1 to 4, and the default value is 4 GB. +This setting specifies the minimum RAM size in GB required to use Peer Caching. For example if the minimum set is 1 GB, then devices with 1 GB or higher available RAM will be allowed to use Peer caching. The recommended values are 1 to 4, and **the default value is 4 GB**. ### Minimum disk size allowed to use Peer Caching -This setting specifies the required minimum disk size (capacity in GB) for the device to use Peer Caching. The recommended values are 64 to 256, and the default value is 32 GB. +This setting specifies the required minimum disk size (capacity in GB) for the device to use Peer Caching. The recommended values are 64 to 256, and **the default value is 32 GB**. >[!NOTE] >If the [Modify Cache Drive](#modify-cache-drive) policy is set, the disk size check will apply to the new working directory specified by this policy. 
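Review bot: In the Minimum disk size paragraph, bolding the default draws attention to an inconsistency already in the sentence: it gives recommended values of 64 to 256 and a default of 32 GB, which is below that range. Confirm which figure is correct before emphasising it, or state explicitly that the default is lower than the recommended range. In the Minimum RAM paragraph of the same hunk, "For example if the minimum set is 1 GB" needs a comma after "For example" while the line is being edited.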
@@ -160,62 +160,62 @@ This setting specifies the required minimum disk size (capacity in GB) for the d ### Max Cache Age -In environments configured for Delivery Optimization, you might want to set an expiration on cached updates and Windows application installation files. If so, this setting defines the maximum number of seconds each file can be held in the Delivery Optimization cache on each Windows 10 client device. The default Max Cache Age value is 259,200 seconds (three days). Alternatively, organizations might choose to set this value to "0" which means "unlimited" to avoid peers re-downloading content. When "Unlimited" value is set, Delivery Optimization will hold the files in the cache longer and will clean up the cache as needed (for example when the cache size exceeded the maximum space allowed). +In environments configured for Delivery Optimization, you might want to set an expiration on cached updates and Windows application installation files. If so, this setting defines the maximum number of seconds each file can be held in the Delivery Optimization cache on each Windows 10 client device. Alternatively, organizations might choose to set this value to "0" which means "unlimited" to avoid peers re-downloading content. When "Unlimited" value is set, Delivery Optimization will hold the files in the cache longer and will clean up the cache as needed (for example when the cache size exceeded the maximum space allowed). **The default value is 259,200 seconds (three days)**. ### Max Cache Size -This setting limits the maximum amount of space the Delivery Optimization cache can use as a percentage of the available drive space, from 1 to 100. For example, if you set this value to 10 on a Windows client device that has 100 GB of available drive space, then Delivery Optimization will use up to 10 GB of that space. 
Delivery Optimization will constantly assess the available drive space and automatically clear the cache to keep the maximum cache size under the set percentage. The default value for this setting is 20. +This setting limits the maximum amount of space the Delivery Optimization cache can use as a percentage of the available drive space, from 1 to 100. For example, if you set this value to 10 on a Windows client device that has 100 GB of available drive space, then Delivery Optimization will use up to 10 GB of that space. Delivery Optimization will constantly assess the available drive space and automatically clear the cache to keep the maximum cache size under the set percentage. **The default value is 20**. ### Absolute Max Cache Size -This setting specifies the maximum number of gigabytes the Delivery Optimization cache can use. This is different from the [**Max Cache Size**](#max-cache-size) setting, which is a percentage of available disk space. Also, if you configure this policy, it will override the [**Max Cache Size**](#max-cache-size) setting. The default value for this setting is 10 GB. +This setting specifies the maximum number of gigabytes the Delivery Optimization cache can use. This is different from the [**Max Cache Size**](#max-cache-size) setting, which is a percentage of available disk space. Also, if you configure this policy, it will override the [**Max Cache Size**](#max-cache-size) setting. **The default value is 10 GB**. ### Minimum Peer Caching Content File Size -This setting specifies the minimum content file size in MB enabled to use Peer Caching. The recommended values are from 1 to 100000. +This setting specifies the minimum content file size in MB enabled to use Peer Caching. The recommended values are from 1 to 100000. **The default file size is 50MB** to participate in peering. 
### Maximum Download Bandwidth -This setting specifies the maximum download bandwidth that can be used across all concurrent Delivery Optimization downloads in kilobytes per second (KB/s). A default value of "0" means that Delivery Optimization will dynamically adjust and optimize the maximum bandwidth used. +This setting specifies the maximum download bandwidth that can be used across all concurrent Delivery Optimization downloads in kilobytes per second (KB/s). **A default value of "0"** means that Delivery Optimization will dynamically adjust and optimize the maximum bandwidth used. ### Maximum Foreground Download Bandwidth -Starting in Windows 10, version 1803, specifies the maximum foreground download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. The default value of "0" means that Delivery Optimization dynamically adjusts to use the available bandwidth for foreground downloads. However, downloads from LAN peers are not throttled even when this policy is set. +Starting in Windows 10, version 1803, specifies the maximum foreground download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. **The default value of "0"** means that Delivery Optimization dynamically adjusts to use the available bandwidth for foreground downloads. However, downloads from LAN peers are not throttled even when this policy is set. ### Maximum Background Download Bandwidth -Starting in Windows 10, version 1803, specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. The default value of "0" means that Delivery Optimization dynamically adjusts to use the available bandwidth for foreground downloads. However, downloads from LAN peers are not throttled even when this policy is set. 
+Starting in Windows 10, version 1803, specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. **The default value of "0"** means that Delivery Optimization dynamically adjusts to use the available bandwidth for foreground downloads. However, downloads from LAN peers are not throttled even when this policy is set. ### Percentage of Maximum Download Bandwidth -This setting specifies the maximum download bandwidth that Delivery Optimization can use across all concurrent download activities as a percentage of available download bandwidth. The default value 0 means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads. +This setting specifies the maximum download bandwidth that Delivery Optimization can use across all concurrent download activities as a percentage of available download bandwidth. **The default value of "0"** means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads. ### Max Upload Bandwidth -This setting allows you to limit the number of upload bandwidth individual clients can use for Delivery Optimization. Consider this setting when clients are providing content to requesting peers on the network. This option is set in kilobytes per second (KB/s). The default setting is "0", or "unlimited" which means Delivery Optimization dynamically optimizes for minimal usage of upload bandwidth; however it does not cap the upload bandwidth rate at a set rate. +This setting allows you to limit the number of upload bandwidth individual clients can use for Delivery Optimization. Consider this setting when clients are providing content to requesting peers on the network. This option is set in kilobytes per second (KB/s). 
**The default value is "0", or "unlimited"** which means Delivery Optimization dynamically optimizes for minimal usage of upload bandwidth; however it does not cap the upload bandwidth rate at a set rate. ### Set Business Hours to Limit Background Download Bandwidth -Starting in Windows 10, version 1803, specifies the maximum background download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. +Starting in Windows 10, version 1803, specifies the maximum background download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. **By default, this policy is not set.** ### Set Business Hours to Limit Foreground Download Bandwidth -Starting in Windows 10, version 1803, specifies the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. +Starting in Windows 10, version 1803, specifies the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. **By default, this policy is not set.** ### Select a method to restrict peer selection -Starting in Windows 10, version 1803, set this policy to restrict peer selection via selected option. Currently the available options include: 0 = NAT, 1 = Subnet mask, and 2 = Local Peer Discovery. The subnet mask option applies to both Download Modes LAN (1) and Group (2). +Starting in Windows 10, version 1803, set this policy to restrict peer selection via selected option. In Windows 11 the 'Local Peer Discovery' option was introduced to restrict peer discovery to the local network. 
Currently the available options include: 0 = NAT, 1 = Subnet mask, and 2 = Local Peer Discovery. These options apply to both Download Modes LAN (1) and Group (2) and therefore means there is no peering between subnets. **The default value in Windows 11 is set to "Local Peer Discovery"**. If Group mode is set, Delivery Optimization will connect to locally discovered peers that are also part of the same Group (have the same Group ID). ### Delay background download from http (in secs) -Starting in Windows 10, version 1803, this allows you to delay the use of an HTTP source in a background download that is allowed to use peer-to-peer. +Starting in Windows 10, version 1803, this allows you to delay the use of an HTTP source in a background download that is allowed to use peer-to-peer. **By default, this policy is not set.** ### Delay foreground download from http (in secs) -Starting in Windows 10, version 1803, allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use peer-to-peer. +Starting in Windows 10, version 1803, allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use peer-to-peer. **By default, this policy is not set.** ### Delay Foreground Download Cache Server Fallback (in secs) -Starting in Windows 10, version 1903, allows you to delay the fallback from cache server to the HTTP source for foreground content download by X seconds. If you set the policy to delay foreground download from http, it will apply first (to allow downloads from peers first). +Starting in Windows 10, version 1903, allows you to delay the fallback from cache server to the HTTP source for foreground content download by X seconds. If you set the policy to delay foreground download from http, it will apply first (to allow downloads from peers first). 
**By default, this policy is not set.** ### Delay Background Download Cache Server Fallback (in secs) -Starting in Windows 10, version 1903, set this policy to delay the fallback from cache server to the HTTP source for a background content download by X seconds. If you set the policy to delay background download from http, it will apply first (to allow downloads from peers first). +Starting in Windows 10, version 1903, set this policy to delay the fallback from cache server to the HTTP source for a background content download by X seconds. If you set the policy to delay background download from http, it will apply first (to allow downloads from peers first). **By default, this policy is not set.** ### Minimum Background QoS 
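Review bot: Under Maximum Background Download Bandwidth, the rewritten line still ends "to use the available bandwidth for foreground downloads", carried over from the Foreground section; it should say background downloads. Under Select a method to restrict peer selection, replacing "The subnet mask option applies to both Download Modes" with "These options apply to both Download Modes LAN (1) and Group (2) and therefore means there is no peering between subnets" extends the claim to 0 = NAT and 2 = Local Peer Discovery as well and breaks subject-verb agreement. State the peering scope per option, and give the Windows 10 default next to the Windows 11 one, since this paragraph is what an administrator reads to learn which devices can exchange content.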
@@ -223,15 +223,15 @@ This value specifies the minimum download speed guarantee that a client attempts ### Modify Cache Drive -This setting allows for an alternate Delivery Optimization cache location on the clients. By default, the cache is stored on the operating system drive through the %SYSTEMDRIVE% environment variable. You can set the value to an environment variable (for example, %SYSTEMDRIVE%), a drive letter (for example, D:), or a folder path (for example, D:\DOCache). +This setting allows for an alternate Delivery Optimization cache location on the clients. **By default, the cache is stored on the operating system drive through the %SYSTEMDRIVE% environment variable.** You can set the value to an environment variable (for example, %SYSTEMDRIVE%), a drive letter (for example, D:), or a folder path (for example, D:\DOCache). ### Monthly Upload Data Cap -This setting specifies the total amount of data in gigabytes that a Delivery Optimization client can upload to Internet peers per month. A value of "0" means that an unlimited amount of data can be uploaded. The default value for this setting is 20 GB. +This setting specifies the total amount of data in gigabytes that a Delivery Optimization client can upload to Internet peers per month. A value of "0" means that an unlimited amount of data can be uploaded. **The default value for this setting is 20 GB.** ### Enable Peer Caching while the device connects via VPN -This setting determines whether a device will be allowed to participate in Peer Caching while connected to VPN. Specify "true" to allow the device to participate in Peer Caching while connected via VPN to the domain network. The device can download from or upload to other domain network devices, either on VPN or on the corporate domain network. +This setting determines whether a device will be allowed to participate in Peer Caching while connected to VPN. 
**By default, if a VPN connection is detected, peering is not allowed.** Specify "true" to allow the device to participate in Peer Caching while connected via VPN to the domain network. The device can download from or upload to other domain network devices, either on VPN or on the corporate domain network. ### Allow uploads while the device is on battery while under set Battery level @@ -239,12 +239,14 @@ This setting specifies battery levels at which a device will be allowed to uploa The device can download from peers while on battery regardless of this policy. >[!IMPORTANT] -> By default, devices **will not upload while on battery**. To enable uploads while on battery, you need to enable this policy and set the battery value under which uploads pause. +> **By default, devices will not upload while on battery**. To enable uploads while on battery, you need to enable this policy and set the battery value under which uploads pause. ### Cache Server Hostname -Set this policy to designate one or more Microsoft Connected Cache servers to be used by Delivery Optimization. You can set one or more FQDNs or IP Addresses that are comma separated, for example: myhost.somerandomhost.com,myhost2.somrandomhost.com,10.10.1.7. +Set this policy to designate one or more Microsoft Connected Cache servers to be used by Delivery Optimization. You can set one or more FQDNs or IP Addresses that are comma separated, for example: myhost.somerandomhost.com,myhost2.somrandomhost.com,10.10.1.7. **By default, this policy is empty.** +>[!IMPORTANT] +> Any value will signify that the policy is set. For example, an empty string ("") is not considered empty. ### Cache Server Hostname Source 
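Review bot: In the Cache Server Hostname section, "By default, this policy is empty" is followed directly by a note saying that an empty string ("") is not considered empty, so "empty" is used in two senses within three lines. Write "By default, this policy is not configured" and have the note say what the client does when the policy is set to an empty string, because this value decides which server clients fetch content from.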
@@ -252,7 +254,7 @@ This policy allows you to specify how your client(s) can discover Delivery Optim - 1 = DHCP Option 235. - 2 = DHCP Option 235 Force. -With either option, the client will query DHCP Option ID 235 and use the returned value as the Cache Server Hostname. Option 2 overrides the Cache Server Hostname policy, if set. +With either option, the client will query DHCP Option ID 235 and use the returned value as the Cache Server Hostname. Option 2 overrides the Cache Server Hostname policy, if set. **By default, this policy has no value.** Set this policy to designate one or more Delivery Optimization in Network Cache servers through a custom DHCP Option. Specify the custom DHCP option on your server as *text* type. You can add one or more values as either fully qualified domain names (FQDN) or IP addresses. To add multiple values, separate each FQDN or IP address with commas. @@ -263,11 +265,11 @@ Set this policy to designate one or more Delivery Optimization in Network Cache Specifies the maximum foreground download bandwidth in kilobytes/second that the device can use across all concurrent download activities using Delivery Optimization. -The default value of 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads. +**The default value of "0" means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads.** ### Maximum Background Download Bandwidth (in KB/s) Specifies the maximum background download bandwidth in kilobytes/second that the device can use across all concurrent download activities using Delivery Optimization. -The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads. \ No newline at end of file +**The default value "0" means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads.** From c09f3eb3429323f6b7a19a112ba25cd08d882616 Mon Sep 17 00:00:00 2001 
From: Carmen Forsmann Date: Mon, 20 Dec 2021 14:14:45 -0700 Subject: [PATCH 033/169] Update waas-delivery-optimization-reference.md --- .../deployment/update/waas-delivery-optimization-reference.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/waas-delivery-optimization-reference.md b/windows/deployment/update/waas-delivery-optimization-reference.md index fac7435814..0e734ae920 100644 --- a/windows/deployment/update/waas-delivery-optimization-reference.md +++ b/windows/deployment/update/waas-delivery-optimization-reference.md @@ -219,7 +219,7 @@ Starting in Windows 10, version 1903, set this policy to delay the fallback from ### Minimum Background QoS -This value specifies the minimum download speed guarantee that a client attempts to achieve and will fulfill by downloading more kilobytes from Windows Update servers or WSUS. The lower this value is, the more content will be sourced using peers on the network rather than Windows Update. The higher this value, the more content is received from Windows Update servers or WSUS, versus peers on the local network. +This value specifies the minimum download speed guarantee that a client attempts to achieve and will fulfill by downloading more kilobytes from Windows Update servers or WSUS. The lower this value is, the more content will be sourced using peers on the network rather than Windows Update. The higher this value, the more content is received from Windows Update servers or WSUS, versus peers on the local network. **The default value is 500KB/s** ### Modify Cache Drive From 4a62ff62f7b23fb0209a4051cf12c72fe00579b9 Mon Sep 17 00:00:00 2001 From: Carmen Forsmann Date: Mon, 20 Dec 2021 14:26:28 -0700 Subject: [PATCH 034/169] Update waas-delivery-optimization-reference.md --- .../deployment/update/waas-delivery-optimization-reference.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
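Review bot: The sentence added to the Minimum Background QoS paragraph in PATCH 033/169, "**The default value is 500KB/s**", has no closing period and no space between the number and the unit, while the other defaults bolded in this series are written "4 GB", "32 GB" and "10 GB". Write it as "**The default value is 500 KB/s**." and apply the same spacing to "50MB" in the Minimum Peer Caching Content File Size paragraph.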
diff --git a/windows/deployment/update/waas-delivery-optimization-reference.md b/windows/deployment/update/waas-delivery-optimization-reference.md index 0e734ae920..23451245e0 100644 --- a/windows/deployment/update/waas-delivery-optimization-reference.md +++ b/windows/deployment/update/waas-delivery-optimization-reference.md @@ -243,7 +243,7 @@ The device can download from peers while on battery regardless of this policy. ### Cache Server Hostname -Set this policy to designate one or more Microsoft Connected Cache servers to be used by Delivery Optimization. You can set one or more FQDNs or IP Addresses that are comma separated, for example: myhost.somerandomhost.com,myhost2.somrandomhost.com,10.10.1.7. **By default, this policy is empty.** +Set this policy to designate one or more Microsoft Connected Cache servers to be used by Delivery Optimization. You can set one or more FQDNs or IP Addresses that are comma-separated, for example: myhost.somerandomhost.com,myhost2.somrandomhost.com,10.10.1.7. **By default, this policy is empty.** >[!IMPORTANT] > Any value will signify that the policy is set. For example, an empty string ("") is not considered empty. 
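Review bot: The example list on the changed Cache Server Hostname line still mixes two spellings of the sample host, myhost.somerandomhost.com and myhost2.somrandomhost.com. If the second is a typo, fix it in this commit since the line is already being touched. Putting the sample value in inline code would also make clear that the commas belong to the policy value and the sentence's final period does not.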
@@ -256,7 +256,7 @@ This policy allows you to specify how your client(s) can discover Delivery Optim With either option, the client will query DHCP Option ID 235 and use the returned value as the Cache Server Hostname. Option 2 overrides the Cache Server Hostname policy, if set. **By default, this policy has no value.** -Set this policy to designate one or more Delivery Optimization in Network Cache servers through a custom DHCP Option. Specify the custom DHCP option on your server as *text* type. You can add one or more values as either fully qualified domain names (FQDN) or IP addresses. To add multiple values, separate each FQDN or IP address with commas. +Set this policy to designate Delivery Optimization in Network Cache servers through a custom DHCP Option. Specify the custom DHCP option on your server as *text* type. You can add one or more values as either fully qualified domain names (FQDN) or IP addresses. To add multiple values, separate each FQDN or IP address with commas. > [!NOTE] > If you format the DHCP Option ID incorrectly, the client will fall back to the Cache Server Hostname policy value if that value has been set. From 18903b1777024223675c6bd9d025ba84252457c2 Mon Sep 17 00:00:00 2001 From: Carmen Forsmann Date: Mon, 20 Dec 2021 20:13:45 -0700 Subject: [PATCH 035/169] Update waas-delivery-optimization-reference.md --- .../deployment/update/waas-delivery-optimization-reference.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/waas-delivery-optimization-reference.md b/windows/deployment/update/waas-delivery-optimization-reference.md index 23451245e0..99f8072ef2 100644 --- a/windows/deployment/update/waas-delivery-optimization-reference.md +++ b/windows/deployment/update/waas-delivery-optimization-reference.md 
@@ -22,7 +22,7 @@ ms.custom: seo-marvel-apr2020 - Windows 10 - Windows 11 -> **Looking for more Group Policy settings?** See the master spreadsheet available at the [Download Center](https://www.microsoft.com/download/details.aspx?id=102158). +> **Looking for more Group Policy settings?** See the master spreadsheet available at the [Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=103506). There are a great many details you can set in Delivery Optimization to customize it to do just what you need it to. This topic summarizes them for your reference. If you just need an overview of Delivery Optimization, see [Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md). If you need information about setting up Delivery Optimization, including tips for the best settings in different scenarios, see [Set up Delivery Optimization for Windows 10 updates](waas-delivery-optimization-setup.md). From f1739b2abd7c07dd41a9e7ba64e5a7a0f31046d3 Mon Sep 17 00:00:00 2001 From: Carmen Forsmann Date: Mon, 20 Dec 2021 20:16:19 -0700 Subject: [PATCH 036/169] Update waas-delivery-optimization-reference.md --- .../deployment/update/waas-delivery-optimization-reference.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/waas-delivery-optimization-reference.md b/windows/deployment/update/waas-delivery-optimization-reference.md index 99f8072ef2..077af5fc54 100644 --- a/windows/deployment/update/waas-delivery-optimization-reference.md +++ b/windows/deployment/update/waas-delivery-optimization-reference.md 
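Review bot: The replacement Download Center link in PATCH 035 (@@ -22 hunk) adds a locale segment, `/en-us/download/details.aspx?id=103506`, where the link it replaces had none. Drop `/en-us/` so the site can select the reader's locale; PATCH 044 later in this series makes exactly that correction to the Office LTSC 2021 VL pack link.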
@@ -24,7 +24,7 @@ ms.custom: seo-marvel-apr2020 > **Looking for more Group Policy settings?** See the master spreadsheet available at the [Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=103506). -There are a great many details you can set in Delivery Optimization to customize it to do just what you need it to. This topic summarizes them for your reference. If you just need an overview of Delivery Optimization, see [Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md). If you need information about setting up Delivery Optimization, including tips for the best settings in different scenarios, see [Set up Delivery Optimization for Windows 10 updates](waas-delivery-optimization-setup.md). +There are a great many details you can set in Delivery Optimization to customize it to do just what you need it to. This topic summarizes them for your reference. If you just need an overview of Delivery Optimization, see [Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md). If you need information about setting up Delivery Optimization, including tips for the best settings in different scenarios, see [Set up Delivery Optimization for Windows client updates](waas-delivery-optimization-setup.md). ## Delivery Optimization options From ca3b605dfb70be14d1f5f75daa161ed3a5a5957c Mon Sep 17 00:00:00 2001 From: Carmen Forsmann Date: Mon, 20 Dec 2021 20:19:06 -0700 Subject: [PATCH 037/169] Update waas-delivery-optimization-reference.md --- .../deployment/update/waas-delivery-optimization-reference.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/waas-delivery-optimization-reference.md b/windows/deployment/update/waas-delivery-optimization-reference.md index 077af5fc54..f64a3f21b0 100644 --- a/windows/deployment/update/waas-delivery-optimization-reference.md +++ b/windows/deployment/update/waas-delivery-optimization-reference.md 
@@ -24,7 +24,7 @@ ms.custom: seo-marvel-apr2020 > **Looking for more Group Policy settings?** See the master spreadsheet available at the [Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=103506). -There are a great many details you can set in Delivery Optimization to customize it to do just what you need it to. This topic summarizes them for your reference. If you just need an overview of Delivery Optimization, see [Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md). If you need information about setting up Delivery Optimization, including tips for the best settings in different scenarios, see [Set up Delivery Optimization for Windows client updates](waas-delivery-optimization-setup.md). +There are a great many details you can set in Delivery Optimization to customize it to do just what you need it to. This topic summarizes them for your reference. If you just need an overview of Delivery Optimization, see [Delivery Optimization for Windows client updates](waas-delivery-optimization.md). If you need information about setting up Delivery Optimization, including tips for the best settings in different scenarios, see [Set up Delivery Optimization for Windows client updates](waas-delivery-optimization-setup.md). ## Delivery Optimization options From 9769ac251301fc0bed6f227a858b2b5301f84efa Mon Sep 17 00:00:00 2001 From: Doug Eby Date: Mon, 20 Dec 2021 21:58:07 -0800 Subject: [PATCH 038/169] Updated table to separate platforms --- windows/deployment/update/waas-delivery-optimization.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md index f14347e816..729348bf6b 100644 --- a/windows/deployment/update/waas-delivery-optimization.md +++ b/windows/deployment/update/waas-delivery-optimization.md 
@@ -54,6 +54,8 @@ The following table lists the minimum Windows 10 version that supports Delivery ### Types of download content supported by Delivery Optimization +#### Windows Client + | Windows Client | Minimum Windows version | HTTP Downloader | Peer to Peer | Microsoft Connected Cache (MCC) |------------------|---------------|----------------|----------|----------------| | Windows Update (feature updates quality updates, language packs, drivers) | Win 10 1511, Win 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | @@ -70,11 +72,15 @@ The following table lists the minimum Windows 10 version that supports Delivery | Windows Package Manager| Win 10 1809, Win 11 | :heavy_check_mark: | | | | MSIX | Win 10 2004, Win 11 | :heavy_check_mark: | | | +#### Windows Server + | Windows Server | Minimum Windows version | HTTP Downloader | Peer to Peer | Microsoft Connected Cache (MCC) |----------------|--------------------------|----------------|----------|----------------| | Windows Update | Windows Server 2019 (1809) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Edge Browser Updates | Windows Server 2019 (1809) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | +#### Linux (Public Preview) + | Linux ([Public Preview](https://github.com/microsoft/do-client)) | Linux versions | HTTP Downloader | Peer to Peer | Microsoft Connected Cache (MCC) |------------------------|----------------|-----------------|--------------|---------------| | Device Update for IoT Hub | Ubuntu 18.04, 20.04 / Debian 9, 10 | :heavy_check_mark: | | :heavy_check_mark: | From 378a99d6a42a64317ecda368b8745ed89e9fdc52 Mon Sep 17 00:00:00 2001 From: Carmen Forsmann Date: Tue, 21 Dec 2021 11:19:53 -0700 Subject: [PATCH 039/169] Update waas-delivery-optimization-reference.md --- .../deployment/update/waas-delivery-optimization-reference.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
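Review bot: With the `#### Windows Client`, `#### Windows Server` and `#### Linux (Public Preview)` headings added in PATCH 038, the first column header of each table now repeats the heading directly above it. Rename that column to what it actually lists (the type of download content), and while these tables are open, close the header and separator rows with a trailing `|` as the body rows do. The Windows Update row in the context also reads "feature updates quality updates" with a comma missing.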
diff --git a/windows/deployment/update/waas-delivery-optimization-reference.md b/windows/deployment/update/waas-delivery-optimization-reference.md index f64a3f21b0..df97bd1017 100644 --- a/windows/deployment/update/waas-delivery-optimization-reference.md +++ b/windows/deployment/update/waas-delivery-optimization-reference.md @@ -206,10 +206,10 @@ Starting in Windows 10, version 1803, set this policy to restrict peer selection If Group mode is set, Delivery Optimization will connect to locally discovered peers that are also part of the same Group (have the same Group ID). ### Delay background download from http (in secs) -Starting in Windows 10, version 1803, this allows you to delay the use of an HTTP source in a background download that is allowed to use peer-to-peer. **By default, this policy is not set.** +Starting in Windows 10, version 1803, this allows you to delay the use of an HTTP source in a background download that is allowed to use peer-to-peer. The maximum value is 4294967295 seconds. **By default, this policy is not set.** ### Delay foreground download from http (in secs) -Starting in Windows 10, version 1803, allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use peer-to-peer. **By default, this policy is not set.** +Starting in Windows 10, version 1803, allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use peer-to-peer. The maximum value is 4294967295 seconds. **By default, this policy is not set.** ### Delay Foreground Download Cache Server Fallback (in secs) Starting in Windows 10, version 1903, allows you to delay the fallback from cache server to the HTTP source for foreground content download by X seconds. If you set the policy to delay foreground download from http, it will apply first (to allow downloads from peers first). **By default, this policy is not set.** From 1426334e4c0543e1dd5a24be8f668ea9254d0b18 Mon Sep 17 00:00:00 2001 
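Review bot: PATCH 039 adds "The maximum value is 4294967295 seconds." to the two delay-from-http policies but not to Delay Foreground Download Cache Server Fallback (in secs), which is visible as context at the end of the hunk and takes the same kind of value. Document the limit for every delay policy in this group, or say why it differs. It would also help to state what a value near the maximum means in practice: 4294967295 seconds is roughly 136 years, so it effectively postpones use of the HTTP source indefinitely, and the text should say whether that is an intended configuration.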
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Thu, 23 Dec 2021 11:05:31 +0500 Subject: [PATCH 040/169] Update windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../windows-autopilot/demonstrate-deployment-on-vm.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md index b25a3ab8b9..019e02cf8e 100644 --- a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md +++ b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md @@ -349,7 +349,7 @@ Follow these steps to run the PowerShell script: With the hardware ID captured in a file, prepare your Virtual Machine for Windows Autopilot deployment by resetting it back to OOBE. On the Virtual Machine, go to **Settings > Update & Security > Recovery** and select **Get started** under **Reset this PC**. -Select **Remove everything**, then, on the **How would you like to reinstall Windows**, select Local reinstall. Finally, select **Reset**. +Select **Remove everything**, then, on **How would you like to reinstall Windows**, select **Local reinstall**. Finally, select **Reset**. ![Reset this PC final prompt.](images/autopilot-reset-prompt.jpg) From 03b7c032003c780a41288111e9977ed09765bf2b Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Thu, 30 Dec 2021 16:23:58 +0500 Subject: [PATCH 041/169] Update activate-using-active-directory-based-activation-client.md --- ...ctive-directory-based-activation-client.md | 23 ++++++++----------- 1 file changed, 9 insertions(+), 14 deletions(-) 
diff --git a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md index 169a4416a4..743b11044a 100644 --- a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md +++ b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md @@ -20,18 +20,11 @@ ms.collection: highpri # Activate using Active Directory-based activation -> Applies to -> ->- Windows 10 ->- Windows 8.1 ->- Windows 8 ->- Windows Server 2012 R2 ->- Windows Server 2012 ->- Windows Server 2016 ->- Windows Server 2019 ->- Office 2013* ->- Office 2016* ->- Office 2019* +**Applies to** +- Windows 8.1 or later +- Windows Server 2012 or later +- Microsoft Office 2013 or later + **Looking for retail activation?** @@ -109,7 +102,7 @@ When a reactivation event occurs, the client queries AD DS for the activation o **Figure 15**. Choosing how to activate your product > [!NOTE] - > To activate a KMS Host Key (CSVLK) for Microsoft Office, you need to install the version-specific Office Volume License Pack on the server where the Volume Activation Server Role is installed. + > To activate a KMS Host Key (CSVLK) for Microsoft Office, you need to install the version-specific Office Volume License Pack on the server where the Volume Activation Server Role is installed. For more details see [Activate volume licensed versions of Office by using Active Directory](/deployoffice/vlactivation/activate-office-by-using-active-directory) > > > - [Office 2013 VL pack](https://www.microsoft.com/download/details.aspx?id=35584) 
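Review bot: The condensed Applies to list in PATCH 041 (@@ -20 hunk) changes the stated scope, not just the layout: the removed list named Windows 8, which "Windows 8.1 or later" excludes, and the asterisks on the Office entries are dropped with no sign of where their footnote went. Confirm that Windows 8 is meant to be removed and keep whatever qualification the `*` pointed to. The hunk also leaves two blank lines after the list, which PATCH 042 then has to clean up.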
@@ -117,6 +110,8 @@ When a reactivation event occurs, the client queries AD DS for the activation o > - [Office 2016 VL pack](https://www.microsoft.com/download/details.aspx?id=49164) > > - [Office 2019 VL pack](https://www.microsoft.com/download/details.aspx?id=57342) + > + > - [Office LTSC 2021 VL pack](https://www.microsoft.com/en-us/download/details.aspx?id=103446) 8. After activating the key, click **Commit**, and then click **Close**. @@ -139,4 +134,4 @@ To verify your Active Directory-based activation configuration, complete the fol ## See also -- [Volume Activation for Windows 10](volume-activation-windows-10.md) \ No newline at end of file +- [Volume Activation for Windows 10](volume-activation-windows-10.md) From b1b0e275c5127ffed29c11a811b0369333dffb6b Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Fri, 31 Dec 2021 09:57:01 +0500 Subject: [PATCH 042/169] Update windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../activate-using-active-directory-based-activation-client.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md index 743b11044a..84c3e742ea 100644 --- a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md +++ b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md @@ -25,7 +25,6 @@ ms.collection: highpri - Windows Server 2012 or later - Microsoft Office 2013 or later - **Looking for retail activation?** - [Get Help Activating Microsoft Windows 7 or Windows 8.1](https://support.microsoft.com/help/15083/windows-activate-windows-7-or-8-1) 
From ab0cf6f436e0aecaeeeaf9a8a6724e975fd9f540 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Fri, 31 Dec 2021 09:57:17 +0500 Subject: [PATCH 043/169] Update windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../activate-using-active-directory-based-activation-client.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md index 84c3e742ea..6dfb6da50b 100644 --- a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md +++ b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md @@ -101,7 +101,8 @@ When a reactivation event occurs, the client queries AD DS for the activation o **Figure 15**. Choosing how to activate your product > [!NOTE] - > To activate a KMS Host Key (CSVLK) for Microsoft Office, you need to install the version-specific Office Volume License Pack on the server where the Volume Activation Server Role is installed. For more details see [Activate volume licensed versions of Office by using Active Directory](/deployoffice/vlactivation/activate-office-by-using-active-directory) + > To activate a KMS Host Key (CSVLK) for Microsoft Office, you need to install the version-specific Office Volume License Pack on the server where the Volume Activation Server Role is installed. For more details, see [Activate volume licensed versions of Office by using Active Directory](/deployoffice/vlactivation/activate-office-by-using-active-directory). + > > > - [Office 2013 VL pack](https://www.microsoft.com/download/details.aspx?id=35584) 
From aa78c5bc121c3cf7b162b7e8becddaa60fd1922a Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Fri, 31 Dec 2021 09:57:27 +0500 Subject: [PATCH 044/169] Update windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../activate-using-active-directory-based-activation-client.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md index 6dfb6da50b..9c96dae840 100644 --- a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md +++ b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md @@ -111,7 +111,8 @@ When a reactivation event occurs, the client queries AD DS for the activation o > > - [Office 2019 VL pack](https://www.microsoft.com/download/details.aspx?id=57342) > - > - [Office LTSC 2021 VL pack](https://www.microsoft.com/en-us/download/details.aspx?id=103446) + > - [Office LTSC 2021 VL pack](https://www.microsoft.com/download/details.aspx?id=103446) + 8. After activating the key, click **Commit**, and then click **Close**. From 5d2ea2ae4a4f49b74462312d67117b1502cffd91 Mon Sep 17 00:00:00 2001 From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Mon, 3 Jan 2022 13:29:36 +0200 Subject: [PATCH 045/169] update licensing info https://github.com/MicrosoftDocs/windows-itpro-docs/issues/10036 --- windows/deployment/vda-subscription-activation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/vda-subscription-activation.md b/windows/deployment/vda-subscription-activation.md index a7081e65f1..9310bdfa44 100644 
--- a/windows/deployment/vda-subscription-activation.md +++ b/windows/deployment/vda-subscription-activation.md @@ -153,4 +153,4 @@ To create custom RDP settings for Azure: [Windows 10/11 Subscription Activation](windows-10-subscription-activation.md)
[Recommended settings for VDI desktops](/windows-server/remote/remote-desktop-services/rds-vdi-recommendations) -
[Licensing the Windows Desktop for VDI Environments](https://download.microsoft.com/download/1/1/4/114A45DD-A1F7-4910-81FD-6CAF401077D0/Microsoft%20VDI%20and%20VDA%20FAQ%20v3%200.pdf) \ No newline at end of file +
[Licensing the Windows Desktop for VDI Environments](https://download.microsoft.com/download/9/8/d/98d6a56c-4d79-40f4-8462-da3ecba2dc2c/licensing_windows_desktop_os_for_virtual_machines.pdf) From 4c67a5189e088e5c2fc7ec690b41f8190acc197c Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Tue, 4 Jan 2022 01:28:35 +0530 Subject: [PATCH 046/169] Update policy-csp-defender.md --- .../mdm/policy-csp-defender.md | 53 +++++++++++++++++++ 1 file changed, 53 insertions(+) diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md index d8c5c80c8c..f39d034b33 100644 --- a/windows/client-management/mdm/policy-csp-defender.md +++ b/windows/client-management/mdm/policy-csp-defender.md @@ -128,6 +128,9 @@ ms.collection: highpri

Defender/ScheduleScanTime
+
+ Defender/SecurityIntelligenceLocation +
Defender/SignatureUpdateFallbackOrder
@@ -2063,6 +2066,56 @@ Valid values: 0–1380.
+ +**Defender/SecurityIntelligenceLocation** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|Yes|Yes| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting allows you to define the security intelligence location for VDI-configured computers. + +​If you disable or do not configure this setting, security intelligence will be referred from the default local source. + + + +ADMX Info: +- GP Friendly name: *Signature (Security intelligence) delivery optimization for Defender in Virtual Environments* +- GP name: *SecurityIntelligenceLocation* +- GP element: *SecurityIntelligenceLocation* +- GP path: *Windows Components/Microsoft Defender Antivirus/Scan* +- GP ADMX file name: *WindowsDefender.admx* + + + +Empty string - no policy is set +Non-empty string - the policy is set and security intelligence is gathered from the location + + + + +
+ **Defender/SignatureUpdateFallbackOrder** From b55a211f6f61c494201b4dabd9a26dcba4ce79eb Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Tue, 4 Jan 2022 02:11:59 +0530 Subject: [PATCH 047/169] Update policy-csp-experience.md --- .../mdm/policy-csp-experience.md | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md index e4e0453c5f..cb785576ec 100644 --- a/windows/client-management/mdm/policy-csp-experience.md +++ b/windows/client-management/mdm/policy-csp-experience.md @@ -40,9 +40,15 @@ manager: dansimp
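Review bot: The Defender/SecurityIntelligenceLocation description added in PATCH 046 (@@ -2063 hunk) never says what form the location string takes (UNC share, local path or URL), yet the supported-values text says security intelligence is gathered from whatever non-empty string is set. Add the expected format with one sample value, and reword "security intelligence will be referred from the default local source", which does not say what the client actually does. The line beginning "If you disable or do not configure" appears to start with a zero-width space that should be deleted, and the GP path ends in `/Scan` for a setting about security intelligence delivery, which is worth checking against the ADMX file.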
Experience/AllowSaveAsOfOfficeFiles
+
+ Experience/AllowScreenCapture +
Experience/AllowSharingOfOfficeFiles
+
+ Experience/AllowSIMErrorDialogPromptWhenNoSIM +
Experience/AllowSyncMySettings
@@ -362,6 +368,43 @@ This policy is deprecated.
+ +**Experience/AllowScreenCapture** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + + + + + +Describe what value are supported in by this policy and meaning of each value is default value. + + + + +
+ **Experience/AllowSharingOfOfficeFiles** @@ -371,6 +414,40 @@ This policy is deprecated. + +**Experience/AllowSIMErrorDialogPromptWhenNoSIM** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + + + + +Describes what value are supported in by this policy and meaning of each value is default value. + + + +
From c791533fdeba706af5681f2507e8702b4154d192 Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Tue, 4 Jan 2022 15:41:59 +0530 Subject: [PATCH 048/169] Update policy-csp-internetexplorer.md --- windows/client-management/mdm/policy-csp-internetexplorer.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md index 12fd5be044..37c6285576 100644 --- a/windows/client-management/mdm/policy-csp-internetexplorer.md +++ b/windows/client-management/mdm/policy-csp-internetexplorer.md @@ -210,7 +210,7 @@ manager: dansimp InternetExplorer/DoNotBlockOutdatedActiveXControls
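Review bot: Both policy sections added in PATCH 047, Experience/AllowScreenCapture (@@ -362 hunk) and Experience/AllowSIMErrorDialogPromptWhenNoSIM (@@ -371 hunk), ship with the template placeholder "Describe what value are supported in by this policy and meaning of each value is default value." in place of a description and a supported-values list. Replace it with the actual behaviour, the allowed values and the default before merging. For AllowScreenCapture in particular, an admin cannot use the policy as a data-protection control without knowing which value blocks capture.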
- InternetExplorer/DoNotBlockOutdatedActiveXControlsOnSpecificDomains + InternetExplorer/DoNotBlockOutdatedActiveXControlsOnSpecificDomains
InternetExplorer/IncludeAllLocalSites From bb2f5d07d97f655797d57e82603ca4caddac1911 Mon Sep 17 00:00:00 2001 From: Meghana Athavale Date: Tue, 4 Jan 2022 17:41:49 +0530 Subject: [PATCH 049/169] Updated table --- .../ie11-deploy-guide/new-group-policy-settings-for-ie11.md | 1 + 1 file changed, 1 insertion(+) diff --git a/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md index 557d57b34a..e6c30a056e 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/new-group-policy-settings-for-ie11.md @@ -34,6 +34,7 @@ Internet Explorer 11 gives you some new Group Policy settings to help you manage | Always send Do Not Track header | Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page | At least Internet Explorer 10 | This policy setting allows you to configure how IE sends the Do Not Track (DNT) header.

If you enable this policy setting, IE sends a `DNT:1` header with all HTTP and HTTPS requests. The `DNT:1` header signals to the servers not to track the user.

**In Internet Explorer 9 and 10:**
If you disable this policy setting, IE only sends the Do Not Track header if a Tracking Protection List is enabled or inPrivate Browsing mode is used.

**In at least IE11:**
If you disable this policy setting, IE only sends the Do Not Track header if inPrivate Browsing mode is used.

If you don't configure the policy setting, users can select the **Always send Do Not Track header** option on the **Advanced\* tab of the \*\*Internet Options** dialog box. By selecting this option, IE sends a `DNT:1` header with all HTTP and HTTPS requests; unless the user grants a site-specific exception, in which case IE sends a `DNT:0` header. By default, this option is enabled. | | Don't run antimalware programs against ActiveX controls
(Internet, Restricted Zones) |

  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone
  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Sites Zone
| IE11 on Windows 10 | This policy setting determines whether IE runs antimalware programs against ActiveX controls, to check if they're safe to load on pages.

If you enable this policy setting, IE won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control.

If you disable this policy setting, IE always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control.

If you don't configure this policy setting, IE always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using the Internet Explorer's **Security** settings. | | Don't run antimalware programs against ActiveX controls
(Intranet, Trusted, Local Machine Zones) |

  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone
  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Intranet Zone
  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone
  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Sites Zone
  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone
  • Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Local Machine Zone
| IE11 on Windows 10 | This policy setting determines whether IE runs antimalware programs against ActiveX controls, to check if they're safe to load on pages.

If you enable this policy setting, IE won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control.

If you disable this policy setting, IE always checks with your antimalware program to see if it's safe to create an instance of the ActiveX control.

If you don't configure this policy setting, IE won't check with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off, using Internet Explorer's **Security** settings. | +| Hide Internet Explorer 11 Application Retirement Notification | Administrative Templates\Windows Components\Internet Explorer | Internet Explorer 11 on Windows 10 20H2 & newer | This policy setting allows you to prevent the notification bar that informs users of Internet Explorer 11’s retirement from showing up.
If you disable or don’t configure this setting, the notification will be shown. | | Hide the button (next to the New Tab button) that opens Microsoft Edge | User Configuration\Administrative Templates\Windows Components/Internet Explorer\Internet Settings\Advanced Settings\Browsing\ | IE11 on Windows 10, version 1703 | This policy setting lets you decide whether employees can see the open Microsoft Edge button, which appears next to the New Tab button.

If you enable this policy setting, the button to open Microsoft Edge from Internet Explorer will be hidden.

If you disable this policy setting, the button to open Microsoft Edge from Internet Explorer appears.

If you don't configure this policy setting, the button to open Microsoft Edge from Internet Explorer can be configured by your employees. | | Let users turn on and use Enterprise Mode from the **Tools** menu | Administrative Templates\Windows Components\Internet Explorer | IE11 on Windows 10 | This policy setting lets you decide whether users can turn on Enterprise Mode for websites with compatibility issues. Optionally, this policy also lets you specify where to get reports (through post messages) about the websites for which users turn on Enterprise Mode using the **Tools** menu.

If you enable this policy setting, users can see and use the **Enterprise Mode** option from the **Tools** menu. If you enable this setting, but don’t specify a report location, Enterprise Mode will still be available to your users, but you won’t get any reports.

If you disable or don’t configure this policy setting, the menu option won’t appear and users won’t be able to turn on Enterprise Mode locally. | | Limit Site Discovery output by Domain | Administrative Templates\Windows Components\Internet Explorer | At least Internet Explorer 8 | This policy setting allows you to control which domains are included in the discovery function of the Internet Explorer Site Discovery Toolkit.

If you enable this policy setting, the Internet Explorer Site Discovery Toolkit collects data from all sites in your specified domains, configured by adding one domain per line to the included text box.

If you disable or don’t configure this setting, the Internet Explorer Site Discovery Toolkit collects data from all sites in all domains.

**Note:**
You can use this setting in conjunction with the other settings that control the Internet Explorer Site Discovery Toolkit. | From 72febff49b7ea7998c973f3ca47a98c216d7b23e Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Tue, 4 Jan 2022 23:16:28 +0530 Subject: [PATCH 050/169] Update policy-csp-start.md --- windows/client-management/mdm/policy-csp-start.md | 13 +++---------- 1 file changed, 3 insertions(+), 10 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md index a7bfb4c8ba..3ef4e79b17 100644 --- a/windows/client-management/mdm/policy-csp-start.md +++ b/windows/client-management/mdm/policy-csp-start.md @@ -779,33 +779,27 @@ The following list shows the supported values: - - - - - -
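Review bot: The row added in PATCH 049 for Hide Internet Explorer 11 Application Retirement Notification describes only the disabled and not-configured cases, while the neighbouring rows spell out "If you enable this policy setting, ..."; add that sentence here rather than leaving it implied by "allows you to prevent". The requirement cell "Internet Explorer 11 on Windows 10 20H2 & newer" should also follow the form the other rows use, for example "IE11 on Windows 10, version 1703".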
EditionWindows 10 Windows 11
Home NoNo
Pro YesYes
Business YesYes
Enterprise YesYes
Education YesYes
@@ -823,12 +817,12 @@ The following list shows the supported values: -This policy will allow admins to push a new list of pinned apps to override the default/current list of pinned apps in the SV start menu experience. +This policy will allow admins to push a new list of pinned apps to override the default/current list of pinned apps in the Windows 11 start menu experience. ->[!NOTE] -> TFS information describes feature area owners and policy handling work, but the work to implement the policy itself is being completed by OS\WDX\DASH\Cloud-powered Windows Devices\Project Hailey --> Deliverable 32179178. +It contains details on how to configure the start menu on Windows 11, see https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/customize-the-windows-11-start-menu + This string policy will take a JSON file (expected name LayoutModification.json), which enumerates the items to pin and their relative order. @@ -2322,7 +2316,6 @@ To validate on Desktop, do the following: -This supports a key Enterprise manageability request targeted for Iron. From 483b9e10f8d29ea2c98409b67d4ea73ec2b879da Mon Sep 17 00:00:00 2001 From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Wed, 5 Jan 2022 11:15:52 +0200 Subject: [PATCH 051/169] Add info https://github.com/MicrosoftDocs/windows-itpro-docs/issues/10018 --- windows/deployment/upgrade/resolution-procedures.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/upgrade/resolution-procedures.md b/windows/deployment/upgrade/resolution-procedures.md index 608df22ec5..cd1bfa68f2 100644 --- a/windows/deployment/upgrade/resolution-procedures.md +++ b/windows/deployment/upgrade/resolution-procedures.md @@ -45,7 +45,7 @@ See the following general troubleshooting procedures associated with a result co | :--- | :--- | :--- | | 0xC1900101 - 0x20004 | Uninstall antivirus applications.
Remove all unused SATA devices.
Remove all unused devices and drivers.
Update drivers and BIOS. | Windows Setup encountered an error during the SAFE_OS with the INSTALL_RECOVERY_ENVIRONMENT operation.
This is generally caused by out-of-date drivers. | | 0xC1900101 - 0x2000c | Disconnect all peripheral devices that are connected to the system, except for the mouse, keyboard and display.
Contact your hardware vendor to obtain updated device drivers.
Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process. | Windows Setup encountered an unspecified error during Wim apply in the WinPE phase.
This is generally caused by out-of-date drivers | -| 0xC1900101 - 0x20017 | Ensure that all that drivers are updated.
Open the Setuperr.log and Setupact.log files in the %windir%\Panther directory, and then locate the problem drivers.
For more information, see [Windows Vista, Windows 7, Windows Server 2008 R2, Windows 8.1, and Windows 10 setup log file locations](/troubleshoot/windows-client/deployment/windows-setup-log-file-locations).
Update or uninstall the problem drivers. | A driver has caused an illegal operation.
Windows was not able to migrate the driver, resulting in a rollback of the operating system.
This is a SafeOS boot failure, typically caused by drivers or non-Microsoft disk encryption software. | +| 0xC1900101 - 0x20017 | Ensure that all that drivers are updated.
Open the Setuperr.log and Setupact.log files in the %windir%\Panther directory, and then locate the problem drivers.
For more information, see [Windows Vista, Windows 7, Windows Server 2008 R2, Windows 8.1, and Windows 10 setup log file locations](/troubleshoot/windows-client/deployment/windows-setup-log-file-locations).
Update or uninstall the problem drivers. | A driver has caused an illegal operation.
Windows was not able to migrate the driver, resulting in a rollback of the operating system.
This is a SafeOS boot failure, typically caused by drivers or non-Microsoft disk encryption software.
This can also be caused by a hardware failure. | | 0xC1900101 - 0x30018 | Disconnect all peripheral devices that are connected to the system, except for the mouse, keyboard and display.
Contact your hardware vendor to obtain updated device drivers.
Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process. | A device driver has stopped responding to setup.exe during the upgrade process. | | 0xC1900101 - 0x3000D | Disconnect all peripheral devices that are connected to the system, except for the mouse, keyboard and display.
Update or uninstall the display driver. | Installation failed during the FIRST_BOOT phase while attempting the MIGRATE_DATA operation.
This can occur due to a problem with a display driver. | | 0xC1900101 - 0x4000D | Check supplemental rollback logs for a setupmem.dmp file, or event logs for any unexpected reboots or errors.
Review the rollback log and determine the stop code.
The rollback log is located in the $Windows.~BT\Sources\Rollback folder. An example analysis is shown below. This example is not representative of all cases:
 
Info SP Crash 0x0000007E detected
Info SP Module name :
Info SP Bugcheck parameter 1 : 0xFFFFFFFFC0000005
Info SP Bugcheck parameter 2 : 0xFFFFF8015BC0036A
Info SP Bugcheck parameter 3 : 0xFFFFD000E5D23728
Info SP Bugcheck parameter 4 : 0xFFFFD000E5D22F40
Info SP Cannot recover the system.
Info SP Rollback: Showing splash window with restoring text: Restoring your previous version of Windows.
 
Typically, there is a dump file for the crash to analyze. If you are not equipped to debug the dump, then attempt the following basic troubleshooting procedures:
 
1. Make sure you have enough disk space.
2. If a driver is identified in the bug check message, disable the driver or check with the manufacturer for driver updates.
3. Try changing video adapters.
4. Check with your hardware vendor for any BIOS updates.
5. Disable BIOS memory options such as caching or shadowing. | A rollback occurred due to a driver configuration issue.
Installation failed during the second boot phase while attempting the MIGRATE_DATA operation.
This can occur because of incompatible drivers. | From c9766eefa956eaeeaa14ccc4ce920e47d13af587 Mon Sep 17 00:00:00 2001 From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Wed, 5 Jan 2022 13:02:03 +0200 Subject: [PATCH 052/169] Add info about next version https://github.com/MicrosoftDocs/windows-itpro-docs/issues/10051 --- ...e-guard-signing-portal-in-microsoft-store-for-business.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md b/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md index 7311563492..cc73221cbc 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md @@ -26,6 +26,9 @@ ms.technology: windows-sec - Windows 11 - Windows Server 2016 and above +> [!IMPORTANT] +> The existing web-based mechanism for the Device Guard Signing service v1 will be retired on June 9, 2021. Please transition to the PowerShell based version of the service [(DGSS v2)](https://docs.microsoft.com/en-us/microsoft-store/device-guard-signing-portal). More details can be found [here](https://docs.microsoft.com/en-us/windows/msix/package/signing-package-device-guard-signing) and [here](https://docs.microsoft.com/en-us/microsoft-store/device-guard-signing-portal). + > [!NOTE] > Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). 
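Review bot: The added [!IMPORTANT] note in use-device-guard-signing-portal-in-microsoft-store-for-business.md says the Device Guard Signing service v1 "will be retired on June 9, 2021", but this patch is dated 5 Jan 2022, so the future tense describes a date that has already passed. Reword it to say the web-based mechanism was retired on that date, or confirm the date. The "(DGSS v2)" link and the second "here" link point to the same URL, and neither "here" label tells the reader what the target is. Use the target article titles as link text, and site-relative paths instead of https://docs.microsoft.com/en-us/... so the links are not tied to one locale.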
@@ -47,4 +50,4 @@ Before you get started, be sure to review these best practices: 4. After the files are uploaded, click **Sign** to sign the code integrity policy. 5. Click **Download** to download the signed code integrity policy. - When you sign a code integrity policy with the Device Guard signing portal, the signing certificate is added to the policy. This means you can't modify this policy. If you need to make changes, make them to an unsigned version of the policy, and then sign the policy again. \ No newline at end of file + When you sign a code integrity policy with the Device Guard signing portal, the signing certificate is added to the policy. This means you can't modify this policy. If you need to make changes, make them to an unsigned version of the policy, and then sign the policy again. From 25d4a0950f71c2e502a375619ff982e6ea4613a0 Mon Sep 17 00:00:00 2001 From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Wed, 5 Jan 2022 13:31:25 +0200 Subject: [PATCH 053/169] add info https://github.com/MicrosoftDocs/windows-itpro-docs/issues/10070 --- .../hello-hybrid-cert-new-install.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md index 893bb67c67..7fc2f3cb26 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md 
@@ -55,15 +55,17 @@ Windows Hello for Business must have a public key infrastructure regardless of t This guide assumes most enterprises have an existing public key infrastructure. Windows Hello for Business depends on a Windows enterprise public key infrastructure running the Active Directory Certificate Services role from Windows Server 2012 or later. +More details about configuring a Windows enterprise public key infrastructure and installing Active Directory Certificate Services can be found [here](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki#follow-the-windows-hello-for-business-hybrid-key-trust-deployment-guide) and [here](https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/install-the-certification-authority). + +>[!NOTE] +>Never install a certificate authority on a domain controller in a production environment. + ### Lab-based public key infrastructure The following instructions may be used to deploy simple public key infrastructure that is suitable for a lab environment. Sign-in using _Enterprise Admin_ equivalent credentials on Windows Server 2012 or later server where you want the certificate authority installed. ->[!NOTE] ->Never install a certificate authority on a domain controller in a production environment. - 1. Open an elevated Windows PowerShell prompt. 2. Use the following command to install the Active Directory Certificate Services role. ```PowerShell @@ -148,4 +150,4 @@ Alternatively, you can configure Windows Server 2016 Active Directory Federation 3. New Installation Baseline (*You are here*) 4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) 5. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md) -6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) \ No newline at end of file +6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) 
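Review bot: In the first hunk of hello-hybrid-cert-new-install.md, the added "More details about configuring ..." sentence uses "here" twice as link text with absolute https://docs.microsoft.com/en-us/ URLs. Name the target articles in the link text and use site-relative paths. The first link goes to a hybrid key trust page (hello-hybrid-key-whfb-settings-pki) although this file belongs to the hybrid certificate trust guide, so confirm that target is intended. The "Never install a certificate authority on a domain controller in a production environment" note now sits directly above the "Lab-based public key infrastructure" heading, and the lab steps that install the role no longer carry it. Consider keeping a short pointer to it in the lab section. The second hunk only adds the missing final newline and needs no change.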
From 007b329f4833bfed68f2a503095f43efb07ee4be Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Wed, 5 Jan 2022 19:49:03 +0530 Subject: [PATCH 054/169] Update policy-csp-defender.md --- windows/client-management/mdm/policy-csp-defender.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md index f39d034b33..4e05320c00 100644 --- a/windows/client-management/mdm/policy-csp-defender.md +++ b/windows/client-management/mdm/policy-csp-defender.md @@ -2100,16 +2100,17 @@ This policy setting allows you to define the security intelligence location for ADMX Info: -- GP Friendly name: *Signature (Security intelligence) delivery optimization for Defender in Virtual Environments* +- GP Friendly name: *Define security intelligence location for VDI clients* - GP name: *SecurityIntelligenceLocation* - GP element: *SecurityIntelligenceLocation* -- GP path: *Windows Components/Microsoft Defender Antivirus/Scan* +- GP path: *Windows Components/Microsoft Defender Antivirus/Security Intelligence Updates* - GP ADMX file name: *WindowsDefender.admx* -Empty string - no policy is set -Non-empty string - the policy is set and security intelligence is gathered from the location + +- Empty string - no policy is set +- Non-empty string - the policy is set and security intelligence is gathered from the location From b06079f3acef6f0ff5fb392769236597645c0dda Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Wed, 5 Jan 2022 20:19:52 +0530 Subject: [PATCH 055/169] Update policy-csp-printers.md --- windows/client-management/mdm/policy-csp-printers.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-printers.md b/windows/client-management/mdm/policy-csp-printers.md index d6f2240333..52f26fbc86 100644 --- a/windows/client-management/mdm/policy-csp-printers.md 
+++ b/windows/client-management/mdm/policy-csp-printers.md @@ -55,7 +55,7 @@ manager: dansimp


-**Printers/ApprovedUsbPrintDevices** +**Printers/ApprovedUsbPrintDevices** From 5c669bde762a84a0779e938a257c1e568a497a28 Mon Sep 17 00:00:00 2001 From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Thu, 6 Jan 2022 10:22:46 +0200 Subject: [PATCH 056/169] Update windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-cert-new-install.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md index 7fc2f3cb26..c93d1abad1 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md 
@@ -55,7 +55,7 @@ Windows Hello for Business must have a public key infrastructure regardless of t This guide assumes most enterprises have an existing public key infrastructure. Windows Hello for Business depends on a Windows enterprise public key infrastructure running the Active Directory Certificate Services role from Windows Server 2012 or later. -More details about configuring a Windows enterprise public key infrastructure and installing Active Directory Certificate Services can be found [here](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki#follow-the-windows-hello-for-business-hybrid-key-trust-deployment-guide) and [here](https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/install-the-certification-authority). +For more details about configuring a Windows enterprise public key infrastructure and installing Active Directory Certificate Services, see [Follow the Windows Hello for Business hybrid key trust deployment guide](/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki#follow-the-windows-hello-for-business-hybrid-key-trust-deployment-guide) and [Install the Certification Authority](/windows-server/networking/core-network-guide/cncg/server-certs/install-the-certification-authority). >[!NOTE] >Never install a certificate authority on a domain controller in a production environment. From 618bad0a8532ac48d1b91b27b900844a7fe67dd7 Mon Sep 17 00:00:00 2001 From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Thu, 6 Jan 2022 10:30:52 +0200 Subject: [PATCH 057/169] Update windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-cert-new-install.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md index c93d1abad1..05d4a7b317 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md @@ -57,8 +57,8 @@ This guide assumes most enterprises have an existing public key infrastructure. For more details about configuring a Windows enterprise public key infrastructure and installing Active Directory Certificate Services, see [Follow the Windows Hello for Business hybrid key trust deployment guide](/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki#follow-the-windows-hello-for-business-hybrid-key-trust-deployment-guide) and [Install the Certification Authority](/windows-server/networking/core-network-guide/cncg/server-certs/install-the-certification-authority). ->[!NOTE] ->Never install a certificate authority on a domain controller in a production environment. +> [!NOTE] +> Never install a certificate authority on a domain controller in a production environment. ### Lab-based public key infrastructure From 03c95d0f0909232244c48b4ccd5e0204a03ed74f Mon Sep 17 00:00:00 2001 From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Thu, 6 Jan 2022 11:35:47 +0200 Subject: [PATCH 058/169] Update windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- ...vice-guard-signing-portal-in-microsoft-store-for-business.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md b/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md index cc73221cbc..5956abbc56 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md @@ -27,7 +27,7 @@ ms.technology: windows-sec - Windows Server 2016 and above > [!IMPORTANT] -> The existing web-based mechanism for the Device Guard Signing service v1 will be retired on June 9, 2021. Please transition to the PowerShell based version of the service [(DGSS v2)](https://docs.microsoft.com/en-us/microsoft-store/device-guard-signing-portal). More details can be found [here](https://docs.microsoft.com/en-us/windows/msix/package/signing-package-device-guard-signing) and [here](https://docs.microsoft.com/en-us/microsoft-store/device-guard-signing-portal). +> The existing web-based mechanism for the Device Guard Signing Service v1 will be retired on June 9, 2021. Please transition to the PowerShell based version of the service [(DGSS v2)](/microsoft-store/device-guard-signing-portal). For more details, see [Sign an MSIX package with Device Guard signing](/windows/msix/package/signing-package-device-guard-signing) and [Device Guard signing](/microsoft-store/device-guard-signing-portal). > [!NOTE] > Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). From 864049b0d8b2b1469fdea8b90f57a81b2798898d Mon Sep 17 00:00:00 2001 
From: Nimisha Satapathy Date: Fri, 7 Jan 2022 17:42:56 +0530 Subject: [PATCH 059/169] Update policy-csp-browser.md --- windows/client-management/mdm/policy-csp-browser.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md index ba8ac722c2..7bab2b690f 100644 --- a/windows/client-management/mdm/policy-csp-browser.md +++ b/windows/client-management/mdm/policy-csp-browser.md @@ -15,7 +15,7 @@ ms.localizationpriority: medium # Policy CSP - Browser > [!NOTE] -> You've reached the documentation for Microsoft Edge version 45 and earlier. To see the documentation for Microsoft Edge version 77 or later, go to the [Microsoft Edge documentation landing page](/DeployEdge/). +> These settings are for the previous version of Microsoft Edge and are deprecated. These settings will be removed in a future Windows release. Microsoft recommends updating your version of Microsoft Edge and use the appropriate CSPs for the Chromium version of the Microsoft Edge browser. Learn more about how to [Configure Microsoft Edge using Mobile Device Management](https://docs.microsoft.com/deployedge/configure-edge-with-mdm). ## Browser policies From f4e2c4ee26ae295581d2e6b3052363f3d4f02242 Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Sat, 8 Jan 2022 00:36:02 +0530 Subject: [PATCH 060/169] Update policy-csp-browser.md --- windows/client-management/mdm/policy-csp-browser.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md index 7bab2b690f..7b3f0a6fb4 100644 --- a/windows/client-management/mdm/policy-csp-browser.md +++ b/windows/client-management/mdm/policy-csp-browser.md 
@@ -15,7 +15,8 @@ ms.localizationpriority: medium # Policy CSP - Browser > [!NOTE] -> These settings are for the previous version of Microsoft Edge and are deprecated. These settings will be removed in a future Windows release. Microsoft recommends updating your version of Microsoft Edge and use the appropriate CSPs for the Chromium version of the Microsoft Edge browser. Learn more about how to [Configure Microsoft Edge using Mobile Device Management](https://docs.microsoft.com/deployedge/configure-edge-with-mdm). +> These settings are for the previous version of Microsoft Edge (version 45 and earlier) and are deprecated. These settings will be removed in a future Windows release. Microsoft recommends updating your version of Microsoft Edge to version 77 or later and use the ADMX Ingestion function for management. Learn more about how to [Configure Microsoft Edge using Mobile Device Management](https://docs.microsoft.com/deployedge/configure-edge-with-mdm). + ## Browser policies From 8c6c0790d2c9caa886ac3d8a3fd7eaa83f2e36cb Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Sat, 8 Jan 2022 00:42:50 +0530 Subject: [PATCH 061/169] Update policy-csp-browser.md --- windows/client-management/mdm/policy-csp-browser.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md index 7b3f0a6fb4..3ab4a15f8d 100644 --- a/windows/client-management/mdm/policy-csp-browser.md +++ b/windows/client-management/mdm/policy-csp-browser.md 
@@ -15,7 +15,7 @@ ms.localizationpriority: medium # Policy CSP - Browser > [!NOTE] -> These settings are for the previous version of Microsoft Edge (version 45 and earlier) and are deprecated. These settings will be removed in a future Windows release. Microsoft recommends updating your version of Microsoft Edge to version 77 or later and use the ADMX Ingestion function for management. Learn more about how to [Configure Microsoft Edge using Mobile Device Management](https://docs.microsoft.com/deployedge/configure-edge-with-mdm). +> These settings are for the previous version of Microsoft Edge (version 45 and earlier) and are deprecated. These settings will be removed in a future Windows release. Microsoft recommends updating your version of Microsoft Edge to version 77 or later and use the ADMX Ingestion function for management. Learn more about how to [Configure Microsoft Edge using Mobile Device Management](deployedge/configure-edge-with-mdm). From da7399f346a57f55461383014aa39a5632ede6d0 Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Mon, 10 Jan 2022 15:28:32 +0530 Subject: [PATCH 062/169] Update policy-csp-browser.md --- windows/client-management/mdm/policy-csp-browser.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md index 3ab4a15f8d..7b3f0a6fb4 100644 --- a/windows/client-management/mdm/policy-csp-browser.md +++ b/windows/client-management/mdm/policy-csp-browser.md 
@@ -15,7 +15,7 @@ ms.localizationpriority: medium # Policy CSP - Browser > [!NOTE] -> These settings are for the previous version of Microsoft Edge (version 45 and earlier) and are deprecated. These settings will be removed in a future Windows release. Microsoft recommends updating your version of Microsoft Edge to version 77 or later and use the ADMX Ingestion function for management. Learn more about how to [Configure Microsoft Edge using Mobile Device Management](deployedge/configure-edge-with-mdm). +> These settings are for the previous version of Microsoft Edge (version 45 and earlier) and are deprecated. These settings will be removed in a future Windows release. Microsoft recommends updating your version of Microsoft Edge to version 77 or later and use the ADMX Ingestion function for management. Learn more about how to [Configure Microsoft Edge using Mobile Device Management](https://docs.microsoft.com/deployedge/configure-edge-with-mdm). From 02af56b64a72a8ac99155346a85ffd126a2df8b7 Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Mon, 10 Jan 2022 15:35:47 +0530 Subject: [PATCH 063/169] Update policy-csp-browser.md --- windows/client-management/mdm/policy-csp-browser.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md index 7b3f0a6fb4..cbf9ef190b 100644 --- a/windows/client-management/mdm/policy-csp-browser.md +++ b/windows/client-management/mdm/policy-csp-browser.md 
@@ -15,7 +15,7 @@ ms.localizationpriority: medium # Policy CSP - Browser > [!NOTE] -> These settings are for the previous version of Microsoft Edge (version 45 and earlier) and are deprecated. These settings will be removed in a future Windows release. Microsoft recommends updating your version of Microsoft Edge to version 77 or later and use the ADMX Ingestion function for management. Learn more about how to [Configure Microsoft Edge using Mobile Device Management](https://docs.microsoft.com/deployedge/configure-edge-with-mdm). +> These settings are for the previous version of Microsoft Edge (version 45 and earlier) and are deprecated. These settings will be removed in a future Windows release. Microsoft recommends updating your version of Microsoft Edge to version 77 or later and use the ADMX Ingestion function for management. Learn more about how to [Configure Microsoft Edge using Mobile Device Management](/deployedge/configure-edge-with-mdm). From 6d2d48751f5c93be28772a5f81e44916ded8d032 Mon Sep 17 00:00:00 2001 From: sravanigannavarapu <95500630+sravanigannavarapu@users.noreply.github.com> Date: Tue, 11 Jan 2022 18:26:47 -0800 Subject: [PATCH 064/169] Update audit-registry.md --- windows/security/threat-protection/auditing/audit-registry.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/auditing/audit-registry.md b/windows/security/threat-protection/auditing/audit-registry.md index ace2bfd284..39a62a47c9 100644 --- a/windows/security/threat-protection/auditing/audit-registry.md +++ b/windows/security/threat-protection/auditing/audit-registry.md 
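Review bot: In the [!NOTE] at the top of policy-csp-browser.md, "Microsoft recommends updating your version of Microsoft Edge to version 77 or later and use the ADMX Ingestion function" mixes verb forms. Change it to "and using", or to "recommends that you update ... and use". Patches 059 to 063 edit this one note five times and flip the link target between https://docs.microsoft.com/deployedge/configure-edge-with-mdm, deployedge/configure-edge-with-mdm and /deployedge/configure-edge-with-mdm. Squash them into a single commit that lands on the final site-relative form, so the history does not carry the intermediate relative link.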
@@ -48,6 +48,6 @@ If success auditing is enabled, an audit entry is generated each time any accoun > [!NOTE] -> On creating a subkey for a parent (RegCreateKey), the expectation is to see an event for opening a handle for the newly created object (event 4656) issued by the object manager. You will see this event only when "Audit Object Access" is enabled under **Local Policies** > **Audit Policy** in Local Security Policy. This event is not generated while using precisely defined settings for seeing only registry-related events under **Advanced Audit Policy Configurations** > **Object Access** > **Audit Registry** in Local Security Policy. For example, you will not see this event with the setting to just see the registry-related auditing events using "auditpol.exe /set /subcategory:{0CCE921E-69AE-11D9-BED3-505054503030} /success:enable". +> On creating a subkey for a parent (RegCreateKey), the expectation is to see an event for opening a handle for the newly created object (event 4656) issued by the object manager. You will see this event only when "Audit Object Access" is enabled under **Local Policies** > **Audit Policy** in Local Security Policy. This event is not generated while using precisely defined settings for seeing only registry-related events under **Advanced Audit Policy Configurations** > **Object Access** > **Audit Registry** in Local Security Policy. For example, you will not see this event with the setting to just see the registry-related auditing events using "auditpol.exe /set /subcategory:{0CCE921E-69AE-11D9-BED3-505054503030} /success:enable". This behaviour is expected only on the newer versions of the OS (Windows 11 / Windows Server 2022 and above). On older versions, 4656 events are not generated during subkey creation. > -> Calls to Registry APIs to access an open key object to perform an operation such as RegSetValue, RegEnumValue, and RegRenameKey would trigger an event to access the object (event 4663). 
For example, creating a subkey using regedit.exe would not trigger a 4663 event, but renaming it would. +> Calls to Registry APIs to access an open key object to perform an operation such as RegSetValue, RegEnumValue, and RegRenameKey would trigger an event to access the object (event 4663). For example, creating a subkey using regedit.exe would not trigger a 4663 event, but renaming it would. From 7989520aefbc586218db85b719b2695b6a221fa8 Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Wed, 12 Jan 2022 16:26:49 +0530 Subject: [PATCH 065/169] Updated --- .../client-management/mdm/bitlocker-csp.md | 34 ++-- .../mdm/enable-admx-backed-policies-in-mdm.md | 2 +- .../mdm/policy-csp-admx-icm.md | 52 ++--- .../mdm/policy-csp-admx-iscsi.md | 6 +- .../mdm/policy-csp-admx-kdc.md | 12 +- .../mdm/policy-csp-admx-kerberos.md | 16 +- .../mdm/policy-csp-admx-lanmanserver.md | 8 +- .../mdm/policy-csp-admx-lanmanworkstation.md | 6 +- .../mdm/policy-csp-admx-leakdiagnostic.md | 2 +- ...icy-csp-admx-linklayertopologydiscovery.md | 4 +- .../mdm/policy-csp-admx-logon.md | 30 +-- ...icy-csp-admx-microsoftdefenderantivirus.md | 186 +++++++++--------- .../mdm/policy-csp-admx-mmc.md | 10 +- .../mdm/policy-csp-admx-mmcsnapins.md | 48 ++--- .../mdm/policy-csp-attachmentmanager.md | 2 +- .../mdm/policy-csp-remotedesktopservices.md | 12 +- .../mdm/policy-csp-remotemanagement.md | 30 +-- .../mdm/policy-csp-remoteprocedurecall.md | 4 +- .../mdm/policy-csp-remoteshell.md | 14 +- .../mdm/policy-csp-search.md | 24 +-- .../mdm/policy-csp-security.md | 2 +- .../mdm/policy-csp-servicecontrolmanager.md | 2 +- 22 files changed, 253 insertions(+), 253 deletions(-) diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index 96b516b939..4530da2896 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md 
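Review bot: In the audit-registry.md note, the added sentence "This behaviour is expected only on the newer versions of the OS (Windows 11 / Windows Server 2022 and above)" has an ambiguous antecedent. It follows a sentence about event 4656 not being generated under the Audit Registry subcategory, so "This behaviour" reads as the event being absent, while the next added sentence ("On older versions, 4656 events are not generated during subkey creation") implies it means the event being generated. Anyone building detections on 4656 for subkey creation needs this to be unambiguous, so attach the version condition to the first sentence, where the 4656 expectation is stated. The last -/+ pair in the hunk ("Calls to Registry APIs ...") shows no text difference, so it is a whitespace-only change and can be dropped from the patch.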
@@ -142,7 +142,7 @@ Allows you to set the default encryption method for each of the different drive ADMX Info: