deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge pull request #6087 from MicrosoftDocs/master

Browse Source 
Publish 12/13/2021, 3:30 PM
This commit is contained in:
Gary Moore 2021-12-13 15:46:12 -08:00 committed by GitHub
commit 44b1222ec7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
20 changed files with 259 additions and 79 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
browsers/edge/group-policies/index.yml
View File

@ -9,7 +9,7 @@ metadata:
keywords: Microsoft Edge Legacy, Windows 10
ms.localizationpriority: medium
ms.prod: edge
author: shortpatti
author: dougeby
ms.author: pashort
ms.topic: landing-page
ms.devlang: na

2
browsers/edge/index.yml
View File

@ -11,7 +11,7 @@ metadata:
ms.localizationpriority: medium
ms.topic: landing-page # Required
ms.collection: collection # Optional; Remove if no collection is used.
author: shortpatti #Required; your GitHub user alias, with correct capitalization.
author: dougeby #Required; your GitHub user alias, with correct capitalization.
ms.author: pashort #Required; microsoft alias of author; optional team alias.
ms.date: 07/07/2020 #Required; mm/dd/yyyy format.

6
browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md
View File

@ -14,9 +14,7 @@ ms.author: dansimp
[!INCLUDE [Microsoft 365 workloads end of support for IE11](../includes/microsoft-365-ie-end-of-support.md)]
Return to: [Deprecated document modes and Internet Explorer 11](deprecated-document-modes.md)<br>
Return to: [Deprecated document modes and Internet Explorer 11](deprecated-document-modes.md)
<p>
<img src="images/docmode-decisions-lg.png" alt="Full-sized flowchart detailing how document modes are chosen in IE11" width="1355" height="1625" style="max-width:none;">
</p>
:::image type="content" source="images/docmode-decisions-lg.png" alt-text="Full-sized flowchart detailing how document modes are chosen in IE11" lightbox="images/docmode-decisions-lg.png":::

9
browsers/internet-explorer/ie11-deploy-guide/manage-ie11-overview.md
View File

@ -36,11 +36,4 @@ Use the topics in this section to learn about how to auto detect your settings,
|------|------------|
|[Auto detect settings Internet Explorer 11](auto-detect-settings-for-ie11.md) |Guidance about how to update your automatic detection of DHCP and DNS servers. |
|[Auto configuration settings for Internet Explorer 11](auto-configuration-settings-for-ie11.md) |Guidance about how to add, update and lock your auto configuration settings. |
|[Auto proxy configuration settings for Internet Explorer 11](auto-proxy-configuration-settings-for-ie11.md) |Guidance about how to add, update, and lock your auto-proxy settings. | 
|[Auto proxy configuration settings for Internet Explorer 11](auto-proxy-configuration-settings-for-ie11.md) |Guidance about how to add, update, and lock your auto-proxy settings. |

2
education/windows/windows-11-se-overview.md
View File

@ -20,7 +20,7 @@ ms.topic: article
- Windows 11 SE
- Microsoft Intune for Education
Windows 11 SE is a new edition of Windows that's designed for education. It runs on web-first devices that use essential education apps. Microsoft Office 365 is preinstalled.
Windows 11 SE is a new edition of Windows that's designed for education. It runs on web-first devices that use essential education apps. Microsoft Office 365 is preinstalled (subscription sold separately).
For education customers seeking cost-effective devices, Microsoft Windows 11 SE is a great choice. Windows 11 SE includes the following benefits:

39
education/windows/windows-11-se-settings-list.md
View File

@ -62,6 +62,45 @@ The following settings can't be changed.
| Administrative tools | Administrative tools, such as the command prompt and Windows PowerShell, can't be opened. Windows PowerShell scripts deployed using Microsoft Endpoint Manager can run. |
| Apps | Only certain apps are allowed to run on Windows 11 SE. For more info on what apps can run on Windows 11 SE, see [Windows 11 SE for Education overview](windows-11-se-overview.md). |
## What's available in the Settings app
On Windows 11 SE devices, the Settings app shows the following setting pages. Depending on the hardware, some setting pages might not be shown.
- Accessibility
- Accounts
- Email & accounts
- Apps
- Bluetooth & devices
- Bluetooth
- Printers & scanners
- Mouse
- Touchpad
- Typing
- Pen
- AutoPlay
- Network & internet
- WiFi
- VPN
- Personalization
- Taskbar
- Privacy & security
- System
- Display
- Notifications
- Tablet mode
- Multitasking
- Projecting to this PC
- Time & Language
- Language & region
## Next steps
[Windows 11 SE for Education overview](windows-11-se-overview.md)

6
store-for-business/release-history-microsoft-store-business-education.md
View File

@ -1,6 +1,6 @@
---
title: Whats new in Microsoft Store for Business and Education
description: Learn about newest features in Microsoft Store for Business and Microsoft Store for Education.
title: Microsoft Store for Business and Education release history
description: Know the release history of Microsoft Store for Business and Microsoft Store for Education.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
@ -18,7 +18,7 @@ manager: dansimp
> [!IMPORTANT]
> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
Microsoft Store for Business and Education regularly releases new and improved features. Here's a summary of new or updated features in previous releases.
Microsoft Store for Business and Education regularly releases new and improved features. Here's a summary of new or updated features in previous releases.
Looking for info on the latest release? Check out [What's new in Microsoft Store for Business and Education](whats-new-microsoft-store-business-education.md)

8
store-for-business/sfb-change-history.md
View File

@ -76,6 +76,7 @@ ms.localizationpriority: medium
| --- | --- |
| [Microsoft Store for Business and Education PowerShell module - preview](microsoft-store-for-business-education-powershell-module.md) | New |
| [Microsoft Store for Business and Education overview - supported markets](./microsoft-store-for-business-overview.md#supported-markets) | Updates for added market support. |
| [Manage Windows device deployment with Windows Autopilot Deployment](add-profile-to-devices.md) | New. Information about Windows Autopilot Deployment Program and how it is used in Microsoft Store for Business and Education. |
## June 2017
@ -84,10 +85,3 @@ ms.localizationpriority: medium
| [Notifications in Microsoft Store for Business and Education](notifications-microsoft-store-business.md) | New. Information about notification model in Microsoft Store for Business and Education. |
| [Get Minecraft: Education Edition with Windows 10 device promotion](/education/windows/get-minecraft-device-promotion) | New. Information about redeeming Minecraft: Education Edition licenses with qualifying purchases of Windows 10 devices. |
| [Microsoft Store for Business and Education overview - supported markets](./microsoft-store-for-business-overview.md#supported-markets) | Updates for added market support. |
## July 2017
| New or changed topic | Description |
| -------------------- | ----------- |
| [Manage Windows device deployment with Windows Autopilot Deployment](add-profile-to-devices.md) | New. Information about Windows Autopilot Deployment Program and how it is used in Microsoft Store for Business and Education. |
| [Microsoft Store for Business and Education overview - supported markets](./microsoft-store-for-business-overview.md#supported-markets) | Updates for added market support. |

2
windows/client-management/change-default-removal-policy-external-storage-media.md
View File

@ -3,7 +3,7 @@ title: Windows 10 default media removal policy
description: In Windows 10, version 1809, the default removal policy for external storage media changed from "Better performance" to "Quick removal."
ms.prod: w10
author: Teresa-Motiv
ms.author: v-tea
ms.author: dougeby
ms.date: 11/25/2020
ms.topic: article
ms.custom:

2
windows/client-management/troubleshoot-event-id-41-restart.md
View File

@ -2,7 +2,7 @@
title: Advanced troubleshooting for Event ID 41 - "The system has rebooted without cleanly shutting down first"
description: Describes the circumstances that cause a computer to generate Event ID 41, and provides guidance for troubleshooting the issue
author: Teresa-Motiv
ms.author: v-tea
ms.author: dougeby
ms.date: 12/27/2019
ms.prod: w10
ms.topic: article

2
windows/client-management/troubleshoot-stop-error-on-broadcom-driver-update.md
View File

@ -2,7 +2,7 @@
title: Stop error occurs when you update the in-box Broadcom network adapter driver
description: Describes an issue that causes a stop error when you update an in-box Broadcom driver on Windows Server 2019, version 1809.
author: Teresa-Motiv
ms.author: v-tea
ms.author: dougeby
ms.date: 2/3/2020
ms.prod: w10
ms.topic: article

3
windows/deployment/planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md
View File

@ -105,8 +105,7 @@ You can use the **Fix Description** tab of the Query tool to add parameters that
The query runs and the results of the query are displayed in the lower pane.
## Querying by Using the Fix Description Tab
## Querying by Using the Advanced Tab
You can use the **Fix Description** tab of the Query tool to add additional SQL Server SELECT and WHERE clauses to your search criteria.

72
windows/deployment/update/windows-as-a-service.md
View File

@ -1,5 +1,5 @@
---
title: Windows as a service
title: Windows as a service
ms.prod: w10
ms.topic: landing-page
ms.manager: laurawi
@ -26,21 +26,20 @@ Find the latest and greatest news on Windows 10 deployment and servicing.
**Discovering the Windows 10 Update history pages**
> [!VIDEO https://www.youtube-nocookie.com/embed/mTnAb9XjMPY]
Everyone wins when transparency is a top priority. We want you to know when updates are available, as well as alert you to any potential issues you may encounter during or after you install an update. Bookmark the <a href="/windows/release-health/">Windows release health dashboard</a> for near real-time information on known issues, workarounds, and resolutions--as well as the current status of the latest feature update rollout.
Everyone wins when transparency is a top priority. We want you to know when updates are available, as well as alert you to any potential issues you may encounter during or after you install an update. Bookmark the [Windows release health dashboard](/windows/release-health/) for near real-time information on known issues, workarounds, and resolutions--as well as the current status of the latest feature update rollout.
The latest news:
<ul compact style="list-style: none">
<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/How-to-get-Extended-Security-Updates-for-eligible-Windows/ba-p/917807">How to get Extended Security Updates for eligible Windows devices </a> - October 17, 2019</li>
<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/End-of-service-reminders-for-Windows-10-versions-1703-and-1803/ba-p/903715">End of service reminders for Windows 10, versions 1703 and 1803 </a> - October 9, 2019</li>
<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Using-machine-learning-to-improve-the-Windows-10-update/ba-p/877860">Using machine learning to improve the Windows 10 update experience </a> - September 26, 2019</li>
<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Publishing-pre-release-Windows-10-feature-updates-to-WSUS/ba-p/845054
">Publishing pre-release Windows 10 feature updates to WSUS </a> - September 24, 2019</li>
<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/New-extended-support-dates-for-MDOP-tools/ba-p/837312">New extended support dates for MDOP tools </a> - September 4, 2019</li>
<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/FastTrack-for-Windows-10-deployment-and-other-migration/ba-p/800406">FastTrack for Windows 10 deployment and other migration resources </a> - August 12, 2019</li>
<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Tactical-considerations-for-creating-Windows-deployment-rings/ba-p/746979">Tactical considerations for creating Windows deployment rings </a> - July 10, 2019</li>
<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Upgrading-Windows-10-devices-with-installation-media-different/ba-p/746126">Upgrading Windows 10 devices with installation media different than the original OS install language</a> - July 9, 2019</li>
<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Moving-to-the-next-Windows-10-feature-update-for-commercial/ba-p/732968">Moving to the next Windows 10 feature update for commercial customers</a> - July 1, 2019</li>
</ul>
- [How to get Extended Security Updates for eligible Windows devices](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/How-to-get-Extended-Security-Updates-for-eligible-Windows/ba-p/917807) - October 17, 2019
- [End of service reminders for Windows 10, versions 1703 and 1803](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/End-of-service-reminders-for-Windows-10-versions-1703-and-1803/ba-p/903715) - October 9, 2019
- [Using machine learning to improve the Windows 10 update experience](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Using-machine-learning-to-improve-the-Windows-10-update/ba-p/877860) - September 26, 2019
- [Publishing pre-release Windows 10 feature updates to WSUS](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Publishing-pre-release-Windows-10-feature-updates-to-WSUS/ba-p/845054) - September 24, 2019
- [New extended support dates for MDOP tools](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/New-extended-support-dates-for-MDOP-tools/ba-p/837312) - September 4, 2019
- [FastTrack for Windows 10 deployment and other migration resources](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/FastTrack-for-Windows-10-deployment-and-other-migration/ba-p/800406) - August 12, 2019
- [Tactical considerations for creating Windows deployment rings](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Tactical-considerations-for-creating-Windows-deployment-rings/ba-p/746979) - July 10, 2019
- [Upgrading Windows 10 devices with installation media different than the original OS install language](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Upgrading-Windows-10-devices-with-installation-media-different/ba-p/746126) - July 9, 2019
- [Moving to the next Windows 10 feature update for commercial customers](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Moving-to-the-next-Windows-10-feature-update-for-commercial/ba-p/732968) - July 1, 2019
[See more news](waas-morenews.md). You can also check out the [Windows 10 blog](https://techcommunity.microsoft.com/t5/Windows-10-Blog/bg-p/Windows10Blog).
@ -49,20 +48,19 @@ Written by IT pros for IT pros, sharing real world examples and scenarios for Wi
<img src="images/champs-2.png" alt="Champs" width="640" height="320">
<a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Tactical-considerations-for-creating-Windows-deployment-rings/ba-p/746979">**NEW** Tactical considerations for creating Windows deployment rings</a>
[**NEW** Tactical considerations for creating Windows deployment rings](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Tactical-considerations-for-creating-Windows-deployment-rings/ba-p/746979)
<a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-Enterprise-vs-Windows-10-Pro-Modern-management/ba-p/720445">**NEW** Windows 10 Enterprise vs. Windows 10 Pro: Modern management considerations for your organization</a>
[**NEW** Windows 10 Enterprise vs. Windows 10 Pro: Modern management considerations for your organization](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-Enterprise-vs-Windows-10-Pro-Modern-management/ba-p/720445)
<a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Deployment-rings-The-hidden-strategic-gem-of-Windows-as-a/ba-p/659622">Deployment rings: The hidden [strategic] gem of Windows as a service</a>
[Deployment rings: The hidden [strategic] gem of Windows as a service](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Deployment-rings-The-hidden-strategic-gem-of-Windows-as-a/ba-p/659622)
<a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Classifying-Windows-updates-in-common-deployment-tools/ba-p/331175">Classifying Windows updates in common deployment tools</a>
[Classifying Windows updates in common deployment tools](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Classifying-Windows-updates-in-common-deployment-tools/ba-p/331175)
<a href="/windows-server/get-started/express-updates">Express updates for Windows Server 2016 re-enabled for November 2018 update
</a>
[Express updates for Windows Server 2016 re-enabled for November 2018 update](/windows-server/get-started/express-updates)
<a href="https://support.microsoft.com/help/4472027/">2019 SHA-2 Code Signing Support requirement for Windows and WSUS</a>
[2019 SHA-2 Code Signing Support requirement for Windows and WSUS](https://support.microsoft.com/help/4472027/)
<a href="/windows/deployment/update/feature-update-mission-critical">Deploying Windows 10 Feature Updates to 24/7 Mission Critical Devices</a>
[What is Windows Update for Business?](waas-manage-updates-wufb.md)
## Discover
@ -70,14 +68,14 @@ Learn more about Windows as a service and its value to your organization.
<img src="images/discover-land.png" alt="Discover">
<a href="waas-overview.md">Overview of Windows as a service</a>
[Overview of Windows as a service](waas-overview.md)
<a href="waas-quick-start.md">Quick guide to Windows as a service</a>
[Quick guide to Windows as a service](waas-quick-start.md)
<a href="../deploy-whats-new.md">What's new in Windows 10 deployment</a>
[What's new in Windows 10 deployment](../deploy-whats-new.md)
<a href="https://channel9.msdn.com/events/Ignite/2015/BRK3303">How Microsoft IT deploys Windows 10</a></font>
[How Microsoft IT deploys Windows 10](https://channel9.msdn.com/events/Ignite/2015/BRK3303)</font>
## Plan
@ -85,15 +83,15 @@ Prepare to implement Windows as a service effectively using the right tools, pro
<img src="images/plan-land.png" alt="Plan" />
<a href="https://www.microsoft.com/windowsforbusiness/simplified-updates">Simplified updates</a>
[Simplified updates](https://www.microsoft.com/windowsforbusiness/simplified-updates)
<a href="https://www.microsoft.com/itpro/windows-10/end-user-readiness">Windows 10 end user readiness</a>
[Windows 10 end user readiness](https://www.microsoft.com/itpro/windows-10/end-user-readiness)
<a href="https://developer.microsoft.com/windows/ready-for-windows#/">Ready for Windows</a>
[Ready for Windows](https://developer.microsoft.com/windows/ready-for-windows#/)
<a href="/mem/configmgr/desktop-analytics/overview">Manage Windows upgrades with Upgrade Readiness</a>
[Manage Windows upgrades with Upgrade Readiness](/mem/configmgr/desktop-analytics/overview)
<a href="https://www.microsoft.com/itshowcase/windows10deployment">Preparing your organization for a seamless Windows 10 deployment</a>
[Preparing your organization for a seamless Windows 10 deployment](https://www.microsoft.com/itshowcase/windows10deployment)
## Deploy
@ -101,18 +99,18 @@ Secure your organization's deployment investment.
<img src="images/deploy-land.png" alt="Deploy" />
<a href="index.md">Update Windows 10 in the enterprise</a>
[Update Windows 10 in the enterprise](index.md)
<a href="https://www.microsoft.com/itshowcase/Article/Content/668/Deploying-Windows-10-at-Microsoft-as-an-inplace-upgrade">Deploying as an in-place upgrade</a>
[Deploying as an in-place upgrade](https://www.microsoft.com/itshowcase/Article/Content/668/Deploying-Windows-10-at-Microsoft-as-an-inplace-upgrade)
<a href="waas-configure-wufb.md">Configure Windows Update for Business</a>
[Configure Windows Update for Business](waas-configure-wufb.md)
<a href="waas-optimize-windows-10-updates.md#express-update-delivery">Express update delivery</a>
[Express update delivery](waas-optimize-windows-10-updates.md#express-update-delivery)
<a href="../planning/windows-10-deployment-considerations.md">Windows 10 deployment considerations</a>
[Windows 10 deployment considerations](../planning/windows-10-deployment-considerations.md)
## Microsoft Ignite 2018
<img src="images/ignite-land.jpg" alt="Ignite" width="640" height="320"/>
Looking to learn more? These informative session replays from Microsoft Ignite 2018 (complete with downloadable slide decks) can provide some great insights on Windows as a service. See [MyIgnite - Session catalog](https://myignite.techcommunity.microsoft.com/sessions).
Looking to learn more? These informative session replays from Microsoft Ignite 2018 (complete with downloadable slide decks) can provide some great insights on Windows as a service. See [MyIgnite - Session catalog](https://myignite.techcommunity.microsoft.com/sessions).

15
windows/deployment/upgrade/upgrade-error-codes.md
View File

@ -21,10 +21,9 @@ ms.collection: highpri
- Windows 10
>[!NOTE]
>This is a 400 level topic (advanced).<br>
>This is a 400 level topic (advanced).
>See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article.
If the upgrade process is not successful, Windows Setup will return two codes:
1. **A result code**: The result code corresponds to a specific Win32 or NTSTATUS error.
@ -39,7 +38,7 @@ Note: If only a result code is returned, this can be because a tool is being use
## Result codes
A result code of **0xC1900101** is generic and indicates that a rollback occurred. In most cases, the cause is a driver compatibility issue. <br>To troubleshoot a failed upgrade that has returned a result code of 0xC1900101, analyze the extend code to determine the Windows Setup phase, and see the [Resolution procedures](resolution-procedures.md) section later in this article.
A result code of **0xC1900101** is generic and indicates that a rollback occurred. In most cases, the cause is a driver compatibility issue. To troubleshoot a failed upgrade that has returned a result code of 0xC1900101, analyze the extend code to determine the Windows Setup phase, and see the [Resolution procedures](resolution-procedures.md) section later in this article.
The following set of result codes are associated with [Windows Setup](/windows-hardware/manufacture/desktop/windows-setup-command-line-options) compatibility warnings:
@ -144,8 +143,8 @@ For example: An extend code of **0x4000D**, represents a problem during phase 4
## Related topics
[Windows 10 FAQ for IT professionals](../planning/windows-10-enterprise-faq-itpro.yml)
<br>[Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx)
<br>[Windows 10 Specifications](https://www.microsoft.com/windows/Windows-/ifications)
<br>[Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro)
<br>[Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821)
[Windows 10 FAQ for IT professionals](../planning/windows-10-enterprise-faq-itpro.yml)
[Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx)
[Windows 10 Specifications](https://www.microsoft.com/windows/windows-10-specifications)
[Microsoft Windows Q & A](/answers/products/windows)
[Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821)

5
windows/deployment/windows-10-deployment-scenarios.md
View File

@ -19,6 +19,7 @@ ms.collection: highpri
# Windows 10 deployment scenarios
**Applies to**
- Windows 10
To successfully deploy the Windows 10 operating system in your organization, it is important to understand the different ways that it can be deployed, especially now that there are new scenarios to consider. Choosing among these scenarios, and understanding the capabilities and limitations of each, is a key task.
@ -32,9 +33,9 @@ The following tables summarize various Windows 10 deployment scenarios. The scen
> [!NOTE]
> Once you have deployed Windows 10 in your organization, it is important to stay up to date by [creating a deployment plan](update/create-deployment-plan.md) for Windows 10 feature updates.
- Dynamic deployment methods enable you to configure applications and settings for specific use cases.
- Dynamic deployment methods enable you to configure applications and settings for specific use cases.
- Traditional deployment methods use existing tools to deploy operating system images.<br>&nbsp;
- Traditional deployment methods use existing tools to deploy operating system images.
### Modern

3
windows/privacy/windows-endpoints-1909-non-enterprise-editions.md
View File

@ -148,7 +148,8 @@ The following methodology was used to derive the network endpoints:
|ris.api.iris.microsoft.com|TLS v1.2|Windows Spotlight
|settings-win.data.microsoft.com|HTTPS/TLS v1.2|Used for Windows apps to dynamically update their configuration
|spo-ring.msedge.net|TLSv1.2|Cortana and Live Tiles
|telecommand.telemetry.microsoft.com|TLS v1.2|Used by Windows Error Reporting ||tile-service.weather.microsoft.com|HTTP|Used for the Weather app
|telecommand.telemetry.microsoft.com|TLS v1.2|Used by Windows Error Reporting
|tile-service.weather.microsoft.com|HTTP|Used for the Weather app
|tsfe.trafficshaping.dsp.mp.microsoft.com|HTTPS|Used for content regulation
|v10.events.data.microsoft.com/onecollector/1.0/|HTTPS/TLS v1.2|Diagnostic Data
|v10.events.data.microsoft.com|HTTPS/TLS v1.2|Used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service

2
windows/security/threat-protection/windows-defender-application-control/TOC.yml
View File

@ -50,6 +50,8 @@
href: create-wdac-policy-for-fully-managed-devices.md
- name: Create a WDAC policy for fixed-workload devices
href: create-initial-default-policy.md
- name: Create a WDAC deny list policy
href: create-wdac-deny-policy.md
- name: Microsoft recommended block rules
href: microsoft-recommended-block-rules.md
- name: Microsoft recommended driver block rules

153
windows/security/threat-protection/windows-defender-application-control/create-wdac-deny-policy.md Normal file
View File

@ -0,0 +1,153 @@
---
title: Create WDAC Deny Policy
description: Explains how to create WDAC deny policies
keywords: WDAC, policy
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
ms.collection: M365-security-compliance
author: jgeurten
ms.reviewer: jsuther1974
ms.author: dansimp
manager: dansimp
ms.date: 11/29/2021
ms.technology: windows-sec
---
# Guidance on Creating WDAC Deny Policies
With Windows Defender Application Control (WDAC), you can create application control policies to explicitly deny specific drivers and applications, as well as signatures and certificates and file paths.
Topics this article will be discussing are:
1. File Rule Precedence Order
2. Adding Allow Rules
3. Singe Policy Considerations
4. Multiple Policy Considerations
5. Best Practices
6. Tutorial/Walkthrough
## File Rule Precedence Order
To create effective WDAC deny policies, it is crucial to understand how WDAC parses the policy. The WDAC engine evaluates files against the policy in the following order.
1. Explicit deny rules - if there is an explicit deny rule, do not process the rest of the rules; the file is untrusted.
2. Explicit allow rules.
3. WDAC will then check for the [Managed Installer extended (EA)](configure-authorized-apps-deployed-with-a-managed-installer.md) or the [Intelligent Security Graph (ISG) EA](use-windows-defender-application-control-with-intelligent-security-graph.md) on the file.
4. Lastly, WDAC will call the Intelligent Security Graph (ISG) to get reputation on file, if the policy has support for the ISG.
Explicit allow and deny rules encompass rules at any level (for example hash rules, signer rules path rules, attribute rules, or package family name rules). If there is an explicit deny rule, WDAC does not process any other rules, meaning a deny rule always takes precedence in the case where a deny and allow rule would be at odds.
## Interaction with Existing Policies
### Adding Allow Rules
In the scenario where there is not an explicit allow rule, there is not a managed installer or ISG EA and ISG is not configured, WDAC will block the file as there is nothing in the policy vouching for trust of the file.
If this deny policy is the only policy on the device, the following rule(s) need to be added to the policy in addition to the deny/block rules to trust for the driver files outside of the intended blocklisted ones:
```xml
<FileRules>
<Allow ID="ID_ALLOW_A_1" FriendlyName="Allow Kernel Drivers" FileName="*" />
</FileRules>
<SigningScenarios>
<SigningScenario Value="131" ID="ID_SIGNINGSCENARIO_DRIVERS_1" FriendlyName="Kernel Mode Signing Scenario">
<ProductSigners>
<FileRulesRef>
<FileRuleRef RuleID="ID_ALLOW_A_1" />
</FileRulesRef>
</ProductSigners>
</SigningScenario>
</SigningScenarios>
```
If the policy enables user mode code integrity via the ***Enabled:UMCI*** rule-option, the following section needs to be added to the policy in addition to the deny/block rules to trust for the driver and user mode files outside of the intended blocklisted ones:
```xml
<FileRules>
<Allow ID="ID_ALLOW_A_1" FriendlyName="Allow Kernel Drivers" FileName="*" />
<Allow ID="ID_ALLOW_A_2" FriendlyName="Allow User mode components" FileName="*" />
</FileRules>
<SigningScenarios>
<SigningScenario Value="131" ID="ID_SIGNINGSCENARIO_DRIVERS_1" FriendlyName="Kernel Mode Signing Scenario">
<ProductSigners>
<FileRulesRef>
<FileRuleRef RuleID="ID_ALLOW_A_1" />
</FileRulesRef>
</ProductSigners>
</SigningScenario>
<SigningScenario Value="12" ID="ID_SIGNINGSCENARIO_WINDOWS" FriendlyName="User Mode Signing Scenario">
<ProductSigners>
<FileRulesRef>
<FileRuleRef RuleID="ID_ALLOW_A_2" />
</FileRulesRef>
</ProductSigners>
</SigningScenario>
</SigningScenarios>
```
## Single Policy Considerations
If the set of deny rules is to be added into an existing policy with allow rules, then the above Allow All rules should not be added to the policy. Instead, the deny policy should be merged with the existing WDAC policy via the [WDAC Wizard](wdac-wizard-merging-policies.md) or using the following PowerShell command:
```PowerShell
$DenyPolicy = <path_to_deny_policy>
$ExistingPolicy = <path_to_existing_policy>
Merge-CIPolicy -PolicyPaths $ DenyPolicy, $ExistingPolicy -OutputFilePath $ExistingPolicy
```
## Multiple Policy Considerations
If you are currently using [multiple policies](deploy-multiple-windows-defender-application-control-policies.md) on a device, there are two options for integrating the blocklist into your policy set.
(Recommended) The first option is to keep the blocklist as its own policy isolated from your allow policies as it is easier to manage. Since applications need to be [allowed by both WDAC policies to run on the device](deploy-multiple-windows-defender-application-control-policies.md#base-and-supplemental-policy-interaction), you will need to add the Allow All rule(s) to your deny policy. This will not override the set of applications allowed by WDAC illustrated by the following example:
Policy 1 is an allowlist of Windows and Microsoft-signed applications. Policy 2 is our new deny policy, which blocks MaliciousApp.exe with the Allow All rules. MaliciousApp.exe will be blocked since there is an explicit block rule in Policy 2. Windows and Microsoft applications will be allowed since there is an explicit allow rule in Policy 1 and Policy 2 (due to the Allow All rules). All other applications, if not Windows and Microsoft signed, for example, ExampleApp.exe, will not be allowed as this application is only trusted by Policy 2 (due to the Allow All rules) and not Policy 1.
The second option involves merging the blocklist with your existing WDAC policy, regardless if the policy is an allowlist policy and contains allow and/or deny rules.
## Best Practices
1. **Starting with Audit Mode Policies** - as with all new policies, we recommend rolling out your new deny policy in Audit Mode and monitoring the [3077 block events](event-id-explanations.md#optional-intelligent-security-graph-isg-or-managed-installer-mi-diagnostic-events) to ensure only the applications you intended to block are being blocked. More information on monitoring block events via the Event Viewer logs and Advanced Hunting: [Managing and troubleshooting Windows Defender Application Control policies](windows-defender-application-control-operational-guide.md)
2. **Recommended Deny Rules Types** - signer and file attribute rules are recommended from a security, manageability, and performance perspective. Hash rules should only be utilized where otherwise impossible. The hash of an application is updated for every new version released by the publisher, which quickly becomes impractical to manage and protect against new threats where the attacker is quickly iterating on the payload. Additionally, WDAC has optimized parsing of hash rules, but devices may see performance impacts at runtime evaluation when policies have tens of thousands or more hash rules.
## Creating a Deny Policy Tutorial
Deny rules and policies can be created using the PowerShell cmdlets or the [WDAC Wizard](https://webapp-wdac-wizard.azurewebsites.net/). We recommend creating signer rules (PCACertificate, Publisher, and FilePublisher) wherever possible. In the cases of unsigned binaries, rules must be created on attributes of the file, such as the original filename, or the hash.
### Software Publisher Based Deny Rule
```Powershell
$DenyRules += New-CIPolicyRule -Level FilePublisher -DriverFilePath <binary_to_block> -Deny -Fallback FileName,Hash
```
### Software Attributes Based Deny Rule
```Powershell
$DenyRules += New-CIPolicyRule -Level FileName -DriverFilePath <binary_to_block> -Deny -Fallback Hash
```
### Hash Based Deny Rule
```PowerShell
New-CIPolicyRule -Level Hash -DriverFilePath <binary_to_block> -Deny
```
### Adding Allow All Rules
If necessary, as in the cases listed above, [Allow All Rules](#adding-allow-rules) may need to be added to the policy. The Allow All rules can be manually added to the policy xml or by merging with the Allow All xml present on the client system in the WDAC template folder:
```PowerShell
$DenyPolicy = <path_to_deny_policy>
$AllowAllPolicy = $Env:windir + "\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml"
Merge-CIPolicy -PolicyPaths $DenyPolicy, $AllowAllPolicy -OutputFilePath $DenyPolicy
```
### Deploying the Deny Policy
Policies should be thoroughly evaluated and first rolled out in audit mode before strict enforcement. Policies can be deployed via multiple options:
1. Mobile Device Management (MDM): [Deploy WDAC policies using Mobile Device Management (MDM) (Windows)](deploy-windows-defender-application-control-policies-using-intune.md)
2. Microsoft Endpoint Configuration Manager (MEMCM): [Deploy Windows Defender Application Control (WDAC) policies by using Microsoft Endpoint Configuration Manager (MEMCM) (Windows)](deployment/deploy-wdac-policies-with-memcm.md)
3. Scripting [Deploy Windows Defender Application Control (WDAC) policies using script (Windows)](deployment/deploy-wdac-policies-with-script.md)
4. Group Policy: [Deploy WDAC policies via Group Policy (Windows)](deploy-windows-defender-application-control-policies-using-group-policy.md)

2
windows/security/threat-protection/windows-defender-application-control/index.yml
View File

@ -52,6 +52,8 @@ landingContent:
url: create-wdac-policy-for-fully-managed-devices.md
- text: Create a WDAC policy for a fixed-workload
url: create-initial-default-policy.md
- text: Create a WDAC deny list policy
url: create-wdac-deny-policy.md
- text: Deploying catalog files for WDAC management
url: deploy-catalog-files-to-support-windows-defender-application-control.md
- text: Using the WDAC Wizard

3
windows/whats-new/windows-10-insider-preview.md
View File

@ -14,7 +14,8 @@ ms.topic: article
# Documentation for Windows 10 Insider Preview
> <span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. ]</span>
>[!NOTE]
> Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
This section contains preliminary documentation for some enterprise features in Windows 10 Insider Preview. Information in this section may change frequently.