From d25b88cf3392d84617af9be7ba0e0d62e56c5dcf Mon Sep 17 00:00:00 2001 From: Carmen Date: Tue, 16 May 2023 13:44:22 -0600 Subject: [PATCH 01/80] Doc updates to commonly asked questions --- .../do/waas-delivery-optimization-faq.yml | 19 +++++++++++++++++++ windows/deployment/update/wufb-reports-do.md | 18 +++++++++++++++--- 2 files changed, 34 insertions(+), 3 deletions(-) diff --git a/windows/deployment/do/waas-delivery-optimization-faq.yml b/windows/deployment/do/waas-delivery-optimization-faq.yml index 1a0f413fd5..fdc38b3b61 100644 --- a/windows/deployment/do/waas-delivery-optimization-faq.yml +++ b/windows/deployment/do/waas-delivery-optimization-faq.yml 
@@ -106,4 +106,23 @@ sections: - question: How does Delivery Optimization determine which content is available for peering? answer: | Delivery Optimization uses the cache content on the device to determine what's available for peering. For the upload source device, there's a limited number (4) of slots for cached content that's available for peering at a given time. Delivery Optimization contains logic that rotates the cached content in those slots. + + - question: What is the recommended configuration for Delivery Optimization used with Zscaler? + answer: | + The best configuration with Zscaler is to bypass the [hostnames](waas-delivery-optimization-faq.yml#what-hostnames-should-i-allow-through-my-firewall-to-support-delivery-optimization) for Delivery Optimization services and allow that traffic to go directly to the Internet and not through Zscaler. + For communication between clients and the Delivery Optimization cloud service: + + • *.do.dsp.mp.microsoft.com + + If that's not an option, that try using Group Download mode '2' would be the best next step. For more information on using Group mode, https://learn.microsoft.com/en-us/windows/deployment/do/waas-delivery-optimization-reference#select-the-source-of-group-ids + - question: How do I turn Delivery Optimization off? + answer: | + Delivery Optimization is an HTTP downloader used by a majority of content providers from Microsoft. When a Windows device is configured to use Delivery Optimization peering (on by default), for the content types, in addition to the HTTP downloader capabilities the Delivery Optimization peering service + can be used to optimize bandwidth. If you'd like to prevent the peering capabilities of Delivery Optimization, you can simply change the setting to Download Mode '99', [Simple mode](waas-delivery-optimization-reference.md#download-mode). This will prevent any peering for the downloaded content. 
+ Delivery Optimization will still be used as the HTTP downloader, but any communication to the cloud peering service will be disabled. + + - question: Delivery Optimization is using device resources and I can't tell why? + answer: | + Delivery Optimization is used by a majority of content providers from Microsoft. A complete list can be found [here](waas-delivery-optimization.md#types-of-download-content-supported-by-delivery-optimization). Often times customers don't realize the vast application of Delivery Optimization and different apps can be + running in the background. There are different Delivery Optimization [settings](waas-delivery-optimization-reference.md) that can help manage the amount of bandwidth, time of day, etc. Also note that depending on the app, closing the app don't necessarily stop the download. diff --git a/windows/deployment/update/wufb-reports-do.md b/windows/deployment/update/wufb-reports-do.md index 580d459ff8..69aafe106a 100644 --- a/windows/deployment/update/wufb-reports-do.md +++ b/windows/deployment/update/wufb-reports-do.md @@ -92,7 +92,7 @@ There are several calculated values that appear on the Delivery Optimization rep In the **Efficiency By Group** subsection, the **GroupID** is displayed as an encoded SHA256 hash. You can create a mapping of original to encoded GroupIDs using the following PowerShell example: ```powershell -$text = "" ; +$text = "" ; $hashObj = [System.Security.Cryptography.HashAlgorithm]::Create('sha256') ; $dig = $hashObj.ComputeHash([System.Text.Encoding]::Unicode.GetBytes($text)) ; $digB64 = [System.Convert]::ToBase64String($dig) ; Write-Host "$text ==> $digB64" ``` 
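Review bot: In the wufb-reports-do.md hunk @@ -92,7 +92,7 @@, the example still assigns `$text = ""`, so run as shown it hashes the empty string, and the removed and added lines read identically here. Put a clearly named placeholder for the original GroupID between the quotes and say that the reader must replace it. It is also worth one sentence that the input is encoded with `[System.Text.Encoding]::Unicode` (UTF-16LE) and the digest is Base64-encoded, because hashing the same GroupID as UTF-8 or printing it as hex will not match the value shown in the report. Splitting the one-line `;` chain into one statement per line would make the steps easier to follow.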
@@ -106,8 +106,8 @@ Get-DeliveryOptimizationLog -Flush | Set-Content C:\dosvc.log The below two lines are together in verbose logs: ```text -2023-02-15T12:33:11.3811337Z 1514 1F4 {CGlobalConfigManager::GetGroupId} Using groupID = **** -2023-02-15T12:33:11.3811432Z 1514 1F4 {CGlobalConfigManager::GetGroupId} Hashed groupID = **** +2023-02-15T12:33:11.3811337Z 1514 1F4 {CGlobalConfigManager::GetGroupId} Using groupID = **** +2023-02-15T12:33:11.3811432Z 1514 1F4 {CGlobalConfigManager::GetGroupId} Hashed groupID = **** ``` ## Sample queries @@ -167,3 +167,15 @@ A row in UCDOAggregatedStatus represents data summarized at the tenant level (Az - **How are BytesFromCache calculated when there's a Connected Cache server used by my ISP?** If there's a Connected Cache server at the ISP level, BytesFromCache will filter out any bytes coming the ISP's Connected Cache. + +- **What does the 'Other' content type represent?** +The 'Other' category is a subset of the [complete list](../do/waas-delivery-optimization.md) of supported Delivery Optimization content types including: + * Windows Defender definition updates + * Intune Win32 apps + * Edge Browser updates + * Configuration Manager Express updates + * Dynamic updates + * MDM Agent + * Xbox Game Pass (PC) + * Windows Package Manager + * MSIX From 429b7817fce8a083bed046a4a2e55cf3deb46823 Mon Sep 17 00:00:00 2001 From: Carmen Date: Tue, 16 May 2023 13:50:40 -0600 Subject: [PATCH 02/80] Updates for 'Other' content --- windows/deployment/update/wufb-reports-do.md | 181 ------------------- 1 file changed, 181 deletions(-) diff --git a/windows/deployment/update/wufb-reports-do.md b/windows/deployment/update/wufb-reports-do.md index 8087bbcab2..e69de29bb2 100644 --- a/windows/deployment/update/wufb-reports-do.md +++ b/windows/deployment/update/wufb-reports-do.md 
@@ -1,181 +0,0 @@ ---- -title: Delivery Optimization data in Windows Update for Business reports -manager: aaroncz -description: Provides information about Delivery Optimization data in Windows Update for Business reports -ms.prod: windows-client -author: mestew -ms.author: mstewart -ms.topic: article -ms.date: 04/12/2023 -ms.technology: itpro-updates ---- - -# Delivery Optimization data in Windows Update for Business reports - -***(Applies to: Windows 11 & Windows 10)*** - -[Delivery Optimization](../do/waas-delivery-optimization.md) (DO) is a Windows feature that can be used to reduce bandwidth consumption by sharing the work of downloading updates among multiple devices in your environment. You can use DO with many other deployment methods, but it's a cloud-managed solution, and access to the DO cloud services is a requirement. - -Windows Update for Business reports provides Delivery Optimization information in the following places: -- The Windows Update for Business reports [workbook](wufb-reports-workbook.md) -- [UCDOAggregatedStatus](wufb-reports-schema-ucdoaggregatedstatus.md) -- [UCDOStatus](wufb-reports-schema-ucdostatus.md) - -Windows Update for Business reports doesn't include Delivery Optimization data for Windows Insider devices. - -## Delivery Optimization terms - -Windows Update for Business reports uses the following Delivery Optimization terms: - -- **Peer**: A device in the solution -- **Peering 'ON'** - Devices where DO peer-to-peer is enabled in one of the following modes: - - LAN (1) - - Group (2) - - Internet (3) -- **Peering 'OFF'**: Devices where DO peer-to-peer is disabled, set to one of the following modes: - - HTTP Only (0) - - Simple Mode (99) - - Bypass (100), deprecated in Windows 11 -- **Bandwidth savings**: The percentage of bandwidth that was downloaded from alternate sources (Peers or Microsoft Connected Cache (MCC) out of the total amount of data downloaded. 
- - If bandwidth savings are <= 60%, a *Warning* icon is displayed - - When bandwidth savings are <10%, an *Error* icon is displayed. -- **Configurations**: Based on the DownloadMode configuration set via MDM, Group Policy, or end-user via the user interface. -- **P2P Device Count**: The device count is the number of devices configured to use peering. -- **Microsoft Connected Cache (MCC)**: Microsoft Connected Cache is a software-only caching solution that delivers Microsoft content. For more information, see [Microsoft Connected Cache overview](../do/waas-microsoft-connected-cache.md). -- **MCC Device Count**: The device count is the number of devices that have received bytes from the cache server, for supported content types. -- **Total # of Devices**: The total number of devices with activity in last 28 days. -- **LAN Bytes**: Bytes delivered from LAN peers. -- **Group Bytes**: Bytes from Group peers. If a device is using Group DownloadMode, Delivery Optimization will first look for peers on the LAN and then in the Group. Therefore, if bytes are delivered from LAN peers, they'll be calculated in 'LAN Bytes'. -- **CDN Bytes**: Bytes delivered from Content Delivery Network (CDN). -- **City**: City is determined based on the location of the device where the maximum amount of data is downloaded. -- **Country**: Country is determined based on the location of the device where the maximum amount of data is downloaded. -- **ISP**: ISP is determined based on the ISP delivering the maximum bytes to the device. - -## Calculations for Delivery Optimization - -There are several calculated values that appear on the Delivery Optimization report. 
Listed below each calculation is the table that's used for it: - -**Efficiency (%) Calculations**: - -- Bandwidth Savings (BW SAV%) = 100 * (BytesFromPeers + BytesFromGroupPeers + BytesFromCache) / -(BytesFromPeers + BytesFromGroupPeers+BytesFromCDN + BytesFromCache) - - [UCDOAggregatedStatus](wufb-reports-schema-ucdostatus.md) table -- % P2P Efficiency = 100 * (BytesFromPeers + BytesFromGroupPeers) / (BytesFromPeers + BytesFromGroupPeers+BytesFromCDN+BytesFromCache) - - [UCDOStatus](wufb-reports-schema-ucdostatus.md) table -- % MCC Efficiency = 100 * BytesFromCache / (BytesFromPeers + BytesFromGroupPeers+BytesFromCDN+BytesFromCache) - - [UCDOStatus](wufb-reports-schema-ucdostatus.md) table - -**Bytes Calculations**: - -- TotalBytes = BytesFromCDN + BytesFromEnterpriseCache + BytesFromPeers + BytesFromGroupPeers - - [UCDOAggregatedStatus](wufb-reports-schema-ucdostatus.md) table -- BytesFromCDN = BytesFromCDN - - [UCDOAggregatedStatus](wufb-reports-schema-ucdostatus.md) table -- BytesFromPeers = BytesFromLAN - - [UCDOAggregatedStatus](wufb-reports-schema-ucdoaggregatedstatus.md) table -- BytesFromGroupPeers = BytesFromGroupPeers - - [UCDOAggregatedStatus](wufb-reports-schema-ucdoaggregatedstatus.md) table -- BytesFromCache = BytesFromCache - - [UCDOAggregatedStatus](wufb-reports-schema-ucdoaggregatedstatus.md) table - -**Volume Calculations**: - -- Volume by P2P = BytesFromPeers + BytesFromGroupPeers - - [UCDOStatus](wufb-reports-schema-ucdostatus.md) table -- Volume by MCC = BytesFromCache - - [UCDOStatus](wufb-reports-schema-ucdostatus.md) table -- Volume by CDN = BytesFrom CDN - - [UCDOStatus](wufb-reports-schema-ucdostatus.md) table - -## Mapping GroupID - -In the **Efficiency By Group** subsection, the **GroupID** is displayed as an encoded SHA256 hash. 
You can create a mapping of original to encoded GroupIDs using the following PowerShell example: - -```powershell -$text = "" ; - -$hashObj = [System.Security.Cryptography.HashAlgorithm]::Create('sha256') ; $dig = $hashObj.ComputeHash([System.Text.Encoding]::Unicode.GetBytes($text)) ; $digB64 = [System.Convert]::ToBase64String($dig) ; Write-Host "$text ==> $digB64" -``` - -In addition, you can see both the encoded and decoded GroupIDs in the Delivery Optimization logs. - -```powershell -Get-DeliveryOptimizationLog -Flush | Set-Content C:\dosvc.log -``` - -The below two lines are together in verbose logs: - -```text -2023-02-15T12:33:11.3811337Z 1514 1F4 {CGlobalConfigManager::GetGroupId} Using groupID = **** -2023-02-15T12:33:11.3811432Z 1514 1F4 {CGlobalConfigManager::GetGroupId} Hashed groupID = **** -``` - -## Sample queries - -You can use the data in [UCDOAggregatedStatus](wufb-reports-schema-ucdoaggregatedstatus.md) -and [UCDOStatus](wufb-reports-schema-ucdostatus.md) to create your own queries. Create your custom queries using [Kusto Query Language (KQL)](/azure/data-explorer/kusto/query/), but note that Windows Update for Business reports uses Azure Monitor, so some operators aren't supported. The KQL documentation specifies which operators aren't supported by Azure Monitor or if they have different functionality. For more information about KQL in Azure Monitor, see [Log queries in Azure Monitor](/azure/azure-monitor/logs/log-query-overview). 
The following queries are examples of how you can use the data: - -### Example UCDOAggregatedStatus table query - -The following query is used to display the total bandwidth savings % value: - -```kusto -UCDOAggregatedStatus| where TimeGenerated == _SnapshotTime -| extend LocalSourceBytes = BytesFromCache + BytesFromGroupPeers + BytesFromPeers -| summarize LocalSources_BWSAV = round((sum(0.0 + LocalSourceBytes)/ sum(LocalSourceBytes+BytesFromCDN)) * 100.0 ,2) -| extend Title = "BW SAV%" , SubTitle = "Local Sources" -``` - -### Example UCDOStatus table query - -The following query is used to display the Top 10 GroupIDs: - -```kusto -UCDOStatus | where TimeGenerated == _SnapshotTime -| summarize sum(BytesFromCDN) , sum(BytesFromGroupPeers) , sum(BytesFromPeers) , sum(BytesFromCache) , -DeviceCount = count_distinct(GlobalDeviceId) by GroupID | top 10 by DeviceCount desc -| extend TotalBytes = (sum_BytesFromPeers + sum_BytesFromGroupPeers+sum_BytesFromCDN+sum_BytesFromCache) -| extend P2PPercentage = ((0.0 + sum_BytesFromPeers + sum_BytesFromGroupPeers)/TotalBytes ) * 100.0 -| extend MCCPercentage = ((0.0 + sum_BytesFromCache)/ TotalBytes) * 100.0 , - VolumeBytesFromPeers = sum_BytesFromPeers + sum_BytesFromGroupPeers -| extend VolumeBytesFromMCC = sum_BytesFromCache , VolumeByCDN = sum_BytesFromCDN -| project GroupID , P2PPercentage , MCCPercentage , VolumeBytesFromPeers , VolumeBytesFromMCC ,VolumeByCDN , DeviceCount -``` - -## Frequency Asked Questions - -- **What time period does the Delivery Optimization data include?** -Data is generated/aggregated for the last 28 days for active devices. - -- **Data is showing as 'Unknown', what does that mean?** -You may see data in the report listed as 'Unknown'. This status indicates that the Delivery Optimization DownloadMode setting is either invalid or empty. 
- -- **How are the 'Top 10' groups identified?** -The top groups are represented by the number of devices in a particular group, for any of the four group types (GroupID, City, Country, and ISP). - -- **The GroupIDs don't look familiar, why are they different?** -The GroupID values are encoded for data protection telemetry requirements. You can find more information in the 'Mapping GroupIDs' section above. - -- **How can I see data for device in the office vs. out of the office?** -Today, we don't have a distinction for data that was downloaded by location. - -- **What does the data in UCDOStatus table represent?** -A row in UCDOStatus represents data downloaded by a combination of a single device ID (AzureADDeviceId) by content type (ContentType). - -- **What does the data in UCDOAggregatedStatus table represent?** -A row in UCDOAggregatedStatus represents data summarized at the tenant level (AzureADTenantID) for each content type (ContentType). - -- **How are BytesFromCache calculated when there's a Connected Cache server used by my ISP?** -If there's a Connected Cache server at the ISP level, BytesFromCache will filter out any bytes coming the ISP's Connected Cache. - -- **What does the 'Other' content type represent?** -The 'Other' category is a subset of the [complete list](../do/waas-delivery-optimization.md) of supported Delivery Optimization content types including: - * Windows Defender definition updates - * Intune Win32 apps - * Edge Browser updates - * Configuration Manager Express updates - * Dynamic updates - * MDM Agent - * Xbox Game Pass (PC) - * Windows Package Manager - * MSIX From 6ae7499a87698a054537073dfc68ac7002622620 Mon Sep 17 00:00:00 2001 From: Carmen Date: Tue, 16 May 2023 13:51:52 -0600 Subject: [PATCH 03/80] Updates --- windows/deployment/update/wufb-reports-do.md | 181 +++++++++++++++++++ 1 file changed, 181 insertions(+) 
diff --git a/windows/deployment/update/wufb-reports-do.md b/windows/deployment/update/wufb-reports-do.md index e69de29bb2..69aafe106a 100644 --- a/windows/deployment/update/wufb-reports-do.md +++ b/windows/deployment/update/wufb-reports-do.md 
@@ -0,0 +1,181 @@ +--- +title: Delivery Optimization data in Windows Update for Business reports +manager: aaroncz +description: Provides information about Delivery Optimization data in Windows Update for Business reports +ms.prod: windows-client +author: mestew +ms.author: mstewart +ms.topic: article +ms.date: 04/12/2023 +ms.technology: itpro-updates +--- + +# Delivery Optimization data in Windows Update for Business reports + +***(Applies to: Windows 11 & Windows 10)*** + +[Delivery Optimization](../do/waas-delivery-optimization.md) (DO) is a Windows feature that can be used to reduce bandwidth consumption by sharing the work of downloading updates among multiple devices in your environment. You can use DO with many other deployment methods, but it's a cloud-managed solution, and access to the DO cloud services is a requirement. + +Windows Update for Business reports provides Delivery Optimization information in the following places: +- The Windows Update for Business reports [workbook](wufb-reports-workbook.md) +- [UCDOAggregatedStatus](wufb-reports-schema-ucdoaggregatedstatus.md) +- [UCDOStatus](wufb-reports-schema-ucdostatus.md) + +Windows Update for Business reports doesn't include Delivery Optimization data for Windows Insider devices. + +## Delivery Optimization terms + +Windows Update for Business reports uses the following Delivery Optimization terms: + +- **Peer**: A device in the solution +- **Peering 'ON'** - Devices where DO peer-to-peer is enabled in one of the following modes: + - LAN (1) + - Group (2) + - Internet (3) +- **Peering 'OFF'**: Devices where DO peer-to-peer is disabled, set to one of the following modes: + - HTTP Only (0) + - Simple Mode (99) + - Bypass (100), deprecated in Windows 11 +- **Bandwidth savings**: The percentage of bandwidth that was downloaded from alternate sources (Peers or Microsoft Connected Cache (MCC) out of the total amount of data downloaded. 
+ - If bandwidth savings are <= 60%, a *Warning* icon is displayed + - When bandwidth savings are <10%, an *Error* icon is displayed. +- **Configurations**: Based on the DownloadMode configuration set via MDM, Group Policy, or end-user via the user interface. +- **P2P Device Count**: The device count is the number of devices configured to use peering. +- **Microsoft Connected Cache (MCC)**: Microsoft Connected Cache is a software-only caching solution that delivers Microsoft content. For more information, see [Microsoft Connected Cache overview](../do/waas-microsoft-connected-cache.md). +- **MCC Device Count**: The device count is the number of devices that have received bytes from the cache server, for supported content types. +- **Total # of Devices**: The total number of devices with activity in last 28 days. +- **LAN Bytes**: Bytes delivered from LAN peers. +- **Group Bytes**: Bytes from Group peers. If a device is using Group DownloadMode, Delivery Optimization will first look for peers on the LAN and then in the Group. Therefore, if bytes are delivered from LAN peers, they'll be calculated in 'LAN Bytes'. +- **CDN Bytes**: Bytes delivered from Content Delivery Network (CDN). +- **City**: City is determined based on the location of the device where the maximum amount of data is downloaded. +- **Country**: Country is determined based on the location of the device where the maximum amount of data is downloaded. +- **ISP**: ISP is determined based on the ISP delivering the maximum bytes to the device. + +## Calculations for Delivery Optimization + +There are several calculated values that appear on the Delivery Optimization report. 
Listed below each calculation is the table that's used for it: + +**Efficiency (%) Calculations**: + +- Bandwidth Savings (BW SAV%) = 100 * (BytesFromPeers + BytesFromGroupPeers + BytesFromCache) / +(BytesFromPeers + BytesFromGroupPeers+BytesFromCDN + BytesFromCache) + - [UCDOAggregatedStatus](wufb-reports-schema-ucdostatus.md) table +- % P2P Efficiency = 100 * (BytesFromPeers + BytesFromGroupPeers) / (BytesFromPeers + BytesFromGroupPeers+BytesFromCDN+BytesFromCache) + - [UCDOStatus](wufb-reports-schema-ucdostatus.md) table +- % MCC Efficiency = 100 * BytesFromCache / (BytesFromPeers + BytesFromGroupPeers+BytesFromCDN+BytesFromCache) + - [UCDOStatus](wufb-reports-schema-ucdostatus.md) table + +**Bytes Calculations**: + +- TotalBytes = BytesFromCDN + BytesFromEnterpriseCache + BytesFromPeers + BytesFromGroupPeers + - [UCDOAggregatedStatus](wufb-reports-schema-ucdostatus.md) table +- BytesFromCDN = BytesFromCDN + - [UCDOAggregatedStatus](wufb-reports-schema-ucdostatus.md) table +- BytesFromPeers = BytesFromLAN + - [UCDOAggregatedStatus](wufb-reports-schema-ucdoaggregatedstatus.md) table +- BytesFromGroupPeers = BytesFromGroupPeers + - [UCDOAggregatedStatus](wufb-reports-schema-ucdoaggregatedstatus.md) table +- BytesFromCache = BytesFromCache + - [UCDOAggregatedStatus](wufb-reports-schema-ucdoaggregatedstatus.md) table + +**Volume Calculations**: + +- Volume by P2P = BytesFromPeers + BytesFromGroupPeers + - [UCDOStatus](wufb-reports-schema-ucdostatus.md) table +- Volume by MCC = BytesFromCache + - [UCDOStatus](wufb-reports-schema-ucdostatus.md) table +- Volume by CDN = BytesFrom CDN + - [UCDOStatus](wufb-reports-schema-ucdostatus.md) table + +## Mapping GroupID + +In the **Efficiency By Group** subsection, the **GroupID** is displayed as an encoded SHA256 hash. 
You can create a mapping of original to encoded GroupIDs using the following PowerShell example: + +```powershell +$text = "" ; + +$hashObj = [System.Security.Cryptography.HashAlgorithm]::Create('sha256') ; $dig = $hashObj.ComputeHash([System.Text.Encoding]::Unicode.GetBytes($text)) ; $digB64 = [System.Convert]::ToBase64String($dig) ; Write-Host "$text ==> $digB64" +``` + +In addition, you can see both the encoded and decoded GroupIDs in the Delivery Optimization logs. + +```powershell +Get-DeliveryOptimizationLog -Flush | Set-Content C:\dosvc.log +``` + +The below two lines are together in verbose logs: + +```text +2023-02-15T12:33:11.3811337Z 1514 1F4 {CGlobalConfigManager::GetGroupId} Using groupID = **** +2023-02-15T12:33:11.3811432Z 1514 1F4 {CGlobalConfigManager::GetGroupId} Hashed groupID = **** +``` + +## Sample queries + +You can use the data in [UCDOAggregatedStatus](wufb-reports-schema-ucdoaggregatedstatus.md) +and [UCDOStatus](wufb-reports-schema-ucdostatus.md) to create your own queries. Create your custom queries using [Kusto Query Language (KQL)](/azure/data-explorer/kusto/query/), but note that Windows Update for Business reports uses Azure Monitor, so some operators aren't supported. The KQL documentation specifies which operators aren't supported by Azure Monitor or if they have different functionality. For more information about KQL in Azure Monitor, see [Log queries in Azure Monitor](/azure/azure-monitor/logs/log-query-overview). 
The following queries are examples of how you can use the data: + +### Example UCDOAggregatedStatus table query + +The following query is used to display the total bandwidth savings % value: + +```kusto +UCDOAggregatedStatus| where TimeGenerated == _SnapshotTime +| extend LocalSourceBytes = BytesFromCache + BytesFromGroupPeers + BytesFromPeers +| summarize LocalSources_BWSAV = round((sum(0.0 + LocalSourceBytes)/ sum(LocalSourceBytes+BytesFromCDN)) * 100.0 ,2) +| extend Title = "BW SAV%" , SubTitle = "Local Sources" +``` + +### Example UCDOStatus table query + +The following query is used to display the Top 10 GroupIDs: + +```kusto +UCDOStatus | where TimeGenerated == _SnapshotTime +| summarize sum(BytesFromCDN) , sum(BytesFromGroupPeers) , sum(BytesFromPeers) , sum(BytesFromCache) , +DeviceCount = count_distinct(GlobalDeviceId) by GroupID | top 10 by DeviceCount desc +| extend TotalBytes = (sum_BytesFromPeers + sum_BytesFromGroupPeers+sum_BytesFromCDN+sum_BytesFromCache) +| extend P2PPercentage = ((0.0 + sum_BytesFromPeers + sum_BytesFromGroupPeers)/TotalBytes ) * 100.0 +| extend MCCPercentage = ((0.0 + sum_BytesFromCache)/ TotalBytes) * 100.0 , + VolumeBytesFromPeers = sum_BytesFromPeers + sum_BytesFromGroupPeers +| extend VolumeBytesFromMCC = sum_BytesFromCache , VolumeByCDN = sum_BytesFromCDN +| project GroupID , P2PPercentage , MCCPercentage , VolumeBytesFromPeers , VolumeBytesFromMCC ,VolumeByCDN , DeviceCount +``` + +## Frequency Asked Questions + +- **What time period does the Delivery Optimization data include?** +Data is generated/aggregated for the last 28 days for active devices. + +- **Data is showing as 'Unknown', what does that mean?** +You may see data in the report listed as 'Unknown'. This status indicates that the Delivery Optimization DownloadMode setting is either invalid or empty. 
+ +- **How are the 'Top 10' groups identified?** +The top groups are represented by the number of devices in a particular group, for any of the four group types (GroupID, City, Country, and ISP). + +- **The GroupIDs don't look familiar, why are they different?** +The GroupID values are encoded for data protection telemetry requirements. You can find more information in the 'Mapping GroupIDs' section above. + +- **How can I see data for device in the office vs. out of the office?** +Today, we don't have a distinction for data that was downloaded by location. + +- **What does the data in UCDOStatus table represent?** +A row in UCDOStatus represents data downloaded by a combination of a single device ID (AzureADDeviceId) by content type (ContentType). + +- **What does the data in UCDOAggregatedStatus table represent?** +A row in UCDOAggregatedStatus represents data summarized at the tenant level (AzureADTenantID) for each content type (ContentType). + +- **How are BytesFromCache calculated when there's a Connected Cache server used by my ISP?** +If there's a Connected Cache server at the ISP level, BytesFromCache will filter out any bytes coming the ISP's Connected Cache. + +- **What does the 'Other' content type represent?** +The 'Other' category is a subset of the [complete list](../do/waas-delivery-optimization.md) of supported Delivery Optimization content types including: + * Windows Defender definition updates + * Intune Win32 apps + * Edge Browser updates + * Configuration Manager Express updates + * Dynamic updates + * MDM Agent + * Xbox Game Pass (PC) + * Windows Package Manager + * MSIX From f33dcdabccc4d77000d444172891bfc26e4a8d71 Mon Sep 17 00:00:00 2001 From: Carmen Date: Tue, 16 May 2023 14:01:53 -0600 Subject: [PATCH 04/80] Address Acrolinx --- .../do/waas-delivery-optimization-faq.yml | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) 
diff --git a/windows/deployment/do/waas-delivery-optimization-faq.yml b/windows/deployment/do/waas-delivery-optimization-faq.yml index 8d189a99df..b450c3408c 100644 --- a/windows/deployment/do/waas-delivery-optimization-faq.yml +++ b/windows/deployment/do/waas-delivery-optimization-faq.yml 
@@ -23,13 +23,13 @@ sections: - name: Ignored questions: - question: Does Delivery Optimization work with WSUS? - answer: Yes. Devices will obtain the update payloads from the WSUS server, but must also have an internet connection as they communicate with the Delivery Optimization cloud service for coordination. + answer: Yes. Devices obtain the update payloads from the WSUS server, but must also have an internet connection as they communicate with the Delivery Optimization cloud service for coordination. - question: Which ports does Delivery Optimization use? answer: | - Delivery Optimization listens on port 7680 for requests from other peers by using TCP/IP. The service will register and open this port on the device. The port must be set to accept inbound traffic through your firewall. If you don't allow inbound traffic over port 7680, you can't use the peer-to-peer functionality of Delivery Optimization. However, devices can still successfully download by using HTTP or HTTPS traffic over port 80 (such as for default Windows Update data). + Delivery Optimization listens on port 7680 for requests from other peers by using TCP/IP. The service registers and opens this port on the device. The port must be set to accept inbound traffic through your firewall. If you don't allow inbound traffic over port 7680, you can't use the peer-to-peer functionality of Delivery Optimization. However, devices can still successfully download by using HTTP or HTTPS traffic over port 80 (such as for default Windows Update data). - Delivery Optimization will use Teredo to create peer groups, which include devices across NATs (or any form of internal subnet that uses gateways or firewalls between subnets). To enable this scenario, you must allow inbound TCP/IP traffic over port 3544. Look for a "NAT traversal" setting in your firewall to set this up. 
+ Delivery Optimization uses Teredo to create peer groups, which include devices across NATs (or any form of internal subnet that uses gateways or firewalls between subnets). To enable this scenario, you must allow inbound TCP/IP traffic over port 3544. Look for a "NAT traversal" setting in your firewall to set this up. Delivery Optimization also communicates with its cloud service by using HTTP/HTTPS over port 80. 
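Review bot: In the ports answer of hunk @@ -23,13 +23,13 @@, the reworded Teredo sentence still asks for "inbound TCP/IP traffic over port 3544", but Teredo runs over UDP on 3544, so a firewall rule written from this text would open the wrong protocol. Name the transport explicitly for each port (7680 and 3544). The same answer pairs HTTPS with port 80 twice ("HTTP or HTTPS traffic over port 80", "HTTP/HTTPS over port 80"); HTTPS normally uses 443, so either list 443 or drop HTTPS from those sentences. Since this pass already touches these lines for tense, it is a good place to fix both.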
@@ -66,11 +66,11 @@ sections: - question: How does Delivery Optimization handle VPNs? answer: | - Delivery Optimization attempts to identify VPNs by checking the network adapter type and details. A connection will be treated as a VPN if the adapter description contains certain keywords, such as "VPN" or "secure." + Delivery Optimization attempts to identify VPNs by checking the network adapter type and details. A connection is treated as a VPN if the adapter description contains certain keywords, such as "VPN" or "secure." - If the connection is identified as a VPN, Delivery Optimization will suspend uploads to other peers. However, you can allow uploads over a VPN by using the [Enable Peer Caching while the device connects via VPN](../do/waas-delivery-optimization-reference.md#enable-peer-caching-while-the-device-connects-via-vpn) policy. + If the connection is identified as a VPN, Delivery Optimization suspends uploads to other peers. However, you can allow uploads over a VPN by using the [Enable Peer Caching while the device connects via VPN](../do/waas-delivery-optimization-reference.md#enable-peer-caching-while-the-device-connects-via-vpn) policy. - If you have defined a boundary group in Configuration Manager for VPN IP ranges, you can set the [DownloadMode](../do/waas-delivery-optimization-reference.md#download-mode) policy to 0 for that boundary group, to ensure that there will be no peer-to-peer activity over the VPN. When the device isn't connected using a VPN, it can still use peer-to-peer with the default of LAN. + If you have defined a boundary group in Configuration Manager for VPN IP ranges, you can set the [DownloadMode](../do/waas-delivery-optimization-reference.md#download-mode) policy to 0 for that boundary group, to ensure that there is no peer-to-peer activity over the VPN. When the device isn't connected using a VPN, it can still use peer-to-peer with the default of LAN. 
With split tunneling, make sure to allow direct access to these endpoints: 
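Review bot: In the VPN answer of hunk @@ -66,11 +66,11 @@, the keyword list ends with "secure." with the period inside the quotation marks, which leaves it unclear whether the matched keyword is "secure" or "secure."; move the period outside the quotes. Because detection rests on the adapter description containing such keywords, the text implies that a VPN adapter without them is not identified and uploads are not suspended. A sentence saying so, pointing to the DownloadMode 0 boundary-group option in the next paragraph as the dependable control, would help readers who need to guarantee no peer-to-peer traffic over the VPN.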
@@ -115,15 +115,15 @@ sections: • *.do.dsp.mp.microsoft.com - If that's not an option, that try using Group Download mode '2' would be the best next step. For more information on using Group mode, https://learn.microsoft.com/en-us/windows/deployment/do/waas-delivery-optimization-reference#select-the-source-of-group-ids + If that's not an option, try using Group Download mode '2' would be the best next step. For more information on using Group mode, https://learn.microsoft.com/en-us/windows/deployment/do/waas-delivery-optimization-reference#select-the-source-of-group-ids - - question: How do I turn Delivery Optimization off? + - question: How do I turn off Delivery Optimization? answer: | - Delivery Optimization is an HTTP downloader used by a majority of content providers from Microsoft. When a Windows device is configured to use Delivery Optimization peering (on by default), for the content types, in addition to the HTTP downloader capabilities the Delivery Optimization peering service - can be used to optimize bandwidth. If you'd like to prevent the peering capabilities of Delivery Optimization, you can simply change the setting to Download Mode '99', [Simple mode](waas-delivery-optimization-reference.md#download-mode). This will prevent any peering for the downloaded content. + Delivery Optimization is an HTTP downloader used by most content providers from Microsoft. When a Windows device is configured to use Delivery Optimization peering (on by default), for the content types, in addition to the HTTP downloader capabilities the Delivery Optimization peering service + can be used to optimize bandwidth. If you'd like to prevent the peering capabilities of Delivery Optimization, you can change the setting to Download Mode '99', [Simple mode](waas-delivery-optimization-reference.md#download-mode). Simple mode prevents any peering for the downloaded content. 
Delivery Optimization will still be used as the HTTP downloader, but any communication to the cloud peering service will be disabled. - question: Delivery Optimization is using device resources and I can't tell why? answer: | - Delivery Optimization is used by a majority of content providers from Microsoft. A complete list can be found [here](waas-delivery-optimization.md#types-of-download-content-supported-by-delivery-optimization). Often times customers don't realize the vast application of Delivery Optimization and different apps can be + Delivery Optimization is used by most content providers from Microsoft. A complete list can be found [here](waas-delivery-optimization.md#types-of-download-content-supported-by-delivery-optimization). Often times customers don't realize the vast application of Delivery Optimization and different apps can be running in the background. There are different Delivery Optimization [settings](waas-delivery-optimization-reference.md) that can help manage the amount of bandwidth, time of day, etc. Also note that depending on the app, closing the app don't necessarily stop the download. From a017e6c6eac442be7c7cde2df73300570431afa9 Mon Sep 17 00:00:00 2001 From: Carmen Date: Tue, 16 May 2023 14:12:30 -0600 Subject: [PATCH 05/80] Link updates --- windows/deployment/do/waas-delivery-optimization-faq.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/do/waas-delivery-optimization-faq.yml b/windows/deployment/do/waas-delivery-optimization-faq.yml index b450c3408c..57edcf79a1 100644 --- a/windows/deployment/do/waas-delivery-optimization-faq.yml +++ b/windows/deployment/do/waas-delivery-optimization-faq.yml 
@@ -115,7 +115,7 @@ sections: • *.do.dsp.mp.microsoft.com - If that's not an option, try using Group Download mode '2' would be the best next step. For more information on using Group mode, https://learn.microsoft.com/en-us/windows/deployment/do/waas-delivery-optimization-reference#select-the-source-of-group-ids + If that's not an option, try using Group Download mode '2' would be the best next step. [Learn more](waas-delivery-optimization-reference.md#select-the-source-of-group-ids) about using Group Download mode. - question: How do I turn off Delivery Optimization? answer: | From e4df5d7523b6fd2380fbeeed6c92cda78675390b Mon Sep 17 00:00:00 2001 From: Carmen Date: Tue, 16 May 2023 14:31:26 -0600 Subject: [PATCH 06/80] Re-wording --- .../do/waas-delivery-optimization-faq.yml | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/windows/deployment/do/waas-delivery-optimization-faq.yml b/windows/deployment/do/waas-delivery-optimization-faq.yml index 57edcf79a1..871bd6fc78 100644 --- a/windows/deployment/do/waas-delivery-optimization-faq.yml +++ b/windows/deployment/do/waas-delivery-optimization-faq.yml 
@@ -110,20 +110,21 @@ sections: - question: What is the recommended configuration for Delivery Optimization used with Zscaler? answer: | - The best configuration with Zscaler is to bypass the [hostnames](waas-delivery-optimization-faq.yml#what-hostnames-should-i-allow-through-my-firewall-to-support-delivery-optimization) for Delivery Optimization services and allow that traffic to go directly to the Internet and not through Zscaler. + The best configuration with Zscaler is to bypass the [hostnames](waas-delivery-optimization-faq.yml#what-hostnames-should-i-allow-through-my-firewall-to-support-delivery-optimization) for Delivery Optimization services, allowing traffic to go directly to the Internet and not through Zscaler. For communication between clients and the Delivery Optimization cloud service: - • *.do.dsp.mp.microsoft.com + • *.do.dsp.mp.microsoft.com - If that's not an option, try using Group Download mode '2' would be the best next step. [Learn more](waas-delivery-optimization-reference.md#select-the-source-of-group-ids) about using Group Download mode. + If that's not an option, try using Group Download mode '2' to define the peering group. [Learn more](waas-delivery-optimization-reference.md#select-the-source-of-group-ids) about using Group Download mode. - question: How do I turn off Delivery Optimization? answer: | - Delivery Optimization is an HTTP downloader used by most content providers from Microsoft. When a Windows device is configured to use Delivery Optimization peering (on by default), for the content types, in addition to the HTTP downloader capabilities the Delivery Optimization peering service - can be used to optimize bandwidth. If you'd like to prevent the peering capabilities of Delivery Optimization, you can change the setting to Download Mode '99', [Simple mode](waas-delivery-optimization-reference.md#download-mode). Simple mode prevents any peering for the downloaded content. 
- Delivery Optimization will still be used as the HTTP downloader, but any communication to the cloud peering service will be disabled. + Delivery Optimization is an HTTP downloader used by most content providers from Microsoft. When a device is configured to use Delivery Optimization peering (on by default) it will do so inconjunction with the HTTP downloader capabilities to optimize bandwidth usage. + If you'd like to prevent the peering capabilities of Delivery Optimization, you can change the Delivery Optimization Download mode setting '99', [Simple mode](waas-delivery-optimization-reference.md#download-mode). Simple mode prevents any peering for the downloaded content. + Delivery Optimization will still be used as the HTTP downloader, but any communication to the cloud peering service is disabled. - question: Delivery Optimization is using device resources and I can't tell why? answer: | - Delivery Optimization is used by most content providers from Microsoft. A complete list can be found [here](waas-delivery-optimization.md#types-of-download-content-supported-by-delivery-optimization). Often times customers don't realize the vast application of Delivery Optimization and different apps can be - running in the background. There are different Delivery Optimization [settings](waas-delivery-optimization-reference.md) that can help manage the amount of bandwidth, time of day, etc. Also note that depending on the app, closing the app don't necessarily stop the download. + Delivery Optimization is used by most content providers from Microsoft. A complete list can be found [here](waas-delivery-optimization.md#types-of-download-content-supported-by-delivery-optimization). Often times customers don't realize the vast application of Delivery Optimization and how it is used across different apps. + Content providers have the option to run downloads in the foreground or background. It's good to check any apps running in the background to see what is running. 
Also note that depending on the app, closing the app don't necessarily stop the download. + There are different Delivery Optimization [settings](waas-delivery-optimization-reference.md) that can help manage the amount of bandwidth, time of day, etc. From 5f0c4a80930b62f2d3dcf4e38ba0ad401b28ca8c Mon Sep 17 00:00:00 2001 From: Carmen Date: Tue, 16 May 2023 14:47:56 -0600 Subject: [PATCH 07/80] More clarity --- .../do/waas-delivery-optimization-faq.yml | 5 +- windows/deployment/update/wufb-reports-do.md | 48 ++++++++++--------- 2 files changed, 27 insertions(+), 26 deletions(-) diff --git a/windows/deployment/do/waas-delivery-optimization-faq.yml b/windows/deployment/do/waas-delivery-optimization-faq.yml index 871bd6fc78..c49c4ad964 100644 --- a/windows/deployment/do/waas-delivery-optimization-faq.yml +++ b/windows/deployment/do/waas-delivery-optimization-faq.yml 
@@ -119,9 +119,8 @@ sections: - question: How do I turn off Delivery Optimization? answer: | - Delivery Optimization is an HTTP downloader used by most content providers from Microsoft. When a device is configured to use Delivery Optimization peering (on by default) it will do so inconjunction with the HTTP downloader capabilities to optimize bandwidth usage. - If you'd like to prevent the peering capabilities of Delivery Optimization, you can change the Delivery Optimization Download mode setting '99', [Simple mode](waas-delivery-optimization-reference.md#download-mode). Simple mode prevents any peering for the downloaded content. - Delivery Optimization will still be used as the HTTP downloader, but any communication to the cloud peering service is disabled. + Delivery Optimization is an HTTP downloader used by most content providers from Microsoft. When a device is configured to use Delivery Optimization peering (on by default) it will do so in conjunction with the HTTP downloader capabilities to optimize bandwidth usage. + If you'd like to prevent the peering capabilities of Delivery Optimization, you have two options, change the Delivery Optimization [Download mode](waas-delivery-optimization-reference.md#download-mode) setting to either '0' or '99'. Both modes prevent any peering for the downloaded content while still using the HTTP downloader. - question: Delivery Optimization is using device resources and I can't tell why? answer: | diff --git a/windows/deployment/update/wufb-reports-do.md b/windows/deployment/update/wufb-reports-do.md index 69aafe106a..88e13ccce3 100644 --- a/windows/deployment/update/wufb-reports-do.md +++ b/windows/deployment/update/wufb-reports-do.md 
@@ -14,14 +14,15 @@ ms.technology: itpro-updates ***(Applies to: Windows 11 & Windows 10)*** -[Delivery Optimization](../do/waas-delivery-optimization.md) (DO) is a Windows feature that can be used to reduce bandwidth consumption by sharing the work of downloading updates among multiple devices in your environment. You can use DO with many other deployment methods, but it's a cloud-managed solution, and access to the DO cloud services is a requirement. +[Delivery Optimization](../do/waas-delivery-optimization.md) (DO) is a Windows feature that can be used to reduce bandwidth consumption by sharing the work of downloading updates among multiple devices in your environment. You can use DO with many other deployment methods, but it's a cloud-managed solution, and access to the DO cloud services is a requirement. Windows Update for Business reports provides Delivery Optimization information in the following places: + - The Windows Update for Business reports [workbook](wufb-reports-workbook.md) - [UCDOAggregatedStatus](wufb-reports-schema-ucdoaggregatedstatus.md) - [UCDOStatus](wufb-reports-schema-ucdostatus.md) -Windows Update for Business reports doesn't include Delivery Optimization data for Windows Insider devices. +Windows Update for Business reports doesn't include Delivery Optimization data for Windows Insider devices. ## Delivery Optimization terms 
@@ -29,16 +30,17 @@ Windows Update for Business reports uses the following Delivery Optimization ter - **Peer**: A device in the solution - **Peering 'ON'** - Devices where DO peer-to-peer is enabled in one of the following modes: - - LAN (1) - - Group (2) - - Internet (3) + - LAN (1) + - Group (2) + - Internet (3) + - **Peering 'OFF'**: Devices where DO peer-to-peer is disabled, set to one of the following modes: - - HTTP Only (0) - - Simple Mode (99) - - Bypass (100), deprecated in Windows 11 + - HTTP Only (0) + - Simple Mode (99) + - Bypass (100), deprecated in Windows 11 - **Bandwidth savings**: The percentage of bandwidth that was downloaded from alternate sources (Peers or Microsoft Connected Cache (MCC) out of the total amount of data downloaded. - - If bandwidth savings are <= 60%, a *Warning* icon is displayed - - When bandwidth savings are <10%, an *Error* icon is displayed. +- If bandwidth savings are <= 60%, a *Warning* icon is displayed +- When bandwidth savings are <10%, an *Error* icon is displayed. - **Configurations**: Based on the DownloadMode configuration set via MDM, Group Policy, or end-user via the user interface. - **P2P Device Count**: The device count is the number of devices configured to use peering. - **Microsoft Connected Cache (MCC)**: Microsoft Connected Cache is a software-only caching solution that delivers Microsoft content. For more information, see [Microsoft Connected Cache overview](../do/waas-microsoft-connected-cache.md). 
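Review bot: the two threshold bullets lose their indentation in the `+` lines (`+- If bandwidth savings are <= 60%` and `+- When bandwidth savings are <10%`), so they become top-level terms instead of sub-items of **Bandwidth savings**; keep them nested the same way as the mode lists above. While these lines are being touched, the two conditions overlap as written (a value below 10% also satisfies `<= 60%`), so say which icon applies in that range, and close the open parenthesis in "(Peers or Microsoft Connected Cache (MCC) out of the total".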
@@ -56,13 +58,13 @@ Windows Update for Business reports uses the following Delivery Optimization ter There are several calculated values that appear on the Delivery Optimization report. Listed below each calculation is the table that's used for it: **Efficiency (%) Calculations**: - + - Bandwidth Savings (BW SAV%) = 100 * (BytesFromPeers + BytesFromGroupPeers + BytesFromCache) / (BytesFromPeers + BytesFromGroupPeers+BytesFromCDN + BytesFromCache) - [UCDOAggregatedStatus](wufb-reports-schema-ucdostatus.md) table - % P2P Efficiency = 100 * (BytesFromPeers + BytesFromGroupPeers) / (BytesFromPeers + BytesFromGroupPeers+BytesFromCDN+BytesFromCache) - [UCDOStatus](wufb-reports-schema-ucdostatus.md) table -- % MCC Efficiency = 100 * BytesFromCache / (BytesFromPeers + BytesFromGroupPeers+BytesFromCDN+BytesFromCache) +- % MCC Efficiency = 100 * BytesFromCache / (BytesFromPeers + BytesFromGroupPeers+BytesFromCDN+BytesFromCache) - [UCDOStatus](wufb-reports-schema-ucdostatus.md) table **Bytes Calculations**: 
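Review bot: in the Bandwidth Savings item the link text reads UCDOAggregatedStatus but the target is `wufb-reports-schema-ucdostatus.md`, while the list near the top of this file links that table to `wufb-reports-schema-ucdoaggregatedstatus.md`. The hunk only strips trailing whitespace on these lines, so correct the target in the same pass. The denominators would also read better with consistent spacing around `+` (`BytesFromGroupPeers+BytesFromCDN+BytesFromCache`).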
@@ -157,10 +159,10 @@ The top groups are represented by the number of devices in a particular group, f The GroupID values are encoded for data protection telemetry requirements. You can find more information in the 'Mapping GroupIDs' section above. - **How can I see data for device in the office vs. out of the office?** -Today, we don't have a distinction for data that was downloaded by location. +Today, we don't have a distinction for data that was downloaded by location. - **What does the data in UCDOStatus table represent?** -A row in UCDOStatus represents data downloaded by a combination of a single device ID (AzureADDeviceId) by content type (ContentType). +A row in UCDOStatus represents data downloaded by a combination of a single device ID (AzureADDeviceId) by content type (ContentType). - **What does the data in UCDOAggregatedStatus table represent?** A row in UCDOAggregatedStatus represents data summarized at the tenant level (AzureADTenantID) for each content type (ContentType). @@ -170,12 +172,12 @@ If there's a Connected Cache server at the ISP level, BytesFromCache will filter - **What does the 'Other' content type represent?** The 'Other' category is a subset of the [complete list](../do/waas-delivery-optimization.md) of supported Delivery Optimization content types including: - * Windows Defender definition updates - * Intune Win32 apps - * Edge Browser updates - * Configuration Manager Express updates - * Dynamic updates - * MDM Agent - * Xbox Game Pass (PC) - * Windows Package Manager - * MSIX + - Windows Defender definition updates + - Intune Win32 apps + - Edge Browser updates + - Configuration Manager Express updates + - Dynamic updates + - MDM Agent + - Xbox Game Pass (PC) + - Windows Package Manager + - MSIX From 3785bc07fa4bae00327579c88a8ade2a4995305f Mon Sep 17 00:00:00 2001 
From: itsrlyAria <82474610+itsrlyAria@users.noreply.github.com> Date: Thu, 18 May 2023 04:32:24 -0700 Subject: [PATCH 08/80] Update wufb-compliancedeadlines.md Changing the Deadline and GP numbers to be correct --- windows/deployment/update/wufb-compliancedeadlines.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/wufb-compliancedeadlines.md b/windows/deployment/update/wufb-compliancedeadlines.md index 3549b7bdb6..96a06feeab 100644 --- a/windows/deployment/update/wufb-compliancedeadlines.md +++ b/windows/deployment/update/wufb-compliancedeadlines.md @@ -36,7 +36,7 @@ With a current version, it's best to use the new policy introduced in June 2019 |Policy|Location|Quality update deadline in days|Feature update deadline in days|Grace period in days| |-|-|-|-|-| -|(Windows 10, version 1709 and later) Specify deadlines for automatic updates and restarts | GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify deadlines for automatic updates and restarts | 3 | 7 | 2 | +|(Windows 10, version 1709 and later) Specify deadlines for automatic updates and restarts | GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Specify deadlines for automatic updates and restarts | 2 | 2 | 5 | When **Specify deadlines for automatic updates and restarts** is set (Windows 10, version 1709 and later): From 6c6828abe7d00e2b916faeaa0155ac017992d951 Mon Sep 17 00:00:00 2001 From: itsrlyAria <82474610+itsrlyAria@users.noreply.github.com> Date: Thu, 18 May 2023 04:34:04 -0700 Subject: [PATCH 09/80] Update update-policies.md Fixing Deadline and GP recommendations to be accurate --- windows/deployment/update/update-policies.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/deployment/update/update-policies.md b/windows/deployment/update/update-policies.md index 1eb791b4fd..d4302cecac 100644 
--- a/windows/deployment/update/update-policies.md +++ b/windows/deployment/update/update-policies.md @@ -37,8 +37,8 @@ to opt out of automatic restarts until the deadline is reached (although we reco restarts for maximum update velocity). We recommend you set deadlines as follows: -- Quality update deadline, in days: 3 -- Feature update deadline, in days: 7 +- Quality update deadline, in days: 2 +- Feature update deadline, in days: 2 Notifications are automatically presented to the user at appropriate times, and users can choose to be reminded later, to reschedule, or to restart immediately, depending on how close the deadline is. We recommend that you @@ -62,7 +62,7 @@ be forced to update immediately when the user returns. We recommend you set the following: -- Grace period, in days: 2 +- Grace period, in days: 5 Once the deadline and grace period have passed, updates are applied automatically, and a restart occurs regardless of [active hours](#active-hours). From 3908a11ed36e3d0df82975d124ab77fae1f02739 Mon Sep 17 00:00:00 2001 From: Carmen Date: Wed, 24 May 2023 18:18:08 -0600 Subject: [PATCH 10/80] More updates --- .../do/waas-delivery-optimization-faq.yml | 12 ++++---- windows/deployment/do/whats-new-do.md | 6 ++-- windows/deployment/update/wufb-reports-do.md | 29 ++++++++++++------- 3 files changed, 27 insertions(+), 20 deletions(-) diff --git a/windows/deployment/do/waas-delivery-optimization-faq.yml b/windows/deployment/do/waas-delivery-optimization-faq.yml index c49c4ad964..edc90c17df 100644 --- a/windows/deployment/do/waas-delivery-optimization-faq.yml +++ b/windows/deployment/do/waas-delivery-optimization-faq.yml @@ -45,7 +45,6 @@ sections: **For Delivery Optimization metadata**: - `*.dl.delivery.mp.microsoft.com` - - `*.emdl.ws.microsoft.com` **For the payloads (optional)**: @@ -80,7 +79,6 @@ sections: Delivery Optimization metadata: - - `http://emdl.ws.microsoft.com` - `http://download.windowsupdate.com` - `http://*.dl.delivery.mp.microsoft.com` 
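Review bot: the two `-` lines in the FAQ hunks that drop `*.emdl.ws.microsoft.com` and `http://emdl.ws.microsoft.com` change the published allow-list, but the commit subject ("More updates") gives no reason for it. Administrators build firewall and proxy rules from this FAQ, so state in the commit message or in the answer text why the entry is removed, so that existing rules for it can be reviewed deliberately instead of being left in place unnoticed.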
@@ -108,14 +106,14 @@ sections: answer: | Delivery Optimization uses the cache content on the device to determine what's available for peering. For the upload source device, there's a limited number (4) of slots for cached content that's available for peering at a given time. Delivery Optimization contains logic that rotates the cached content in those slots. - - question: What is the recommended configuration for Delivery Optimization used with Zscaler? + - question: What is the recommended configuration for Delivery Optimization used with cloud proxies (e.g. Zscaler)? answer: | - The best configuration with Zscaler is to bypass the [hostnames](waas-delivery-optimization-faq.yml#what-hostnames-should-i-allow-through-my-firewall-to-support-delivery-optimization) for Delivery Optimization services, allowing traffic to go directly to the Internet and not through Zscaler. - For communication between clients and the Delivery Optimization cloud service: - + The recommended configuration for Delivery Optimization Peer-to-Peer to work most efficiently along with cloud proxy solutions (e.g. Zscaler) is to allow traffic to the Delivery Optimization services to go directly to the internet and not through the cloud proxy. + At a minimum, the following FQDN that is used for communication between clients and the Delivery Optimization service should be allowed with direct Internet access and bypass the cloud proxy service: + • *.do.dsp.mp.microsoft.com - If that's not an option, try using Group Download mode '2' to define the peering group. [Learn more](waas-delivery-optimization-reference.md#select-the-source-of-group-ids) about using Group Download mode. + If allowing direct Internet access is not an option, try using Group Download Mode '2' to define the peering group. [Learn more](waas-delivery-optimization-reference.md#select-the-source-of-group-ids) about using Group Download mode. - question: How do I turn off Delivery Optimization? answer: | 
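Review bot: the rewritten answer calls `*.do.dsp.mp.microsoft.com` "the following FQDN", but it is a wildcard pattern, and the recommendation sends everything matching it directly to the Internet, outside the cloud proxy. Call it a hostname pattern and say explicitly that the bypass is limited to that entry. The rewrite also drops the [hostnames] link that the removed line carried; since the new text says "At a minimum", keep that link so readers can find the full list of endpoints.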
diff --git a/windows/deployment/do/whats-new-do.md b/windows/deployment/do/whats-new-do.md index 87d135c896..651373e7dc 100644 --- a/windows/deployment/do/whats-new-do.md +++ b/windows/deployment/do/whats-new-do.md 
@@ -23,9 +23,11 @@ ms.collection: tier3 Microsoft Connected Cache (MCC) is a software-only caching solution that delivers Microsoft content within Enterprise networks. MCC can be deployed to as many bare-metal servers or VMs as needed, and is managed from a cloud portal. Cache nodes are created in the cloud portal and are configured by applying the client policy using management tools such as Intune. -For more information about MCC, see [Microsoft Connected Cache overview](waas-microsoft-connected-cache.md). +For more information about MCC, see [Microsoft Connected Cache overview](waas-microsoft-connected-cache.md) There are two different verions, [Microsoft Connected Cache for Enterprise and Education](mcc-ent-edu-overview.md) and [Microsoft Connected Cache for ISPs](mcc-isp-overview.md). -## New in Delivery Optimization for Windows 10, version 20H2 and Windows 11 +## New in Delivery Optimization for Windows + +- Delivery Optimization introduced support for receiver side ledbat (rLedbat) in Windows 22H2. - New peer selection options: Currently the available options include: 0 = None, 1 = Subnet mask, and 2 = Local Peer Discovery. The subnet mask option applies to both Download Modes LAN (1) and Group (2). If Group mode is set, Delivery Optimization will connect to locally discovered peers that are also part of the same Group (have the same Group ID)." - Local Peer Discovery: a new option for **[Restrict Peer Selection By](waas-delivery-optimization-reference.md#select-a-method-to-restrict-peer-selection)** (in Group Policy) or **DORestrictPeerSelectionBy** (in MDM). This option restricts the discovery of local peers using the DNS-SD protocol. When you set Option 2, Delivery Optimization will restrict peer selection to peers that are locally discovered (using DNS-SD). If Group mode is enabled, Delivery Optimization will connect to locally discovered peers that are also part of the same group, for those devices with the same Group ID). 
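Review bot: the new `+For more information about MCC` line runs two sentences together, with no period after the overview link and "verions" misspelled. PATCH 12/80 in this series corrects both, so squash that fix into this commit instead of landing the broken text first. The new rLedbat bullet says "Windows 22H2" without naming the release; the same later patch changes it to "Windows 11 22H2". The context bullet for peer selection options also ends with a stray `"` after "(have the same Group ID)." that could be removed while here.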
diff --git a/windows/deployment/update/wufb-reports-do.md b/windows/deployment/update/wufb-reports-do.md index 88e13ccce3..1251a120d0 100644 --- a/windows/deployment/update/wufb-reports-do.md +++ b/windows/deployment/update/wufb-reports-do.md @@ -144,6 +144,19 @@ DeviceCount = count_distinct(GlobalDeviceId) by GroupID | top 10 by DeviceCount | project GroupID , P2PPercentage , MCCPercentage , VolumeBytesFromPeers , VolumeBytesFromMCC ,VolumeByCDN , DeviceCount ``` +### Delivery Optimization Supported Content Types + +There are many Microsoft [content types](waas-delivery-optimization.md#types-of-download-content-supported-by-delivery-optimization) that are supported by Delivery Optimization. All of these content types show up in the 'Content Distribution' section in the Delivery Optimization report. + +| Content Category | Content Types Included | +| --- | --- | +| Apps | Windows 10 Store files, Windows 10 Store for Business files, Windows 11 UWP Store apps | +| Driver Updates | Windows Update Driver updates | +| Feature and Flighting Updates | Windows Update Feature and Flighting updates, language packs | +| Office | Microsoft 365 Apps and updates | +| Other | Windows Defender definition updates, Intune Win32 apps, Edge Browser updates, Configuration Manager Express updates, Dynamic updates, MDM Agent, Xbox Game Pass (PC), Windows Package Manager, MSIX Installer (includes Windows 11 Store Win32 apps, Windows 11 Teams updates) | +| Quality Updates | Windows Updates Quality updates | + ## Frequency Asked Questions - **What time period does the Delivery Optimization data include?** 
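Review bot: the link in the new section, `waas-delivery-optimization.md#types-of-download-content-supported-by-delivery-optimization`, is written relative to `windows/deployment/update/`, while the other references to that article in this file use `../do/waas-delivery-optimization.md`; add the `../do/` prefix so it points at the same file. In the table, "Windows Updates Quality updates" should read "Windows Update Quality updates" to match the Driver and Feature rows, and the "Frequency Asked Questions" heading in the trailing context should be "Frequently".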
@@ -170,14 +183,8 @@ A row in UCDOAggregatedStatus represents data summarized at the tenant level (Az - **How are BytesFromCache calculated when there's a Connected Cache server used by my ISP?** If there's a Connected Cache server at the ISP level, BytesFromCache will filter out any bytes coming the ISP's Connected Cache. -- **What does the 'Other' content type represent?** -The 'Other' category is a subset of the [complete list](../do/waas-delivery-optimization.md) of supported Delivery Optimization content types including: - - Windows Defender definition updates - - Intune Win32 apps - - Edge Browser updates - - Configuration Manager Express updates - - Dynamic updates - - MDM Agent - - Xbox Game Pass (PC) - - Windows Package Manager - - MSIX +- **How do the results from the Delivery Optimization PowerShell cmdlets compare to the results in the report?** +[Delivery Optimization PowerShell cmdlets](waas-delivery-optimization-setup.md#monitor-delivery-optimization) can be a powerful tool used to monitor Delivery Optimization data on the device. These cmdlets use the cache on the device. The data calculated in the report is taken from the Delivery Optimization telemetry events. + +- **The report represents the last 28 days of data, why do some queries include >= 7 days?** +The data in the report does represent the last 28 days of data. The query for last 7 days is just to get the data for the latest snapshot from past 7 days. It is possible that data is delayed for sometime and not available for current day, so we look for past 7 day snapshot in log analytics ans show the latest snapshot. From 8bcdf1a9b37f167bd05d41038d0fe656d0f07e6b Mon Sep 17 00:00:00 2001 From: Carmen Date: Thu, 25 May 2023 09:23:36 -0600 Subject: [PATCH 11/80] Added more topics --- .../do/waas-delivery-optimization-faq.yml | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) 
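Review bot: in the two FAQ entries added by the wufb-reports-do.md hunk of PATCH 10/80 just above (@@ -170,14 +183,8 @@), the link `waas-delivery-optimization-setup.md#monitor-delivery-optimization` has no `../do/` prefix, unlike the other Delivery Optimization links in this file, so check that it resolves from `windows/deployment/update/`. The answer about the 7-day queries has typos ("ans show", "for sometime") and would be clearer as one sentence saying the query selects the most recent snapshot within the past 7 days. The context line "filter out any bytes coming the ISP's Connected Cache" is also missing "from".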
diff --git a/windows/deployment/do/waas-delivery-optimization-faq.yml b/windows/deployment/do/waas-delivery-optimization-faq.yml index edc90c17df..b9eb742bb4 100644 --- a/windows/deployment/do/waas-delivery-optimization-faq.yml +++ b/windows/deployment/do/waas-delivery-optimization-faq.yml 
@@ -118,10 +118,15 @@ sections: - question: How do I turn off Delivery Optimization? answer: | Delivery Optimization is an HTTP downloader used by most content providers from Microsoft. When a device is configured to use Delivery Optimization peering (on by default) it will do so in conjunction with the HTTP downloader capabilities to optimize bandwidth usage. - If you'd like to prevent the peering capabilities of Delivery Optimization, you have two options, change the Delivery Optimization [Download mode](waas-delivery-optimization-reference.md#download-mode) setting to either '0' or '99'. Both modes prevent any peering for the downloaded content while still using the HTTP downloader. + If you'd like to disable peer-to-peer capabilities of Delivery Optimization, change the Delivery Optimization [Download mode](waas-delivery-optimization-reference.md#download-mode) setting to '0', which will disable peer-to-peer and provide hash checks. [Download mode](waas-delivery-optimization-reference.md#download-mode) set to '99' should only be used when the device is offline and does not have internet access. + + > [!NOTE] + > Disabling Delivery Optimization will not prevent content from downloading to your devices. If you are looking to pause updates you will need to set policies for the relevant components such as Windows Update, Windows Store or Edge browser. If you are looking to reduce the load on your network, look into using Delivery Optimization Peer-to-Peer, Microsoft Connected Cache or apply the [network throttling policies](waas-delivery-optimization-reference.md#maximum-download-bandwidth) available for Delivery Optimization. - question: Delivery Optimization is using device resources and I can't tell why? answer: | - Delivery Optimization is used by most content providers from Microsoft. A complete list can be found [here](waas-delivery-optimization.md#types-of-download-content-supported-by-delivery-optimization). 
Often times customers don't realize the vast application of Delivery Optimization and how it is used across different apps. - Content providers have the option to run downloads in the foreground or background. It's good to check any apps running in the background to see what is running. Also note that depending on the app, closing the app don't necessarily stop the download. - There are different Delivery Optimization [settings](waas-delivery-optimization-reference.md) that can help manage the amount of bandwidth, time of day, etc. + Delivery Optimization is used by most content providers from Microsoft. A complete list can be found [here](waas-delivery-optimization.md#types-of-download-content-supported-by-delivery-optimization). Often times customers may not realize the vast application of Delivery Optimization and how it is used across different apps. Content providers have the option to run downloads in the foreground or background. It's good to check any apps running in the background to see what is running. Also note that depending on the app, closing the app may not necessarily stop the download. + + - question: What Delivery Optimization settings are available? + answer: | + There are many different Delivery Optimization [settings](waas-delivery-optimization-reference.md) available. These settings allow you to effectively manage how Delivery Optimization is used within your environment with control s on bandwidth, time of day, etc. \ No newline at end of file From 565ac819ba31801266119115fc6feabc93248571 Mon Sep 17 00:00:00 2001 From: Carmen Date: Thu, 25 May 2023 09:44:33 -0600 Subject: [PATCH 12/80] spelling errors --- windows/deployment/do/whats-new-do.md | 13 ++++++++----- windows/deployment/update/wufb-reports-do.md | 1 + 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/windows/deployment/do/whats-new-do.md b/windows/deployment/do/whats-new-do.md index 651373e7dc..fcbdfb959f 100644 --- a/windows/deployment/do/whats-new-do.md 
+++ b/windows/deployment/do/whats-new-do.md @@ -12,7 +12,7 @@ ms.date: 12/31/2017 ms.collection: tier3 --- -# What's new in Delivery Optimization +# What's new in Delivery Optimization **Applies to** 
@@ -23,11 +23,16 @@ ms.collection: tier3 Microsoft Connected Cache (MCC) is a software-only caching solution that delivers Microsoft content within Enterprise networks. MCC can be deployed to as many bare-metal servers or VMs as needed, and is managed from a cloud portal. Cache nodes are created in the cloud portal and are configured by applying the client policy using management tools such as Intune. -For more information about MCC, see [Microsoft Connected Cache overview](waas-microsoft-connected-cache.md) There are two different verions, [Microsoft Connected Cache for Enterprise and Education](mcc-ent-edu-overview.md) and [Microsoft Connected Cache for ISPs](mcc-isp-overview.md). +For more information about MCC, see [Microsoft Connected Cache overview](waas-microsoft-connected-cache.md). + +There are two different versions: + +- [Microsoft Connected Cache for Enterprise and Education](mcc-ent-edu-overview.md) +- [Microsoft Connected Cache for ISPs](mcc-isp-overview.md). ## New in Delivery Optimization for Windows -- Delivery Optimization introduced support for receiver side ledbat (rLedbat) in Windows 22H2. +- Delivery Optimization introduced support for receiver side ledbat (rLedbat) in Windows 11 22H2. - New peer selection options: Currently the available options include: 0 = None, 1 = Subnet mask, and 2 = Local Peer Discovery. The subnet mask option applies to both Download Modes LAN (1) and Group (2). If Group mode is set, Delivery Optimization will connect to locally discovered peers that are also part of the same Group (have the same Group ID)." - Local Peer Discovery: a new option for **[Restrict Peer Selection By](waas-delivery-optimization-reference.md#select-a-method-to-restrict-peer-selection)** (in Group Policy) or **DORestrictPeerSelectionBy** (in MDM). This option restricts the discovery of local peers using the DNS-SD protocol. 
When you set Option 2, Delivery Optimization will restrict peer selection to peers that are locally discovered (using DNS-SD). If Group mode is enabled, Delivery Optimization will connect to locally discovered peers that are also part of the same group, for those devices with the same Group ID). @@ -36,5 +41,3 @@ For more information about MCC, see [Microsoft Connected Cache overview](waas-mi > The Local Peer Discovery (DNS-SD, [RFC 6763](https://datatracker.ietf.org/doc/html/rfc6763)) option can only be set via MDM delivered policies on Windows 11 builds. This feature can be enabled in supported Windows 10 builds by setting the `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization\DORestrictPeerSelectionBy` value to **2**. For more information, see [Delivery Optimization reference](waas-delivery-optimization-reference.md). - Starting with Windows 11, the Bypass option of [Download Mode](waas-delivery-optimization-reference.md#download-mode) is no longer used. - - diff --git a/windows/deployment/update/wufb-reports-do.md b/windows/deployment/update/wufb-reports-do.md index 1251a120d0..ca30f29188 100644 --- a/windows/deployment/update/wufb-reports-do.md +++ b/windows/deployment/update/wufb-reports-do.md @@ -11,6 +11,7 @@ ms.technology: itpro-updates --- # Delivery Optimization data in Windows Update for Business reports + ***(Applies to: Windows 11 & Windows 10)*** From c1f977845788318ba3d18037674ecfe91e4ca9a9 Mon Sep 17 00:00:00 2001 From: Carmen Date: Thu, 25 May 2023 09:58:19 -0600 Subject: [PATCH 13/80] Add 'prod' prefix to hostnames --- windows/deployment/do/waas-delivery-optimization-faq.yml | 4 ++-- windows/deployment/do/waas-delivery-optimization-setup.md | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/deployment/do/waas-delivery-optimization-faq.yml b/windows/deployment/do/waas-delivery-optimization-faq.yml index b9eb742bb4..4495cdcc35 100644 --- a/windows/deployment/do/waas-delivery-optimization-faq.yml 
+++ b/windows/deployment/do/waas-delivery-optimization-faq.yml @@ -40,7 +40,7 @@ sections: answer: | **For communication between clients and the Delivery Optimization cloud service**: - - `*.do.dsp.mp.microsoft.com` + - `*.prod.do.dsp.mp.microsoft.com` **For Delivery Optimization metadata**: @@ -111,7 +111,7 @@ sections: The recommended configuration for Delivery Optimization Peer-to-Peer to work most efficiently along with cloud proxy solutions (e.g. Zscaler) is to allow traffic to the Delivery Optimization services to go directly to the internet and not through the cloud proxy. At a minimum, the following FQDN that is used for communication between clients and the Delivery Optimization service should be allowed with direct Internet access and bypass the cloud proxy service: - • *.do.dsp.mp.microsoft.com + • *.prod.do.dsp.mp.microsoft.com If allowing direct Internet access is not an option, try using Group Download Mode '2' to define the peering group. [Learn more](waas-delivery-optimization-reference.md#select-the-source-of-group-ids) about using Group Download mode. diff --git a/windows/deployment/do/waas-delivery-optimization-setup.md b/windows/deployment/do/waas-delivery-optimization-setup.md index 04c0b9e893..49e1fd4447 100644 --- a/windows/deployment/do/waas-delivery-optimization-setup.md +++ b/windows/deployment/do/waas-delivery-optimization-setup.md 
@@ -140,7 +140,7 @@ Try these steps: 1. Start a download of an app that is larger than 50 MB from the Store (for example "Candy Crush Saga"). 2. Run `Get-DeliveryOptimizationStatus` from an elevated PowerShell window and observe the [DODownloadMode](waas-delivery-optimization-reference.md#download-mode) setting. For peering to work, download mode should be 1, 2, or 3. -3. If the download mode is 99, it could indicate your device is unable to reach the Delivery Optimization cloud services. Ensure that the Delivery Optimization host names are allowed access: most importantly **\*.do.dsp.mp.microsoft.com**. +3. If the download mode is 99, it could indicate your device is unable to reach the Delivery Optimization cloud services. Ensure that the Delivery Optimization host names are allowed access: most importantly **\*.prod.do.dsp.mp.microsoft.com**. ### The cloud service doesn't see other peers on the network From 54dc0de0539450cb7369baa2c14549111f26e135 Mon Sep 17 00:00:00 2001 From: Carmen Date: Tue, 30 May 2023 14:47:01 -0600 Subject: [PATCH 14/80] Addressed feedback --- windows/deployment/do/TOC.yml | 2 +- windows/deployment/do/waas-delivery-optimization.md | 4 ++-- windows/deployment/update/wufb-reports-do.md | 8 ++++---- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/windows/deployment/do/TOC.yml b/windows/deployment/do/TOC.yml index 4e9dc9cb0c..e03e08c2ec 100644 --- a/windows/deployment/do/TOC.yml +++ b/windows/deployment/do/TOC.yml @@ -65,7 +65,7 @@ href: mcc-isp-support.md - name: MCC for ISPs (early preview) href: mcc-isp.md -- name: Content endpoints for Delivery Optimization and Microsoft Connected Cache +- name: Microsoft Connected Cache content and services endpoints href: delivery-optimization-endpoints.md diff --git a/windows/deployment/do/waas-delivery-optimization.md b/windows/deployment/do/waas-delivery-optimization.md index 94d89f77a1..f2f3b86a53 100644 --- a/windows/deployment/do/waas-delivery-optimization.md 
+++ b/windows/deployment/do/waas-delivery-optimization.md @@ -51,8 +51,8 @@ The following table lists the minimum Windows 10 version that supports Delivery | Windows Client | Minimum Windows version | HTTP Downloader | Peer to Peer | Microsoft Connected Cache (MCC) |------------------|---------------|----------------|----------|----------------| | Windows Update (feature updates quality updates, language packs, drivers) | Windows 10 1511, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | -| Windows 10 Store files | Windows 10 1511, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | -| Windows 10 Store for Business files | Windows 10 1511, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | +| Windows 10 Store apps | Windows 10 1511, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | +| Windows 10 Store for Business apps | Windows 10 1511, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Windows Defender definition updates | Windows 10 1511, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Intune Win32 apps| Windows 10 1709, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Microsoft 365 Apps and updates | Windows 10 1709, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | diff --git a/windows/deployment/update/wufb-reports-do.md b/windows/deployment/update/wufb-reports-do.md index ca30f29188..d505ce8a89 100644 --- a/windows/deployment/update/wufb-reports-do.md +++ b/windows/deployment/update/wufb-reports-do.md 
@@ -147,15 +147,15 @@ DeviceCount = count_distinct(GlobalDeviceId) by GroupID | top 10 by DeviceCount ### Delivery Optimization Supported Content Types -There are many Microsoft [content types](waas-delivery-optimization.md#types-of-download-content-supported-by-delivery-optimization) that are supported by Delivery Optimization. All of these content types show up in the 'Content Distribution' section in the Delivery Optimization report. +There are many Microsoft [content types](waas-delivery-optimization.md#types-of-download-content-supported-by-delivery-optimization) that are supported by Delivery Optimization. All of these content types show up in the 'Content Distribution' section in the Delivery Optimization report. See the [complete table](waas-delivery-optimization.md#windows-client) for P2P/MCC support types. | Content Category | Content Types Included | | --- | --- | -| Apps | Windows 10 Store files, Windows 10 Store for Business files, Windows 11 UWP Store apps | +| Apps | Windows 10 Store apps, Windows 10 Store for Business apps, Windows 11 UWP Store apps | | Driver Updates | Windows Update Driver updates | -| Feature and Flighting Updates | Windows Update Feature and Flighting updates, language packs | +| Feature and Flighting Updates | Windows Update Feature and Flighting updates | | Office | Microsoft 365 Apps and updates | -| Other | Windows Defender definition updates, Intune Win32 apps, Edge Browser updates, Configuration Manager Express updates, Dynamic updates, MDM Agent, Xbox Game Pass (PC), Windows Package Manager, MSIX Installer (includes Windows 11 Store Win32 apps, Windows 11 Teams updates) | +| Other | Windows Language Packs, Windows Defender definition updates, Intune Win32 apps, Edge Browser updates, Configuration Manager Express updates, Dynamic updates, MDM Agent, Xbox Game Pass (PC), Windows Package Manager, MSIX Installer (includes Windows 11 Store Win32 apps, Windows 11 Teams updates) | | Quality Updates | Windows Updates Quality 
updates | ## Frequency Asked Questions From 7bd4a090227472446520a53fbce3c6e16aa41b35 Mon Sep 17 00:00:00 2001 
From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Wed, 31 May 2023 15:46:31 -0400 Subject: [PATCH 15/80] Move smartscreen and refresh --- .../mdm/policy-csp-admx-windowsexplorer.md | 5 +- windows/security/apps.md | 2 +- windows/security/identity-protection/toc.yml | 2 +- windows/security/index.yml | 2 +- .../available-settings.md} | 2 +- .../enhanced-phishing-protection.md} | 6 +-- ...rosoft-Defender-Smartscreen-submission.png | Bin .../images/icons/group-policy.svg | 0 .../images/icons/intune.svg | 0 .../images/icons/windows-os.svg | 0 .../microsoft-defender-smartscreen/index.md} | 5 +- .../virus-and-threat-protection/toc.yml | 45 ++++++++++-------- windows/security/threat-protection/index.md | 15 ++---- ...iew-of-threat-mitigations-in-windows-10.md | 12 ++--- .../whats-new-windows-11-version-22H2.md | 2 +- 15 files changed, 48 insertions(+), 50 deletions(-) rename windows/security/{threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md => operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/available-settings.md} (99%) rename windows/security/{threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen.md => operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md} (99%) rename windows/security/{threat-protection => operating-system-security/virus-and-threat-protection}/microsoft-defender-smartscreen/images/Microsoft-Defender-Smartscreen-submission.png (100%) rename windows/security/{threat-protection => operating-system-security/virus-and-threat-protection}/microsoft-defender-smartscreen/images/icons/group-policy.svg (100%) rename windows/security/{threat-protection => operating-system-security/virus-and-threat-protection}/microsoft-defender-smartscreen/images/icons/intune.svg (100%) rename windows/security/{threat-protection => 
operating-system-security/virus-and-threat-protection}/microsoft-defender-smartscreen/images/icons/windows-os.svg (100%) rename windows/security/{threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md => operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/index.md} (95%) diff --git a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md index 4a8727e522..a6a0c31774 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md @@ -622,8 +622,7 @@ Some information is sent to Microsoft about files and programs run on PCs with t - -For more information, see [Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview). +For more information, see [Microsoft Defender SmartScreen](/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen). @@ -3174,7 +3173,7 @@ If you enable this setting, the system removes the Map Network Drive and Disconn This setting doesn't prevent users from connecting to another computer by typing the name of a shared folder in the Run dialog box. > [!NOTE] -> +> This setting was documented incorrectly on the Explain tab in Group Policy for Windows 2000. The Explain tab states incorrectly that this setting prevents users from connecting and disconnecting drives. diff --git a/windows/security/apps.md b/windows/security/apps.md index a2e62786ce..b69ebc2103 100644 --- a/windows/security/apps.md +++ b/windows/security/apps.md 
@@ -23,4 +23,4 @@ The following table summarizes the Windows security features and capabilities fo | Microsoft Defender Application Guard | Application Guard uses chip-based hardware isolation to isolate untrusted websites and untrusted Office files, seamlessly running untrusted websites and files in an isolated Hyper-V-based container, separate from the desktop operating system, and making sure that anything that happens within the container remains isolated from the desktop. Learn more [Microsoft Defender Application Guard overview](threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md). | | Windows Sandbox | Windows Sandbox provides a lightweight desktop environment to safely run applications in isolation. Software installed inside the Windows Sandbox environment remains "sandboxed" and runs separately from the host machine. A sandbox is temporary. When it's closed, all the software and files and the state are deleted. You get a brand-new instance of the sandbox every time you open the application. Learn more: [Windows Sandbox](application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md) | | Email Security | With Windows S/MIME email security, users can encrypt outgoing messages and attachments, so only intended recipients with digital identification (ID)—also called a certificate—can read them. Users can digitally sign a message, which verifies the identity of the sender and ensures the message has not been tampered with.[Configure S/MIME for Windows 10](identity-protection/configure-s-mime.md) | -| Microsoft Defender SmartScreen | Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files. 
Learn more: [Microsoft Defender SmartScreen overview](threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md) | +| Microsoft Defender SmartScreen | Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files. Learn more: [Microsoft Defender SmartScreen overview](/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen) | diff --git a/windows/security/identity-protection/toc.yml b/windows/security/identity-protection/toc.yml index c90f5b2316..fcd058a974 100644 --- a/windows/security/identity-protection/toc.yml +++ b/windows/security/identity-protection/toc.yml @@ -32,7 +32,7 @@ items: displayName: LAPS href: /windows-server/identity/laps/laps-overview - name: Enhanced Phishing Protection in Microsoft Defender SmartScreen - href: ../threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen.md + href: ../operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md displayName: EPP - name: Access Control items: diff --git a/windows/security/index.yml b/windows/security/index.yml index 535f5f269a..8cd670d32e 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -92,7 +92,7 @@ landingContent: - text: Windows Sandbox url: application-security\application-isolation\windows-sandbox\windows-sandbox-overview.md - text: Microsoft Defender SmartScreen - url: threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md + url: operating-system-security\virus-and-threat-protection\microsoft-defender-smartscreen\index.md - text: S/MIME for Windows url: identity-protection/configure-s-mime.md # Cards and links should be based on top customer tasks or top subjects 
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/available-settings.md similarity index 99% rename from windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md rename to windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/available-settings.md index 3c1ed6dcea..18f1795945 100644 --- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md +++ b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/available-settings.md @@ -4,7 +4,7 @@ description: A list of all available settings for Microsoft Defender SmartScreen ms.prod: windows-client author: vinaypamnani-msft ms.localizationpriority: medium -ms.date: 09/28/2020 +ms.date: 05/31/2023 ms.reviewer: manager: aaroncz ms.author: vinpa diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen.md b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md similarity index 99% rename from windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen.md rename to windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md index aebf090b15..1abefbf7f4 100644 --- a/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen.md +++ b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md 
@@ -8,7 +8,7 @@ ms.author: vinpa ms.reviewer: paoloma manager: aaroncz ms.localizationpriority: medium -ms.date: 10/07/2022 +ms.date: 05/31/2023 adobe-target: true appliesto: - ✅ Windows 11, version 22H2 @@ -73,7 +73,7 @@ Enhanced Phishing Protection can be configured using the following Administrativ #### [:::image type="icon" source="images/icons/windows-os.svg"::: **CSP**](#tab/csp) Enhanced Phishing Protection can be configured using the [WebThreatDefense CSP][WIN-1]. - + | Setting | OMA-URI | Data type | |-------------------------|---------------------------------------------------------------------------|-----------| | **ServiceEnabled** | `./Device/Vendor/MSFT/Policy/Config/WebThreatDefense/ServiceEnabled` | Integer | @@ -90,7 +90,7 @@ By default, Enhanced Phishing Protection is deployed in audit mode, preventing n To better help you protect your organization, we recommend turning on and using these specific Microsoft Defender SmartScreen settings. #### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune) - + |Settings catalog element|Recommendation| |---------|---------| |Service Enabled|**Enable**: Turns on Enhanced Phishing Protection in audit mode, which captures work or school password entry events and sends diagnostic data but doesn't show any notifications to your users.| diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/images/Microsoft-Defender-Smartscreen-submission.png b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/images/Microsoft-Defender-Smartscreen-submission.png similarity index 100% rename from windows/security/threat-protection/microsoft-defender-smartscreen/images/Microsoft-Defender-Smartscreen-submission.png rename to windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/images/Microsoft-Defender-Smartscreen-submission.png 
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/group-policy.svg b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/images/icons/group-policy.svg similarity index 100% rename from windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/group-policy.svg rename to windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/images/icons/group-policy.svg diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/intune.svg b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/images/icons/intune.svg similarity index 100% rename from windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/intune.svg rename to windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/images/icons/intune.svg diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/windows-os.svg b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/images/icons/windows-os.svg similarity index 100% rename from windows/security/threat-protection/microsoft-defender-smartscreen/images/icons/windows-os.svg rename to windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/images/icons/windows-os.svg 
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/index.md similarity index 95% rename from windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md rename to windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/index.md index b58a2be3ac..569457defe 100644 --- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md +++ b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/index.md @@ -12,7 +12,7 @@ adobe-target: true ms.collection: - tier2 - highpri -ms.date: 03/20/2023 +ms.date: 05/31/2023 ms.topic: article appliesto: - ✅ Windows 11 
@@ -42,7 +42,7 @@ Microsoft Defender SmartScreen provide an early warning system against websites - **Reputation-based URL and app protection:** Microsoft Defender SmartScreen evaluates a website's URLs to determine if they're known to distribute or host unsafe content. It also provides reputation checks for apps, checking downloaded programs and the digital signature used to sign a file. If a URL, a file, an app, or a certificate has an established reputation, users don't see any warnings. If there's no reputation, the item is marked as a higher risk and presents a warning to the user. - **Operating system integration:** Microsoft Defender SmartScreen is integrated into the Windows 10 operating system. It checks any files an app (including 3rd-party browsers and email clients) that attempts to download and run. - **Improved heuristics and diagnostic data:** Microsoft Defender SmartScreen is constantly learning and endeavoring to stay up to date, so it can help to protect you against potentially malicious sites and files. -- **Management through group policy and Microsoft Intune:** Microsoft Defender SmartScreen supports using both group policy and Microsoft Intune settings. For more info about all available settings, see [Available Microsoft Defender SmartScreen group policy and mobile device management (MDM) settings](microsoft-defender-smartscreen-available-settings.md). +- **Management through group policy and Microsoft Intune:** Microsoft Defender SmartScreen supports using both group policy and Microsoft Intune settings. For more info about all available settings, see [Available Microsoft Defender SmartScreen group policy and mobile device management (MDM) settings](available-settings.md). - **Blocking URLs associated with potentially unwanted applications:** In Microsoft Edge (based on Chromium), SmartScreen blocks URLs associated with potentially unwanted applications, or PUAs. 
For more information on blocking URLs associated with PUAs, see [Detect and block potentially unwanted applications](/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus). > [!IMPORTANT] @@ -61,5 +61,4 @@ When submitting a file for Microsoft Defender SmartScreen, make sure to select * ## Related articles - [SmartScreen frequently asked questions](https://fb.smartscreen.microsoft.com/smartscreenfaq.aspx) -- [Available Microsoft Defender SmartScreen group policy and mobile device management (MDM) settings](microsoft-defender-smartscreen-available-settings.md) - [Configuration service provider reference](/windows/client-management/mdm/configuration-service-provider-reference) diff --git a/windows/security/operating-system-security/virus-and-threat-protection/toc.yml b/windows/security/operating-system-security/virus-and-threat-protection/toc.yml index a8c5cdf1e5..639a85c09c 100644 --- a/windows/security/operating-system-security/virus-and-threat-protection/toc.yml +++ b/windows/security/operating-system-security/virus-and-threat-protection/toc.yml 
@@ -1,21 +1,26 @@ items: -- name: Overview - href: ../../threat-protection/index.md -- name: Microsoft Defender Antivirus - href: /microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows -- name: Configuring LSA Protection - href: /windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection?toc=/windows/security/toc.json&bc=/windows/security/breadcrumb/toc.json -- name: Attack surface reduction (ASR) - href: /microsoft-365/security/defender-endpoint/attack-surface-reduction -- name: Tamper protection for MDE - href: /microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection -- name: Microsoft Vulnerable Driver Blocklist - href: ../../threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md -- name: Controlled folder access - href: /microsoft-365/security/defender-endpoint/controlled-folders -- name: Exploit protection - href: /microsoft-365/security/defender-endpoint/exploit-protection -- name: Microsoft Defender SmartScreen - href: ../../threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md -- name: Microsoft Defender for Endpoint - href: /microsoft-365/security/defender-endpoint \ No newline at end of file + - name: Overview + href: index.md + - name: Microsoft Defender Antivirus 🔗 + href: /microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows + - name: Configuring LSA Protection 🔗 + href: /windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection?toc=/windows/security/toc.json&bc=/windows/security/breadcrumb/toc.json + - name: Attack surface reduction (ASR) 🔗 + href: /microsoft-365/security/defender-endpoint/attack-surface-reduction + - name: Tamper protection for MDE 🔗 + href: /microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection + - name: Microsoft Vulnerable Driver 
Blocklist + href: ../../threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md + - name: Controlled folder access 🔗 + href: /microsoft-365/security/defender-endpoint/controlled-folders + - name: Exploit protection 🔗 + href: /microsoft-365/security/defender-endpoint/exploit-protection + - name: Microsoft Defender SmartScreen + href: microsoft-defender-smartscreen/index.md + items: + - name: Available settings + href: microsoft-defender-smartscreen/available-settings.md + - name: Enhanced Phishing Protection + href: microsoft-defender-smartscreen/enhanced-phishing-protection.md + - name: Microsoft Defender for Endpoint 🔗 + href: /microsoft-365/security/defender-endpoint diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md index dfaa642ba7..83cd0757b5 100644 --- a/windows/security/threat-protection/index.md +++ b/windows/security/threat-protection/index.md @@ -12,13 +12,7 @@ ms.date: 12/31/2017 # Windows threat protection -**Applies to:** -- Windows 10 -- Windows 11 - -In Windows client, hardware and software work together to help protect you from new and emerging threats. Expanded security protections in Windows 11 help boost security from the chip, to the cloud. - -## Windows threat protection +In Windows client, hardware and software work together to help protect you from new and emerging threats. Expanded security protections in Windows 11 help boost security from the chip, to the cloud. See the following articles to learn more about the different areas of Windows threat protection: 
@@ -28,15 +22,16 @@ See the following articles to learn more about the different areas of Windows th - [Exploit Protection](/microsoft-365/security/defender-endpoint/exploit-protection) - [Microsoft Defender Application Guard](/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview) - [Microsoft Defender Device Guard](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md) -- [Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview) +- [Microsoft Defender SmartScreen](/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/) - [Network Protection](/microsoft-365/security/defender-endpoint/network-protection) - [Virtualization-Based Protection of Code Integrity](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity) - [Web Protection](/microsoft-365/security/defender-endpoint/web-protection-overview) - [Windows Firewall](windows-firewall/windows-firewall-with-advanced-security.md) - [Windows Sandbox](/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview) -### Next-generation protection -Next-generation protection is designed to identify and block new and emerging threats. Powered by the cloud and machine learning, Microsoft Defender Antivirus can help stop attacks in real-time. +## Next-generation protection + +Next-generation protection is designed to identify and block new and emerging threats. Powered by the cloud and machine learning, Microsoft Defender Antivirus can help stop attacks in real-time. - [Automated sandbox service](/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus) - [Behavior monitoring](/microsoft-365/security/defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus) 
diff --git a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md index c72345df1e..5c41c76d73 100644 --- a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md +++ b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md @@ -1,5 +1,5 @@ --- -title: Mitigate threats by using Windows 10 security features +title: Mitigate threats by using Windows 10 security features description: An overview of software and firmware threats faced in the current security landscape, and the mitigations that Windows 10 offers in response to these threats. ms.prod: windows-client ms.localizationpriority: medium @@ -84,7 +84,7 @@ Windows Defender SmartScreen notifies users if they click on reported phishing a For Windows 10, Microsoft improved SmartScreen (now called Windows Defender SmartScreen) protection capability by integrating its app reputation abilities into the operating system itself, which allows Windows Defender SmartScreen to check the reputation of files downloaded from the Internet and warn users when they're about to run a high-risk downloaded file. The first time a user runs an app that originates from the Internet, Windows Defender SmartScreen checks the reputation of the application by using digital signatures and other factors against a service that Microsoft maintains. If the app lacks a reputation or is known to be malicious, Windows Defender SmartScreen warns the user or blocks execution entirely, depending on how the administrator has configured Microsoft Intune or Group Policy settings. -For more information, see [Microsoft Defender SmartScreen overview](microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md). +For more information, see [Microsoft Defender SmartScreen overview](). ### Microsoft Defender Antivirus 
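Review bot: The replacement link in the `@@ -84,7 +84,7 @@` hunk of overview-of-threat-mitigations-in-windows-10.md has an empty target, `[Microsoft Defender SmartScreen overview]()`, so the reference no longer leads anywhere. Point it at the location this same patch uses for the article in threat-protection/index.md, `/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/`.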
@@ -124,7 +124,7 @@ Data Execution Prevention (DEP) does exactly that, by substantially reducing the 5. Click **OK**. -You can now see which processes have DEP enabled. +You can now see which processes have DEP enabled. @@ -296,7 +296,7 @@ Some of the protections available in Windows 10 are provided through functions t | Extension point disable to block the use of certain third-party extension points | [UpdateProcThreadAttribute function](/windows/win32/api/processthreadsapi/nf-processthreadsapi-updateprocthreadattribute)
\[PROCESS\_CREATION\_MITIGATION\_POLICY\_EXTENSION\_POINT\_DISABLE\_ALWAYS\_ON\] | | Heap terminate on corruption to protect the system against a corrupted heap | [UpdateProcThreadAttribute function](/windows/win32/api/processthreadsapi/nf-processthreadsapi-updateprocthreadattribute)
\[PROCESS\_CREATION\_MITIGATION\_POLICY\_HEAP\_TERMINATE\_ALWAYS\_ON\] | -## Understanding Windows 10 in relation to the Enhanced Mitigation Experience Toolkit +## Understanding Windows 10 in relation to the Enhanced Mitigation Experience Toolkit You might already be familiar with the [Enhanced Mitigation Experience Toolkit (EMET)](https://support.microsoft.com/topic/emet-mitigations-guidelines-b529d543-2a81-7b5a-d529-84b30e1ecee0), which has since 2009 offered various exploit mitigations, and an interface for configuring those mitigations. You can use this section to understand how EMET mitigations relate to those mitigations in Windows 10. Many of EMET's mitigations have been built into Windows 10, some with extra improvements. However, some EMET mitigations carry high-performance cost, or appear to be relatively ineffective against modern threats, and therefore haven't been brought into Windows 10. @@ -322,7 +322,7 @@ One of EMET's strengths is that it allows you to import and export configuration Install-Module -Name ProcessMitigations ``` -The Get-ProcessMitigation cmdlet gets the current mitigation settings from the registry or from a running process, or it can save all settings to an XML file. +The Get-ProcessMitigation cmdlet gets the current mitigation settings from the registry or from a running process, or it can save all settings to an XML file. To get the current settings on all running instances of notepad.exe: 
@@ -377,7 +377,7 @@ ConvertTo-ProcessMitigationPolicy -EMETFilePath -OutputFilePath **Enhanced Phishing Protection** in **Microsoft Defender SmartScreen** helps protect Microsoft school or work passwords against phishing and unsafe usage on websites and in applications. Enhanced Phishing Protection works alongside Windows security protections to help protect Windows 11 work or school sign-in passwords. -For more information, see [Enhanced Phishing Protection in Microsoft Defender SmartScreen](/windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen) and [Protect passwords with enhanced phishing protection](https://aka.ms/EnhancedPhishingProtectionBlog) in the Windows IT Pro blog. +For more information, see [Enhanced Phishing Protection in Microsoft Defender SmartScreen](/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection) and [Protect passwords with enhanced phishing protection](https://aka.ms/EnhancedPhishingProtectionBlog) in the Windows IT Pro blog. ## Smart App Control From 6e44a626e6aed3a1e3f9004ed9ddde7ea210c4c0 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Wed, 31 May 2023 16:00:41 -0400 Subject: [PATCH 16/80] Fix links --- .../enhanced-phishing-protection.md | 4 ++-- .../microsoft-defender-smartscreen/index.md | 2 +- .../virus-and-threat-protection/toc.yml | 2 -- 3 files changed, 3 insertions(+), 5 deletions(-) diff --git a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md index 1abefbf7f4..d4eafd6dd1 100644 --- a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md 
+++ b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md @@ -40,7 +40,7 @@ Enhanced Phishing Protection provides robust phishing protections for work or sc - **Easy management through Group Policy and Microsoft Intune:** Enhanced Phishing Protection works with Group Policy and mobile device management (MDM) settings to help you manage your organization's computer settings. Based on how you set up Enhanced Phishing Protection, you can customize which phishing protection scenarios show users warning dialogs. For example, the Service Enabled setting determines whether the Enhanced Phishing Protection service is on or off. The feature is in audit mode if the other settings, which correspond to notification policies, aren't enabled. -[!INCLUDE [enhanced-phishing-protection-with-smartscreen](../../../../includes/licensing/enhanced-phishing-protection-with-smartscreen.md)] +[!INCLUDE [enhanced-phishing-protection-with-smartscreen](/includes/licensing/enhanced-phishing-protection-with-smartscreen.md)] ## Configure Enhanced Phishing Protection for your organization @@ -122,7 +122,7 @@ To better help you protect your organization, we recommend turning on and using - [SmartScreen Frequently Asked Questions](https://fb.smartscreen.microsoft.com/smartscreenfaq.aspx) - [WebThreatDefense CSP][WIN-1] -- [Threat protection](../index.md) +- [Threat protection](index.md) diff --git a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/index.md b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/index.md index 569457defe..5128f46efc 100644 --- a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/index.md +++ b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/index.md 
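Review bot: In the `@@ -122,7 +122,7 @@` hunk of enhanced-phishing-protection.md, `[Threat protection](index.md)` now resolves to the index.md in the same microsoft-defender-smartscreen folder, which this series treats as the SmartScreen overview, so the link text no longer matches its target. Either point it at the threat protection landing page (windows/security/threat-protection/index.md is edited earlier in this series) or rename the link to match the SmartScreen overview.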
@@ -48,7 +48,7 @@ Microsoft Defender SmartScreen provide an early warning system against websites > [!IMPORTANT] > SmartScreen protects against malicious files from the internet. It does not protect against malicious files on internal locations or network shares, such as shared folders with UNC paths or SMB/CIFS shares. -[!INCLUDE [microsoft-defender-smartscreen](../../../../includes/licensing/microsoft-defender-smartscreen.md)] +[!INCLUDE [microsoft-defender-smartscreen](/includes/licensing/microsoft-defender-smartscreen.md)] ## Submit files to Microsoft Defender SmartScreen for review diff --git a/windows/security/operating-system-security/virus-and-threat-protection/toc.yml b/windows/security/operating-system-security/virus-and-threat-protection/toc.yml index 639a85c09c..077e6d1c55 100644 --- a/windows/security/operating-system-security/virus-and-threat-protection/toc.yml +++ b/windows/security/operating-system-security/virus-and-threat-protection/toc.yml @@ -1,6 +1,4 @@ items: - - name: Overview - href: index.md - name: Microsoft Defender Antivirus 🔗 href: /microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows - name: Configuring LSA Protection 🔗 From 8c690c98571df145f8074a4a2cfec00259d4a43d Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Wed, 31 May 2023 16:05:44 -0400 Subject: [PATCH 17/80] test includes link --- .../enhanced-phishing-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md index d4eafd6dd1..bdd0f93906 100644 --- a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md 
+++ b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md @@ -40,7 +40,7 @@ Enhanced Phishing Protection provides robust phishing protections for work or sc - **Easy management through Group Policy and Microsoft Intune:** Enhanced Phishing Protection works with Group Policy and mobile device management (MDM) settings to help you manage your organization's computer settings. Based on how you set up Enhanced Phishing Protection, you can customize which phishing protection scenarios show users warning dialogs. For example, the Service Enabled setting determines whether the Enhanced Phishing Protection service is on or off. The feature is in audit mode if the other settings, which correspond to notification policies, aren't enabled. -[!INCLUDE [enhanced-phishing-protection-with-smartscreen](/includes/licensing/enhanced-phishing-protection-with-smartscreen.md)] +[!INCLUDE [enhanced-phishing-protection-with-smartscreen](/includes/licensing/enhanced-phishing-protection-with-smartscreen)] ## Configure Enhanced Phishing Protection for your organization From 5f0eed413fcb6f47a662b6ce015f17f8e11ca386 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Wed, 31 May 2023 16:13:19 -0400 Subject: [PATCH 18/80] fix links again --- .../enhanced-phishing-protection.md | 2 +- .../microsoft-defender-smartscreen/index.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md index bdd0f93906..74a3cd15d9 100644 --- a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md 
+++ b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection.md @@ -40,7 +40,7 @@ Enhanced Phishing Protection provides robust phishing protections for work or sc - **Easy management through Group Policy and Microsoft Intune:** Enhanced Phishing Protection works with Group Policy and mobile device management (MDM) settings to help you manage your organization's computer settings. Based on how you set up Enhanced Phishing Protection, you can customize which phishing protection scenarios show users warning dialogs. For example, the Service Enabled setting determines whether the Enhanced Phishing Protection service is on or off. The feature is in audit mode if the other settings, which correspond to notification policies, aren't enabled. -[!INCLUDE [enhanced-phishing-protection-with-smartscreen](/includes/licensing/enhanced-phishing-protection-with-smartscreen)] +[!INCLUDE [enhanced-phishing-protection-with-smartscreen](../../../../../includes/licensing/enhanced-phishing-protection-with-smartscreen.md)] ## Configure Enhanced Phishing Protection for your organization diff --git a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/index.md b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/index.md index 5128f46efc..8b326614fd 100644 --- a/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/index.md +++ b/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/index.md 
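Review bot: The INCLUDE line in this `@@ -40,7 +40,7 @@` hunk is rewritten for the third time in three consecutive commits: `/includes/...md` in "Fix links", the extensionless `/includes/...` in "test includes link", and now five `../` segments in "fix links again". Squash the three so the history carries only the working form. The five-level path is consistent with the file sitting five folders below the repository root, and the matching change to microsoft-defender-smartscreen/index.md belongs in the same commit.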
@@ -48,7 +48,7 @@ Microsoft Defender SmartScreen provide an early warning system against websites > [!IMPORTANT] > SmartScreen protects against malicious files from the internet. It does not protect against malicious files on internal locations or network shares, such as shared folders with UNC paths or SMB/CIFS shares. -[!INCLUDE [microsoft-defender-smartscreen](/includes/licensing/microsoft-defender-smartscreen.md)] +[!INCLUDE [microsoft-defender-smartscreen](../../../../../includes/licensing/microsoft-defender-smartscreen.md)] ## Submit files to Microsoft Defender SmartScreen for review From 896f9627ecd4fe34953dc0cf8f1873fad04e9ba2 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Wed, 31 May 2023 16:27:58 -0400 Subject: [PATCH 19/80] add redirects --- .openpublishing.redirection.json | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 2e4f6df9c5..022f0bc238 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json 
@@ -20825,6 +20825,21 @@ "redirect_url": "/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview", "redirect_document_id": false }, + { + "source_path": "windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md", + "redirect_url": "/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/available-settings", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/microsoft-defender-smartscreen/phishing-protection-microsoft-defender-smartscreen.md", + "redirect_url": "/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/enhanced-phishing-protection", + "redirect_document_id": false + }, + { + "source_path": "windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md", + "redirect_url": "/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen", + "redirect_document_id": false + }, { "source_path": "windows/security/information-protection/index.md", "redirect_url": "/windows/security/encryption-data-protection", From 8bb63f59cc27e1d2251ada8002cffaf5ee3f60a8 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Wed, 31 May 2023 16:35:41 -0400 Subject: [PATCH 20/80] Update TOC --- .../virus-and-threat-protection/toc.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/operating-system-security/virus-and-threat-protection/toc.yml b/windows/security/operating-system-security/virus-and-threat-protection/toc.yml index 077e6d1c55..ed1ff2ce5d 100644 --- a/windows/security/operating-system-security/virus-and-threat-protection/toc.yml +++ b/windows/security/operating-system-security/virus-and-threat-protection/toc.yml 
@@ -14,8 +14,9 @@ items: - name: Exploit protection 🔗 href: /microsoft-365/security/defender-endpoint/exploit-protection - name: Microsoft Defender SmartScreen - href: microsoft-defender-smartscreen/index.md items: + - name: Overview + href: microsoft-defender-smartscreen/index.md - name: Available settings href: microsoft-defender-smartscreen/available-settings.md - name: Enhanced Phishing Protection From 1843aed3af813701eb7d7fdd7920ca938a499c76 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Wed, 31 May 2023 17:16:31 -0400 Subject: [PATCH 21/80] Minor updates --- .../virus-and-threat-protection/toc.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/operating-system-security/virus-and-threat-protection/toc.yml b/windows/security/operating-system-security/virus-and-threat-protection/toc.yml index ed1ff2ce5d..9f7c2d6f2f 100644 --- a/windows/security/operating-system-security/virus-and-threat-protection/toc.yml +++ b/windows/security/operating-system-security/virus-and-threat-protection/toc.yml 
@@ -1,13 +1,13 @@ items: - name: Microsoft Defender Antivirus 🔗 href: /microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows - - name: Configuring LSA Protection 🔗 + - name: Configuring LSA Protection href: /windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection?toc=/windows/security/toc.json&bc=/windows/security/breadcrumb/toc.json - name: Attack surface reduction (ASR) 🔗 href: /microsoft-365/security/defender-endpoint/attack-surface-reduction - name: Tamper protection for MDE 🔗 href: /microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection - - name: Microsoft Vulnerable Driver Blocklist + - name: Microsoft Vulnerable Driver Blocklist 🔗 href: ../../threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md - name: Controlled folder access 🔗 href: /microsoft-365/security/defender-endpoint/controlled-folders From e56bb71afb5bb9988a004a921873eda2eb50b70a Mon Sep 17 00:00:00 2001 From: Stephanie Savell <101299710+v-stsavell@users.noreply.github.com> Date: Wed, 31 May 2023 17:56:47 -0500 Subject: [PATCH 22/80] Update policy-csp-admx-windowsexplorer.md --- .../client-management/mdm/policy-csp-admx-windowsexplorer.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md index a6a0c31774..0b0bcc91c9 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md 
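Review bot: The 🔗 marker changes in this hunk look inverted against the rest of toc.yml: the marker is removed from `Configuring LSA Protection`, whose href is an absolute `/windows-server/...` path, and added to `Microsoft Vulnerable Driver Blocklist`, whose href is a relative `../../threat-protection/...md` file in this repository, while every other marked entry carries an absolute `/microsoft-365/...` href. If the marker has a defined meaning, state the rule in the commit message (currently only "Minor updates") so these two entries can be checked against it.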
@@ -105,7 +105,7 @@ This setting allows an administrator to revert specific Windows Shell behavior t - If you enable this setting, users can't configure their system to open items by single-clicking (such as in Mouse in Control Panel). As a result, the user interface looks and operates like the interface for Windows NT 4.0, and users can't restore the new features. -Enabling this policy will also turn off the preview pane and set the folder options for File Explorer to Use classic folders view and disable the users ability to change these options. +Enabling this policy will also turn off the preview pane and set the folder options for File Explorer to Use classic folders view and disable the user's ability to change these options. - If you disable or not configure this policy, the default File Explorer behavior is applied to the user. From 5fb61d00537a44b72c1276b24ca40e22985fda8a Mon Sep 17 00:00:00 2001 From: Stephanie Savell <101299710+v-stsavell@users.noreply.github.com> Date: Wed, 31 May 2023 17:57:59 -0500 Subject: [PATCH 23/80] Update policy-csp-admx-windowsexplorer.md --- .../client-management/mdm/policy-csp-admx-windowsexplorer.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md index 0b0bcc91c9..3228cd240a 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md 
@@ -3967,7 +3967,7 @@ To remove network computers from lists of network resources, use the "No Entire -Configures the list of items displayed in the Places Bar in the Windows File/Open dialog. If enable this setting you can specify from 1 to 5 items to be displayed in the Places Bar. +Configures the list of items displayed in the Places Bar in the Windows File/Open dialog. If this setting is enabled, you can specify from 1 to 5 items to be displayed in the Places Bar. The valid items you may display in the Places Bar are: From 9bd5540deeda02a8cc91a9c40a2295789187f057 Mon Sep 17 00:00:00 2001 From: Stephanie Savell <101299710+v-stsavell@users.noreply.github.com> Date: Wed, 31 May 2023 17:58:40 -0500 Subject: [PATCH 24/80] Update policy-csp-admx-windowsexplorer.md --- .../client-management/mdm/policy-csp-admx-windowsexplorer.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md index 3228cd240a..31a46e1227 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md @@ -3971,7 +3971,7 @@ Configures the list of items displayed in the Places Bar in the Windows File/Ope The valid items you may display in the Places Bar are: -1) Shortcuts to a local folders -- (ex. C:\Windows) +1) Shortcuts to a local folder -- (ex. C:\Windows) 2) Shortcuts to remote folders -- (\\server\share) From 4c0e3e21cd573d842aae0479b55a985059a419cf Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Wed, 31 May 2023 15:59:41 -0700 Subject: [PATCH 25/80] wn broken link 7962488 --- windows/whats-new/temporary-enterprise-feature-control.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
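Review bot: In the `@@ -3971,7 +3971,7 @@` hunk, `1) Shortcuts to a local folder` is now singular while the next item stays `2) Shortcuts to remote folders`; `Shortcuts to local folders` fixes the grammar and keeps the list parallel. The consecutive one-line commits to policy-csp-admx-windowsexplorer.md, all titled "Update policy-csp-admx-windowsexplorer.md", would also be easier to review as a single commit with a message that says what was corrected.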
diff --git a/windows/whats-new/temporary-enterprise-feature-control.md b/windows/whats-new/temporary-enterprise-feature-control.md index 4db66dd6c4..b20be1c0ab 100644 --- a/windows/whats-new/temporary-enterprise-feature-control.md +++ b/windows/whats-new/temporary-enterprise-feature-control.md @@ -45,4 +45,4 @@ You can use a policy to enable features that are behind temporary enterprise fea - **Group Policy:** Computer Configuration\Administrative Templates\Windows Components\Windows Update\Manage end user experience\\**Enable features introduced via servicing that are off by default** - **CSP**: ./Device/Vendor/MSFT/Policy/Config/Update/[AllowTemporaryEnterpriseFeatureControl](/windows/client-management/mdm/policy-csp-update?toc=/windows/deployment/toc.json&bc=/windows/deployment/breadcrumb/toc.json#allowtemporaryenterprisefeaturecontrol) - - In the Intune [settings catalog](/intune/configuration/settings-catalog), this setting is named **Allow Temporary Enterprise Feature Control** under the **Windows Update for Business** category. + - In the Intune [settings catalog](/mem/intune/configuration/settings-catalog), this setting is named **Allow Temporary Enterprise Feature Control** under the **Windows Update for Business** category. From 985269e3aee8e57e74947c2918ffb49ee7db395b Mon Sep 17 00:00:00 2001 From: Stephanie Savell <101299710+v-stsavell@users.noreply.github.com> Date: Wed, 31 May 2023 18:03:52 -0500 Subject: [PATCH 26/80] Update policy-csp-admx-windowsexplorer.md --- .../client-management/mdm/policy-csp-admx-windowsexplorer.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md index 31a46e1227..d93f4952bf 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md 
@@ -3173,9 +3173,7 @@ If you enable this setting, the system removes the Map Network Drive and Disconn This setting doesn't prevent users from connecting to another computer by typing the name of a shared folder in the Run dialog box. > [!NOTE] -> - -This setting was documented incorrectly on the Explain tab in Group Policy for Windows 2000. The Explain tab states incorrectly that this setting prevents users from connecting and disconnecting drives. +> This setting was documented incorrectly on the Explain tab in Group Policy for Windows 2000. The Explain tab states incorrectly that this setting prevents users from connecting and disconnecting drives. > [!NOTE] > It's a requirement for third-party applications with Windows 2000 or later certification to adhere to this setting. From 665c066ad0a0dbb0cba042d9652e9e342c95713d Mon Sep 17 00:00:00 2001 From: Stephanie Savell <101299710+v-stsavell@users.noreply.github.com> Date: Wed, 31 May 2023 18:39:59 -0500 Subject: [PATCH 27/80] Adding .md to TOC entries --- .../virus-and-threat-protection/toc.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/operating-system-security/virus-and-threat-protection/toc.yml b/windows/security/operating-system-security/virus-and-threat-protection/toc.yml index 9f7c2d6f2f..36969190cd 100644 --- a/windows/security/operating-system-security/virus-and-threat-protection/toc.yml +++ b/windows/security/operating-system-security/virus-and-threat-protection/toc.yml 
@@ -1,18 +1,18 @@ items: - name: Microsoft Defender Antivirus 🔗 - href: /microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows + href: /microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows.md - name: Configuring LSA Protection href: /windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection?toc=/windows/security/toc.json&bc=/windows/security/breadcrumb/toc.json - name: Attack surface reduction (ASR) 🔗 - href: /microsoft-365/security/defender-endpoint/attack-surface-reduction + href: /microsoft-365/security/defender-endpoint/attack-surface-reduction.md - name: Tamper protection for MDE 🔗 - href: /microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection + href: /microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection.md - name: Microsoft Vulnerable Driver Blocklist 🔗 href: ../../threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md - name: Controlled folder access 🔗 - href: /microsoft-365/security/defender-endpoint/controlled-folders + href: /microsoft-365/security/defender-endpoint/controlled-folders.md - name: Exploit protection 🔗 - href: /microsoft-365/security/defender-endpoint/exploit-protection + href: /microsoft-365/security/defender-endpoint/exploit-protection.md - name: Microsoft Defender SmartScreen items: - name: Overview @@ -22,4 +22,4 @@ items: - name: Enhanced Phishing Protection href: microsoft-defender-smartscreen/enhanced-phishing-protection.md - name: Microsoft Defender for Endpoint 🔗 - href: /microsoft-365/security/defender-endpoint + href: /microsoft-365/security/defender-endpoint.md From 6a490322789fc309b1a2c0005a9210fa97765b3c Mon Sep 17 00:00:00 2001 
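Review bot: Appending `.md` to the absolute `/microsoft-365/security/defender-endpoint/...` hrefs in this hunk treats site paths as source files, whereas only the relative hrefs (`microsoft-defender-smartscreen/index.md`, `../../threat-protection/...md`) point at files in this repository. The other site-absolute links visible in this series are extensionless, for example `/microsoft-365/security/defender-endpoint/exploit-protection` in threat-protection/index.md and the `/windows-server/...` LSA entry left unchanged here, and the last entry becomes `/microsoft-365/security/defender-endpoint.md`, which names a folder. Confirm with a build that these resolve, or revert them to the extensionless form.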
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Thu, 1 Jun 2023 07:44:12 -0400 Subject: [PATCH 28/80] PDE content move --- windows/security/docfx.json | 19 ++- .../hello-for-business/toc.yml | 1 + .../data-protection/configure-s-mime.md | 2 - .../data-protection}/encrypted-hard-drive.md | 16 +-- .../configure-pde-in-intune.md | 23 +--- .../personal-data-encryption/faq-pde.yml | 7 -- .../includes/pde-description.md | 14 +-- .../personal-data-encryption/index.md} | 32 ++--- .../intune-disable-arso.md | 97 +++++---------- .../intune-disable-hibernation.md | 92 +++++---------- .../intune-disable-memory-dumps.md | 87 +++++--------- ...tune-disable-password-connected-standby.md | 110 ++++++------------ .../intune-disable-wer.md | 98 +++++----------- .../intune-enable-pde.md | 102 +++++----------- .../personal-data-encryption/toc.yml | 19 +++ .../data-protection/toc.yml | 24 +--- 16 files changed, 237 insertions(+), 506 deletions(-) rename windows/security/{information-protection => operating-system-security/data-protection}/encrypted-hard-drive.md (96%) rename windows/security/{information-protection => operating-system-security/data-protection}/personal-data-encryption/configure-pde-in-intune.md (58%) rename windows/security/{information-protection => operating-system-security/data-protection}/personal-data-encryption/faq-pde.yml (95%) rename windows/security/{information-protection => operating-system-security/data-protection}/personal-data-encryption/includes/pde-description.md (70%) rename windows/security/{information-protection/personal-data-encryption/overview-pde.md => operating-system-security/data-protection/personal-data-encryption/index.md} (90%) rename windows/security/{information-protection/personal-data-encryption/pde-in-intune => operating-system-security/data-protection/personal-data-encryption}/intune-disable-arso.md (65%) rename windows/security/{information-protection/personal-data-encryption/pde-in-intune => 
operating-system-security/data-protection/personal-data-encryption}/intune-disable-hibernation.md (60%) rename windows/security/{information-protection/personal-data-encryption/pde-in-intune => operating-system-security/data-protection/personal-data-encryption}/intune-disable-memory-dumps.md (67%) rename windows/security/{information-protection/personal-data-encryption/pde-in-intune => operating-system-security/data-protection/personal-data-encryption}/intune-disable-password-connected-standby.md (68%) rename windows/security/{information-protection/personal-data-encryption/pde-in-intune => operating-system-security/data-protection/personal-data-encryption}/intune-disable-wer.md (64%) rename windows/security/{information-protection/personal-data-encryption/pde-in-intune => operating-system-security/data-protection/personal-data-encryption}/intune-enable-pde.md (62%) create mode 100644 windows/security/operating-system-security/data-protection/personal-data-encryption/toc.yml diff --git a/windows/security/docfx.json b/windows/security/docfx.json index 1222b0620c..cb0fe65e5e 100644 --- a/windows/security/docfx.json +++ b/windows/security/docfx.json @@ -76,6 +76,7 @@ "application-security/application-control/user-account-control/*.md": "paolomatarazzo", "application-security/application-isolation/windows-sandbox/**/*.md": "vinaypamnani-msft", "identity-protection/**/*.md": "paolomatarazzo", + "operating-system-security/data-protection/**/*.md": "paolomatarazzo", "operating-system-security/network-security/**/*.md": "paolomatarazzo", "operating-system-security/network-security/windows-firewall/**/*.md": "ngangulyms" }, 
@@ -83,6 +84,7 @@ "application-security/application-control/user-account-control/*.md": "paoloma", "application-security/application-isolation/windows-sandbox/**/*.md": "vinpa", "identity-protection/**/*.md": "paoloma", + "operating-system-security/data-protection/**/*.md": "paoloma", "operating-system-security/network-security/**/*.md": "paoloma", "operating-system-security/network-security/windows-firewall/*.md": "nganguly" }, @@ -123,6 +125,16 @@ "✅ Windows Server 2019", "✅ Windows Server 2016" ], + "operating-system-security/data-protection/**/*.md": [ + "✅ Windows 11", + "✅ Windows 10", + "✅ Windows Server 2022", + "✅ Windows Server 2019", + "✅ Windows Server 2016" + ], + "operating-system-security/data-protection/personal-data-encryption/*.md": [ + "✅ Windows 11" + ], "operating-system-security/network-security/windows-firewall/**/*.md": [ "✅ Windows 11", "✅ Windows 10", @@ -136,16 +148,17 @@ "identity-protection/credential-guard/*.md": "zwhittington", "identity-protection/access-control/*.md": "sulahiri", "operating-system-security/network-security/windows-firewall/*.md": "paoloma", - "operating-system-security/network-security/vpn/*.md": "pesmith" + "operating-system-security/network-security/vpn/*.md": "pesmith", + "operating-system-security/data-protection/personal-data-encryption/*.md":"rhonnegowda" }, "ms.collection": { "identity-protection/hello-for-business/*.md": "tier1", - "information-protection/bitlocker/*.md": "tier1", - "information-protection/personal-data-encryption/*.md": "tier1", "information-protection/pluton/*.md": "tier1", "information-protection/tpm/*.md": "tier1", "threat-protection/auditing/*.md": "tier3", "threat-protection/windows-defender-application-control/*.md": "tier3", + "operating-system-security/data-protection/bitlocker/*.md": "tier1", + "operating-system-security/data-protection/personal-data-encryption/*.md": "tier1", "operating-system-security/network-security/windows-firewall/*.md": "tier3" } }, 
diff --git a/windows/security/identity-protection/hello-for-business/toc.yml b/windows/security/identity-protection/hello-for-business/toc.yml index 77c3a38b65..bce50d6cb5 100644 --- a/windows/security/identity-protection/hello-for-business/toc.yml +++ b/windows/security/identity-protection/hello-for-business/toc.yml @@ -1,3 +1,4 @@ +items: - name: Windows Hello for Business documentation href: index.yml - name: Concepts diff --git a/windows/security/operating-system-security/data-protection/configure-s-mime.md b/windows/security/operating-system-security/data-protection/configure-s-mime.md index 578fd09c36..4d5e976fde 100644 --- a/windows/security/operating-system-security/data-protection/configure-s-mime.md +++ b/windows/security/operating-system-security/data-protection/configure-s-mime.md @@ -3,8 +3,6 @@ title: Configure S/MIME for Windows description: S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients with a digital ID, also known as a certificate, can read them. Learn how to configure S/MIME for Windows. ms.topic: how-to ms.date: 05/31/2023 -author: paolomatarazzo -ms.author: paoloma --- diff --git a/windows/security/information-protection/encrypted-hard-drive.md b/windows/security/operating-system-security/data-protection/encrypted-hard-drive.md similarity index 96% rename from windows/security/information-protection/encrypted-hard-drive.md rename to windows/security/operating-system-security/data-protection/encrypted-hard-drive.md index bb2fc98a8e..ba8ba460e0 100644 --- a/windows/security/information-protection/encrypted-hard-drive.md +++ b/windows/security/operating-system-security/data-protection/encrypted-hard-drive.md 
@@ -1,11 +1,6 @@ --- title: Encrypted Hard Drive description: Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management. -ms.reviewer: -manager: aaroncz -ms.author: frankroj -ms.prod: windows-client -author: frankroj ms.date: 11/08/2022 ms.technology: itpro-security ms.topic: conceptual @@ -13,15 +8,6 @@ ms.topic: conceptual # Encrypted Hard Drive -*Applies to:* - -- Windows 10 -- Windows 11 -- Windows Server 2022 -- Windows Server 2019 -- Windows Server 2016 -- Azure Stack HCI - Encrypted hard drive uses the rapid encryption that is provided by BitLocker drive encryption to enhance data security and management. By offloading the cryptographic operations to hardware, Encrypted hard drives increase BitLocker performance and reduce CPU usage and power consumption. Because Encrypted hard drives encrypt data quickly, enterprise devices can expand BitLocker deployment with minimal impact on productivity. @@ -48,7 +34,7 @@ Encrypted hard drives are supported natively in the operating system through the If you're a storage device vendor who is looking for more info on how to implement Encrypted Hard Drive, see the [Encrypted Hard Drive Device Guide](/previous-versions/windows/hardware/design/dn653989(v=vs.85)). -[!INCLUDE [encrypted-hard-drive](../../../includes/licensing/encrypted-hard-drive.md)] +[!INCLUDE [encrypted-hard-drive](../../../../includes/licensing/encrypted-hard-drive.md)] ## System Requirements 
diff --git a/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure-pde-in-intune.md similarity index 58% rename from windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md rename to windows/security/operating-system-security/data-protection/personal-data-encryption/configure-pde-in-intune.md index 3aa684f0c2..3fad2c30be 100644 --- a/windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure-pde-in-intune.md @@ -1,14 +1,7 @@ --- title: Configure Personal Data Encryption (PDE) in Intune description: Configuring and enabling Personal Data Encryption (PDE) required and recommended policies in Intune -author: frankroj -ms.author: frankroj -ms.reviewer: rhonnegowda -manager: aaroncz ms.topic: how-to -ms.prod: windows-client -ms.technology: itpro-security -ms.localizationpriority: medium ms.date: 03/13/2023 --- 
@@ -21,19 +14,15 @@ The various required and recommended policies needed for Personal Data Encryptio ## Required prerequisites -1. [Enable Personal Data Encryption (PDE)](pde-in-intune/intune-enable-pde.md) - -1. [Disable Winlogon automatic restart sign-on (ARSO)](pde-in-intune/intune-disable-arso.md) +1. [Enable Personal Data Encryption (PDE)](intune-enable-pde.md) +1. [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md) ## Security hardening recommendations -1. [Disable kernel-mode crash dumps and live dumps](pde-in-intune/intune-disable-memory-dumps.md) - -1. [Disable Windows Error Reporting (WER)/user-mode crash dumps](pde-in-intune/intune-disable-wer.md) - -1. [Disable hibernation](pde-in-intune/intune-disable-hibernation.md) - -1. [Disable allowing users to select when a password is required when resuming from connected standby](pde-in-intune/intune-disable-password-connected-standby.md) +1. [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md) +1. [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md) +1. [Disable hibernation](intune-disable-hibernation.md) +1. [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md) ## See also diff --git a/windows/security/information-protection/personal-data-encryption/faq-pde.yml b/windows/security/operating-system-security/data-protection/personal-data-encryption/faq-pde.yml similarity index 95% rename from windows/security/information-protection/personal-data-encryption/faq-pde.yml rename to windows/security/operating-system-security/data-protection/personal-data-encryption/faq-pde.yml index 01ba4b7b8e..b29c488276 100644 --- a/windows/security/information-protection/personal-data-encryption/faq-pde.yml +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/faq-pde.yml 
@@ -3,14 +3,7 @@ metadata: title: Frequently asked questions for Personal Data Encryption (PDE) description: Answers to common questions regarding Personal Data Encryption (PDE). - author: frankroj - ms.author: frankroj - ms.reviewer: rhonnegowda - manager: aaroncz ms.topic: faq - ms.prod: windows-client - ms.technology: itpro-security - ms.localizationpriority: medium ms.date: 03/13/2023 # Max 5963468 OS 32516487 diff --git a/windows/security/information-protection/personal-data-encryption/includes/pde-description.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/includes/pde-description.md similarity index 70% rename from windows/security/information-protection/personal-data-encryption/includes/pde-description.md rename to windows/security/operating-system-security/data-protection/personal-data-encryption/includes/pde-description.md index 1d6d83ff6c..6eaa4e1f87 100644 --- a/windows/security/information-protection/personal-data-encryption/includes/pde-description.md +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/includes/pde-description.md 
@@ -1,22 +1,14 @@ --- -title: Personal Data Encryption (PDE) description -description: Personal Data Encryption (PDE) description include file - -author: frankroj -ms.author: frankroj -ms.reviewer: rhonnegowda -manager: aaroncz ms.topic: include -ms.prod: windows-client -ms.technology: itpro-security -ms.localizationpriority: medium ms.date: 03/13/2023 --- -Personal data encryption (PDE) is a security feature introduced in Windows 11, version 22H2 that provides additional encryption features to Windows. PDE differs from BitLocker in that it encrypts individual files and content instead of whole volumes and disks. PDE occurs in addition to other encryption methods such as BitLocker. +Starting in Windows 11, version 22H2, Personal Data Encryption (PDE) is a security feature that provides more encryption capabilities to Windows. + +PDE differs from BitLocker in that it encrypts individual files and content instead of whole volumes and disks. PDE occurs in addition to other encryption methods such as BitLocker. PDE utilizes Windows Hello for Business to link data encryption keys with user credentials. This feature can minimize the number of credentials the user has to remember to gain access to content. For example, when using BitLocker with PIN, a user would need to authenticate twice - once with the BitLocker PIN and a second time with Windows credentials. This requirement requires users to remember two different credentials. With PDE, users only need to enter one set of credentials via Windows Hello for Business. diff --git a/windows/security/information-protection/personal-data-encryption/overview-pde.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md similarity index 90% rename from windows/security/information-protection/personal-data-encryption/overview-pde.md rename to windows/security/operating-system-security/data-protection/personal-data-encryption/index.md index c7efa3d342..a4eadd4ef4 100644 
--- a/windows/security/information-protection/personal-data-encryption/overview-pde.md +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md @@ -1,14 +1,8 @@ --- title: Personal Data Encryption (PDE) description: Personal Data Encryption unlocks user encrypted files at user sign-in instead of at boot. -author: frankroj -ms.author: frankroj -ms.reviewer: rhonnegowda manager: aaroncz ms.topic: how-to -ms.prod: windows-client -ms.technology: itpro-security -ms.localizationpriority: medium ms.date: 03/13/2023 --- 
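Review bot: The front matter of index.md still carries `manager: aaroncz` as an unchanged line, while the other PDE articles touched in this patch (configure-pde-in-intune.md, intune-disable-arso.md, intune-disable-hibernation.md, intune-disable-memory-dumps.md) delete it along with `author`, `ms.author` and `ms.reviewer`. If these values are now meant to come from the docfx.json globs, remove `manager` here too so the file does not override the folder-level metadata.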
@@ -17,28 +11,24 @@ ms.date: 03/13/2023 # Personal Data Encryption (PDE) -**Applies to:** - -- Windows 11, version 22H2 and later Enterprise and Education editions - [!INCLUDE [Personal Data Encryption (PDE) description](includes/pde-description.md)] -[!INCLUDE [personal-data-encryption-pde](../../../../includes/licensing/personal-data-encryption-pde.md)] +[!INCLUDE [personal-data-encryption-pde](../../../../../includes/licensing/personal-data-encryption-pde.md)] ## Prerequisites ### Required - [Azure AD joined device](/azure/active-directory/devices/concept-azure-ad-join) -- [Windows Hello for Business](../../identity-protection/hello-for-business/hello-overview.md) +- [Windows Hello for Business](identity-protection/hello-for-business/hello-overview.md) - Windows 11, version 22H2 and later Enterprise and Education editions ### Not supported with PDE - [FIDO/security key authentication](/azure/active-directory/authentication/howto-authentication-passwordless-security-key) - [Winlogon automatic restart sign-on (ARSO)](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-) - - For information on disabling ARSO via Intune, see [Disable Winlogon automatic restart sign-on (ARSO)](pde-in-intune/intune-disable-arso.md). -- [Windows Information Protection (WIP)](../windows-information-protection/protect-enterprise-data-using-wip.md) + - For information on disabling ARSO via Intune, see [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md). +- [Windows Information Protection (WIP)](windows-information-protection/protect-enterprise-data-using-wip.md) - [Hybrid Azure AD joined devices](/azure/active-directory/devices/concept-azure-ad-join-hybrid) - Remote Desktop connections 
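Review bot: The cross-folder links in this hunk lose their `../` prefixes even though the file moves one directory deeper, so they will resolve inside `personal-data-encryption/` and break. `[Windows Hello for Business](identity-protection/hello-for-business/hello-overview.md)` was `../../identity-protection/...` at the old depth and needs `../../../identity-protection/hello-for-business/hello-overview.md` at the new one; the `[!INCLUDE ...]` path in the same hunk correctly gains one `../`, which shows the expected adjustment. The `[Windows Information Protection (WIP)](windows-information-protection/protect-enterprise-data-using-wip.md)` link has the same problem and should climb back to the folder where the WIP articles live. Only the `intune-disable-arso.md` link is right as a bare file name, because that file now sits in the same folder.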
@@ -46,15 +36,15 @@ ms.date: 03/13/2023 - [Kernel-mode crash dumps and live dumps disabled](/windows/client-management/mdm/policy-csp-memorydump#memorydump-policies) - Kernel-mode crash dumps and live dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps. For information on disabling crash dumps and live dumps via Intune, see [Disable kernel-mode crash dumps and live dumps](pde-in-intune/intune-disable-memory-dumps.md). + Kernel-mode crash dumps and live dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable kernel-mode crash dumps and live dumps. For information on disabling crash dumps and live dumps via Intune, see [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md). - [Windows Error Reporting (WER) disabled/User-mode crash dumps disabled](/windows/client-management/mdm/policy-csp-errorreporting#errorreporting-disablewindowserrorreporting) - Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps. For more information on disabling crash dumps via Intune, see [Disable Windows Error Reporting (WER)/user-mode crash dumps](pde-in-intune/intune-disable-wer.md). + Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps. For more information on disabling crash dumps via Intune, see [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md). - [Hibernation disabled](/windows/client-management/mdm/policy-csp-power#power-allowhibernate) - Hibernation files can potentially cause the keys used by PDE to protect content to be exposed. 
For greatest security, disable hibernation. For more information on disabling crash dumps via Intune, see [Disable hibernation](pde-in-intune/intune-disable-hibernation.md). + Hibernation files can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable hibernation. For more information on disabling crash dumps via Intune, see [Disable hibernation](intune-disable-hibernation.md). - [Allowing users to select when a password is required when resuming from connected standby disabled](/windows/client-management/mdm/policy-csp-admx-credentialproviders#admx-credentialproviders-allowdomaindelaylock) @@ -76,11 +66,11 @@ ms.date: 03/13/2023 Because of this undesired outcome, it's recommended to explicitly disable this policy on Azure AD joined devices instead of leaving it at the default of **Not configured**. - For information on disabling this policy via Intune, see [Disable allowing users to select when a password is required when resuming from connected standby](pde-in-intune/intune-disable-password-connected-standby.md). + For information on disabling this policy via Intune, see [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md). ### Highly recommended -- [BitLocker Drive Encryption](../bitlocker/bitlocker-overview.md) enabled +- [BitLocker Drive Encryption](bitlocker/bitlocker-overview.md) enabled Although PDE will work without BitLocker, it's recommended to also enable BitLocker. PDE is meant to work alongside BitLocker for increased security. PDE isn't a replacement for BitLocker. 
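Review bot: In the `@@ -76,11 +66,11 @@` hunk, `[BitLocker Drive Encryption](bitlocker/bitlocker-overview.md)` drops the `../` that the old link had, so it points at a `bitlocker` folder under `personal-data-encryption/`. The docfx.json change in this patch references the BitLocker articles as `operating-system-security/data-protection/bitlocker/*.md`, which is a sibling of this folder, so the link should stay `../bitlocker/bitlocker-overview.md`. A link-validation build on this branch would catch this and the similar links elsewhere in index.md.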
@@ -88,7 +78,7 @@ ms.date: 03/13/2023 In certain scenarios such as TPM resets or destructive PIN resets, the keys used by PDE to protect content will be lost. In such scenarios, any content protected with PDE will no longer be accessible. The only way to recover such content would be from backup. -- [Windows Hello for Business PIN reset service](../../identity-protection/hello-for-business/hello-feature-pin-reset.md) +- [Windows Hello for Business PIN reset service](identity-protection/hello-for-business/hello-feature-pin-reset.md) Destructive PIN resets will cause keys used by PDE to protect content to be lost. A destructive PIN reset will make any content protected with PDE no longer accessible after the destructive PIN reset has occurred. Content protected with PDE will need to be recovered from a backup after a destructive PIN reset. For this reason Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets. @@ -137,7 +127,7 @@ There's also a [PDE CSP](/windows/client-management/mdm/personaldataencryption-c > [!NOTE] > Enabling the PDE policy on devices only enables the PDE feature. It does not protect any content. To protect content via PDE, use the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager). The PDE APIs can be used to create custom applications and scripts to specify which content to protect and at what level to protect the content. Additionally, the PDE APIs can't be used to protect content until the PDE policy has been enabled. -For information on enabling PDE via Intune, see [Enable Personal Data Encryption (PDE)](pde-in-intune/intune-enable-pde.md). +For information on enabling PDE via Intune, see [Enable Personal Data Encryption (PDE)](intune-enable-pde.md). ## Differences between PDE and BitLocker 
diff --git a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-arso.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-arso.md similarity index 65% rename from windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-arso.md rename to windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-arso.md index 9781fb82d7..6a1a815925 100644 --- a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-arso.md +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-arso.md @@ -1,15 +1,8 @@ --- title: Disable Winlogon automatic restart sign-on (ARSO) for PDE in Intune description: Disable Winlogon automatic restart sign-on (ARSO) for PDE in Intune -author: frankroj -ms.author: frankroj -ms.reviewer: rhonnegowda -manager: aaroncz ms.topic: how-to -ms.prod: windows-client -ms.technology: itpro-security -ms.localizationpriority: medium -ms.date: 03/13/2023 +ms.date: 06/01/2023 --- # Disable Winlogon automatic restart sign-on (ARSO) for PDE 
@@ -20,81 +13,51 @@ Winlogon automatic restart sign-on (ARSO) isn't supported for use with Personal To disable ARSO using Intune, follow the below steps: -1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). - -1. In the **Home** screen, select **Devices** in the left pane. - -1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**. - -1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**. - +1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) +1. In the **Home** screen, select **Devices** in the left pane +1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles** +1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile** 1. In the **Create profile** window that opens: - - 1. Under **Platform**, select **Windows 10 and later**. - - 1. Under **Profile type**, select **Templates**. - - 1. When the templates appear, under **Template name**, select **Administrative templates**. - + 1. Under **Platform**, select **Windows 10 and later** + 1. Under **Profile type**, select **Templates** + 1. When the templates appear, under **Template name**, select **Administrative templates** 1. Select **Create** to close the **Create profile** window. - 1. The **Create profile** screen will open. In the **Basics** page: - - 1. Next to **Name**, enter **Disable ARSO**. - - 1. Next to **Description**, enter a description. - - 1. Select **Next**. - + 1. Next to **Name**, enter **Disable ARSO** + 1. Next to **Description**, enter a description + 1. Select **Next** 1. In the **Configuration settings** page: - - 1. On the left pane of the page, make sure **Computer Configuration** is selected. - - 1. 
Under **Setting name**, scroll down and select **Windows Components**. - - 1. Under **Setting name**, scroll down and select **Windows Logon Options**. You may need to navigate between pages on the bottom right corner before finding the **Windows Logon Options** option. - - 1. Under **Setting name** of the **Windows Logon Options** pane, select **Sign-in and lock last interactive user automatically after a restart**. - - 1. In the **Sign-in and lock last interactive user automatically after a restart** window that opens, select **Disabled**, and then select **OK**. - - 1. Select **Next**. - -1. In the **Scope tags** page, configure if necessary and then select **Next**. - + 1. On the left pane of the page, make sure **Computer Configuration** is selected + 1. Under **Setting name**, scroll down and select **Windows Components** + 1. Under **Setting name**, scroll down and select **Windows Logon Options**. You may need to navigate between pages on the bottom right corner before finding the **Windows Logon Options** option + 1. Under **Setting name** of the **Windows Logon Options** pane, select **Sign-in and lock last interactive user automatically after a restart** + 1. In the **Sign-in and lock last interactive user automatically after a restart** window that opens, select **Disabled**, and then select **OK** + 1. Select **Next** +1. In the **Scope tags** page, configure if necessary and then select **Next** 1. In the **Assignments** page: - - 1. Under **Included groups**, select **Add groups**. - + 1. Under **Included groups**, select **Add groups** > [!NOTE] - > > Make sure to select **Add groups** under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. - - 1. 
In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window. - - 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**. - -1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**. + 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window + 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next** +1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create** ## Additional PDE configurations in Intune The following PDE configurations can also be configured using Intune: -### Required prerequisites +### Prerequisites -- [Enable Personal Data Encryption (PDE)](../pde-in-intune/intune-enable-pde.md) +- [Enable Personal Data Encryption (PDE)](intune-enable-pde.md) ### Security hardening recommendations -- [Disable kernel-mode crash dumps and live dumps](../pde-in-intune/intune-disable-memory-dumps.md) - -- [Disable Windows Error Reporting (WER)/user-mode crash dumps](../pde-in-intune/intune-disable-wer.md) - -- [Disable hibernation](../pde-in-intune/intune-disable-hibernation.md) - -- [Disable allowing users to select when a password is required when resuming from connected standby](../pde-in-intune/intune-disable-password-connected-standby.md) +- [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md) +- [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md) +- [Disable hibernation](intune-disable-hibernation.md) +- [Disable allowing users to select when a password is required 
when resuming from connected standby](intune-disable-password-connected-standby.md) ## More information -- [Personal Data Encryption (PDE)](../overview-pde.md) -- [Personal Data Encryption (PDE) FAQ](../faq-pde.yml) +- [Personal Data Encryption (PDE)](overview-pde.md) +- [Personal Data Encryption (PDE) FAQ](faq-pde.yml) diff --git a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-hibernation.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-hibernation.md similarity index 60% rename from windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-hibernation.md rename to windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-hibernation.md index 19a5b9498e..f43c7e4299 100644 --- a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-hibernation.md +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-hibernation.md @@ -1,14 +1,7 @@ --- title: Disable hibernation for PDE in Intune description: Disable hibernation for PDE in Intune -author: frankroj -ms.author: frankroj -ms.reviewer: rhonnegowda -manager: aaroncz ms.topic: how-to -ms.prod: windows-client -ms.technology: itpro-security -ms.localizationpriority: medium ms.date: 03/13/2023 --- 
@@ -20,79 +13,50 @@ Hibernation files can potentially cause the keys used by Personal Data Encryptio To disable hibernation using Intune, follow the below steps: -1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). - -1. In the **Home** screen, select **Devices** in the left pane. - -1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**. - -1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**. - +1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) +1. In the **Home** screen, select **Devices** in the left pane +1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles** +1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile** 1. In the **Create profile** window that opens: - - 1. Under **Platform**, select **Windows 10 and later**. - - 1. Under **Profile type**, select **Settings catalog**. - - 1. Select **Create** to close the **Create profile** window. - + 1. Under **Platform**, select **Windows 10 and later** + 1. Under **Profile type**, select **Settings catalog** + 1. Select **Create** to close the **Create profile** window 1. The **Create profile** screen will open. In the **Basics** page: - - 1. Next to **Name**, enter **Disable Hibernation**. - - 1. Next to **Description**, enter a description. - - 1. Select **Next**. - + 1. Next to **Name**, enter **Disable Hibernation** + 1. Next to **Description**, enter a description + 1. Select **Next** 1. In the **Configuration settings** page: - - 1. select **Add settings**. - + 1. select **Add settings** 1. In the **Settings picker** window that opens: - - 1. Under **Browse by category**, scroll down and select **Power**. - - 1. 
When the settings for the **Power** category appear under **Setting name** in the lower pane, select **Allow Hibernate**, and then select the **X** in the top right corner of the **Settings picker** window to close the window. - - 1. Change **Allow Hibernate** from **Allow** to **Block** by selecting the slider next to the option. - - 1. Select **Next**. - -1. In the **Scope tags** page, configure if necessary and then select **Next**. - + 1. Under **Browse by category**, scroll down and select **Power** + 1. When the settings for the **Power** category appear under **Setting name** in the lower pane, select **Allow Hibernate**, and then select the **X** in the top right corner of the **Settings picker** window to close the window + 1. Change **Allow Hibernate** from **Allow** to **Block** by selecting the slider next to the option + 1. Select **Next** +1. In the **Scope tags** page, configure if necessary and then select **Next** 1. In the **Assignments** page: - - 1. Under **Included groups**, select **Add groups**. - + 1. Under **Included groups**, select **Add groups** > [!NOTE] - > > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. - - 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window. - - 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**. - -1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**. + 1. 
In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window + 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next** +1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create** ## Additional PDE configurations in Intune The following PDE configurations can also be configured using Intune: -### Required prerequisites +### Prerequisites -- [Enable Personal Data Encryption (PDE)](../pde-in-intune/intune-enable-pde.md) - -- [Disable Winlogon automatic restart sign-on (ARSO)](../pde-in-intune/intune-disable-arso.md) +- [Enable Personal Data Encryption (PDE)](intune-enable-pde.md) +- [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md) ### Security hardening recommendations -- [Disable kernel-mode crash dumps and live dumps](../pde-in-intune/intune-disable-memory-dumps.md) - -- [Disable Windows Error Reporting (WER)/user-mode crash dumps](../pde-in-intune/intune-disable-wer.md) - -- [Disable allowing users to select when a password is required when resuming from connected standby](../pde-in-intune/intune-disable-password-connected-standby.md) +- [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md) +- [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md) +- [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md) ## More information -- [Personal Data Encryption (PDE)](../overview-pde.md) -- [Personal Data Encryption (PDE) FAQ](../faq-pde.yml) +- [Personal Data Encryption (PDE)](overview-pde.md) +- [Personal Data Encryption (PDE) FAQ](faq-pde.yml) 
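Review bot: Under "More information" at the end of this hunk, `[Personal Data Encryption (PDE)](overview-pde.md)` points at a file this patch renames: overview-pde.md becomes index.md in the same folder, so the link is dangling after the move and should be `index.md`. The identical line in the intune-disable-arso.md hunk needs the same fix. The `faq-pde.yml` link is fine, since that file keeps its name and now shares the folder. A smaller consistency point in the same hunk: the sub-step `1. select **Add settings**` keeps its lowercase "select" while every other step starts with a capital.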
diff --git a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-memory-dumps.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-memory-dumps.md similarity index 67% rename from windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-memory-dumps.md rename to windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-memory-dumps.md index b9ab18802e..9eb85c99fa 100644 --- a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-memory-dumps.md +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-memory-dumps.md @@ -1,14 +1,7 @@ --- title: Disable kernel-mode crash dumps and live dumps for PDE in Intune description: Disable kernel-mode crash dumps and live dumps for PDE in Intune -author: frankroj -ms.author: frankroj -ms.reviewer: rhonnegowda -manager: aaroncz ms.topic: how-to -ms.prod: windows-client -ms.technology: itpro-security -ms.localizationpriority: medium ms.date: 03/13/2023 --- 
@@ -20,77 +13,49 @@ Kernel-mode crash dumps and live dumps can potentially cause the keys used by Pe To disable kernel-mode crash dumps and live dumps using Intune, follow the below steps: -1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). - -1. In the **Home** screen, select **Devices** in the left pane. - -1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**. - -1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**. - +1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) +1. In the **Home** screen, select **Devices** in the left pane +1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles** +1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile** 1. In the **Create profile** window that opens: - - 1. Under **Platform**, select **Windows 10 and later**. - - 1. Under **Profile type**, select **Settings catalog**. - - 1. Select **Create** to close the **Create profile** window. - + 1. Under **Platform**, select **Windows 10 and later** + 1. Under **Profile type**, select **Settings catalog** + 1. Select **Create** to close the **Create profile** window 1. The **Create profile** screen will open. In the **Basics** page: - - 1. Next to **Name**, enter **Disable Kernel-Mode Crash Dumps**. - + 1. Next to **Name**, enter **Disable Kernel-Mode Crash Dumps** 1. Next to **Description**, enter a description. - - 1. Select **Next**. - + 1. Select **Next** 1. In the **Configuration settings** page: - - 1. Select **Add settings**. - + 1. Select **Add settings** 1. In the **Settings picker** window that opens: - - 1. Under **Browse by category**, scroll down and select **Memory Dump**. - - 1. 
When the settings for the **Memory Dump** category appear under **Setting name** in the lower pane, select both **Allow Crash Dump** and **Allow Live Dump**, and then select the **X** in the top right corner of the **Settings picker** window to close the window. - - 1. Change both **Allow Live Dump** and **Allow Crash Dump** from **Allow** to **Block** by selecting the slider next to each option, and then select **Next**. - -1. In the **Scope tags** page, configure if necessary and then select **Next**. - + 1. Under **Browse by category**, scroll down and select **Memory Dump** + 1. When the settings for the **Memory Dump** category appear under **Setting name** in the lower pane, select both **Allow Crash Dump** and **Allow Live Dump**, and then select the **X** in the top right corner of the **Settings picker** window to close the window + 1. Change both **Allow Live Dump** and **Allow Crash Dump** from **Allow** to **Block** by selecting the slider next to each option, and then select **Next** +1. In the **Scope tags** page, configure if necessary and then select **Next** 1. In the **Assignments** page: - - 1. Under **Included groups**, select **Add groups**. - + 1. Under **Included groups**, select **Add groups** > [!NOTE] - > > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. - - 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window. - - 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**. - -1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**. + 1. 
In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window + 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next** +1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create** ## Additional PDE configurations in Intune The following PDE configurations can also be configured using Intune: -### Required prerequisites +### Prerequisites -- [Enable Personal Data Encryption (PDE)](../pde-in-intune/intune-enable-pde.md) - -- [Disable Winlogon automatic restart sign-on (ARSO)](../pde-in-intune/intune-disable-arso.md) +- [Enable Personal Data Encryption (PDE)](intune-enable-pde.md) +- [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md) ### Security hardening recommendations -- [Disable Windows Error Reporting (WER)/user-mode crash dumps](../pde-in-intune/intune-disable-wer.md) - -- [Disable hibernation](../pde-in-intune/intune-disable-hibernation.md) - -- [Disable allowing users to select when a password is required when resuming from connected standby](../pde-in-intune/intune-disable-password-connected-standby.md) +- [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md) +- [Disable hibernation](intune-disable-hibernation.md) +- [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md) ## More information -- [Personal Data Encryption (PDE)](../overview-pde.md) -- [Personal Data Encryption (PDE) FAQ](../faq-pde.yml) +- [Personal Data Encryption (PDE)](overview-pde.md) +- [Personal Data Encryption (PDE) FAQ](faq-pde.yml) 
diff --git a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-password-connected-standby.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-password-connected-standby.md similarity index 68% rename from windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-password-connected-standby.md rename to windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-password-connected-standby.md index d61d11a19c..6e6c98db57 100644 --- a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-password-connected-standby.md +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-password-connected-standby.md @@ -1,14 +1,7 @@ --- title: Disable allowing users to select when a password is required when resuming from connected standby for PDE in Intune description: Disable allowing users to select when a password is required when resuming from connected standby for PDE in Intune -author: frankroj -ms.author: frankroj -ms.reviewer: rhonnegowda -manager: aaroncz ms.topic: how-to -ms.prod: windows-client -ms.technology: itpro-security -ms.localizationpriority: medium ms.date: 03/13/2023 --- 
@@ -17,18 +10,12 @@ ms.date: 03/13/2023 When the **Disable allowing users to select when a password is required when resuming from connected standby** policy isn't configured, the outcome between on-premises Active Directory joined devices and workgroup devices, including Azure Active Directory joined devices, is different: - On-premises Active Directory joined devices: - - - A user can't change the amount of time after the device´s screen turns off before a password is required when waking the device. - - - A password is required immediately after the screen turns off. - - The above is the desired outcome, but PDE isn't supported with on-premises Active Directory joined devices. - + - A user can't change the amount of time after the device's screen turns off before a password is required when waking the device + - A password is required immediately after the screen turns off + The above is the desired outcome, but PDE isn't supported with on-premises Active Directory joined devices - Workgroup devices, including Azure AD joined devices: - - - A user on a Connected Standby device can change the amount of time after the device´s screen turns off before a password is required to wake the device. - - - During the time when the screen turns off but a password isn't required, the keys used by PDE to protect content could potentially be exposed. This outcome isn't a desired outcome. + - A user on a Connected Standby device can change the amount of time after the device´s screen turns off before a password is required to wake the device + - During the time when the screen turns off but a password isn't required, the keys used by PDE to protect content could potentially be exposed. This outcome isn't a desired outcome Because of this undesired outcome, it's recommended to explicitly disable this policy on Azure AD joined devices instead of leaving it at the default of **Not configured**. 
@@ -36,83 +23,54 @@ Because of this undesired outcome, it's recommended to explicitly disable this p To disable the policy **Disable allowing users to select when a password is required when resuming from connected standby** using Intune, follow the below steps: -1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). - -1. In the **Home** screen, select **Devices** in the left pane. - -1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**. - -1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**. - +1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) +1. In the **Home** screen, select **Devices** in the left pane +1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles** +1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile** 1. In the **Create profile** window that opens: - - 1. Under **Platform**, select **Windows 10 and later**. - - 1. Under **Profile type**, select **Settings catalog**. - - 1. Select **Create** to close the **Create profile** window. - + 1. Under **Platform**, select **Windows 10 and later** + 1. Under **Profile type**, select **Settings catalog** + 1. Select **Create** to close the **Create profile** window 1. The **Create profile** screen will open. In the **Basics** page: - - 1. Next to **Name**, enter **Disable allowing users to select when a password is required when resuming from connected standby**. - - 1. Next to **Description**, enter a description. - + 1. Next to **Name**, enter **Disable allowing users to select when a password is required when resuming from connected standby** + 1. Next to **Description**, enter a description 1. Select **Next**. 1. In the **Configuration settings** page: - - 1. 
Select **Add settings**. - + 1. Select **Add settings** 1. In the **Settings picker** window that opens: + 1. Under **Browse by category**, expand **Administrative Templates** + 1. Under **Administrative Templates**, scroll down and expand **System** + 1. Under **System**, scroll down and select **Logon** + 1. When the settings for the **Logon** subcategory appear under **Setting name** in the lower pane, select **Allow users to select when a password is required when resuming from connected standby**, and then select the **X** in the top right corner of the **Settings picker** window to close the window + 1. Leave the slider for **Allow users to select when a password is required when resuming from connected standby** at the default of **Disabled** + 1. select **Next** - 1. Under **Browse by category**, expand **Administrative Templates**. - - 1. Under **Administrative Templates**, scroll down and expand **System**. - - 1. Under **System**, scroll down and select **Logon**. - - 1. When the settings for the **Logon** subcategory appear under **Setting name** in the lower pane, select **Allow users to select when a password is required when resuming from connected standby**, and then select the **X** in the top right corner of the **Settings picker** window to close the window. - - 1. Leave the slider for **Allow users to select when a password is required when resuming from connected standby** at the default of **Disabled**. - - 1. select **Next**. - -1. In the **Scope tags** page, configure if necessary and then select **Next**. - +1. In the **Scope tags** page, configure if necessary and then select **Next** 1. In the **Assignments** page: - - 1. Under **Included groups**, select **Add groups**. - + 1. Under **Included groups**, select **Add groups** > [!NOTE] - > > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. 
Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. - - 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window. - - 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**. - -1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**. + 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window + 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next** +1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create** ## Additional PDE configurations in Intune The following PDE configurations can also be configured using Intune: -### Required prerequisites +### Prerequisites -- [Enable Personal Data Encryption (PDE)](../pde-in-intune/intune-enable-pde.md) - -- [Disable Winlogon automatic restart sign-on (ARSO)](../pde-in-intune/intune-disable-arso.md) +- [Enable Personal Data Encryption (PDE)](intune-enable-pde.md) +- [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md) ### Security hardening recommendations -- [Disable kernel-mode crash dumps and live dumps](../pde-in-intune/intune-disable-memory-dumps.md) - -- [Disable Windows Error Reporting (WER)/user-mode crash dumps](../pde-in-intune/intune-disable-wer.md) - -- [Disable hibernation](../pde-in-intune/intune-disable-hibernation.md) +- [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md) +- [Disable Windows Error 
Reporting (WER)/user-mode crash dumps](intune-disable-wer.md) +- [Disable hibernation](intune-disable-hibernation.md) ## More information -- [Personal Data Encryption (PDE)](../overview-pde.md) -- [Personal Data Encryption (PDE) FAQ](../faq-pde.yml) +- [Personal Data Encryption (PDE)](overview-pde.md) +- [Personal Data Encryption (PDE) FAQ](faq-pde.yml) diff --git a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-wer.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-wer.md similarity index 64% rename from windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-wer.md rename to windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-wer.md index f4a795887a..390141bbb6 100644 --- a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-wer.md +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-wer.md @@ -1,14 +1,7 @@ --- title: Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE in Intune description: Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE in Intune -author: frankroj -ms.author: frankroj -ms.reviewer: rhonnegowda -manager: aaroncz ms.topic: how-to -ms.prod: windows-client -ms.technology: itpro-security -ms.localizationpriority: medium ms.date: 03/13/2023 --- 
@@ -20,83 +13,52 @@ Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode cras To disable Windows Error Reporting (WER) and user-mode crash dumps using Intune, follow the below steps: -1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). - -1. In the **Home** screen, select **Devices** in the left pane. - -1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**. - -1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**. - +1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431) +1. In the **Home** screen, select **Devices** in the left pane +1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles** +1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile** 1. In the **Create profile** window that opens: - - 1. Under **Platform**, select **Windows 10 and later**. - - 1. Under **Profile type**, select **Settings catalog**. - - 1. Select **Create** to close the **Create profile** window. - + 1. Under **Platform**, select **Windows 10 and later** + 1. Under **Profile type**, select **Settings catalog** + 1. Select **Create** to close the **Create profile** window 1. The **Create profile** screen will open. In the **Basics** page: - - 1. Next to **Name**, enter **Disable Windows Error Reporting (WER)**. - - 1. Next to **Description**, enter a description. - - 1. Select **Next**. - + 1. Next to **Name**, enter **Disable Windows Error Reporting (WER)** + 1. Next to **Description**, enter a description + 1. Select **Next** 1. In the **Configuration settings** page: - - 1. Select **Add settings**. - + 1. Select **Add settings** 1. In the **Settings picker** window that opens: - - 1. 
Under **Browse by category**, expand **Administrative Templates**. - - 1. Under **Administrative Templates**, scroll down and expand **Windows Components**. - - 1. Under **Windows Components**, scroll down and select **Windows Error Reporting**. Make sure to only select **Windows Error Reporting** and not to expand it. - - 1. When the settings for the **Windows Error Reporting** subcategory appear under **Setting name** in the lower pane, select **Disable Windows Error Reporting**, and then select the **X** in the top right corner of the **Settings picker** window to close the window. - - 1. Change **Disable Windows Error Reporting** from **Disabled** to **Enabled** by selecting the slider next to the option. - - 1. Select **Next**. - -1. In the **Scope tags** page, configure if necessary and then select **Next**. - + 1. Under **Browse by category**, expand **Administrative Templates** + 1. Under **Administrative Templates**, scroll down and expand **Windows Components** + 1. Under **Windows Components**, scroll down and select **Windows Error Reporting**. Make sure to only select **Windows Error Reporting** and not to expand it + 1. When the settings for the **Windows Error Reporting** subcategory appear under **Setting name** in the lower pane, select **Disable Windows Error Reporting**, and then select the **X** in the top right corner of the **Settings picker** window to close the window + 1. Change **Disable Windows Error Reporting** from **Disabled** to **Enabled** by selecting the slider next to the option + 1. Select **Next** +1. In the **Scope tags** page, configure if necessary and then select **Next** 1. In the **Assignments** page: - - 1. Under **Included groups**, select **Add groups**. - + 1. Under **Included groups**, select **Add groups** > [!NOTE] - > > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. 
Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. - - 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window. - - 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**. - -1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**. + 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window + 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next** +1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create** ## Additional PDE configurations in Intune The following PDE configurations can also be configured using Intune: -### Required prerequisites +### Prerequisites -- [Enable Personal Data Encryption (PDE)](../pde-in-intune/intune-enable-pde.md) - -- [Disable Winlogon automatic restart sign-on (ARSO)](../pde-in-intune/intune-disable-arso.md) +- [Enable Personal Data Encryption (PDE)](intune-enable-pde.md) +- [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md) ### Security hardening recommendations -- [Disable kernel-mode crash dumps and live dumps](../pde-in-intune/intune-disable-memory-dumps.md) - -- [Disable hibernation](../pde-in-intune/intune-disable-hibernation.md) - -- [Disable allowing users to select when a password is required when resuming from connected standby](../pde-in-intune/intune-disable-password-connected-standby.md) +- [Disable kernel-mode crash dumps and live 
dumps](intune-disable-memory-dumps.md) +- [Disable hibernation](intune-disable-hibernation.md) +- [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md) ## More information -- [Personal Data Encryption (PDE)](../overview-pde.md) -- [Personal Data Encryption (PDE) FAQ](../faq-pde.yml) +- [Personal Data Encryption (PDE)](overview-pde.md) +- [Personal Data Encryption (PDE) FAQ](faq-pde.yml) diff --git a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-enable-pde.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-enable-pde.md similarity index 62% rename from windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-enable-pde.md rename to windows/security/operating-system-security/data-protection/personal-data-encryption/intune-enable-pde.md index ac064684ca..d8eae30ca5 100644 --- a/windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-enable-pde.md +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-enable-pde.md @@ -1,14 +1,7 @@ --- title: Enable Personal Data Encryption (PDE) in Intune description: Enable Personal Data Encryption (PDE) in Intune -author: frankroj -ms.author: frankroj -ms.reviewer: rhonnegowda -manager: aaroncz ms.topic: how-to -ms.prod: windows-client -ms.technology: itpro-security -ms.localizationpriority: medium ms.date: 03/13/2023 --- 
@@ -24,89 +17,54 @@ By default, Personal Data Encryption (PDE) is not enabled on devices. Before PDE To enable Personal Data Encryption (PDE) using Intune, follow the below steps: 1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431). - -1. In the **Home** screen, select **Devices** in the left pane. - -1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles**. - -1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile**. - +1. In the **Home** screen, select **Devices** in the left pane +1. In the **Devices | Overview** screen, under **Policy**, select **Configuration Profiles** +1. In the **Devices | Configuration profiles** screen, make sure **Profiles** is selected at the top, and then select **Create profile** 1. In the **Create profile** window that opens: - - 1. Under **Platform**, select **Windows 10 and later**. - - 1. Under **Profile type**, select **Templates**. - - 1. When the templates appears, under **Template name**, select **Custom**. - - 1. Select **Create** to close the **Create profile** window. - + 1. Under **Platform**, select **Windows 10 and later** + 1. Under **Profile type**, select **Templates** + 1. When the templates appears, under **Template name**, select **Custom** + 1. Select **Create** to close the **Create profile** window 1. The **Custom** screen will open. In the **Basics** page: - - 1. Next to **Name**, enter **Personal Data Encryption**. - - 1. Next to **Description**, enter a description. - - 1. Select **Next**. - + 1. Next to **Name**, enter **Personal Data Encryption** + 1. Next to **Description**, enter a description + 1. Select **Next** 1. In **Configuration settings** page: - - 1. Next to **OMA-URI Settings**, select **Add**. - + 1. Next to **OMA-URI Settings**, select **Add** 1. In the **Add Row** window that opens: - - 1. 
Next to **Name**, enter **Personal Data Encryption**. - - 1. Next to **Description**, enter a description. - + 1. Next to **Name**, enter **Personal Data Encryption** + 1. Next to **Description**, enter a description 1. Next to **OMA-URI**, enter in: - **`./User/Vendor/MSFT/PDE/EnablePersonalDataEncryption`** - - 1. Next to **Data type**, select **Integer**. - - 1. Next to **Value**, enter in **1**. - - 1. Select **Save** to close the **Add Row** window. - - 1. Select **Next**. - + 1. Next to **Data type**, select **Integer** + 1. Next to **Value**, enter in **1** + 1. Select **Save** to close the **Add Row** window + 1. Select **Next** 1. In the **Assignments** page: - - 1. Under **Included groups**, select **Add groups**. - + 1. Under **Included groups**, select **Add groups** > [!NOTE] - > > Make sure to add the correct groups under **Included groups** and not under **Excluded groups**. Accidentally adding the desired device groups under **Excluded groups** will result in those devices being excluded and they won't receive the configuration profile. - - 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window. - - 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next**. - -1. In **Applicability Rules**, configure if necessary and then select **Next**. - -1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create**. + 1. In the **Select groups to include** window that opens, select the groups that the configuration profile should be assigned to, and then select **Select** to close the **Select groups to include** window + 1. Under **Included groups** > **Groups**, ensure the correct group(s) are selected, and then select **Next** +1. 
In **Applicability Rules**, configure if necessary and then select **Next** +1. In **Review + create** page, review the configuration to make sure everything is configured correctly, and then select **Create** ## Additional PDE configurations in Intune The following PDE configurations can also be configured using Intune: -### Required prerequisites +### Prerequisites -- [Disable Winlogon automatic restart sign-on (ARSO)](../pde-in-intune/intune-disable-arso.md) +- [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md) ### Security hardening recommendations -- [Disable kernel-mode crash dumps and live dumps](../pde-in-intune/intune-disable-memory-dumps.md) - -- [Disable Windows Error Reporting (WER)/user-mode crash dumps](../pde-in-intune/intune-disable-wer.md) - -- [Disable hibernation](../pde-in-intune/intune-disable-hibernation.md) - -- [Disable allowing users to select when a password is required when resuming from connected standby](../pde-in-intune/intune-disable-password-connected-standby.md) +- [Disable kernel-mode crash dumps and live dumps](intune-disable-memory-dumps.md) +- [Disable Windows Error Reporting (WER)/user-mode crash dumps](intune-disable-wer.md) +- [Disable hibernation](intune-disable-hibernation.md) +- [Disable allowing users to select when a password is required when resuming from connected standby](intune-disable-password-connected-standby.md) ## More information -- [Personal Data Encryption (PDE)](../overview-pde.md) -- [Personal Data Encryption (PDE) FAQ](../faq-pde.yml) - +- [Personal Data Encryption (PDE)](overview-pde.md) +- [Personal Data Encryption (PDE) FAQ](faq-pde.yml) diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/toc.yml b/windows/security/operating-system-security/data-protection/personal-data-encryption/toc.yml new file mode 100644 index 0000000000..0bb7c66820 --- /dev/null 
+++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/toc.yml @@ -0,0 +1,19 @@ +items: +- name: Overview + href: index.md +- name: Configure PDE with Intune + href: configure-pde-in-intune.md +- name: Enable Personal Data Encryption (PDE) + href: intune-enable-pde.md +- name: Disable Winlogon automatic restart sign-on (ARSO) for PDE + href: intune-disable-arso.md +- name: Disable kernel-mode crash dumps and live dumps for PDE + href: intune-disable-memory-dumps.md +- name: Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE + href: intune-disable-wer.md +- name: Disable hibernation for PDE + href: intune-disable-hibernation.md +- name: Disable allowing users to select when a password is required when resuming from connected standby for PDE + href: intune-disable-password-connected-standby.md +- name: PDE frequently asked questions (FAQ) + href: faq-pde.yml \ No newline at end of file diff --git a/windows/security/operating-system-security/data-protection/toc.yml b/windows/security/operating-system-security/data-protection/toc.yml index c85fb02887..368281a748 100644 --- a/windows/security/operating-system-security/data-protection/toc.yml +++ b/windows/security/operating-system-security/data-protection/toc.yml 
@@ -76,29 +76,9 @@ items: - name: Decode Measured Boot logs to track PCR changes href: /troubleshoot/windows-client/windows-security/decode-measured-boot-logs-to-track-pcr-changes - name: Encrypted Hard Drive - href: ../../information-protection/encrypted-hard-drive.md + href: encrypted-hard-drive.md - name: Personal Data Encryption (PDE) - items: - - name: Personal Data Encryption (PDE) overview - href: ../../information-protection/personal-data-encryption/overview-pde.md - - name: Personal Data Encryption (PDE) frequently asked questions (FAQ) - href: ../../information-protection/personal-data-encryption/faq-pde.yml - - name: Configure Personal Data Encryption (PDE) in Intune - items: - - name: Configure Personal Data Encryption (PDE) in Intune - href: ../../information-protection/personal-data-encryption/configure-pde-in-intune.md - - name: Enable Personal Data Encryption (PDE) - href: ../../information-protection/personal-data-encryption/pde-in-intune/intune-enable-pde.md - - name: Disable Winlogon automatic restart sign-on (ARSO) for PDE - href: ../../information-protection/personal-data-encryption/pde-in-intune/intune-disable-arso.md - - name: Disable kernel-mode crash dumps and live dumps for PDE - href: ../../information-protection/personal-data-encryption/pde-in-intune/intune-disable-memory-dumps.md - - name: Disable Windows Error Reporting (WER)/user-mode crash dumps for PDE - href: ../../information-protection/personal-data-encryption/pde-in-intune/intune-disable-wer.md - - name: Disable hibernation for PDE - href: ../../information-protection/personal-data-encryption/pde-in-intune/intune-disable-hibernation.md - - name: Disable allowing users to select when a password is required when resuming from connected standby for PDE - href: ../../information-protection/personal-data-encryption/pde-in-intune/intune-disable-password-connected-standby.md + href: personal-data-encryption/toc.yml - name: Configure S/MIME for Windows href: configure-s-mime.md - name: 
Windows Information Protection (WIP) From 7d2719375b708bb350fd4aa661f5ded1de433cb0 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Thu, 1 Jun 2023 08:04:00 -0400 Subject: [PATCH 29/80] PDE updates --- .../data-protection/encrypted-hard-drive.md | 1 - .../data-protection/index.md} | 13 ++++--------- .../configure-pde-in-intune.md | 2 +- .../personal-data-encryption/faq-pde.yml | 4 ++-- .../personal-data-encryption/index.md | 1 - .../personal-data-encryption/intune-disable-arso.md | 2 +- .../intune-disable-hibernation.md | 2 +- .../intune-disable-memory-dumps.md | 2 +- .../intune-disable-password-connected-standby.md | 2 +- .../personal-data-encryption/intune-disable-wer.md | 2 +- .../personal-data-encryption/intune-enable-pde.md | 2 +- .../data-protection/toc.yml | 2 +- 12 files changed, 14 insertions(+), 21 deletions(-) rename windows/security/{encryption-data-protection.md => operating-system-security/data-protection/index.md} (85%) diff --git a/windows/security/operating-system-security/data-protection/encrypted-hard-drive.md b/windows/security/operating-system-security/data-protection/encrypted-hard-drive.md index ba8ba460e0..42e381d999 100644 --- a/windows/security/operating-system-security/data-protection/encrypted-hard-drive.md +++ b/windows/security/operating-system-security/data-protection/encrypted-hard-drive.md @@ -2,7 +2,6 @@ title: Encrypted Hard Drive description: Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management. ms.date: 11/08/2022 -ms.technology: itpro-security ms.topic: conceptual --- diff --git a/windows/security/encryption-data-protection.md b/windows/security/operating-system-security/data-protection/index.md similarity index 85% rename from windows/security/encryption-data-protection.md rename to windows/security/operating-system-security/data-protection/index.md index 781c1f164d..f93a280b15 100644 
--- a/windows/security/encryption-data-protection.md +++ b/windows/security/operating-system-security/data-protection/index.md @@ -1,13 +1,8 @@ --- title: Encryption and data protection in Windows description: Get an overview encryption and data protection in Windows 11 and Windows 10 -author: frankroj -ms.author: frankroj -manager: aaroncz ms.topic: overview ms.date: 09/22/2022 -ms.prod: windows-client -ms.technology: itpro-security ms.reviewer: rafals --- @@ -45,10 +40,10 @@ Windows consistently improves data protection by improving existing options and (*Applies to: Windows 11, version 22H2 and later*) -[!INCLUDE [Personal Data Encryption (PDE) description](information-protection/personal-data-encryption/includes/pde-description.md)] +[!INCLUDE [Personal Data Encryption (PDE) description](personal-data-encryption/includes/pde-description.md)] ## See also -- [Encrypted Hard Drive](information-protection/encrypted-hard-drive.md) -- [BitLocker](information-protection/bitlocker/bitlocker-overview.md) -- [Personal Data Encryption (PDE)](information-protection/personal-data-encryption/overview-pde.md) +- [Encrypted Hard Drive](encrypted-hard-drive.md) +- [BitLocker](bitlocker/bitlocker-overview.md) +- [Personal Data Encryption (PDE)](personal-data-encryption/index.md) diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure-pde-in-intune.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure-pde-in-intune.md index 3fad2c30be..fe2fb5b3e9 100644 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/configure-pde-in-intune.md +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/configure-pde-in-intune.md 
@@ -26,5 +26,5 @@ The various required and recommended policies needed for Personal Data Encryptio ## See also -- [Personal Data Encryption (PDE)](overview-pde.md) +- [Personal Data Encryption (PDE)](index.md) - [Personal Data Encryption (PDE) FAQ](faq-pde.yml) diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/faq-pde.yml b/windows/security/operating-system-security/data-protection/personal-data-encryption/faq-pde.yml index b29c488276..99fecea4eb 100644 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/faq-pde.yml +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/faq-pde.yml @@ -58,7 +58,7 @@ sections: - question: Can users manually encrypt and decrypt files with PDE? answer: | - Currently users can decrypt files manually but they can't encrypt files manually. For information on how a user can manually decrypt a file, see the section **Disable PDE and decrypt files** in [Personal Data Encryption (PDE)](overview-pde.md). + Currently users can decrypt files manually but they can't encrypt files manually. For information on how a user can manually decrypt a file, see the section **Disable PDE and decrypt files** in [Personal Data Encryption (PDE)](index.md). - question: If a user signs into Windows with a password instead of Windows Hello for Business, will they be able to access their PDE protected content? answer: | @@ -70,6 +70,6 @@ sections: additionalContent: | ## See also - - [Personal Data Encryption (PDE)](overview-pde.md) + - [Personal Data Encryption (PDE)](index.md) - [Configure Personal Data Encryption (PDE) polices in Intune](configure-pde-in-intune.md) diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md index a4eadd4ef4..534c3bc52d 100644 
--- a/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md @@ -1,7 +1,6 @@ --- title: Personal Data Encryption (PDE) description: Personal Data Encryption unlocks user encrypted files at user sign-in instead of at boot. -manager: aaroncz ms.topic: how-to ms.date: 03/13/2023 --- diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-arso.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-arso.md index 6a1a815925..9fda445c43 100644 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-arso.md +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-arso.md @@ -59,5 +59,5 @@ The following PDE configurations can also be configured using Intune: ## More information -- [Personal Data Encryption (PDE)](overview-pde.md) +- [Personal Data Encryption (PDE)](index.md) - [Personal Data Encryption (PDE) FAQ](faq-pde.yml) diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-hibernation.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-hibernation.md index f43c7e4299..ef18936b1b 100644 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-hibernation.md +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-hibernation.md @@ -58,5 +58,5 @@ The following PDE configurations can also be configured using Intune: ## More information -- [Personal Data Encryption (PDE)](overview-pde.md) +- [Personal Data Encryption (PDE)](index.md) - [Personal Data Encryption (PDE) FAQ](faq-pde.yml) 
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-memory-dumps.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-memory-dumps.md index 9eb85c99fa..66a238e3c9 100644 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-memory-dumps.md +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-memory-dumps.md @@ -57,5 +57,5 @@ The following PDE configurations can also be configured using Intune: ## More information -- [Personal Data Encryption (PDE)](overview-pde.md) +- [Personal Data Encryption (PDE)](index.md) - [Personal Data Encryption (PDE) FAQ](faq-pde.yml) diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-password-connected-standby.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-password-connected-standby.md index 6e6c98db57..4cf442e308 100644 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-password-connected-standby.md +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-password-connected-standby.md @@ -72,5 +72,5 @@ The following PDE configurations can also be configured using Intune: ## More information -- [Personal Data Encryption (PDE)](overview-pde.md) +- [Personal Data Encryption (PDE)](index.md) - [Personal Data Encryption (PDE) FAQ](faq-pde.yml) diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-wer.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-wer.md index 390141bbb6..39fe957317 100644 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-wer.md 
+++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-wer.md @@ -60,5 +60,5 @@ The following PDE configurations can also be configured using Intune: ## More information -- [Personal Data Encryption (PDE)](overview-pde.md) +- [Personal Data Encryption (PDE)](index.md) - [Personal Data Encryption (PDE) FAQ](faq-pde.yml) diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-enable-pde.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-enable-pde.md index d8eae30ca5..795504237c 100644 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-enable-pde.md +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-enable-pde.md @@ -66,5 +66,5 @@ The following PDE configurations can also be configured using Intune: ## More information -- [Personal Data Encryption (PDE)](overview-pde.md) +- [Personal Data Encryption (PDE)](index.md) - [Personal Data Encryption (PDE) FAQ](faq-pde.yml) diff --git a/windows/security/operating-system-security/data-protection/toc.yml b/windows/security/operating-system-security/data-protection/toc.yml index 368281a748..51df43c135 100644 --- a/windows/security/operating-system-security/data-protection/toc.yml +++ b/windows/security/operating-system-security/data-protection/toc.yml @@ -1,6 +1,6 @@ items: - name: Overview - href: ../../encryption-data-protection.md + href: index.md - name: BitLocker href: ../../information-protection/bitlocker/bitlocker-overview.md items: From 3931a89cbc5660a4c6d8952c354453151b04a7d4 Mon Sep 17 00:00:00 2001 From: Kevin Sheehan <116211220+kbsheehan@users.noreply.github.com> Date: Thu, 1 Jun 2023 09:27:33 -0400 Subject: [PATCH 30/80] Update esim-enterprise-management.md Added Nokia solution --- windows/client-management/esim-enterprise-management.md | 1 + 1 file changed, 1 insertion(+) 
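Review bot: In the front-matter hunk of data-protection/index.md (renamed from encryption-data-protection.md), the unchanged description line reads "Get an overview encryption and data protection in Windows 11 and Windows 10", which is missing "of". The hunk already edits this metadata block, so fix the wording in the same change. The hunk also drops author, ms.author and manager with no replacement lines; confirm those values are supplied elsewhere, since nothing in this diff shows where.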
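Review bot: In faq-pde.yml, the "See also" hunk (@@ -70,6 +70,6 @@) retargets the first link to index.md but leaves the context line below it as "Configure Personal Data Encryption (PDE) polices in Intune". "polices" should be "policies"; correct it while this list is being touched.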
diff --git a/windows/client-management/esim-enterprise-management.md b/windows/client-management/esim-enterprise-management.md index 48902df441..1d585aaf8e 100644 --- a/windows/client-management/esim-enterprise-management.md +++ b/windows/client-management/esim-enterprise-management.md @@ -30,6 +30,7 @@ If you're a Mobile Device Management (MDM) Provider and want to support eSIM Man - [HPE Device Entitlement Gateway](https://www.hpe.com/emea_europe/en/solutions/digital-communications-services.html) - [IDEMIA The Smart Connect - Hub](https://www.idemia.com/smart-connect-hub) + - [Nokia IMPACT Mobile Device Manager](https://www.nokia.com/networks/internet-of-things/impact-mobile-device-manager/) - Assess solution type that you would like to provide your customers - Batch/offline solution From d3c0671866621f8ee103c2bfa7cdfbad8ae147fd Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Thu, 1 Jun 2023 10:38:19 -0400 Subject: [PATCH 31/80] Remove .md again and fix empty link --- .../virus-and-threat-protection/toc.yml | 12 ++++++------ .../overview-of-threat-mitigations-in-windows-10.md | 2 +- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/windows/security/operating-system-security/virus-and-threat-protection/toc.yml b/windows/security/operating-system-security/virus-and-threat-protection/toc.yml index 36969190cd..9f7c2d6f2f 100644 --- a/windows/security/operating-system-security/virus-and-threat-protection/toc.yml +++ b/windows/security/operating-system-security/virus-and-threat-protection/toc.yml 
@@ -1,18 +1,18 @@ items: - name: Microsoft Defender Antivirus 🔗 - href: /microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows.md + href: /microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows - name: Configuring LSA Protection href: /windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection?toc=/windows/security/toc.json&bc=/windows/security/breadcrumb/toc.json - name: Attack surface reduction (ASR) 🔗 - href: /microsoft-365/security/defender-endpoint/attack-surface-reduction.md + href: /microsoft-365/security/defender-endpoint/attack-surface-reduction - name: Tamper protection for MDE 🔗 - href: /microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection.md + href: /microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection - name: Microsoft Vulnerable Driver Blocklist 🔗 href: ../../threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md - name: Controlled folder access 🔗 - href: /microsoft-365/security/defender-endpoint/controlled-folders.md + href: /microsoft-365/security/defender-endpoint/controlled-folders - name: Exploit protection 🔗 - href: /microsoft-365/security/defender-endpoint/exploit-protection.md + href: /microsoft-365/security/defender-endpoint/exploit-protection - name: Microsoft Defender SmartScreen items: - name: Overview @@ -22,4 +22,4 @@ items: - name: Enhanced Phishing Protection href: microsoft-defender-smartscreen/enhanced-phishing-protection.md - name: Microsoft Defender for Endpoint 🔗 - href: /microsoft-365/security/defender-endpoint.md + href: /microsoft-365/security/defender-endpoint diff --git a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md index 5c41c76d73..29afee340a 100644 
--- a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md +++ b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md @@ -84,7 +84,7 @@ Windows Defender SmartScreen notifies users if they click on reported phishing a For Windows 10, Microsoft improved SmartScreen (now called Windows Defender SmartScreen) protection capability by integrating its app reputation abilities into the operating system itself, which allows Windows Defender SmartScreen to check the reputation of files downloaded from the Internet and warn users when they're about to run a high-risk downloaded file. The first time a user runs an app that originates from the Internet, Windows Defender SmartScreen checks the reputation of the application by using digital signatures and other factors against a service that Microsoft maintains. If the app lacks a reputation or is known to be malicious, Windows Defender SmartScreen warns the user or blocks execution entirely, depending on how the administrator has configured Microsoft Intune or Group Policy settings. -For more information, see [Microsoft Defender SmartScreen overview](). +For more information, see [Microsoft Defender SmartScreen overview](/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/). ### Microsoft Defender Antivirus From 3e200656d715beb70bfa8f3563dfd085432f29e2 Mon Sep 17 00:00:00 2001 
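Review bot: In virus-and-threat-protection/toc.yml, "Microsoft Vulnerable Driver Blocklist 🔗" is left as the only 🔗 entry with a repo-relative href ending in .md (../../threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md), while every other 🔗 entry now points at a site-absolute path without the extension. If the marker is meant for links that leave this doc set, drop it from that entry or switch the href. The reverse case is also visible: "Configuring LSA Protection" uses a site-absolute /windows-server/ path but carries no marker.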
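Review bot: In overview-of-threat-mitigations-in-windows-10.md, the repaired link is labelled "Microsoft Defender SmartScreen overview" while the paragraph directly above it still says "Windows Defender SmartScreen" throughout; use one product name in this section. The new target is a folder path with a trailing slash (/windows/security/operating-system-security/virus-and-threat-protection/microsoft-defender-smartscreen/), so check that it resolves to the overview article and not to a default page.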
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Thu, 1 Jun 2023 10:46:25 -0400 Subject: [PATCH 32/80] BitLocker content move --- .../bitlocker/bcd-settings-and-bitlocker.md | 8 -- .../bitlocker/bitlocker-and-adds-faq.yml | 19 +++-- .../bitlocker/bitlocker-basic-deployment.md | 14 ---- .../bitlocker/bitlocker-countermeasures.md | 14 ---- ...cker-deployment-and-administration-faq.yml | 5 -- .../bitlocker-deployment-comparison.md | 13 --- ...r-device-encryption-overview-windows-10.md | 16 +--- .../bitlocker-frequently-asked-questions.yml | 22 +++--- .../bitlocker-group-policy-settings.md | 8 -- ...tlocker-how-to-deploy-on-windows-server.md | 8 -- .../bitlocker-how-to-enable-network-unlock.md | 8 -- .../bitlocker-key-management-faq.yml | 8 +- .../bitlocker-management-for-enterprises.md | 9 +-- .../bitlocker-network-unlock-faq.yml | 6 -- ...itlocker-overview-and-requirements-faq.yml | 8 +- .../bitlocker/bitlocker-overview.md | 21 +---- .../bitlocker-recovery-guide-plan.md | 14 ---- .../bitlocker/bitlocker-security-faq.yml | 6 -- .../bitlocker/bitlocker-to-go-faq.yml | 7 +- .../bitlocker/bitlocker-upgrading-faq.yml | 6 +- ...ve-encryption-tools-to-manage-bitlocker.md | 14 ---- ...-use-bitlocker-recovery-password-viewer.md | 8 -- ...itlocker-using-with-other-programs-faq.yml | 0 .../images/bitlockernetworkunlocksequence.png | Bin .../bitlocker/images/bl-intune-custom-url.png | Bin .../bitlocker/images/bl-narrator.png | Bin .../bitlocker/images/bl-password-hint1.png | Bin .../bitlocker/images/bl-password-hint2.png | Bin .../images/kernel-dma-protection.png | Bin .../bitlocker/images/manage-bde-status.png | Bin .../pre-boot-authentication-group-policy.png | Bin .../bitlocker/images/rp-example1.png | Bin .../bitlocker/images/rp-example2.png | Bin .../bitlocker/images/rp-example3.png | Bin .../bitlocker/images/rp-example4.png | Bin .../bitlocker/images/rp-example5.png | Bin .../bitlocker/images/yes-icon.png | Bin 
...ion-for-bitlocker-planning-and-policies.md | 14 ---- ...nd-storage-area-networks-with-bitlocker.md | 0 .../data-protection/bitlocker/toc.yml | 74 ++++++++++++++++++ .../data-protection/toc.yml | 74 +----------------- 41 files changed, 103 insertions(+), 301 deletions(-) rename windows/security/{information-protection => operating-system-security/data-protection}/bitlocker/bcd-settings-and-bitlocker.md (98%) rename windows/security/{information-protection => operating-system-security/data-protection}/bitlocker/bitlocker-and-adds-faq.yml (90%) rename windows/security/{information-protection => operating-system-security/data-protection}/bitlocker/bitlocker-basic-deployment.md (99%) rename windows/security/{information-protection => operating-system-security/data-protection}/bitlocker/bitlocker-countermeasures.md (98%) rename windows/security/{information-protection => operating-system-security/data-protection}/bitlocker/bitlocker-deployment-and-administration-faq.yml (99%) rename windows/security/{information-protection => operating-system-security/data-protection}/bitlocker/bitlocker-deployment-comparison.md (97%) rename windows/security/{information-protection => operating-system-security/data-protection}/bitlocker/bitlocker-device-encryption-overview-windows-10.md (98%) rename windows/security/{information-protection => operating-system-security/data-protection}/bitlocker/bitlocker-frequently-asked-questions.yml (63%) rename windows/security/{information-protection => operating-system-security/data-protection}/bitlocker/bitlocker-group-policy-settings.md (99%) rename windows/security/{information-protection => operating-system-security/data-protection}/bitlocker/bitlocker-how-to-deploy-on-windows-server.md (97%) rename windows/security/{information-protection => operating-system-security/data-protection}/bitlocker/bitlocker-how-to-enable-network-unlock.md (99%) rename windows/security/{information-protection => 
operating-system-security/data-protection}/bitlocker/bitlocker-key-management-faq.yml (98%) rename windows/security/{information-protection => operating-system-security/data-protection}/bitlocker/bitlocker-management-for-enterprises.md (97%) rename windows/security/{information-protection => operating-system-security/data-protection}/bitlocker/bitlocker-network-unlock-faq.yml (94%) rename windows/security/{information-protection => operating-system-security/data-protection}/bitlocker/bitlocker-overview-and-requirements-faq.yml (98%) rename windows/security/{information-protection => operating-system-security/data-protection}/bitlocker/bitlocker-overview.md (96%) rename windows/security/{information-protection => operating-system-security/data-protection}/bitlocker/bitlocker-recovery-guide-plan.md (99%) rename windows/security/{information-protection => operating-system-security/data-protection}/bitlocker/bitlocker-security-faq.yml (97%) rename windows/security/{information-protection => operating-system-security/data-protection}/bitlocker/bitlocker-to-go-faq.yml (95%) rename windows/security/{information-protection => operating-system-security/data-protection}/bitlocker/bitlocker-upgrading-faq.yml (97%) rename windows/security/{information-protection => operating-system-security/data-protection}/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md (98%) rename windows/security/{information-protection => operating-system-security/data-protection}/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md (95%) rename windows/security/{information-protection => operating-system-security/data-protection}/bitlocker/bitlocker-using-with-other-programs-faq.yml (100%) rename windows/security/{information-protection => operating-system-security/data-protection}/bitlocker/images/bitlockernetworkunlocksequence.png (100%) rename windows/security/{information-protection => 
operating-system-security/data-protection}/bitlocker/images/bl-intune-custom-url.png (100%) rename windows/security/{information-protection => operating-system-security/data-protection}/bitlocker/images/bl-narrator.png (100%) rename windows/security/{information-protection => operating-system-security/data-protection}/bitlocker/images/bl-password-hint1.png (100%) rename windows/security/{information-protection => operating-system-security/data-protection}/bitlocker/images/bl-password-hint2.png (100%) rename windows/security/{information-protection => operating-system-security/data-protection}/bitlocker/images/kernel-dma-protection.png (100%) rename windows/security/{information-protection => operating-system-security/data-protection}/bitlocker/images/manage-bde-status.png (100%) rename windows/security/{information-protection => operating-system-security/data-protection}/bitlocker/images/pre-boot-authentication-group-policy.png (100%) rename windows/security/{information-protection => operating-system-security/data-protection}/bitlocker/images/rp-example1.png (100%) rename windows/security/{information-protection => operating-system-security/data-protection}/bitlocker/images/rp-example2.png (100%) rename windows/security/{information-protection => operating-system-security/data-protection}/bitlocker/images/rp-example3.png (100%) rename windows/security/{information-protection => operating-system-security/data-protection}/bitlocker/images/rp-example4.png (100%) rename windows/security/{information-protection => operating-system-security/data-protection}/bitlocker/images/rp-example5.png (100%) rename windows/security/{information-protection => operating-system-security/data-protection}/bitlocker/images/yes-icon.png (100%) rename windows/security/{information-protection => operating-system-security/data-protection}/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md (98%) rename windows/security/{information-protection => 
operating-system-security/data-protection}/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md (100%) create mode 100644 windows/security/operating-system-security/data-protection/bitlocker/toc.yml diff --git a/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md b/windows/security/operating-system-security/data-protection/bitlocker/bcd-settings-and-bitlocker.md similarity index 98% rename from windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md rename to windows/security/operating-system-security/data-protection/bitlocker/bcd-settings-and-bitlocker.md index 9ed2b2769e..423a4e624a 100644 --- a/windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/bcd-settings-and-bitlocker.md @@ -1,16 +1,8 @@ --- title: BCD settings and BitLocker description: This article for IT professionals describes the BCD settings that are used by BitLocker. -ms.reviewer: -ms.prod: windows-client -ms.localizationpriority: medium -author: frankroj -ms.author: frankroj -manager: aaroncz ms.topic: conceptual ms.date: 11/08/2022 -ms.custom: bitlocker -ms.technology: itpro-security --- # Boot Configuration Data settings and BitLocker diff --git a/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-and-adds-faq.yml similarity index 90% rename from windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml rename to windows/security/operating-system-security/data-protection/bitlocker/bitlocker-and-adds-faq.yml index daa9cba013..b5e7a38ade 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml +++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-and-adds-faq.yml 
@@ -2,25 +2,24 @@ metadata: title: BitLocker and Active Directory Domain Services (AD DS) FAQ (Windows 10) description: Learn more about how BitLocker and Active Directory Domain Services (AD DS) can work together to keep devices secure. - ms.prod: windows-client - ms.technology: itpro-security - author: frankroj - ms.author: frankroj - manager: aaroncz - audience: ITPro ms.collection: - highpri - tier1 ms.topic: faq ms.date: 11/08/2022 - ms.custom: bitlocker + author: paolomatarazzo + ms.author: paoloma + appliesto: + - ✅ Windows 11 + - ✅ Windows 10 + - ✅ Windows Server 2022 + - ✅ Windows Server 2019 + - ✅ Windows Server 2016 title: BitLocker and Active Directory Domain Services (AD DS) FAQ summary: | **Applies to:** - Windows 10 and later - Windows Server 2016 and later - - sections: - name: Ignored @@ -53,7 +52,7 @@ sections: > [!IMPORTANT] > Joining a computer to the domain should be the first step for new computers within an organization. After computers are joined to a domain, storing the BitLocker recovery key to AD DS is automatic (when enabled in Group Policy). - + - question: | Is there an event log entry recorded on the client computer to indicate the success or failure of the Active Directory backup? answer: | diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-basic-deployment.md similarity index 99% rename from windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md rename to windows/security/operating-system-security/data-protection/bitlocker/bitlocker-basic-deployment.md index 3518062515..6c7f50dd20 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-basic-deployment.md 
@@ -1,26 +1,12 @@ --- title: BitLocker basic deployment description: This article for the IT professional explains how BitLocker features can be used to protect your data through drive encryption. -ms.reviewer: -ms.prod: windows-client -ms.localizationpriority: medium -author: frankroj -ms.author: frankroj -manager: aaroncz ms.topic: conceptual ms.date: 11/08/2022 -ms.custom: bitlocker -ms.technology: itpro-security --- # BitLocker basic deployment -**Applies to:** - -- Windows 10 -- Windows 11 -- Windows Server 2016 and above - This article for the IT professional explains how BitLocker features can be used to protect data through drive encryption. ## Using BitLocker to encrypt volumes diff --git a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-countermeasures.md similarity index 98% rename from windows/security/information-protection/bitlocker/bitlocker-countermeasures.md rename to windows/security/operating-system-security/data-protection/bitlocker/bitlocker-countermeasures.md index df0af1d002..ed357fdb9c 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-countermeasures.md 
@@ -1,26 +1,12 @@ --- title: BitLocker Countermeasures description: Windows uses technologies including TPM, Secure Boot, Trusted Boot, and Early Launch Anti-malware (ELAM) to protect against attacks on the BitLocker encryption key. -ms.reviewer: -ms.prod: windows-client -ms.localizationpriority: medium -author: frankroj -ms.author: frankroj -manager: aaroncz ms.topic: conceptual ms.date: 11/08/2022 -ms.custom: bitlocker -ms.technology: itpro-security --- # BitLocker Countermeasures -**Applies to:** - -- Windows 10 -- Windows 11 -- Windows Server 2016 and above - Windows uses technologies including trusted platform module (TPM), secure boot, and measured boot to help protect BitLocker encryption keys against attacks. BitLocker is part of a strategic approach to securing data against offline attacks through encryption technology. Data on a lost or stolen computer is vulnerable. For example, there could be unauthorized access, either by running a software attack tool against the computer or by transferring the computer's hard disk to a different computer. BitLocker helps mitigate unauthorized data access on lost or stolen computers before the authorized operating system is started. This mitigation is done by: diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml similarity index 99% rename from windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml rename to windows/security/operating-system-security/data-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml index dbea4c718a..952215cc8c 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml +++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml 
@@ -12,11 +12,6 @@ metadata: ms.custom: bitlocker title: BitLocker frequently asked questions (FAQ) summary: | - **Applies to:** - - Windows 10 and later - - Windows Server 2016 and later - - sections: - name: Ignored questions: diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-deployment-comparison.md similarity index 97% rename from windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md rename to windows/security/operating-system-security/data-protection/bitlocker/bitlocker-deployment-comparison.md index 99d7101e23..3521e9e447 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-deployment-comparison.md @@ -1,25 +1,12 @@ --- title: BitLocker deployment comparison description: This article shows the BitLocker deployment comparison chart. -ms.prod: windows-client -ms.localizationpriority: medium -author: frankroj -ms.author: frankroj -manager: aaroncz ms.topic: conceptual ms.date: 11/08/2022 -ms.custom: bitlocker -ms.technology: itpro-security --- # BitLocker deployment comparison -**Applies to:** - -- Windows 10 -- Windows 11 -- Windows Server 2016 and above - This article depicts the BitLocker deployment comparison chart. ## BitLocker deployment comparison chart 
diff --git a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md similarity index 98% rename from windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md rename to windows/security/operating-system-security/data-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md index c0f495b8a6..5500794376 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md @@ -1,27 +1,14 @@ --- title: Overview of BitLocker Device Encryption in Windows description: This article provides an overview of how BitLocker Device Encryption can help protect data on devices running Windows. -ms.prod: windows-client -ms.localizationpriority: medium -author: frankroj -ms.author: frankroj -manager: aaroncz ms.collection: - highpri - tier1 ms.topic: conceptual ms.date: 11/08/2022 -ms.custom: bitlocker -ms.technology: itpro-security --- -# Overview of BitLocker Device Encryption in Windows - -**Applies to:** - -- Windows 10 -- Windows 11 -- Windows Server 2016 and above +# Overview of BitLocker device encryption This article explains how BitLocker Device Encryption can help protect data on devices running Windows. See [BitLocker](bitlocker-overview.md) for a general overview and list of articles. 
@@ -31,7 +18,6 @@ When users travel, their organization's confidential data goes with them. Wherev The below table lists specific data-protection concerns and how they're addressed in Windows 11, Windows 10, and Windows 7. - | Windows 7 | Windows 11 and Windows 10 | |---|---| | When BitLocker is used with a PIN to protect startup, PCs such as kiosks can't be restarted remotely. | Modern Windows devices are increasingly protected with BitLocker Device Encryption out of the box and support SSO to seamlessly protect the BitLocker encryption keys from cold boot attacks.

Network Unlock allows PCs to start automatically when connected to the internal network. | diff --git a/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.yml b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-frequently-asked-questions.yml similarity index 63% rename from windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.yml rename to windows/security/operating-system-security/data-protection/bitlocker/bitlocker-frequently-asked-questions.yml index 4f7256eadb..043d028531 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.yml +++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-frequently-asked-questions.yml 
@@ -2,25 +2,21 @@ metadata: title: BitLocker FAQ (Windows 10) description: Find the answers you need by exploring this brief hub page listing FAQ pages for various aspects of BitLocker. - ms.prod: windows-client - ms.technology: itpro-security - author: frankroj - ms.author: frankroj - manager: aaroncz - audience: ITPro + author: paolomatarazzo + ms.author: paoloma ms.collection: - highpri - tier1 ms.topic: faq ms.date: 11/08/2022 - ms.custom: bitlocker + appliesto: + - ✅ Windows 11 + - ✅ Windows 10 + - ✅ Windows Server 2022 + - ✅ Windows Server 2019 + - ✅ Windows Server 2016 title: BitLocker frequently asked questions (FAQ) resources -summary: | - **Applies to:** - - Windows 10 and later - - Windows Server 2016 and later - - This article links to frequently asked questions about BitLocker. BitLocker is a data protection feature that encrypts drives on computers to help prevent data theft or exposure. BitLocker-protected computers can also delete data more securely when they're decommissioned because it's much more difficult to recover deleted data from an encrypted drive than from a non-encrypted drive. +summary: This article links to frequently asked questions about BitLocker. BitLocker is a data protection feature that encrypts drives on computers to help prevent data theft or exposure. BitLocker-protected computers can also delete data more securely when they're decommissioned because it's much more difficult to recover deleted data from an encrypted drive than from a non-encrypted drive. - [Overview and requirements](bitlocker-overview-and-requirements-faq.yml) - [Upgrading](bitlocker-upgrading-faq.yml) 
diff --git a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-group-policy-settings.md similarity index 99% rename from windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md rename to windows/security/operating-system-security/data-protection/bitlocker/bitlocker-group-policy-settings.md index b14f859b9a..14bce76790 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-group-policy-settings.md @@ -1,19 +1,11 @@ --- title: BitLocker Group Policy settings description: This article for IT professionals describes the function, location, and effect of each Group Policy setting that is used to manage BitLocker Drive Encryption. -ms.reviewer: -ms.prod: windows-client -ms.localizationpriority: medium -author: frankroj -ms.author: frankroj -manager: aaroncz ms.collection: - highpri - tier1 ms.topic: conceptual ms.date: 11/08/2022 -ms.custom: bitlocker -ms.technology: itpro-security --- # BitLocker group policy settings diff --git a/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md similarity index 97% rename from windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md rename to windows/security/operating-system-security/data-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md index 9d743637c9..cb8483bfec 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md 
@@ -1,16 +1,8 @@ --- title: BitLocker How to deploy on Windows Server 2012 and later description: This article for the IT professional explains how to deploy BitLocker and Windows Server 2012 and later -ms.reviewer: -ms.prod: windows-client -ms.localizationpriority: medium -author: frankroj -ms.author: frankroj -manager: aaroncz ms.topic: conceptual ms.date: 11/08/2022 -ms.custom: bitlocker -ms.technology: itpro-security --- # BitLocker: How to deploy on Windows Server 2012 and later diff --git a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md similarity index 99% rename from windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md rename to windows/security/operating-system-security/data-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md index 442be0541b..8172296f2b 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md @@ -1,16 +1,8 @@ --- title: BitLocker - How to enable Network Unlock description: This article for the IT professional describes how BitLocker Network Unlock works and how to configure it. -ms.reviewer: -ms.prod: windows-client -ms.localizationpriority: medium -author: frankroj -ms.author: frankroj -manager: aaroncz ms.topic: conceptual ms.date: 11/08/2022 -ms.custom: bitlocker -ms.technology: itpro-security --- # BitLocker: How to enable Network Unlock 
diff --git a/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.yml b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-key-management-faq.yml similarity index 98% rename from windows/security/information-protection/bitlocker/bitlocker-key-management-faq.yml rename to windows/security/operating-system-security/data-protection/bitlocker/bitlocker-key-management-faq.yml index ad23cc6714..7eb8cf70ac 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-key-management-faq.yml +++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-key-management-faq.yml @@ -7,16 +7,10 @@ metadata: author: frankroj ms.author: frankroj manager: aaroncz - audience: ITPro ms.topic: faq ms.date: 11/08/2022 - ms.custom: bitlocker title: BitLocker Key Management FAQ -summary: | - **Applies to:** - - Windows 10 and later - - Windows Server 2016 and later - +summary: | sections: - name: Ignored diff --git a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-management-for-enterprises.md similarity index 97% rename from windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md rename to windows/security/operating-system-security/data-protection/bitlocker/bitlocker-management-for-enterprises.md index 8f46db3e99..4da9ac39c0 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-management-for-enterprises.md 
@@ -1,15 +1,8 @@ --- title: BitLocker management description: Refer to relevant documentation, products, and services to learn about managing BitLocker and see recommendations for different computers. -ms.prod: windows-client -ms.localizationpriority: medium -author: frankroj -ms.author: frankroj -manager: aaroncz ms.topic: conceptual ms.date: 11/08/2022 -ms.custom: bitlocker -ms.technology: itpro-security --- # BitLocker management @@ -18,7 +11,7 @@ The ideal solution for BitLocker management is to eliminate the need for IT admi Though much Windows [BitLocker documentation](bitlocker-overview.md) has been published, customers frequently ask for recommendations and pointers to specific, task-oriented documentation that is both easy to digest and focused on how to deploy and manage BitLocker. This article links to relevant documentation, products, and services to help answer this and other related frequently asked questions, and also provides BitLocker recommendations for different types of computers. -[!INCLUDE [bitlocker](../../../../includes/licensing/bitlocker-management.md)] +[!INCLUDE [bitlocker](../../../../../includes/licensing/bitlocker-management.md)] ## Managing domain-joined computers and moving to cloud diff --git a/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.yml b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-network-unlock-faq.yml similarity index 94% rename from windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.yml rename to windows/security/operating-system-security/data-protection/bitlocker/bitlocker-network-unlock-faq.yml index 9683743787..b871ab6fb7 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.yml +++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-network-unlock-faq.yml 
@@ -10,14 +10,8 @@ metadata: audience: ITPro ms.topic: faq ms.date: 11/08/2022 - ms.reviewer: - ms.custom: bitlocker title: BitLocker Network Unlock FAQ summary: | - **Applies to:** - - Windows 10 - - Windows 11 - - Windows Server 2016 and above sections: - name: Ignored diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml similarity index 98% rename from windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml rename to windows/security/operating-system-security/data-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml index 3243fdb178..8ad8a1bf0d 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml +++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml @@ -7,19 +7,13 @@ metadata: author: frankroj ms.author: frankroj manager: aaroncz - audience: ITPro ms.collection: - highpri - tier1 ms.topic: faq ms.date: 11/08/2022 - ms.custom: bitlocker title: BitLocker Overview and Requirements FAQ -summary: | - **Applies to:** - - Windows 10 and later - - Windows Server 2016 and later - +summary: | sections: - name: Ignored diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-overview.md similarity index 96% rename from windows/security/information-protection/bitlocker/bitlocker-overview.md rename to windows/security/operating-system-security/data-protection/bitlocker/bitlocker-overview.md index 9f04e173a3..31b4e00f59 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-overview.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-overview.md 
@@ -1,32 +1,17 @@ --- -title: BitLocker +title: BitLocker overview description: This article provides a high-level overview of BitLocker, including a list of system requirements, practical applications, and deprecated features. -ms.author: frankroj -ms.prod: windows-client -ms.localizationpriority: medium -author: frankroj -manager: aaroncz ms.collection: - highpri - tier1 ms.topic: conceptual ms.date: 11/08/2022 -ms.custom: bitlocker -ms.technology: itpro-security --- -# BitLocker - -**Applies to:** - -- Windows 10 -- Windows 11 -- Windows Server 2016 and above +# BitLocker overview This article provides a high-level overview of BitLocker, including a list of system requirements, practical applications, and deprecated features. -## BitLocker overview - BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. BitLocker provides the maximum protection when used with a Trusted Platform Module (TPM) version 1.2 or later versions. The TPM is a hardware component installed in many newer computers by the computer manufacturers. It works with BitLocker to help protect user data and to ensure that a computer hasn't been tampered with while the system was offline. 
@@ -48,7 +33,7 @@ There are two additional tools in the Remote Server Administration Tools that ca - **BitLocker Drive Encryption Tools**. BitLocker Drive Encryption Tools include the command-line tools, manage-bde and repair-bde, and the BitLocker cmdlets for Windows PowerShell. Both manage-bde and the BitLocker cmdlets can be used to perform any task that can be accomplished through the BitLocker control panel, and they're appropriate to be used for automated deployments and other scripting scenarios. Repair-bde is provided for disaster recovery scenarios in which a BitLocker-protected drive can't be unlocked normally or by using the recovery console. -[!INCLUDE [bitlocker](../../../../includes/licensing/bitlocker-enablement.md)] +[!INCLUDE [bitlocker](../../../../../includes/licensing/bitlocker-enablement.md)] ## System requirements diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-recovery-guide-plan.md similarity index 99% rename from windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md rename to windows/security/operating-system-security/data-protection/bitlocker/bitlocker-recovery-guide-plan.md index 39eb80e0aa..8c1558f7a1 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-recovery-guide-plan.md 
@@ -1,29 +1,15 @@ --- title: BitLocker recovery guide description: This article for IT professionals describes how to recover BitLocker keys from Active Directory Domain Services (AD DS). -ms.prod: windows-client -ms.technology: itpro-security -ms.localizationpriority: medium -author: frankroj -ms.author: frankroj -ms.reviewer: rafals -manager: aaroncz ms.collection: - highpri - tier1 ms.topic: conceptual ms.date: 11/08/2022 -ms.custom: bitlocker --- # BitLocker recovery guide -**Applies to:** - -- Windows 10 -- Windows 11 -- Windows Server 2016 and above - This article describes how to recover BitLocker keys from AD DS. Organizations can use BitLocker recovery information saved in Active Directory Domain Services (AD DS) to access BitLocker-protected data. It's recommended to create a recovery model for BitLocker while planning for BitLocker deployment. diff --git a/windows/security/information-protection/bitlocker/bitlocker-security-faq.yml b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-security-faq.yml similarity index 97% rename from windows/security/information-protection/bitlocker/bitlocker-security-faq.yml rename to windows/security/operating-system-security/data-protection/bitlocker/bitlocker-security-faq.yml index 8b53e2e639..f03a8c4f8e 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-security-faq.yml +++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-security-faq.yml @@ -13,12 +13,6 @@ metadata: ms.custom: bitlocker title: BitLocker Security FAQ summary: | - **Applies to:** - - Windows 10 and later - - Windows Server 2016 and later - - - sections: - name: Ignored questions: 
diff --git a/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.yml b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-to-go-faq.yml similarity index 95% rename from windows/security/information-protection/bitlocker/bitlocker-to-go-faq.yml rename to windows/security/operating-system-security/data-protection/bitlocker/bitlocker-to-go-faq.yml index c780b6ee5a..1cbb45da5a 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-to-go-faq.yml +++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-to-go-faq.yml @@ -12,10 +12,7 @@ metadata: ms.date: 11/08/2022 ms.custom: bitlocker title: BitLocker To Go FAQ -summary: | - **Applies to:** - - Windows 10 - +summary: | sections: - name: Ignored @@ -28,7 +25,7 @@ sections: - SD cards - External hard disk drives - Other drives that are formatted by using the NTFS, FAT16, FAT32, or exFAT file system. - + Drive partitioning must meet the [BitLocker Drive Encryption Partitioning Requirements](/windows-hardware/manufacture/desktop/bitlocker-drive-encryption#bitlocker-drive-encryption-partitioning-requirements). As with BitLocker, drives that are encrypted by BitLocker To Go can be opened by using a password or smart card on another computer. In Control Panel, use **BitLocker Drive Encryption**. diff --git a/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.yml b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-upgrading-faq.yml similarity index 97% rename from windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.yml rename to windows/security/operating-system-security/data-protection/bitlocker/bitlocker-upgrading-faq.yml index 13441d1f58..1282a1f1aa 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.yml +++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-upgrading-faq.yml 
@@ -12,11 +12,7 @@ metadata: ms.reviewer: ms.custom: bitlocker title: BitLocker Upgrading FAQ -summary: | - **Applies to:** - - Windows 10 and later - - Windows Server 2016 and later - +summary: | sections: - name: Ignored diff --git a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md similarity index 98% rename from windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md rename to windows/security/operating-system-security/data-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md index 9e538c4fef..8f5990f813 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md @@ -1,29 +1,15 @@ --- title: BitLocker Use BitLocker Drive Encryption Tools to manage BitLocker description: This article for the IT professional describes how to use tools to manage BitLocker. -ms.reviewer: -ms.prod: windows-client -ms.localizationpriority: medium -author: frankroj -ms.author: frankroj -manager: aaroncz ms.collection: - highpri - tier1 ms.topic: conceptual ms.date: 11/08/2022 -ms.custom: bitlocker -ms.technology: itpro-security --- # BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker -**Applies to:** - -- Windows 10 -- Windows 11 -- Windows Server 2016 and above - This article for the IT professional describes how to use tools to manage BitLocker. BitLocker Drive Encryption Tools include the command-line tools manage-bde and repair-bde and the BitLocker cmdlets for Windows PowerShell. 
diff --git a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md similarity index 95% rename from windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md rename to windows/security/operating-system-security/data-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md index e96cf15557..711626dbbb 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md @@ -1,19 +1,11 @@ --- title: BitLocker Use BitLocker Recovery Password Viewer description: This article for the IT professional describes how to use the BitLocker Recovery Password Viewer. -ms.reviewer: -ms.prod: windows-client -ms.localizationpriority: medium -author: frankroj -ms.author: frankroj -manager: aaroncz ms.collection: - highpri - tier1 ms.topic: conceptual ms.date: 11/08/2022 -ms.custom: bitlocker -ms.technology: itpro-security --- # BitLocker: Use BitLocker Recovery Password Viewer diff --git a/windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml similarity index 100% rename from windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml rename to windows/security/operating-system-security/data-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml 
diff --git a/windows/security/information-protection/bitlocker/images/bitlockernetworkunlocksequence.png b/windows/security/operating-system-security/data-protection/bitlocker/images/bitlockernetworkunlocksequence.png similarity index 100% rename from windows/security/information-protection/bitlocker/images/bitlockernetworkunlocksequence.png rename to windows/security/operating-system-security/data-protection/bitlocker/images/bitlockernetworkunlocksequence.png diff --git a/windows/security/information-protection/bitlocker/images/bl-intune-custom-url.png b/windows/security/operating-system-security/data-protection/bitlocker/images/bl-intune-custom-url.png similarity index 100% rename from windows/security/information-protection/bitlocker/images/bl-intune-custom-url.png rename to windows/security/operating-system-security/data-protection/bitlocker/images/bl-intune-custom-url.png diff --git a/windows/security/information-protection/bitlocker/images/bl-narrator.png b/windows/security/operating-system-security/data-protection/bitlocker/images/bl-narrator.png similarity index 100% rename from windows/security/information-protection/bitlocker/images/bl-narrator.png rename to windows/security/operating-system-security/data-protection/bitlocker/images/bl-narrator.png diff --git a/windows/security/information-protection/bitlocker/images/bl-password-hint1.png b/windows/security/operating-system-security/data-protection/bitlocker/images/bl-password-hint1.png similarity index 100% rename from windows/security/information-protection/bitlocker/images/bl-password-hint1.png rename to windows/security/operating-system-security/data-protection/bitlocker/images/bl-password-hint1.png 
diff --git a/windows/security/information-protection/bitlocker/images/bl-password-hint2.png b/windows/security/operating-system-security/data-protection/bitlocker/images/bl-password-hint2.png similarity index 100% rename from windows/security/information-protection/bitlocker/images/bl-password-hint2.png rename to windows/security/operating-system-security/data-protection/bitlocker/images/bl-password-hint2.png diff --git a/windows/security/information-protection/bitlocker/images/kernel-dma-protection.png b/windows/security/operating-system-security/data-protection/bitlocker/images/kernel-dma-protection.png similarity index 100% rename from windows/security/information-protection/bitlocker/images/kernel-dma-protection.png rename to windows/security/operating-system-security/data-protection/bitlocker/images/kernel-dma-protection.png diff --git a/windows/security/information-protection/bitlocker/images/manage-bde-status.png b/windows/security/operating-system-security/data-protection/bitlocker/images/manage-bde-status.png similarity index 100% rename from windows/security/information-protection/bitlocker/images/manage-bde-status.png rename to windows/security/operating-system-security/data-protection/bitlocker/images/manage-bde-status.png diff --git a/windows/security/information-protection/bitlocker/images/pre-boot-authentication-group-policy.png b/windows/security/operating-system-security/data-protection/bitlocker/images/pre-boot-authentication-group-policy.png similarity index 100% rename from windows/security/information-protection/bitlocker/images/pre-boot-authentication-group-policy.png rename to windows/security/operating-system-security/data-protection/bitlocker/images/pre-boot-authentication-group-policy.png 
diff --git a/windows/security/information-protection/bitlocker/images/rp-example1.png b/windows/security/operating-system-security/data-protection/bitlocker/images/rp-example1.png similarity index 100% rename from windows/security/information-protection/bitlocker/images/rp-example1.png rename to windows/security/operating-system-security/data-protection/bitlocker/images/rp-example1.png diff --git a/windows/security/information-protection/bitlocker/images/rp-example2.png b/windows/security/operating-system-security/data-protection/bitlocker/images/rp-example2.png similarity index 100% rename from windows/security/information-protection/bitlocker/images/rp-example2.png rename to windows/security/operating-system-security/data-protection/bitlocker/images/rp-example2.png diff --git a/windows/security/information-protection/bitlocker/images/rp-example3.png b/windows/security/operating-system-security/data-protection/bitlocker/images/rp-example3.png similarity index 100% rename from windows/security/information-protection/bitlocker/images/rp-example3.png rename to windows/security/operating-system-security/data-protection/bitlocker/images/rp-example3.png diff --git a/windows/security/information-protection/bitlocker/images/rp-example4.png b/windows/security/operating-system-security/data-protection/bitlocker/images/rp-example4.png similarity index 100% rename from windows/security/information-protection/bitlocker/images/rp-example4.png rename to windows/security/operating-system-security/data-protection/bitlocker/images/rp-example4.png diff --git a/windows/security/information-protection/bitlocker/images/rp-example5.png b/windows/security/operating-system-security/data-protection/bitlocker/images/rp-example5.png similarity index 100% rename from windows/security/information-protection/bitlocker/images/rp-example5.png rename to windows/security/operating-system-security/data-protection/bitlocker/images/rp-example5.png 
diff --git a/windows/security/information-protection/bitlocker/images/yes-icon.png b/windows/security/operating-system-security/data-protection/bitlocker/images/yes-icon.png similarity index 100% rename from windows/security/information-protection/bitlocker/images/yes-icon.png rename to windows/security/operating-system-security/data-protection/bitlocker/images/yes-icon.png diff --git a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/security/operating-system-security/data-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md similarity index 98% rename from windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md rename to windows/security/operating-system-security/data-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md index 415ebdab44..e1b617b2b7 100644 --- a/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md 
@@ -1,26 +1,12 @@ --- title: Prepare the organization for BitLocker Planning and policies description: This article for the IT professional explains how can to plan for a BitLocker deployment. -ms.reviewer: -ms.prod: windows-client -ms.localizationpriority: medium -author: frankroj -ms.author: frankroj -manager: aaroncz ms.topic: conceptual ms.date: 11/08/2022 -ms.custom: bitlocker -ms.technology: itpro-security --- # Prepare an organization for BitLocker: Planning and policies -**Applies to:** - -- Windows 10 -- Windows 11 -- Windows Server 2016 and above - This article for the IT professional explains how to plan BitLocker deployment. When BitLocker deployment strategy is defined, define the appropriate policies and configuration requirements based on the business requirements of the organization. The following sections will help with collecting information. Use this information to help with the decision-making process about deploying and managing BitLocker systems. diff --git a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/operating-system-security/data-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md similarity index 100% rename from windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md rename to windows/security/operating-system-security/data-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md diff --git a/windows/security/operating-system-security/data-protection/bitlocker/toc.yml b/windows/security/operating-system-security/data-protection/bitlocker/toc.yml new file mode 100644 index 0000000000..4e36b6b533 --- /dev/null +++ b/windows/security/operating-system-security/data-protection/bitlocker/toc.yml 
@@ -0,0 +1,74 @@ +items: +- name: Overview + href: bitlocker-overview.md +- name: BitLocker device encryption + href: bitlocker-device-encryption-overview-windows-10.md +- name: BitLocker frequently asked questions (FAQ) + href: bitlocker-frequently-asked-questions.yml + items: + - name: Overview and requirements + href: bitlocker-overview-and-requirements-faq.yml + - name: Upgrading + href: bitlocker-upgrading-faq.yml + - name: Deployment and administration + href: bitlocker-deployment-and-administration-faq.yml + - name: Key management + href: bitlocker-key-management-faq.yml + - name: BitLocker To Go + href: bitlocker-to-go-faq.yml + - name: Active Directory Domain Services + href: bitlocker-and-adds-faq.yml + - name: Security + href: bitlocker-security-faq.yml + - name: BitLocker Network Unlock + href: bitlocker-network-unlock-faq.yml + - name: General + href: bitlocker-using-with-other-programs-faq.yml +- name: "Prepare your organization for BitLocker: Planning and policies" + href: prepare-your-organization-for-bitlocker-planning-and-policies.md +- name: BitLocker deployment comparison + href: bitlocker-deployment-comparison.md +- name: BitLocker basic deployment + href: bitlocker-basic-deployment.md +- name: Deploy BitLocker on Windows Server 2012 and later + href: bitlocker-how-to-deploy-on-windows-server.md +- name: BitLocker management + href: bitlocker-management-for-enterprises.md +- name: Enable Network Unlock with BitLocker + href: bitlocker-how-to-enable-network-unlock.md +- name: Use BitLocker Drive Encryption Tools to manage BitLocker + href: bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md +- name: Use BitLocker Recovery Password Viewer + href: bitlocker-use-bitlocker-recovery-password-viewer.md +- name: BitLocker Group Policy settings + href: bitlocker-group-policy-settings.md +- name: BCD settings and BitLocker + href: bcd-settings-and-bitlocker.md +- name: BitLocker Recovery Guide + href: bitlocker-recovery-guide-plan.md +- 
name: BitLocker Countermeasures + href: bitlocker-countermeasures.md +- name: Protecting cluster shared volumes and storage area networks with BitLocker + href: protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md +- name: Troubleshoot BitLocker + items: + - name: Troubleshoot BitLocker + href: /troubleshoot/windows-client/windows-security/bitlocker-issues-troubleshooting + - name: "BitLocker cannot encrypt a drive: known issues" + href: /troubleshoot/windows-client/windows-security/bitlocker-cannot-encrypt-a-drive-known-issues + - name: "Enforcing BitLocker policies by using Intune: known issues" + href: /troubleshoot/windows-client/windows-security/enforcing-bitlocker-policies-by-using-intune-known-issues + - name: "BitLocker Network Unlock: known issues" + href: /troubleshoot/windows-client/windows-security/bitlocker-network-unlock-known-issues + - name: "BitLocker recovery: known issues" + href: /troubleshoot/windows-client/windows-security/bitlocker-recovery-known-issues + - name: "BitLocker configuration: known issues" + href: /troubleshoot/windows-client/windows-security/bitlocker-configuration-known-issues + - name: Troubleshoot BitLocker and TPM issues + items: + - name: "BitLocker cannot encrypt a drive: known TPM issues" + href: /troubleshoot/windows-client/windows-security/bitlocker-cannot-encrypt-a-drive-known-tpm-issues + - name: "BitLocker and TPM: other known issues" + href: /troubleshoot/windows-client/windows-security/bitlocker-and-tpm-other-known-issues + - name: Decode Measured Boot logs to track PCR changes + href: /troubleshoot/windows-client/windows-security/decode-measured-boot-logs-to-track-pcr-changes \ No newline at end of file diff --git a/windows/security/operating-system-security/data-protection/toc.yml b/windows/security/operating-system-security/data-protection/toc.yml index 51df43c135..18c78e5665 100644 --- a/windows/security/operating-system-security/data-protection/toc.yml 
+++ b/windows/security/operating-system-security/data-protection/toc.yml 
@@ -2,79 +2,7 @@ items: - name: Overview href: index.md - name: BitLocker - href: ../../information-protection/bitlocker/bitlocker-overview.md - items: - - name: Overview of BitLocker Device Encryption in Windows - href: ../../information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md - - name: BitLocker frequently asked questions (FAQ) - href: ../../information-protection/bitlocker/bitlocker-frequently-asked-questions.yml - items: - - name: Overview and requirements - href: ../../information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml - - name: Upgrading - href: ../../information-protection/bitlocker/bitlocker-upgrading-faq.yml - - name: Deployment and administration - href: ../../information-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml - - name: Key management - href: ../../information-protection/bitlocker/bitlocker-key-management-faq.yml - - name: BitLocker To Go - href: ../../information-protection/bitlocker/bitlocker-to-go-faq.yml - - name: Active Directory Domain Services - href: ../../information-protection/bitlocker/bitlocker-and-adds-faq.yml - - name: Security - href: ../../information-protection/bitlocker/bitlocker-security-faq.yml - - name: BitLocker Network Unlock - href: ../../information-protection/bitlocker/bitlocker-network-unlock-faq.yml - - name: General - href: ../../information-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml - - name: "Prepare your organization for BitLocker: Planning and policies" - href: ../../information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md - - name: BitLocker deployment comparison - href: ../../information-protection/bitlocker/bitlocker-deployment-comparison.md - - name: BitLocker basic deployment - href: ../../information-protection/bitlocker/bitlocker-basic-deployment.md - - name: Deploy BitLocker on Windows Server 2012 and later - href: 
../../information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md - - name: BitLocker management - href: ../../information-protection/bitlocker/bitlocker-management-for-enterprises.md - - name: Enable Network Unlock with BitLocker - href: ../../information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md - - name: Use BitLocker Drive Encryption Tools to manage BitLocker - href: ../../information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md - - name: Use BitLocker Recovery Password Viewer - href: ../../information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md - - name: BitLocker Group Policy settings - href: ../../information-protection/bitlocker/bitlocker-group-policy-settings.md - - name: BCD settings and BitLocker - href: ../../information-protection/bitlocker/bcd-settings-and-bitlocker.md - - name: BitLocker Recovery Guide - href: ../../information-protection/bitlocker/bitlocker-recovery-guide-plan.md - - name: BitLocker Countermeasures - href: ../../information-protection/bitlocker/bitlocker-countermeasures.md - - name: Protecting cluster shared volumes and storage area networks with BitLocker - href: ../../information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md - - name: Troubleshoot BitLocker - items: - - name: Troubleshoot BitLocker - href: /troubleshoot/windows-client/windows-security/bitlocker-issues-troubleshooting - - name: "BitLocker cannot encrypt a drive: known issues" - href: /troubleshoot/windows-client/windows-security/bitlocker-cannot-encrypt-a-drive-known-issues - - name: "Enforcing BitLocker policies by using Intune: known issues" - href: /troubleshoot/windows-client/windows-security/enforcing-bitlocker-policies-by-using-intune-known-issues - - name: "BitLocker Network Unlock: known issues" - href: /troubleshoot/windows-client/windows-security/bitlocker-network-unlock-known-issues - - 
name: "BitLocker recovery: known issues" - href: /troubleshoot/windows-client/windows-security/bitlocker-recovery-known-issues - - name: "BitLocker configuration: known issues" - href: /troubleshoot/windows-client/windows-security/bitlocker-configuration-known-issues - - name: Troubleshoot BitLocker and TPM issues - items: - - name: "BitLocker cannot encrypt a drive: known TPM issues" - href: /troubleshoot/windows-client/windows-security/bitlocker-cannot-encrypt-a-drive-known-tpm-issues - - name: "BitLocker and TPM: other known issues" - href: /troubleshoot/windows-client/windows-security/bitlocker-and-tpm-other-known-issues - - name: Decode Measured Boot logs to track PCR changes - href: /troubleshoot/windows-client/windows-security/decode-measured-boot-logs-to-track-pcr-changes + href: bitlocker/toc.yml - name: Encrypted Hard Drive href: encrypted-hard-drive.md - name: Personal Data Encryption (PDE) From dbacb6502b214864757211b3dd1b4cbb5599ef4a Mon Sep 17 00:00:00 2001 
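Review bot: In the front matter of prepare-your-organization-for-bitlocker-planning-and-policies.md, the unchanged `description:` line still reads "explains how can to plan for a BitLocker deployment". Since this hunk already rewrites the metadata block, fix the wording here to "explains how to plan a BitLocker deployment" so it matches the opening sentence of the article body.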
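Review bot: The new data-protection/bitlocker/toc.yml ends with "\ No newline at end of file" after the last `href:` line (decode-measured-boot-logs-to-track-pcr-changes); add a trailing newline so a later append to this TOC does not show that entry as modified. Separately, the entry that was "Overview of BitLocker Device Encryption in Windows" in the removed block of data-protection/toc.yml is named "BitLocker device encryption" in the new file. A rename folded into a file move is easy to miss, so mention it in the commit message if it is intended.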
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Thu, 1 Jun 2023 11:04:07 -0400 Subject: [PATCH 33/80] search/replace for renamed files --- .openpublishing.redirection.json | 4 ++-- .../data-protection/bitlocker/bitlocker-basic-deployment.md | 2 +- .../bitlocker-device-encryption-overview-windows-10.md | 2 +- .../bitlocker/bitlocker-group-policy-settings.md | 2 +- .../bitlocker/bitlocker-how-to-deploy-on-windows-server.md | 2 +- .../bitlocker/bitlocker-how-to-enable-network-unlock.md | 2 +- .../bitlocker/bitlocker-management-for-enterprises.md | 2 +- .../bitlocker/bitlocker-overview-and-requirements-faq.yml | 2 +- .../bitlocker/bitlocker-recovery-guide-plan.md | 2 +- ...se-bitlocker-drive-encryption-tools-to-manage-bitlocker.md | 2 +- .../bitlocker-use-bitlocker-recovery-password-viewer.md | 2 +- .../bitlocker/{bitlocker-overview.md => index.md} | 0 ...e-your-organization-for-bitlocker-planning-and-policies.md | 2 +- .../data-protection/bitlocker/toc.yml | 2 +- .../operating-system-security/data-protection/index.md | 2 +- .../data-protection/personal-data-encryption/index.md | 2 +- windows/security/operating-system.md | 2 +- 17 files changed, 17 insertions(+), 17 deletions(-) rename windows/security/operating-system-security/data-protection/bitlocker/{bitlocker-overview.md => index.md} (100%) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 631b40554c..cfe13668b9 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -5441,7 +5441,7 @@ "redirect_document_id": false }, { - "source_path": "windows/device-security/bitlocker/bitlocker-overview.md", + "source_path": "windows/device-security/bitlocker/index.md", "redirect_url": "/windows/security/information-protection/bitlocker/bitlocker-overview", "redirect_document_id": false }, 
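Review bot: In the .openpublishing.redirection.json hunk at -5441, the search/replace rewrote the `source_path` of an existing redirect from windows/device-security/bitlocker/bitlocker-overview.md to windows/device-security/bitlocker/index.md, while `redirect_url` still ends in /bitlocker-overview. That entry describes a legacy path, not the file renamed in this commit (which lives under operating-system-security/data-protection/bitlocker/), so after this change the old bitlocker-overview path no longer has an entry here. Revert this `source_path`. The same applies to the next hunk of this file, where windows/keep-secure/bitlocker-overview.md becomes windows/keep-secure/index.md.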
@@ -9836,7 +9836,7 @@ "redirect_document_id": false }, { - "source_path": "windows/keep-secure/bitlocker-overview.md", + "source_path": "windows/keep-secure/index.md", "redirect_url": "/windows/device-security/bitlocker/bitlocker-overview", "redirect_document_id": false }, diff --git a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-basic-deployment.md index 6c7f50dd20..52cc2816b8 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-basic-deployment.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-basic-deployment.md @@ -452,4 +452,4 @@ Disable-BitLocker -MountPoint E:,F:,G: - [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md) - [BitLocker recovery guide](bitlocker-recovery-guide-plan.md) - [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md) -- [BitLocker overview](bitlocker-overview.md) +- [BitLocker overview](index.md) diff --git a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md index 5500794376..4b8a48c1a0 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md 
@@ -10,7 +10,7 @@ ms.date: 11/08/2022 # Overview of BitLocker device encryption -This article explains how BitLocker Device Encryption can help protect data on devices running Windows. See [BitLocker](bitlocker-overview.md) for a general overview and list of articles. +This article explains how BitLocker Device Encryption can help protect data on devices running Windows. See [BitLocker](index.md) for a general overview and list of articles. When users travel, their organization's confidential data goes with them. Wherever confidential data is stored, it must be protected against unauthorized access. Windows has a long history of providing at-rest data-protection solutions that guard against nefarious attackers, beginning with the Encrypting File System in the Windows 2000 operating system. More recently, BitLocker has provided encryption for full drives and portable drives. Windows consistently improves data protection by improving existing options and providing new strategies. diff --git a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-group-policy-settings.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-group-policy-settings.md index 14bce76790..80c953acf9 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-group-policy-settings.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-group-policy-settings.md 
@@ -1330,5 +1330,5 @@ PCR 7 measurements are a mandatory logo requirement for systems that support Mod - [Trusted Platform Module](/windows/device-security/tpm/trusted-platform-module-overview) - [TPM Group Policy settings](/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings) - [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml) -- [BitLocker overview](bitlocker-overview.md) +- [BitLocker overview](index.md) - [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md) diff --git a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md index cb8483bfec..0adb109268 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md @@ -113,7 +113,7 @@ Enable-WindowsOptionalFeature -Online -FeatureName BitLocker, BitLocker-Utilitie ## Related articles -- [BitLocker overview](bitlocker-overview.md) +- [BitLocker overview](index.md) - [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml) - [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md) - [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md) diff --git a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md index 8172296f2b..672d9c1171 100644 
--- a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md @@ -454,6 +454,6 @@ Follow these steps to configure Network Unlock on these older systems. ## Related articles -- [BitLocker overview](bitlocker-overview.md) +- [BitLocker overview](index.md) - [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml) - [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md) diff --git a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-management-for-enterprises.md index 4da9ac39c0..491df0d342 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-management-for-enterprises.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-management-for-enterprises.md 
@@ -9,7 +9,7 @@ ms.date: 11/08/2022 The ideal solution for BitLocker management is to eliminate the need for IT administrators to set management policies using tools or other mechanisms by having Windows perform tasks that are more practical to automate. This vision leverages modern hardware developments. The growth of TPM 2.0, secure boot, and other hardware improvements, for example, have helped to alleviate the support burden on help desks and a decrease in support-call volumes, yielding improved user satisfaction. Windows continues to be the focus for new features and improvements for built-in encryption management, such as automatically enabling encryption on devices that support Modern Standby beginning with Windows 8.1. -Though much Windows [BitLocker documentation](bitlocker-overview.md) has been published, customers frequently ask for recommendations and pointers to specific, task-oriented documentation that is both easy to digest and focused on how to deploy and manage BitLocker. This article links to relevant documentation, products, and services to help answer this and other related frequently asked questions, and also provides BitLocker recommendations for different types of computers. +Though much Windows [BitLocker documentation](index.md) has been published, customers frequently ask for recommendations and pointers to specific, task-oriented documentation that is both easy to digest and focused on how to deploy and manage BitLocker. This article links to relevant documentation, products, and services to help answer this and other related frequently asked questions, and also provides BitLocker recommendations for different types of computers. [!INCLUDE [bitlocker](../../../../../includes/licensing/bitlocker-management.md)] 
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml index 8ad8a1bf0d..b38729a75d 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml +++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml @@ -33,7 +33,7 @@ sections: - question: What are the BitLocker hardware and software requirements? answer: | - For requirements, see [System requirements](bitlocker-overview.md#system-requirements). + For requirements, see [System requirements](index.md#system-requirements). > [!NOTE] > Dynamic disks aren't supported by BitLocker. Dynamic data volumes won't be displayed in the Control Panel. Although the operating system volume will always be displayed in the Control Panel, regardless of whether it's a Dynamic disk, if it's a dynamic disk it can't be protected by BitLocker. diff --git a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-recovery-guide-plan.md index 8c1558f7a1..d5eb6c6c36 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-recovery-guide-plan.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-recovery-guide-plan.md @@ -976,4 +976,4 @@ End Function ## Related articles -- [BitLocker overview](bitlocker-overview.md) +- [BitLocker overview](index.md) 
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md index 8f5990f813..393549ec10 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md @@ -232,7 +232,7 @@ Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup S-1-5- ## Related articles -- [BitLocker overview](bitlocker-overview.md) +- [BitLocker overview](index.md) - [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml) - [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md) - [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md) diff --git a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md index 711626dbbb..9698ad0735 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md 
@@ -58,7 +58,7 @@ By completing the procedures in this scenario, the recovery passwords for a comp ## Related articles -- [BitLocker Overview](bitlocker-overview.md) +- [BitLocker Overview](index.md) - [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml) - [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md) - [BitLocker: How to deploy on Windows Server 2012](bitlocker-how-to-deploy-on-windows-server.md) diff --git a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-overview.md b/windows/security/operating-system-security/data-protection/bitlocker/index.md similarity index 100% rename from windows/security/operating-system-security/data-protection/bitlocker/bitlocker-overview.md rename to windows/security/operating-system-security/data-protection/bitlocker/index.md diff --git a/windows/security/operating-system-security/data-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/security/operating-system-security/data-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md index e1b617b2b7..a925d629be 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md 
@@ -188,6 +188,6 @@ On Windows Server 2012 R2 and Windows 8.1 and older, recovery passwords generate - [Trusted Platform Module](../tpm/trusted-platform-module-top-node.md) - [TPM Group Policy settings](../tpm/trusted-platform-module-services-group-policy-settings.md) - [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml) -- [BitLocker](bitlocker-overview.md) +- [BitLocker](index.md) - [BitLocker Group Policy settings](bitlocker-group-policy-settings.md) - [BitLocker basic deployment](bitlocker-basic-deployment.md) diff --git a/windows/security/operating-system-security/data-protection/bitlocker/toc.yml b/windows/security/operating-system-security/data-protection/bitlocker/toc.yml index 4e36b6b533..502421f2da 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/toc.yml +++ b/windows/security/operating-system-security/data-protection/bitlocker/toc.yml @@ -1,6 +1,6 @@ items: - name: Overview - href: bitlocker-overview.md + href: index.md - name: BitLocker device encryption href: bitlocker-device-encryption-overview-windows-10.md - name: BitLocker frequently asked questions (FAQ) diff --git a/windows/security/operating-system-security/data-protection/index.md b/windows/security/operating-system-security/data-protection/index.md index f93a280b15..b180e2ff7a 100644 --- a/windows/security/operating-system-security/data-protection/index.md +++ b/windows/security/operating-system-security/data-protection/index.md @@ -45,5 +45,5 @@ Windows consistently improves data protection by improving existing options and ## See also - [Encrypted Hard Drive](encrypted-hard-drive.md) -- [BitLocker](bitlocker/bitlocker-overview.md) +- [BitLocker](bitlocker/index.md) - [Personal Data Encryption (PDE)](personal-data-encryption/index.md) 
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md index 534c3bc52d..d2c8105657 100644 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md @@ -69,7 +69,7 @@ ms.date: 03/13/2023 ### Highly recommended -- [BitLocker Drive Encryption](bitlocker/bitlocker-overview.md) enabled +- [BitLocker Drive Encryption](../bitlocker/index.md) enabled Although PDE will work without BitLocker, it's recommended to also enable BitLocker. PDE is meant to work alongside BitLocker for increased security. PDE isn't a replacement for BitLocker. diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md index d5a1753a2a..895cc7d6e8 100644 --- a/windows/security/operating-system.md +++ b/windows/security/operating-system.md @@ -25,7 +25,7 @@ Use the links in the following table to learn more about the operating system se Cryptography and certificate management|Cryptography uses code to convert data so that only a specific recipient can read it by using a key. Cryptography enforces privacy to prevent anyone except the intended recipient from reading data, integrity to ensure data is free of tampering, and authentication that verifies identity to ensure that communication is secure.

Learn more about [Cryptography and certificate management](cryptography-certificate-mgmt.md).

| Windows Security app | The Windows built-in security application found in settings provides an at-a-glance view of the security status and health of your device. These insights help you identify issues and take action to make sure you're protected. You can quickly see the status of your virus and threat protection, firewall and network security, device security controls, and more.

Learn more about the [Windows Security app](threat-protection/windows-defender-security-center/windows-defender-security-center.md).| | Encryption and data protection | Wherever confidential data is stored, it must be protected against unauthorized access, whether through physical device theft or from malicious applications. Windows provides strong at-rest data-protection solutions that guard against nefarious attackers.

Learn more about [Encryption](encryption-data-protection.md). -| BitLocker | BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. BitLocker provides the most protection when used with a Trusted Platform Module (TPM) version 1.2 or later.

Learn more about [BitLocker](information-protection/bitlocker/bitlocker-overview.md). | +| BitLocker | BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. BitLocker provides the most protection when used with a Trusted Platform Module (TPM) version 1.2 or later.

Learn more about [BitLocker](information-protection/bitlocker/index.md). | | Encrypted Hard Drive | Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management.
By offloading the cryptographic operations to hardware, Encrypted Hard Drives increase BitLocker performance and reduce CPU usage and power consumption. Because Encrypted Hard Drives encrypt data quickly, enterprise devices can expand BitLocker deployment with minimal impact on productivity.

Learn more about [Encrypted Hard Drives](information-protection/encrypted-hard-drive.md).| | S/MIME | S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with.

Learn more about [S/MIME for Windows](operating-system-security/data-protection/configure-s-mime.md).| | Security baselines | A security baseline is a group of Microsoft-recommended configuration settings that explains their security impact. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers.

Security baselines are included in the [Security Compliance Toolkit](threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md) that you can download from the Microsoft Download Center.

Learn more about [security baselines](threat-protection/windows-security-configuration-framework/windows-security-baselines.md). | From 0496f7b4f708834a217c90b8d13fe0154d6381a2 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Thu, 1 Jun 2023 12:21:31 -0400 Subject: [PATCH 34/80] added redirects --- .openpublishing.redirection.json | 110 +++++++++++++++++++++++++++++++ 1 file changed, 110 insertions(+) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index cfe13668b9..c24c3da651 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json 
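Review bot: In PATCH 33/80, the windows/security/operating-system.md hunk changes the BitLocker row to link to information-protection/bitlocker/index.md, but this commit renames bitlocker-overview.md to index.md under operating-system-security/data-protection/bitlocker/, and the earlier commit in the series moved the BitLocker articles out of information-protection/bitlocker/. The target should be operating-system-security/data-protection/bitlocker/index.md, in line with the links this commit updates in data-protection/index.md and personal-data-encryption/index.md, which resolve to the new location.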
@@ -21489,6 +21489,116 @@ "source_path": "windows/security/apps.md", "redirect_url": "/windows/security/application-security", "redirect_document_id": false + }, + { + "source_path": "windows/security/information-protection/encrypted-hard-drive.md", + "redirect_url": "/windows/security/operating-system-security/data-protection/encrypted-hard-drive", + "redirect_document_id": false + }, + { + "source_path": "windows/security/information-protection/bitlocker/bcd-settings-and-bitlocker.md", + "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/bcd-settings-and-bitlocker", + "redirect_document_id": false + }, + { + "source_path": "windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md", + "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-basic-deployment", + "redirect_document_id": false + }, + { + "source_path": "windows/security/information-protection/bitlocker/bitlocker-countermeasures.md", + "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-countermeasures", + "redirect_document_id": false + }, + { + "source_path": "windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md", + "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-deployment-comparison", + "redirect_document_id": false + }, + { + "source_path": "windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md", + "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-device-encryption-overview-windows-10", + "redirect_document_id": false + }, + { + "source_path": "windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md", + "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-group-policy-settings", + "redirect_document_id": false + 
}, + { + "source_path": "windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md", + "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server", + "redirect_document_id": false + }, + { + "source_path": "windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md", + "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-how-to-enable-network-unlock", + "redirect_document_id": false + }, + { + "source_path": "windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md", + "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-management-for-enterprises", + "redirect_document_id": false + }, + { + "source_path": "windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md", + "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-recovery-guide-plan", + "redirect_document_id": false + }, + { + "source_path": "windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md", + "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker", + "redirect_document_id": false + }, + { + "source_path": "windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md", + "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer", + "redirect_document_id": false + }, + { + "source_path": "windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md", + "redirect_url": 
"/windows/security/operating-system-security/data-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies", + "redirect_document_id": false + }, + { + "source_path": "windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md", + "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker", + "redirect_document_id": false + }, + { + "source_path": "windows/security/information-protection/personal-data-encryption/configure-pde-in-intune.md", + "redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption/configure-pde-in-intune", + "redirect_document_id": false + }, + { + "source_path": "windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-arso.md", + "redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-arso", + "redirect_document_id": false + }, + { + "source_path": "windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-hibernation.md", + "redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-hibernation", + "redirect_document_id": false + }, + { + "source_path": "windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-memory-dumps.md", + "redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-memory-dumps", + "redirect_document_id": false + }, + { + "source_path": "windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-password-connected-standby.md", + "redirect_url": 
"/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-password-connected-standby", + "redirect_document_id": false + }, + { + "source_path": "windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-disable-wer.md", + "redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-disable-wer", + "redirect_document_id": false + }, + { + "source_path": "windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-enable-pde.md", + "redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-enable-pde", + "redirect_document_id": false } ] } \ No newline at end of file From 812c999d186f38c2183fc3981a9a0a1c1bbe9199 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Thu, 1 Jun 2023 12:37:41 -0400 Subject: [PATCH 35/80] changed docfx to *.* instead of *.md to test the behavior for yaml files --- windows/security/docfx.json | 4 +- ...tlocker-how-to-deploy-on-windows-server.md | 47 +++++++------------ 2 files changed, 19 insertions(+), 32 deletions(-) diff --git a/windows/security/docfx.json b/windows/security/docfx.json index cb0fe65e5e..66d226f414 100644 --- a/windows/security/docfx.json +++ b/windows/security/docfx.json 
@@ -76,14 +76,14 @@ "application-security/application-control/user-account-control/*.md": "paolomatarazzo", "application-security/application-isolation/windows-sandbox/**/*.md": "vinaypamnani-msft", "identity-protection/**/*.md": "paolomatarazzo", - "operating-system-security/data-protection/**/*.md": "paolomatarazzo", + "operating-system-security/data-protection/**/*.*": "paolomatarazzo", "operating-system-security/network-security/**/*.md": "paolomatarazzo", "operating-system-security/network-security/windows-firewall/**/*.md": "ngangulyms" }, "ms.author":{ "application-security/application-control/user-account-control/*.md": "paoloma", "application-security/application-isolation/windows-sandbox/**/*.md": "vinpa", - "identity-protection/**/*.md": "paoloma", + "identity-protection/**/*.*": "paoloma", "operating-system-security/data-protection/**/*.md": "paoloma", "operating-system-security/network-security/**/*.md": "paoloma", "operating-system-security/network-security/windows-firewall/*.md": "nganguly" diff --git a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md index 0adb109268..7f25367d8c 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md 
@@ -1,49 +1,36 @@ --- -title: BitLocker How to deploy on Windows Server 2012 and later -description: This article for the IT professional explains how to deploy BitLocker and Windows Server 2012 and later +title: BitLocker How to deploy on Windows Server +description: This article for the IT professional explains how to deploy BitLocker and Windows Server ms.topic: conceptual ms.date: 11/08/2022 +appliesto: + - ✅ Windows Server 2022 + - ✅ Windows Server 2019 + - ✅ Windows Server 2016 --- -# BitLocker: How to deploy on Windows Server 2012 and later +# BitLocker: How to deploy on Windows Server -**Applies to:** - -- Windows Server 2012 -- Windows Server 2012 R2 -- Windows Server 2016 and above - -This article explains how to deploy BitLocker on Windows Server 2012 and later versions. For all Windows Server editions, BitLocker can be installed using Server Manager or Windows PowerShell cmdlets. BitLocker requires administrator privileges on the server on which it's to be installed. +This article explains how to deploy BitLocker on Windows Server. For all Windows Server editions, BitLocker can be installed using Server Manager or Windows PowerShell cmdlets. BitLocker requires administrator privileges on the server on which it's to be installed. ## Installing BitLocker ### To install BitLocker using server manager 1. Open server manager by selecting the server manager icon or running servermanager.exe. - -2. Select **Manage** from the **Server Manager Navigation** bar and select **Add Roles and Features** to start the **Add Roles and Features Wizard.** - -3. With the **Add Roles and Features** wizard open, select **Next** at the **Before you begin** pane (if shown). - -4. Select **Role-based or feature-based installation** on the **Installation type** pane of the **Add Roles and Features** wizard and select **Next** to continue. - -5. 
Select the **Select a server from the server pool** option in the **Server Selection** pane and confirm the server on which the BitLocker feature is to be installed. - -6. Select **Next** on the **Server Roles** pane of the **Add Roles and Features** wizard to proceed to the **Features** pane. - +1. Select **Manage** from the **Server Manager Navigation** bar and select **Add Roles and Features** to start the **Add Roles and Features Wizard.** +1. With the **Add Roles and Features** wizard open, select **Next** at the **Before you begin** pane (if shown). +1. Select **Role-based or feature-based installation** on the **Installation type** pane of the **Add Roles and Features** wizard and select **Next** to continue. +1. Select the **Select a server from the server pool** option in the **Server Selection** pane and confirm the server on which the BitLocker feature is to be installed. +1. Select **Next** on the **Server Roles** pane of the **Add Roles and Features** wizard to proceed to the **Features** pane. > [!NOTE] > Server roles and features are installed by using the same wizard in Server Manager. - -7. Select the check box next to **BitLocker Drive Encryption** within the **Features** pane of the **Add Roles and Features** wizard. The wizard shows the extra management features available for BitLocker. If the extra management features are not needed and/or don't need to be installed, deselect the **Include management tools**. - +1. Select the check box next to **BitLocker Drive Encryption** within the **Features** pane of the **Add Roles and Features** wizard. The wizard shows the extra management features available for BitLocker. If the extra management features are not needed and/or don't need to be installed, deselect the **Include management tools**. > [!NOTE] > The **Enhanced Storage** feature is a required feature for enabling BitLocker. This feature enables support for encrypted hard drives on capable systems. - -8. Select **Add Features**. 
Once optional features selection is complete, select **Next** to proceed in the wizard. - -9. Select **Install** on the **Confirmation** pane of the **Add Roles and Features** wizard to begin BitLocker feature installation. The BitLocker feature requires a restart for its installation to be complete. Selecting the **Restart the destination server automatically if required** option in the **Confirmation** pane forces a restart of the computer after installation is complete. - -10. If the **Restart the destination server automatically if required** check box isn't selected, the **Results** pane of the **Add Roles and Features** wizard displays the success or failure of the BitLocker feature installation. If necessary, a notification of other action necessary to complete the feature installation, such as the restart of the computer, will be displayed in the results text. +1. Select **Add Features**. Once optional features selection is complete, select **Next** to proceed in the wizard. +1. Select **Install** on the **Confirmation** pane of the **Add Roles and Features** wizard to begin BitLocker feature installation. The BitLocker feature requires a restart for its installation to be complete. Selecting the **Restart the destination server automatically if required** option in the **Confirmation** pane forces a restart of the computer after installation is complete. +1. If the **Restart the destination server automatically if required** check box isn't selected, the **Results** pane of the **Add Roles and Features** wizard displays the success or failure of the BitLocker feature installation. If necessary, a notification of other action necessary to complete the feature installation, such as the restart of the computer, will be displayed in the results text. ### To install BitLocker using Windows PowerShell From 84be0fb80e360efb30c73c6ac1f7075068fe8ba7 Mon Sep 17 00:00:00 2001 
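Review bot: In the `windows/security/docfx.json` hunk of this patch, the glob widened to `*.*` under `ms.author` is `identity-protection/**/*.*`, while under `author` it is `operating-system-security/data-protection/**/*.*`. The two maps now cover different folders for non-Markdown files: a YAML file under `data-protection` gets an `author` but no `ms.author` from these entries, and one under `identity-protection` gets the reverse. If the goal is to test YAML handling for data-protection, widen the `ms.author` line for `operating-system-security/data-protection/**/*.md` instead and leave `identity-protection/**/*.md` as it was.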
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Thu, 1 Jun 2023 12:42:17 -0400 Subject: [PATCH 36/80] acrolinx --- .../bitlocker-how-to-deploy-on-windows-server.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md index 7f25367d8c..1610c9a49d 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md @@ -17,7 +17,7 @@ This article explains how to deploy BitLocker on Windows Server. For all Windows ### To install BitLocker using server manager -1. Open server manager by selecting the server manager icon or running servermanager.exe. +1. Open server manager by selecting the server manager icon or running `servermanager.exe`. 1. Select **Manage** from the **Server Manager Navigation** bar and select **Add Roles and Features** to start the **Add Roles and Features Wizard.** 1. With the **Add Roles and Features** wizard open, select **Next** at the **Before you begin** pane (if shown). 1. Select **Role-based or feature-based installation** on the **Installation type** pane of the **Add Roles and Features** wizard and select **Next** to continue. 
@@ -25,7 +25,7 @@ This article explains how to deploy BitLocker on Windows Server. For all Windows 1. Select **Next** on the **Server Roles** pane of the **Add Roles and Features** wizard to proceed to the **Features** pane. > [!NOTE] > Server roles and features are installed by using the same wizard in Server Manager. -1. Select the check box next to **BitLocker Drive Encryption** within the **Features** pane of the **Add Roles and Features** wizard. The wizard shows the extra management features available for BitLocker. If the extra management features are not needed and/or don't need to be installed, deselect the **Include management tools**. +1. Select the check box next to **BitLocker Drive Encryption** within the **Features** pane of the **Add Roles and Features** wizard. The wizard shows the extra management features available for BitLocker. If the extra management features aren't needed and/or don't need to be installed, deselect the **Include management tools**. > [!NOTE] > The **Enhanced Storage** feature is a required feature for enabling BitLocker. This feature enables support for encrypted hard drives on capable systems. 1. Select **Add Features**. Once optional features selection is complete, select **Next** to proceed in the wizard. 
@@ -43,7 +43,7 @@ Windows PowerShell offers administrators another option for BitLocker feature in The `servermanager` Windows PowerShell module can use either the `Install-WindowsFeature` or `Add-WindowsFeature` to install the BitLocker feature. The `Add-WindowsFeature` cmdlet is merely a stub to the `Install-WindowsFeature`. This example uses the `Install-WindowsFeature` cmdlet. The feature name for BitLocker in the `servermanager` module is `BitLocker`. -By default, installation of features in Windows PowerShell doesn't include optional sub-features or management tools as part of the installation process. What is installed as part of the installation process can be seen using the `-WhatIf` option in Windows PowerShell. +By default, installation of features in Windows PowerShell doesn't include optional subfeatures or management tools as part of the installation process. What is installed as part of the installation process can be seen using the `-WhatIf` option in Windows PowerShell. ```powershell Install-WindowsFeature BitLocker -WhatIf @@ -51,7 +51,7 @@ Install-WindowsFeature BitLocker -WhatIf The results of this command show that only the BitLocker Drive Encryption feature is installed using this command. -To see what would be installed with the BitLocker feature, including all available management tools and sub-features, use the following command: +To see what would be installed with the BitLocker feature, including all available management tools and subfeatures, use the following command: ```powershell Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -WhatIf | fl 
@@ -67,7 +67,7 @@ The result of this command displays the following list of all the administration - AD DS Tools - AD DS and AD LDS Tools -The command to complete a full installation of the BitLocker feature with all available sub-features and then to reboot the server at completion is: +The command to complete a full installation of the BitLocker feature with all available subfeatures and then to reboot the server at completion is: ```powershell Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -Restart 
@@ -78,13 +78,13 @@ Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools - ### Using the dism module to install BitLocker -The `dism.exe` Windows PowerShell module uses the `Enable-WindowsOptionalFeature` cmdlet to install features. The BitLocker feature name for BitLocker is `BitLocker`. The `dism.exe` module doesn't support wildcards when searching for feature names. To list feature names for the `dism.exe` module, use the `Get-WindowsOptionalFeatures` cmdlet. The following command will list all of the optional features in an online (running) operating system. +The `dism.exe` Windows PowerShell module uses the `Enable-WindowsOptionalFeature` cmdlet to install features. The BitLocker feature name for BitLocker is `BitLocker`. The `dism.exe` module doesn't support wildcards when searching for feature names. To list feature names for the `dism.exe` module, use the `Get-WindowsOptionalFeatures` cmdlet. The following command lists all of the optional features in an online (running) operating system. ```powershell Get-WindowsOptionalFeature -Online | ft ``` -From this output, it can be seen that there are three BitLocker-related optional feature names: **BitLocker**, **BitLocker-Utilities** and **BitLocker-NetworkUnlock**. To install the BitLocker feature, the **BitLocker** and **BitLocker-Utilities** features are the only required items. +From this output, there are three BitLocker-related optional feature names: **BitLocker**, **BitLocker-Utilities** and **BitLocker-NetworkUnlock**. To install the BitLocker feature, the **BitLocker** and **BitLocker-Utilities** features are the only required items. To install BitLocker using the `dism.exe` module, use the following command: From 8a3978bfb2cc0c69cacfb2c131d2c7dd6f7155ef Mon Sep 17 00:00:00 2001 
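Review bot: The rewritten paragraph under "Using the dism module to install BitLocker" still tells the reader to use the `Get-WindowsOptionalFeatures` cmdlet, but the code block directly below it runs `Get-WindowsOptionalFeature -Online | ft`. The cmdlet name is singular, so the plural form in the prose fails if copied. Since this line is being edited anyway, fix the name here, and consider dropping the repetition in "The BitLocker feature name for BitLocker is `BitLocker`".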
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Thu, 1 Jun 2023 13:09:16 -0400 Subject: [PATCH 37/80] redirect updates for yml files --- .openpublishing.redirection.json | 60 ++++++++++++++++++++++++++++++++ windows/security/index.yml | 2 +- 2 files changed, 61 insertions(+), 1 deletion(-) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 799df55c69..95077f44ee 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json 
@@ -21614,6 +21614,66 @@ "source_path": "windows/security/information-protection/personal-data-encryption/pde-in-intune/intune-enable-pde.md", "redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption/intune-enable-pde", "redirect_document_id": false + }, + { + "source_path": "windows/security/encryption-data-protection.md", + "redirect_url": "/windows/security/operating-system-security/data-protection/index", + "redirect_document_id": false + }, + { + "source_path": "windows/security/information-protection/personal-data-encryption/faq-pde.yml", + "redirect_url": "/windows/operating-system-security/data-protection/personal-data-encryption/faq-pde", + "redirect_document_id": false + }, + { + "source_path": "windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml", + "redirect_url": "/windows/operating-system-security/data-protection/bitlocker/bitlocker-and-adds-faq", + "redirect_document_id": false + }, + { + "source_path": "windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml", + "redirect_url": "/windows/operating-system-security/data-protection/bitlocker/bitlocker-deployment-and-administration-faq", + "redirect_document_id": false + }, + { + "source_path": "windows/security/information-protection/bitlocker/bitlocker-frequently-asked-question.yml", + "redirect_url": "/windows/operating-system-security/data-protection/bitlocker/bitlocker-frequently-asked-question", + "redirect_document_id": false + }, + { + "source_path": "windows/security/information-protection/bitlocker/bitlocker-key-management-faq.yml", + "redirect_url": "/windows/operating-system-security/data-protection/bitlocker/bitlocker-key-management-faq", + "redirect_document_id": false + }, + { + "source_path": "windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.yml", + "redirect_url": 
"/windows/operating-system-security/data-protection/bitlocker/bitlocker-network-unlock-faq", + "redirect_document_id": false + }, + { + "source_path": "windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml", + "redirect_url": "/windows/operating-system-security/data-protection/bitlocker/bitlocker-overview-and-requirements-faq", + "redirect_document_id": false + }, + { + "source_path": "windows/security/information-protection/bitlocker/bitlocker-security-faq.yml", + "redirect_url": "/windows/operating-system-security/data-protection/bitlocker/bitlocker-security-faq", + "redirect_document_id": false + }, + { + "source_path": "windows/security/information-protection/bitlocker/bitlocker-to-go-faq.yml", + "redirect_url": "/windows/operating-system-security/data-protection/bitlocker/bitlocker-to-go-faq", + "redirect_document_id": false + }, + { + "source_path": "windows/security/information-protection/bitlockerbitlocker-upgrading-faq.yml", + "redirect_url": "/windows/operating-system-security/data-protection/bitlocker/bitlocker-upgrading-faq", + "redirect_document_id": false + }, + { + "source_path": "windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml", + "redirect_url": "/windows/operating-system-security/data-protection/bitlocker/bitlocker-using-with-other-programs-faq", + "redirect_document_id": false } ] } \ No newline at end of file diff --git a/windows/security/index.yml b/windows/security/index.yml index 8cf4624659..ac185313ef 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -63,7 +63,7 @@ landingContent: - text: System security url: trusted-boot.md - text: Encryption and data protection - url: encryption-data-protection.md + url: operating-system-security/data-protection/index.md - text: Windows security baselines url: threat-protection/windows-security-configuration-framework/windows-security-baselines.md - text: Virtual private network guide 
From 4f89d2cae46264f3cf3c3c9d839c6796fec9099c Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Thu, 1 Jun 2023 13:25:20 -0400 Subject: [PATCH 38/80] updates --- windows/security/docfx.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/docfx.json b/windows/security/docfx.json index 66d226f414..6695767322 100644 --- a/windows/security/docfx.json +++ b/windows/security/docfx.json @@ -132,7 +132,7 @@ "✅ Windows Server 2019", "✅ Windows Server 2016" ], - "operating-system-security/data-protection/personal-data-encryption/*.md": [ + "operating-system-security/data-protection/personal-data-encryption/*.*": [ "✅ Windows 11" ], "operating-system-security/network-security/windows-firewall/**/*.md": [ From 8764b35acceb926499c87bfb7dc187c5f803d3b8 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Thu, 1 Jun 2023 13:41:57 -0400 Subject: [PATCH 39/80] test metadata updates for yml in docfx --- windows/security/docfx.json | 29 ++++++++++++++++++++++++----- 1 file changed, 24 insertions(+), 5 deletions(-) diff --git a/windows/security/docfx.json b/windows/security/docfx.json index 6695767322..e079c36962 100644 --- a/windows/security/docfx.json +++ b/windows/security/docfx.json 
@@ -76,17 +76,26 @@ "application-security/application-control/user-account-control/*.md": "paolomatarazzo", "application-security/application-isolation/windows-sandbox/**/*.md": "vinaypamnani-msft", "identity-protection/**/*.md": "paolomatarazzo", - "operating-system-security/data-protection/**/*.*": "paolomatarazzo", + "identity-protection/**/*.yml": "paolomatarazzo", + "operating-system-security/data-protection/**/*.md": "paolomatarazzo", + "operating-system-security/data-protection/**/*.yml": "paolomatarazzo", "operating-system-security/network-security/**/*.md": "paolomatarazzo", - "operating-system-security/network-security/windows-firewall/**/*.md": "ngangulyms" + "operating-system-security/network-security/**/*.yml": "paolomatarazzo", + "operating-system-security/network-security/windows-firewall/**/*.md": "ngangulyms", + "operating-system-security/network-security/windows-firewall/**/*.yml": "ngangulyms" }, "ms.author":{ "application-security/application-control/user-account-control/*.md": "paoloma", + "application-security/application-control/user-account-control/*.yml": "paoloma", "application-security/application-isolation/windows-sandbox/**/*.md": "vinpa", - "identity-protection/**/*.*": "paoloma", + "identity-protection/**/*.md": "paoloma", + "identity-protection/**/*.yml": "paoloma", "operating-system-security/data-protection/**/*.md": "paoloma", + "operating-system-security/data-protection/**/*.yml": "paoloma", "operating-system-security/network-security/**/*.md": "paoloma", - "operating-system-security/network-security/windows-firewall/*.md": "nganguly" + "operating-system-security/network-security/**/*.yml": "paoloma", + "operating-system-security/network-security/windows-firewall/*.md": "nganguly", + "operating-system-security/network-security/windows-firewall/*.yml": "nganguly" }, "appliesto": { "application-security/application-isolation/windows-sandbox/**/*.md": [ 
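Review bot: The `.yml` globs added to `author` and `ms.author` in this hunk don't line up. `application-security/application-control/user-account-control/*.yml` is added only under `ms.author`, and the Windows Firewall entry is `windows-firewall/**/*.yml` under `author` but `windows-firewall/*.yml` under `ms.author`, so a YAML file in a firewall subfolder matches the firewall-specific `author` entry but not the firewall-specific `ms.author` one. Add the missing `user-account-control/*.yml` line to `author` and use the same depth (`**/*.yml`) in both maps. The existing `.md` entries for `windows-firewall` have the same depth mismatch, so it may be worth fixing in the same change.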
@@ -132,7 +141,17 @@ "✅ Windows Server 2019", "✅ Windows Server 2016" ], - "operating-system-security/data-protection/personal-data-encryption/*.*": [ + "operating-system-security/data-protection/**/*.yml": [ + "✅ Windows 11", + "✅ Windows 10", + "✅ Windows Server 2022", + "✅ Windows Server 2019", + "✅ Windows Server 2016" + ], + "operating-system-security/data-protection/personal-data-encryption/*.md": [ + "✅ Windows 11" + ], + "operating-system-security/data-protection/personal-data-encryption/*.yml": [ "✅ Windows 11" ], "operating-system-security/network-security/windows-firewall/**/*.md": [ From 3e901581fe8c00c2c5e81a5c7c8814ecd2bec896 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Thu, 1 Jun 2023 14:31:55 -0400 Subject: [PATCH 40/80] fix redirects --- .openpublishing.redirection.json | 24 +++++++++++++++++-- .../bitlocker/bitlocker-and-adds-faq.yml | 13 +--------- ...cker-deployment-and-administration-faq.yml | 8 +------ .../bitlocker-frequently-asked-questions.yml | 8 ------- .../bitlocker-group-policy-settings.md | 6 ----- ...tlocker-how-to-deploy-on-windows-server.md | 4 ---- .../bitlocker-how-to-enable-network-unlock.md | 6 ----- .../bitlocker-key-management-faq.yml | 5 ---- .../bitlocker-network-unlock-faq.yml | 6 ----- ...itlocker-overview-and-requirements-faq.yml | 5 ---- .../bitlocker/bitlocker-security-faq.yml | 7 ------ .../bitlocker/bitlocker-to-go-faq.yml | 7 ------ .../bitlocker/bitlocker-upgrading-faq.yml | 7 ------ ...itlocker-using-with-other-programs-faq.yml | 9 ------- ...nd-storage-area-networks-with-bitlocker.md | 8 ------- .../personal-data-encryption/faq-pde.yml | 3 --- .../personal-data-encryption/index.md | 3 --- 17 files changed, 24 insertions(+), 105 deletions(-) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 95077f44ee..1a2dcb78fd 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json 
@@ -21666,7 +21666,7 @@ "redirect_document_id": false }, { - "source_path": "windows/security/information-protection/bitlockerbitlocker-upgrading-faq.yml", + "source_path": "windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.yml", "redirect_url": "/windows/operating-system-security/data-protection/bitlocker/bitlocker-upgrading-faq", "redirect_document_id": false }, @@ -21674,6 +21674,26 @@ "source_path": "windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml", "redirect_url": "/windows/operating-system-security/data-protection/bitlocker/bitlocker-using-with-other-programs-faq", "redirect_document_id": false - } + }, + { + "source_path": "windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.yml", + "redirect_url": "/windows/operating-system-security/data-protection/bitlocker/bitlocker-frequently-asked-questions", + "redirect_document_id": false + }, + { + "source_path": "windows/security/information-protection/bitlocker/bitlocker-overview.md", + "redirect_url": "/windows/operating-system-security/data-protection/bitlocker/index", + "redirect_document_id": false + }, + { + "source_path": "windows/security/information-protection/bitlocker/bitlocker-overview.md", + "redirect_url": "/windows/operating-system-security/data-protection/bitlocker/index", + "redirect_document_id": false + }, + { + "source_path": "windows/security/information-protection/personal-data-encryption/overview-pde.md", + "redirect_url": "/windows/operating-system-security/data-protection/personal-data-encryption/index", + "redirect_document_id": false + } ] } \ No newline at end of file diff --git a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-and-adds-faq.yml b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-and-adds-faq.yml index b5e7a38ade..cbaff88935 100644 
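Review bot: The second hunk of `.openpublishing.redirection.json` adds the same redirect twice: two identical objects with `source_path` `windows/security/information-protection/bitlocker/bitlocker-overview.md` and `redirect_url` `/windows/operating-system-security/data-protection/bitlocker/index`. Drop one of them; a duplicate `source_path` adds nothing and makes the intended target ambiguous if the two entries ever diverge. The four added `redirect_url` values also start with `/windows/operating-system-security/...` without the `security/` segment that the file paths in this patch use (`windows/security/operating-system-security/...`), so please confirm they resolve.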
--- a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-and-adds-faq.yml +++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-and-adds-faq.yml @@ -1,25 +1,14 @@ ### YamlMime:FAQ metadata: - title: BitLocker and Active Directory Domain Services (AD DS) FAQ (Windows 10) + title: BitLocker and Active Directory Domain Services (AD DS) FAQ description: Learn more about how BitLocker and Active Directory Domain Services (AD DS) can work together to keep devices secure. ms.collection: - highpri - tier1 ms.topic: faq ms.date: 11/08/2022 - author: paolomatarazzo - ms.author: paoloma - appliesto: - - ✅ Windows 11 - - ✅ Windows 10 - - ✅ Windows Server 2022 - - ✅ Windows Server 2019 - - ✅ Windows Server 2016 title: BitLocker and Active Directory Domain Services (AD DS) FAQ summary: | - **Applies to:** - - Windows 10 and later - - Windows Server 2016 and later sections: - name: Ignored diff --git a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml index 952215cc8c..ccabad03a1 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml +++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml 
@@ -1,15 +1,9 @@ ### YamlMime:FAQ metadata: - title: BitLocker deployment and administration FAQ (Windows 10) + title: BitLocker deployment and administration FAQ description: Browse frequently asked questions about BitLocker deployment and administration, such as, "Can BitLocker deployment be automated in an enterprise environment?" - ms.prod: windows-client - ms.technology: itpro-security - author: frankroj - ms.author: frankroj - manager: aaroncz ms.topic: faq ms.date: 11/08/2022 - ms.custom: bitlocker title: BitLocker frequently asked questions (FAQ) summary: | sections: diff --git a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-frequently-asked-questions.yml b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-frequently-asked-questions.yml index 043d028531..04759a9566 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-frequently-asked-questions.yml +++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-frequently-asked-questions.yml @@ -2,19 +2,11 @@ metadata: title: BitLocker FAQ (Windows 10) description: Find the answers you need by exploring this brief hub page listing FAQ pages for various aspects of BitLocker. - author: paolomatarazzo - ms.author: paoloma ms.collection: - highpri - tier1 ms.topic: faq ms.date: 11/08/2022 - appliesto: - - ✅ Windows 11 - - ✅ Windows 10 - - ✅ Windows Server 2022 - - ✅ Windows Server 2019 - - ✅ Windows Server 2016 title: BitLocker frequently asked questions (FAQ) resources summary: This article links to frequently asked questions about BitLocker. BitLocker is a data protection feature that encrypts drives on computers to help prevent data theft or exposure. BitLocker-protected computers can also delete data more securely when they're decommissioned because it's much more difficult to recover deleted data from an encrypted drive than from a non-encrypted drive. 
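Review bot: The metadata line "title: BitLocker FAQ (Windows 10)" in bitlocker-frequently-asked-questions.yml is left as unchanged context, while the two FAQ files earlier in this patch (bitlocker-and-adds-faq.yml and bitlocker-deployment-and-administration-faq.yml) have the "(Windows 10)" suffix removed from their metadata titles. If the suffix is being dropped across the BitLocker FAQ set, change this line as well; the key management, Network Unlock, and overview and requirements FAQ hunks further down show the same leftover in their context lines.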
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-group-policy-settings.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-group-policy-settings.md index 80c953acf9..b90b65ce81 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-group-policy-settings.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-group-policy-settings.md @@ -10,12 +10,6 @@ ms.date: 11/08/2022 # BitLocker group policy settings -**Applies to:** - -- Windows 10 -- Windows 11 -- Windows Server 2016 and above - This article for IT professionals describes the function, location, and effect of each Group Policy setting that is used to manage BitLocker Drive Encryption. Group Policy administrative templates or local computer policy settings can be used to control what BitLocker drive encryption tasks and configurations can be performed by users, for example through the **BitLocker Drive Encryption** control panel. Which of these policies are configured and how they're configured depends on how BitLocker is implemented and what level of interaction is desired for end users. diff --git a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md index 1610c9a49d..fd3c652f3a 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md 
@@ -3,10 +3,6 @@ title: BitLocker How to deploy on Windows Server description: This article for the IT professional explains how to deploy BitLocker and Windows Server ms.topic: conceptual ms.date: 11/08/2022 -appliesto: - - ✅ Windows Server 2022 - - ✅ Windows Server 2019 - - ✅ Windows Server 2016 --- # BitLocker: How to deploy on Windows Server diff --git a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md index 672d9c1171..921c5ebcfa 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md @@ -7,12 +7,6 @@ ms.date: 11/08/2022 # BitLocker: How to enable Network Unlock -**Applies to:** - -- Windows 10 -- Windows 11 -- Windows Server 2016 and above - This article describes how BitLocker Network Unlock works and how to configure it. Network Unlock is a BitLocker protector option for operating system volumes. Network Unlock enables easier management for BitLocker-enabled desktops and servers in a domain environment by providing automatic unlock of operating system volumes at system reboot when connected to a wired corporate network. This feature requires the client hardware to have a DHCP driver implemented in its UEFI firmware. Without Network Unlock, operating system volumes protected by TPM+PIN protectors require a PIN to be entered when a computer reboots or resumes from hibernation (for example, by Wake on LAN). Requiring a PIN after a reboot can make it difficult to enterprises to roll out software patches to unattended desktops and remotely administered servers. 
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-key-management-faq.yml b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-key-management-faq.yml index 7eb8cf70ac..848e842daf 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-key-management-faq.yml +++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-key-management-faq.yml @@ -2,11 +2,6 @@ metadata: title: BitLocker Key Management FAQ (Windows 10) description: Browse frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker. - ms.prod: windows-client - ms.technology: itpro-security - author: frankroj - ms.author: frankroj - manager: aaroncz ms.topic: faq ms.date: 11/08/2022 title: BitLocker Key Management FAQ diff --git a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-network-unlock-faq.yml b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-network-unlock-faq.yml index b871ab6fb7..5a67c2a310 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-network-unlock-faq.yml +++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-network-unlock-faq.yml @@ -2,12 +2,6 @@ metadata: title: BitLocker Network Unlock FAQ (Windows 10) description: Familiarize yourself with BitLocker Network Unlock. Learn how it can make desktop and server management easier within domain environments. - ms.prod: windows-client - ms.technology: itpro-security - author: frankroj - ms.author: frankroj - manager: aaroncz - audience: ITPro ms.topic: faq ms.date: 11/08/2022 title: BitLocker Network Unlock FAQ 
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml index b38729a75d..732e5e9c03 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml +++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml @@ -2,11 +2,6 @@ metadata: title: BitLocker overview and requirements FAQ (Windows 10) description: This article for IT professionals answers frequently asked questions concerning the requirements to use BitLocker. - ms.prod: windows-client - ms.technology: itpro-security - author: frankroj - ms.author: frankroj - manager: aaroncz ms.collection: - highpri - tier1 diff --git a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-security-faq.yml b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-security-faq.yml index f03a8c4f8e..90f7723f1e 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-security-faq.yml +++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-security-faq.yml @@ -2,15 +2,8 @@ metadata: title: BitLocker Security FAQ description: Learn more about how BitLocker security works. Browse frequently asked questions, such as, "What form of encryption does BitLocker use?" - ms.prod: windows-client - ms.technology: itpro-security - author: frankroj - ms.author: frankroj - manager: aaroncz - audience: ITPro ms.topic: faq ms.date: 11/08/2022 - ms.custom: bitlocker title: BitLocker Security FAQ summary: | sections: 
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-to-go-faq.yml b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-to-go-faq.yml index 1cbb45da5a..2b386d9937 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-to-go-faq.yml +++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-to-go-faq.yml @@ -2,15 +2,8 @@ metadata: title: BitLocker To Go FAQ description: "Learn more about BitLocker To Go" - ms.prod: windows-client - ms.technology: itpro-security - ms.author: frankroj - author: frankroj - manager: aaroncz - audience: ITPro ms.topic: faq ms.date: 11/08/2022 - ms.custom: bitlocker title: BitLocker To Go FAQ summary: | diff --git a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-upgrading-faq.yml b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-upgrading-faq.yml index 1282a1f1aa..fba3beff7f 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-upgrading-faq.yml +++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-upgrading-faq.yml @@ -2,15 +2,8 @@ metadata: title: BitLocker Upgrading FAQ description: Learn more about upgrading systems that have BitLocker enabled. Find frequently asked questions, such as, "Can I upgrade to Windows 10 with BitLocker enabled?" - ms.prod: windows-client - ms.technology: itpro-security - author: frankroj - ms.author: frankroj - manager: aaroncz ms.topic: faq ms.date: 11/08/2022 - ms.reviewer: - ms.custom: bitlocker title: BitLocker Upgrading FAQ summary: | diff --git a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml index 4d0267a25a..92834f11e6 100644 
--- a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml +++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml @@ -2,19 +2,10 @@ metadata: title: Using BitLocker with other programs FAQ description: Learn how to integrate BitLocker with other software on a device. - ms.prod: windows-client - ms.technology: itpro-security - author: frankroj - ms.author: frankroj - manager: aaroncz ms.topic: faq ms.date: 11/08/2022 title: Using BitLocker with other programs FAQ summary: | - **Applies to:** - - Windows 10 and later - - Windows Server 2016 and later - sections: - name: Ignored diff --git a/windows/security/operating-system-security/data-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/operating-system-security/data-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md index 14934b6ab3..fd2168f6bb 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md @@ -1,16 +1,8 @@ --- title: Protecting cluster shared volumes and storage area networks with BitLocker description: This article for IT pros describes how to protect CSVs and SANs with BitLocker. -ms.reviewer: -ms.prod: windows-client -ms.localizationpriority: medium -author: frankroj -ms.author: frankroj -manager: aaroncz ms.topic: conceptual ms.date: 11/08/2022 -ms.custom: bitlocker -ms.technology: itpro-security --- # Protecting cluster shared volumes and storage area networks with BitLocker 
diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/faq-pde.yml b/windows/security/operating-system-security/data-protection/personal-data-encryption/faq-pde.yml index 99fecea4eb..0429e74204 100644 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/faq-pde.yml +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/faq-pde.yml @@ -6,9 +6,6 @@ metadata: ms.topic: faq ms.date: 03/13/2023 -# Max 5963468 OS 32516487 -# Max 6946251 - title: Frequently asked questions for Personal Data Encryption (PDE) summary: | Here are some answers to common questions regarding Personal Data Encryption (PDE) diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md index d2c8105657..331501323f 100644 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md @@ -5,9 +5,6 @@ ms.topic: how-to ms.date: 03/13/2023 --- - - - # Personal Data Encryption (PDE) [!INCLUDE [Personal Data Encryption (PDE) description](includes/pde-description.md)] From c53418e9e6208cc0b2a7ab28eb42e3939233d230 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Thu, 1 Jun 2023 14:50:32 -0400 Subject: [PATCH 41/80] fix redirects --- .openpublishing.redirection.json | 5 ----- .../bitlocker/bitlocker-countermeasures.md | 6 +++--- .../bitlocker/bitlocker-group-policy-settings.md | 8 ++++---- ...ur-organization-for-bitlocker-planning-and-policies.md | 2 -- .../personal-data-encryption/includes/pde-description.md | 2 +- .../data-protection/personal-data-encryption/index.md | 6 +++--- windows/security/operating-system.md | 2 +- 7 files changed, 12 insertions(+), 19 deletions(-) 
diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 1a2dcb78fd..37cc5cf505 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -21685,11 +21685,6 @@ "redirect_url": "/windows/operating-system-security/data-protection/bitlocker/index", "redirect_document_id": false }, - { - "source_path": "windows/security/information-protection/bitlocker/bitlocker-overview.md", - "redirect_url": "/windows/operating-system-security/data-protection/bitlocker/index", - "redirect_document_id": false - }, { "source_path": "windows/security/information-protection/personal-data-encryption/overview-pde.md", "redirect_url": "/windows/operating-system-security/data-protection/personal-data-encryption/index", diff --git a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-countermeasures.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-countermeasures.md index ed357fdb9c..4f045118c0 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-countermeasures.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-countermeasures.md 
@@ -31,7 +31,7 @@ A trusted platform module (TPM) is a microchip designed to provide basic securit Unified Extensible Firmware Interface (UEFI) is a programmable boot environment that initializes devices and starts the operating system's bootloader. -The UEFI specification defines a firmware execution authentication process called [Secure Boot](../secure-the-windows-10-boot-process.md). Secure Boot blocks untrusted firmware and bootloaders (signed or unsigned) from being able to start on the system. +The UEFI specification defines a firmware execution authentication process called [Secure Boot](../../../information-protection/secure-the-windows-10-boot-process.md). Secure Boot blocks untrusted firmware and bootloaders (signed or unsigned) from being able to start on the system. By default, BitLocker provides integrity protection for Secure Boot by utilizing the TPM PCR[7] measurement. An unauthorized EFI firmware, EFI boot application, or bootloader can't run and acquire the BitLocker key. 
@@ -48,7 +48,7 @@ The next sections cover pre-boot authentication and DMA policies that can provid ### Pre-boot authentication -Pre-boot authentication with BitLocker is a policy setting that requires the use of either user input, such as a PIN, a startup key, or both to authenticate prior to making the contents of the system drive accessible. The Group Policy setting is [Require additional authentication at startup](./bitlocker-group-policy-settings.md) and the corresponding setting in the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp) is SystemDrivesRequireStartupAuthentication. +Pre-boot authentication with BitLocker is a policy setting that requires the use of either user input, such as a PIN, a startup key, or both to authenticate prior to making the contents of the system drive accessible. The Group Policy setting is [Require additional authentication at startup](bitlocker-group-policy-settings.md) and the corresponding setting in the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp) is SystemDrivesRequireStartupAuthentication. BitLocker accesses and stores the encryption keys in memory only after pre-boot authentication is completed. If Windows can't access the encryption keys, the device can't read or edit the files on the system drive. The only option for bypassing pre-boot authentication is entering the recovery key. 
@@ -128,7 +128,7 @@ Enable secure boot and mandatorily prompt a password to change BIOS settings. Fo ### Tricking BitLocker to pass the key to a rogue operating system An attacker might modify the boot manager configuration database (BCD) which is stored on a non-encrypted partition and add an entry point to a rogue operating system on a different partition. During the boot process, BitLocker code will make sure that the operating system that the encryption key obtained from the TPM is given to, is cryptographically verified to be the intended recipient. Because this strong cryptographic verification already exists, we don't recommend storing a hash of a disk partition table in Platform Configuration Register (PCR) 5. - + An attacker might also replace the entire operating system disk while preserving the platform hardware and firmware and could then extract a protected BitLocker key blob from the metadata of the victim OS partition. The attacker could then attempt to unseal that BitLocker key blob by calling the TPM API from an operating system under their control. This will not succeed because when Windows seals the BitLocker key to the TPM, it does it with a PCR 11 value of 0, and to successfully unseal the blob, PCR 11 in the TPM must have a value of 0. However, when the boot manager passes the control to any boot loader (legitimate or rogue) it always changes PCR 11 to a value of 1. Since the PCR 11 value is guaranteed to be different after exiting the boot manager, the attacker can't unlock the BitLocker key. ## Attacker countermeasures diff --git a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-group-policy-settings.md b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-group-policy-settings.md index b90b65ce81..6045481279 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-group-policy-settings.md 
+++ b/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-group-policy-settings.md @@ -15,7 +15,7 @@ This article for IT professionals describes the function, location, and effect o Group Policy administrative templates or local computer policy settings can be used to control what BitLocker drive encryption tasks and configurations can be performed by users, for example through the **BitLocker Drive Encryption** control panel. Which of these policies are configured and how they're configured depends on how BitLocker is implemented and what level of interaction is desired for end users. > [!NOTE] -> A separate set of Group Policy settings supports the use of the Trusted Platform Module (TPM). For details about those settings, see [Trusted Platform Module Group Policy settings](../tpm/trusted-platform-module-services-group-policy-settings.md). +> A separate set of Group Policy settings supports the use of the Trusted Platform Module (TPM). For details about those settings, see [TPM Group Policy settings](../../../information-protection/tpm/trusted-platform-module-services-group-policy-settings.md). BitLocker Group Policy settings can be accessed using the Local Group Policy Editor and the Group Policy Management Console (GPMC) under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption**. 
@@ -219,7 +219,7 @@ This policy setting is applied when BitLocker is turned on. The startup PIN must Originally, BitLocker allowed a length from 4 to 20 characters for a PIN. Windows Hello has its own PIN for sign-in, length of which can be 4 to 127 characters. Both BitLocker and Windows Hello use the TPM to prevent PIN brute-force attacks. -The TPM can be configured to use Dictionary Attack Prevention parameters ([lockout threshold and lockout duration](../tpm/trusted-platform-module-services-group-policy-settings.md)) to control how many failed authorizations attempts are allowed before the TPM is locked out, and how much time must elapse before another attempt can be made. +The TPM can be configured to use Dictionary Attack Prevention parameters ([lockout threshold and lockout duration](../../../information-protection/tpm/trusted-platform-module-services-group-policy-settings.md) to control how many failed authorizations attempts are allowed before the TPM is locked out, and how much time must elapse before another attempt can be made. The Dictionary Attack Prevention Parameters provide a way to balance security needs with usability. For example, when BitLocker is used with a TPM + PIN configuration, the number of PIN guesses is limited over time. A TPM 2.0 in this example could be configured to allow only 32 PIN guesses immediately, and then only one more guess every two hours. This number of attempts totals to a maximum of about 4415 guesses per year. If the PIN is four digits, all 9999 possible PIN combinations could be attempted in a little over two years. 
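Review bot: The replacement line in this hunk loses the closing parenthesis of the aside. The removed line ends the link with ".md)) to control", the added line ends it with ".md) to control", so the parenthetical opened before "[lockout threshold and lockout duration]" is never closed. Restore the second ")" after the link target.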
@@ -438,7 +438,7 @@ When set to **Do not allow complexity**, no password complexity validation is do > [!NOTE] > Passwords can't be used if FIPS compliance is enabled. The **System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing** policy setting in **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** > **Security Options** specifies whether FIPS compliance is enabled. -For information about this setting, see [System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing](../../threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md). +For information about this setting, see [System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing](../../../threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md). ### Validate smart card certificate usage rule compliance @@ -1292,7 +1292,7 @@ The optional recovery key can be saved to a USB drive. Because recovery password The FIPS setting can be edited by using the Security Policy Editor (`Secpol.msc`) or by editing the Windows registry. Only administrators can perform these procedures. -For more information about setting this policy, see [System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing](../../threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md). +For more information about setting this policy, see [System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing](../../../threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md). ## Power management group policy settings: Sleep and Hibernate 
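Review bot: The link text on the changed line of the @@ -1292,7 +1292,7 @@ hunk reads "Use FIPS compliant algorithms", while the link repointed in the @@ -438,7 +438,7 @@ hunk of the same file reads "Use FIPS-compliant algorithms". Both lines now point at the same target and both are being touched here, so use one spelling of the policy name in the two link texts.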
diff --git a/windows/security/operating-system-security/data-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md b/windows/security/operating-system-security/data-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md index a925d629be..49e91e44d0 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md +++ b/windows/security/operating-system-security/data-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md @@ -185,8 +185,6 @@ On Windows Server 2012 R2 and Windows 8.1 and older, recovery passwords generate ## Related articles -- [Trusted Platform Module](../tpm/trusted-platform-module-top-node.md) -- [TPM Group Policy settings](../tpm/trusted-platform-module-services-group-policy-settings.md) - [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml) - [BitLocker](index.md) - [BitLocker Group Policy settings](bitlocker-group-policy-settings.md) diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/includes/pde-description.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/includes/pde-description.md index 6eaa4e1f87..b34908147d 100644 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/includes/pde-description.md +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/includes/pde-description.md 
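Review bot: In the Related articles hunk of prepare-your-organization-for-bitlocker-planning-and-policies.md (@@ -185,8 +185,6 @@), the two TPM entries (../tpm/trusted-platform-module-top-node.md and ../tpm/trusted-platform-module-services-group-policy-settings.md) are deleted rather than repointed. The same patch repoints the second target to ../../../information-protection/tpm/trusted-platform-module-services-group-policy-settings.md in bitlocker-group-policy-settings.md, so a working path for it is already known. Unless dropping the entries is intended, repoint both the same way, or state in the commit message that they were removed on purpose.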
@@ -6,7 +6,7 @@ ms.date: 03/13/2023 -Starting in Windows 11, version 22H2, Personal Data Encryption (PDE) is a security feature that provides more encryption capabilities to Windows. +Starting in Windows 11, version 22H2, Personal Data Encryption (PDE) is a security feature that provides more encryption capabilities to Windows. PDE differs from BitLocker in that it encrypts individual files and content instead of whole volumes and disks. PDE occurs in addition to other encryption methods such as BitLocker. diff --git a/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md b/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md index 331501323f..6538f524ec 100644 --- a/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md +++ b/windows/security/operating-system-security/data-protection/personal-data-encryption/index.md @@ -16,7 +16,7 @@ ms.date: 03/13/2023 ### Required - [Azure AD joined device](/azure/active-directory/devices/concept-azure-ad-join) -- [Windows Hello for Business](identity-protection/hello-for-business/hello-overview.md) +- [Windows Hello for Business Overview](../../../identity-protection/hello-for-business/hello-overview.md) - Windows 11, version 22H2 and later Enterprise and Education editions ### Not supported with PDE 
@@ -24,7 +24,7 @@ ms.date: 03/13/2023 - [FIDO/security key authentication](/azure/active-directory/authentication/howto-authentication-passwordless-security-key) - [Winlogon automatic restart sign-on (ARSO)](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-) - For information on disabling ARSO via Intune, see [Disable Winlogon automatic restart sign-on (ARSO)](intune-disable-arso.md). -- [Windows Information Protection (WIP)](windows-information-protection/protect-enterprise-data-using-wip.md) +- [Protect your enterprise data using Windows Information Protection (WIP)](../../../information-protection/windows-information-protection/protect-enterprise-data-using-wip.md) - [Hybrid Azure AD joined devices](/azure/active-directory/devices/concept-azure-ad-join-hybrid) - Remote Desktop connections @@ -74,7 +74,7 @@ ms.date: 03/13/2023 In certain scenarios such as TPM resets or destructive PIN resets, the keys used by PDE to protect content will be lost. In such scenarios, any content protected with PDE will no longer be accessible. The only way to recover such content would be from backup. -- [Windows Hello for Business PIN reset service](identity-protection/hello-for-business/hello-feature-pin-reset.md) +- [Windows Hello for Business PIN reset service](../../../identity-protection/hello-for-business/hello-feature-pin-reset.md) Destructive PIN resets will cause keys used by PDE to protect content to be lost. A destructive PIN reset will make any content protected with PDE no longer accessible after the destructive PIN reset has occurred. Content protected with PDE will need to be recovered from a backup after a destructive PIN reset. For this reason Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets. diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md index 895cc7d6e8..d6ce81e4f6 100644 --- a/windows/security/operating-system.md 
+++ b/windows/security/operating-system.md @@ -25,7 +25,7 @@ Use the links in the following table to learn more about the operating system se Cryptography and certificate management|Cryptography uses code to convert data so that only a specific recipient can read it by using a key. Cryptography enforces privacy to prevent anyone except the intended recipient from reading data, integrity to ensure data is free of tampering, and authentication that verifies identity to ensure that communication is secure.

Learn more about [Cryptography and certificate management](cryptography-certificate-mgmt.md).

| Windows Security app | The Windows built-in security application found in settings provides an at-a-glance view of the security status and health of your device. These insights help you identify issues and take action to make sure you're protected. You can quickly see the status of your virus and threat protection, firewall and network security, device security controls, and more.

Learn more about the [Windows Security app](threat-protection/windows-defender-security-center/windows-defender-security-center.md).| | Encryption and data protection | Wherever confidential data is stored, it must be protected against unauthorized access, whether through physical device theft or from malicious applications. Windows provides strong at-rest data-protection solutions that guard against nefarious attackers.

Learn more about [Encryption](encryption-data-protection.md). -| BitLocker | BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. BitLocker provides the most protection when used with a Trusted Platform Module (TPM) version 1.2 or later.

Learn more about [BitLocker](information-protection/bitlocker/index.md). | +| BitLocker | BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. BitLocker provides the most protection when used with a Trusted Platform Module (TPM) version 1.2 or later.

Learn more about [BitLocker ](operating-system-security/data-protection/bitlocker/index.md). | | Encrypted Hard Drive | Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management.
By offloading the cryptographic operations to hardware, Encrypted Hard Drives increase BitLocker performance and reduce CPU usage and power consumption. Because Encrypted Hard Drives encrypt data quickly, enterprise devices can expand BitLocker deployment with minimal impact on productivity.

Learn more about [Encrypted Hard Drives](information-protection/encrypted-hard-drive.md).| | S/MIME | S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with.

Learn more about [S/MIME for Windows](operating-system-security/data-protection/configure-s-mime.md).| | Security baselines | A security baseline is a group of Microsoft-recommended configuration settings that explains their security impact. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers.

Security baselines are included in the [Security Compliance Toolkit](threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md) that you can download from the Microsoft Download Center.

Learn more about [security baselines](threat-protection/windows-security-configuration-framework/windows-security-baselines.md). | From 7b58cd3b93de23a1062d3e248292979ee64c8e1e Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Thu, 1 Jun 2023 14:54:13 -0400 Subject: [PATCH 42/80] fix redirects --- windows/security/hardware.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/hardware.md b/windows/security/hardware.md index 0baa5e3748..0c5081037f 100644 --- a/windows/security/hardware.md +++ b/windows/security/hardware.md @@ -22,4 +22,5 @@ These new threats call for computing hardware that is secure down to the very co | Hardware-based root of trust with Windows Defender System Guard | To protect critical resources such as Windows authentication, single sign-on tokens, Windows Hello, and the Virtual Trusted Platform Module, a system's firmware and hardware must be trustworthy.
Windows Defender System Guard helps protect and maintain the integrity of the system as it starts up and validate that system integrity has truly been maintained through local and remote attestation.

Learn more about [How a hardware-based root of trust helps protect Windows](threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md) and [System Guard Secure Launch and SMM protection](threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md). | | Enable virtualization-based protection of code integrity | Hypervisor-protected Code Integrity (HVCI) is a virtualization based security (VBS) feature available in Windows. In the Windows Device Security settings, HVCI is referred to as Memory Integrity.
HVCI and VBS improve the threat model of Windows and provide stronger protections against malware trying to exploit the Windows Kernel. VBS uses the Windows Hypervisor to create an isolated virtual environment that becomes the root of trust of the OS that assumes the kernel can be compromised. HVCI is a critical component that protects and hardens this virtual environment by running kernel mode code integrity within it and restricting kernel memory allocations that could be used to compromise the system.

Learn more: [Enable virtualization-based protection of code integrity](threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md). | Kernel Direct Memory Access (DMA) Protection | PCIe hot plug devices such as Thunderbolt, USB4, and CFexpress allow users to attach new classes of external peripherals, including graphics cards or other PCI devices, to their PCs with an experience identical to USB. Because PCI hot plug ports are external and easily accessible, PCs are susceptible to drive-by Direct Memory Access (DMA) attacks. Memory access protection (also known as Kernel DMA Protection) protects PCs against drive-by DMA attacks that use PCIe hot plug devices by limiting these external peripherals from being able to directly copy memory when the user has locked their PC.

Learn more about [Kernel DMA Protection](information-protection/kernel-dma-protection-for-thunderbolt.md). | -| Secured-core PCs | Microsoft is working closely with OEM partners and silicon vendors to build Secured-core PCs that feature deeply integrated hardware, firmware, and software to ensure enhanced security for devices, identities, and data.

Secured-core PCs provide protections that are useful against sophisticated attacks and can provide increased assurance when handling mission-critical data in some of the most data-sensitive industries, such as healthcare workers that handle medical records and other personally identifiable information (PII), commercial roles that handle high business impact and highly sensitive data, such as a financial controller with earnings data.

Learn more about [Secured-core PCs](/windows-hardware/design/device-experiences/oem-highly-secure).| +| Secured-core PCs | Microsoft is working closely with OEM partners and silicon vendors to build Secured-core PCs that feature deeply integrated hardware, firmware, and software to ensure enhanced security for devices, identities, and data.

Secured-core PCs provide protections that are useful against sophisticated attacks and can provide increased assurance when handling mission-critical data in some of the most data-sensitive industries, such as healthcare workers that handle medical records and other personally identifiable information (PII), commercial roles that handle high business impact and highly sensitive data, such as a financial controller with earnings data.

Learn more about [Secured-core PCs](/windows-hardware/design/device-experiences/oem-highly-secure).| + From 4520caaa2416e83b8863af5d728df5a3a23d741e Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Thu, 1 Jun 2023 14:58:43 -0400 Subject: [PATCH 43/80] fix TOC for external links --- .../data-protection/bitlocker/toc.yml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/windows/security/operating-system-security/data-protection/bitlocker/toc.yml b/windows/security/operating-system-security/data-protection/bitlocker/toc.yml index 502421f2da..5c6c556117 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/toc.yml +++ b/windows/security/operating-system-security/data-protection/bitlocker/toc.yml 
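Review bot: in windows/security/hardware.md (PATCH 42/80, hunk @@ -22,4 +22,5 @@) the removed and added `Secured-core PCs` rows read the same as shown here, and the only other change is the added blank line, so nothing in the hunk alters a link target even though the subject is "fix redirects". If the intent is only to end the table with a newline, say so in the commit message; if a link was meant to change, that change is missing from this hunk.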
@@ -52,23 +52,23 @@ items: href: protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md - name: Troubleshoot BitLocker items: - - name: Troubleshoot BitLocker + - name: Troubleshoot BitLocker 🔗 href: /troubleshoot/windows-client/windows-security/bitlocker-issues-troubleshooting - - name: "BitLocker cannot encrypt a drive: known issues" + - name: "BitLocker cannot encrypt a drive: known issues" 🔗 href: /troubleshoot/windows-client/windows-security/bitlocker-cannot-encrypt-a-drive-known-issues - - name: "Enforcing BitLocker policies by using Intune: known issues" + - name: "Enforcing BitLocker policies by using Intune: known issues" 🔗 href: /troubleshoot/windows-client/windows-security/enforcing-bitlocker-policies-by-using-intune-known-issues - - name: "BitLocker Network Unlock: known issues" + - name: "BitLocker Network Unlock: known issues" 🔗 href: /troubleshoot/windows-client/windows-security/bitlocker-network-unlock-known-issues - - name: "BitLocker recovery: known issues" + - name: "BitLocker recovery: known issues" 🔗 href: /troubleshoot/windows-client/windows-security/bitlocker-recovery-known-issues - - name: "BitLocker configuration: known issues" + - name: "BitLocker configuration: known issues" 🔗 href: /troubleshoot/windows-client/windows-security/bitlocker-configuration-known-issues - name: Troubleshoot BitLocker and TPM issues items: - - name: "BitLocker cannot encrypt a drive: known TPM issues" + - name: "BitLocker cannot encrypt a drive: known TPM issues" 🔗 href: /troubleshoot/windows-client/windows-security/bitlocker-cannot-encrypt-a-drive-known-tpm-issues - - name: "BitLocker and TPM: other known issues" + - name: "BitLocker and TPM: other known issues" 🔗 href: /troubleshoot/windows-client/windows-security/bitlocker-and-tpm-other-known-issues - - name: Decode Measured Boot logs to track PCR changes + - name: Decode Measured Boot logs to track PCR changes 🔗 href: 
/troubleshoot/windows-client/windows-security/decode-measured-boot-logs-to-track-pcr-changes \ No newline at end of file From c841e0dc5ea0c07c733aca2d0b212de5e83ed34e Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Thu, 1 Jun 2023 15:05:54 -0400 Subject: [PATCH 44/80] fix TOC --- .../data-protection/bitlocker/toc.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/windows/security/operating-system-security/data-protection/bitlocker/toc.yml b/windows/security/operating-system-security/data-protection/bitlocker/toc.yml index 5c6c556117..1e5a30d744 100644 --- a/windows/security/operating-system-security/data-protection/bitlocker/toc.yml +++ b/windows/security/operating-system-security/data-protection/bitlocker/toc.yml 
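Review bot: in bitlocker/toc.yml (PATCH 43/80, hunk @@ -52,23 +52,23 @@) the added lines of the form `- name: "BitLocker recovery: known issues" 🔗` put the 🔗 after the closing quote, which leaves text trailing a double-quoted scalar, and a YAML parser will reject that. Move the marker inside the quotes (`"BitLocker recovery: known issues 🔗"`), as PATCH 44/80 does, and squash the two commits so that no intermediate revision carries a TOC that fails to parse. The file also still ends without a trailing newline.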
@@ -54,21 +54,21 @@ items: items: - name: Troubleshoot BitLocker 🔗 href: /troubleshoot/windows-client/windows-security/bitlocker-issues-troubleshooting - - name: "BitLocker cannot encrypt a drive: known issues" 🔗 + - name: "BitLocker cannot encrypt a drive: known issues 🔗" href: /troubleshoot/windows-client/windows-security/bitlocker-cannot-encrypt-a-drive-known-issues - - name: "Enforcing BitLocker policies by using Intune: known issues" 🔗 + - name: "Enforcing BitLocker policies by using Intune: known issues 🔗" href: /troubleshoot/windows-client/windows-security/enforcing-bitlocker-policies-by-using-intune-known-issues - - name: "BitLocker Network Unlock: known issues" 🔗 + - name: "BitLocker Network Unlock: known issues 🔗" href: /troubleshoot/windows-client/windows-security/bitlocker-network-unlock-known-issues - - name: "BitLocker recovery: known issues" 🔗 + - name: "BitLocker recovery: known issues 🔗" href: /troubleshoot/windows-client/windows-security/bitlocker-recovery-known-issues - - name: "BitLocker configuration: known issues" 🔗 + - name: "BitLocker configuration: known issues 🔗" href: /troubleshoot/windows-client/windows-security/bitlocker-configuration-known-issues - name: Troubleshoot BitLocker and TPM issues items: - - name: "BitLocker cannot encrypt a drive: known TPM issues" 🔗 + - name: "BitLocker cannot encrypt a drive: known TPM issues 🔗" href: /troubleshoot/windows-client/windows-security/bitlocker-cannot-encrypt-a-drive-known-tpm-issues - - name: "BitLocker and TPM: other known issues" 🔗 + - name: "BitLocker and TPM: other known issues 🔗" href: /troubleshoot/windows-client/windows-security/bitlocker-and-tpm-other-known-issues - name: Decode Measured Boot logs to track PCR changes 🔗 href: /troubleshoot/windows-client/windows-security/decode-measured-boot-logs-to-track-pcr-changes \ No newline at end of file From 4ae8bcaae440d2f19c25760a538ba50a55aae1b2 Mon Sep 17 00:00:00 2001 
From: Albert Cabello Serrano Date: Thu, 1 Jun 2023 15:24:13 -0700 Subject: [PATCH 45/80] Update configure-windows-diagnostic-data-in-your-organization.md --- .../configure-windows-diagnostic-data-in-your-organization.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md index 247eab8256..96edcdddb8 100644 --- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md +++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md @@ -84,7 +84,7 @@ The following table lists the endpoints related to how you can manage the collec | [Windows Error Reporting](/windows/win32/wer/windows-error-reporting) | watson.telemetry.microsoft.com

umwatsonc.events.data.microsoft.com

*-umwatsonc.events.data.microsoft.com

ceuswatcab01.blob.core.windows.net

ceuswatcab02.blob.core.windows.net

eaus2watcab01.blob.core.windows.net

eaus2watcab02.blob.core.windows.net

weus2watcab01.blob.core.windows.net

weus2watcab02.blob.core.windows.net | |Authentication | login.live.com



IMPORTANT: This endpoint is used for device authentication. We do not recommend disabling this endpoint.| | [Online Crash Analysis](/windows/win32/dxtecharts/crash-dump-analysis) | oca.telemetry.microsoft.com

oca.microsoft.com

kmwatsonc.events.data.microsoft.com

*-kmwatsonc.events.data.microsoft.com | -|Settings | settings-win.data.microsoft.com



IMPORTANT: This endpoint is used to remotely configure diagnostics-related settings and data collection. For example, we use the settings endpoint to remotely block an event from being sent back to Microsoft. We do not recommend disabling this endpoint. This endpoint does not upload Windows diagnostic data. | +|Settings | settings-win.data.microsoft.com



IMPORTANT: This endpoint is required to remotely configure diagnostics-related settings and data collection. For example, we use the settings endpoint to remotely block an event from being sent back to Microsoft, or to enroll a device in the Windows diagnostic data processor configuration. Do not block accessto this endpoint. This endpoint does not upload Windows diagnostic data. | ### Proxy server authentication From 706f9c6f1ebe8648d8a2f28ac3154b19e7223815 Mon Sep 17 00:00:00 2001 From: Dan Brown <32883970+DHB-MSFT@users.noreply.github.com> Date: Thu, 1 Jun 2023 15:31:02 -0700 Subject: [PATCH 46/80] Add missing space --- .../configure-windows-diagnostic-data-in-your-organization.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md index 96edcdddb8..c4756bf8de 100644 --- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md +++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md @@ -84,7 +84,7 @@ The following table lists the endpoints related to how you can manage the collec | [Windows Error Reporting](/windows/win32/wer/windows-error-reporting) | watson.telemetry.microsoft.com

umwatsonc.events.data.microsoft.com

*-umwatsonc.events.data.microsoft.com

ceuswatcab01.blob.core.windows.net

ceuswatcab02.blob.core.windows.net

eaus2watcab01.blob.core.windows.net

eaus2watcab02.blob.core.windows.net

weus2watcab01.blob.core.windows.net

weus2watcab02.blob.core.windows.net | |Authentication | login.live.com



IMPORTANT: This endpoint is used for device authentication. We do not recommend disabling this endpoint.| | [Online Crash Analysis](/windows/win32/dxtecharts/crash-dump-analysis) | oca.telemetry.microsoft.com

oca.microsoft.com

kmwatsonc.events.data.microsoft.com

*-kmwatsonc.events.data.microsoft.com | -|Settings | settings-win.data.microsoft.com



IMPORTANT: This endpoint is required to remotely configure diagnostics-related settings and data collection. For example, we use the settings endpoint to remotely block an event from being sent back to Microsoft, or to enroll a device in the Windows diagnostic data processor configuration. Do not block accessto this endpoint. This endpoint does not upload Windows diagnostic data. | +|Settings | settings-win.data.microsoft.com



IMPORTANT: This endpoint is required to remotely configure diagnostics-related settings and data collection. For example, we use the settings endpoint to remotely block an event from being sent back to Microsoft, or to enroll a device in the Windows diagnostic data processor configuration. Do not block access to this endpoint. This endpoint does not upload Windows diagnostic data. | ### Proxy server authentication From 8c91aacb5e600c43bfdecc2a71ae1a944b392b5b Mon Sep 17 00:00:00 2001 From: Carmen Date: Thu, 1 Jun 2023 17:09:45 -0600 Subject: [PATCH 47/80] Addressed more comments --- windows/deployment/do/waas-delivery-optimization.md | 2 +- windows/deployment/update/wufb-reports-do.md | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/deployment/do/waas-delivery-optimization.md b/windows/deployment/do/waas-delivery-optimization.md index f2f3b86a53..649958f159 100644 --- a/windows/deployment/do/waas-delivery-optimization.md +++ b/windows/deployment/do/waas-delivery-optimization.md 
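Review bot: "accessto" in the Settings row was introduced by PATCH 45/80 and is only corrected in PATCH 46/80 (hunk @@ -84,7 +84,7 @@ of configure-windows-diagnostic-data-in-your-organization.md); squash the two commits so the typo never lands. The rewritten row also says "Do not block access to this endpoint" while the Authentication row in the same table keeps "We do not recommend disabling this endpoint", so pick one phrasing for both IMPORTANT notes.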
@@ -50,7 +50,7 @@ The following table lists the minimum Windows 10 version that supports Delivery | Windows Client | Minimum Windows version | HTTP Downloader | Peer to Peer | Microsoft Connected Cache (MCC) |------------------|---------------|----------------|----------|----------------| -| Windows Update (feature updates quality updates, language packs, drivers) | Windows 10 1511, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | +| Windows Update ([feature updates quality updates, language packs, drivers](../update/get-started-updates-channels-tools.md#types-of-updates)) | Windows 10 1511, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Windows 10 Store apps | Windows 10 1511, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Windows 10 Store for Business apps | Windows 10 1511, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | | Windows Defender definition updates | Windows 10 1511, Windows 11 | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | diff --git a/windows/deployment/update/wufb-reports-do.md b/windows/deployment/update/wufb-reports-do.md index d505ce8a89..d907318375 100644 --- a/windows/deployment/update/wufb-reports-do.md +++ b/windows/deployment/update/wufb-reports-do.md 
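Review bot: in waas-delivery-optimization.md (hunk @@ -50,7 +50,7 @@) the new link text still reads "feature updates quality updates", with no comma between the first two items; the missing comma was already in the removed line and is now carried into the link. Write it as "feature updates, quality updates, language packs, drivers", and consider linking only the update-type terms rather than the whole parenthetical.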
@@ -152,11 +152,11 @@ There are many Microsoft [content types](waas-delivery-optimization.md#types-of- | Content Category | Content Types Included | | --- | --- | | Apps | Windows 10 Store apps, Windows 10 Store for Business apps, Windows 11 UWP Store apps | -| Driver Updates | Windows Update Driver updates | -| Feature and Flighting Updates | Windows Update Feature and Flighting updates | +| Driver Updates | Windows Update [Driver updates](get-started-updates-channels-tools.md#types-of-updates) | +| Feature Updates | Windows Update [Feature updates](get-started-updates-channels-tools.md#types-of-updates) | | Office | Microsoft 365 Apps and updates | | Other | Windows Language Packs, Windows Defender definition updates, Intune Win32 apps, Edge Browser updates, Configuration Manager Express updates, Dynamic updates, MDM Agent, Xbox Game Pass (PC), Windows Package Manager, MSIX Installer (includes Windows 11 Store Win32 apps, Windows 11 Teams updates) | -| Quality Updates | Windows Updates Quality updates | +| Quality Updates | Windows Updates [Quality updates](get-started-updates-channels-tools.md#types-of-updates)) | ## Frequency Asked Questions From 0f8c83d8c8112fcc5faf0bacdaafb58c157b9f2e Mon Sep 17 00:00:00 2001 
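Review bot: in wufb-reports-do.md (hunk @@ -152,11 +152,11 @@) the added Quality Updates row ends with `#types-of-updates)) |`, so a stray `)` will render after the link; drop the second parenthesis. The rename of "Feature and Flighting Updates" to "Feature Updates" also removes flighting from the table without saying which category now counts that content, so either keep it or state where it is reported.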
From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Fri, 2 Jun 2023 11:30:05 -0400 Subject: [PATCH 48/80] May CSP Changes --- .../mdm/activesync-ddf-file.md | 4 +- .../mdm/applicationcontrol-csp-ddf.md | 4 +- .../mdm/applocker-ddf-file.md | 4 +- .../mdm/assignedaccess-ddf.md | 4 +- .../mdm/bitlocker-ddf-file.md | 4 +- .../mdm/certificatestore-ddf-file.md | 4 +- .../mdm/clientcertificateinstall-ddf-file.md | 6 +- windows/client-management/mdm/defender-ddf.md | 4 +- .../mdm/devdetail-ddf-file.md | 4 +- .../mdm/devicemanageability-ddf.md | 4 +- .../mdm/devicepreparation-ddf-file.md | 4 +- .../client-management/mdm/devicestatus-ddf.md | 4 +- .../client-management/mdm/devinfo-ddf-file.md | 4 +- .../mdm/diagnosticlog-ddf.md | 4 +- .../client-management/mdm/dmacc-ddf-file.md | 4 +- .../mdm/dmclient-ddf-file.md | 6 +- .../client-management/mdm/email2-ddf-file.md | 4 +- ...enterprisedesktopappmanagement-ddf-file.md | 6 +- .../mdm/enterprisemodernappmanagement-ddf.md | 6 +- .../client-management/mdm/euiccs-ddf-file.md | 4 +- .../mdm/firewall-ddf-file.md | 4 +- .../mdm/healthattestation-ddf.md | 4 +- .../mdm/language-pack-management-ddf-file.md | 4 +- .../client-management/mdm/networkproxy-ddf.md | 4 +- .../mdm/networkqospolicy-ddf.md | 4 +- .../mdm/nodecache-ddf-file.md | 6 +- windows/client-management/mdm/office-ddf.md | 6 +- .../mdm/passportforwork-ddf.md | 6 +- .../mdm/personaldataencryption-ddf-file.md | 4 +- .../mdm/personalization-ddf.md | 4 +- ...in-policy-csp-supported-by-group-policy.md | 4 +- .../mdm/policy-csp-admx-windowsexplorer.md | 12 ++-- .../mdm/policy-csp-connectivity.md | 3 +- .../mdm/policy-csp-defender.md | 4 +- .../mdm/policy-csp-experience.md | 64 ++++++++++++++++++- .../mdm/policy-csp-notifications.md | 62 +++++++++++++++++- .../mdm/printerprovisioning-ddf-file.md | 4 +- windows/client-management/mdm/reboot-csp.md | 6 +- .../client-management/mdm/reboot-ddf-file.md | 8 +-- .../mdm/rootcacertificates-ddf-file.md | 6 +- 
.../mdm/sharedpc-ddf-file.md | 4 +- .../client-management/mdm/supl-ddf-file.md | 4 +- .../client-management/mdm/vpnv2-ddf-file.md | 6 +- .../client-management/mdm/wifi-ddf-file.md | 6 +- ...indowsdefenderapplicationguard-ddf-file.md | 4 +- .../mdm/windowslicensing-ddf-file.md | 4 +- .../mdm/wirednetwork-ddf-file.md | 6 +- 47 files changed, 235 insertions(+), 106 deletions(-) diff --git a/windows/client-management/mdm/activesync-ddf-file.md b/windows/client-management/mdm/activesync-ddf-file.md index 5128680488..0b6939811a 100644 --- a/windows/client-management/mdm/activesync-ddf-file.md +++ b/windows/client-management/mdm/activesync-ddf-file.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 02/16/2023 +ms.date: 06/02/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -47,7 +47,7 @@ The following XML file contains the device description framework (DDF) for the A 10.0.10240 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD; diff --git a/windows/client-management/mdm/applicationcontrol-csp-ddf.md b/windows/client-management/mdm/applicationcontrol-csp-ddf.md index 27821afa03..199adf8620 100644 --- a/windows/client-management/mdm/applicationcontrol-csp-ddf.md +++ b/windows/client-management/mdm/applicationcontrol-csp-ddf.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 02/16/2023 +ms.date: 06/02/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
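Review bot: in activesync-ddf-file.md (hunk @@ -47,7 +47,7 @@) the semicolon-separated hex list loses 0x77 and 0xB4, and the following DDF hunks in this patch also drop 0x87 and 0x88* from the same list, but the subject "May CSP Changes" gives no reason for any of it. Since the same edit is repeated across dozens of files, state in the commit message which values were removed and why, so the list can be checked once rather than file by file.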
@@ -47,7 +47,7 @@ The following XML file contains the device description framework (DDF) for the A 10.0.18362 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD; diff --git a/windows/client-management/mdm/applocker-ddf-file.md b/windows/client-management/mdm/applocker-ddf-file.md index af3f58ccbe..9ffbf897b8 100644 --- a/windows/client-management/mdm/applocker-ddf-file.md +++ b/windows/client-management/mdm/applocker-ddf-file.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 02/23/2023 +ms.date: 06/02/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -47,7 +47,7 @@ The following XML file contains the device description framework (DDF) for the A 10.0.10586 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD; diff --git a/windows/client-management/mdm/assignedaccess-ddf.md b/windows/client-management/mdm/assignedaccess-ddf.md index f91d0c0381..5ef69490c0 100644 --- a/windows/client-management/mdm/assignedaccess-ddf.md +++ b/windows/client-management/mdm/assignedaccess-ddf.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 02/27/2023 +ms.date: 06/02/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -47,7 +47,7 @@ The following XML file contains the device description framework (DDF) for the A 10.0.10240 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD; diff --git a/windows/client-management/mdm/bitlocker-ddf-file.md b/windows/client-management/mdm/bitlocker-ddf-file.md index a5b1dd75f5..c6d82985f8 100644 --- a/windows/client-management/mdm/bitlocker-ddf-file.md +++ b/windows/client-management/mdm/bitlocker-ddf-file.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/01/2023 +ms.date: 06/02/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -46,7 +46,7 @@ The following XML file contains the device description framework (DDF) for the B 10.0.15063 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD; diff --git a/windows/client-management/mdm/certificatestore-ddf-file.md b/windows/client-management/mdm/certificatestore-ddf-file.md index 8cf58152f0..5c819f96bc 100644 --- a/windows/client-management/mdm/certificatestore-ddf-file.md +++ b/windows/client-management/mdm/certificatestore-ddf-file.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 02/16/2023 +ms.date: 06/02/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -49,7 +49,7 @@ The following XML file contains the device description framework (DDF) for the C 10.0.10586 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD; diff --git a/windows/client-management/mdm/clientcertificateinstall-ddf-file.md b/windows/client-management/mdm/clientcertificateinstall-ddf-file.md index 08abb4da3e..c5b24365ff 100644 --- a/windows/client-management/mdm/clientcertificateinstall-ddf-file.md +++ b/windows/client-management/mdm/clientcertificateinstall-ddf-file.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 02/24/2023 +ms.date: 06/02/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -46,7 +46,7 @@ The following XML file contains the device description framework (DDF) for the C 10.0.10586 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD; @@ -1129,7 +1129,7 @@ Valid values are: 10.0.10586 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD; 
diff --git a/windows/client-management/mdm/defender-ddf.md b/windows/client-management/mdm/defender-ddf.md index 09e0cb692e..01eaf11740 100644 --- a/windows/client-management/mdm/defender-ddf.md +++ b/windows/client-management/mdm/defender-ddf.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/01/2023 +ms.date: 06/02/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -46,7 +46,7 @@ The following XML file contains the device description framework (DDF) for the D 10.0.10586 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD; diff --git a/windows/client-management/mdm/devdetail-ddf-file.md b/windows/client-management/mdm/devdetail-ddf-file.md index 143225fc55..542ddf9b2d 100644 --- a/windows/client-management/mdm/devdetail-ddf-file.md +++ b/windows/client-management/mdm/devdetail-ddf-file.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 02/17/2023 +ms.date: 06/02/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -47,7 +47,7 @@ The following XML file contains the device description framework (DDF) for the D 10.0.10586 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD; 
diff --git a/windows/client-management/mdm/devicemanageability-ddf.md b/windows/client-management/mdm/devicemanageability-ddf.md index 3436c3b0bb..9c0d424446 100644 --- a/windows/client-management/mdm/devicemanageability-ddf.md +++ b/windows/client-management/mdm/devicemanageability-ddf.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 02/17/2023 +ms.date: 06/02/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -49,7 +49,7 @@ The following XML file contains the device description framework (DDF) for the D 10.0.14393 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD; diff --git a/windows/client-management/mdm/devicepreparation-ddf-file.md b/windows/client-management/mdm/devicepreparation-ddf-file.md index 9d1713e298..3174ac4dab 100644 --- a/windows/client-management/mdm/devicepreparation-ddf-file.md +++ b/windows/client-management/mdm/devicepreparation-ddf-file.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/01/2023 +ms.date: 06/02/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -47,7 +47,7 @@ The following XML file contains the device description framework (DDF) for the D 99.9.99999 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD; diff --git a/windows/client-management/mdm/devicestatus-ddf.md b/windows/client-management/mdm/devicestatus-ddf.md index 63dbac6ba7..231f3f5a26 100644 --- a/windows/client-management/mdm/devicestatus-ddf.md +++ b/windows/client-management/mdm/devicestatus-ddf.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 02/17/2023 +ms.date: 06/02/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -46,7 +46,7 @@ The following XML file contains the device description framework (DDF) for the D 10.0.10586 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD; diff --git a/windows/client-management/mdm/devinfo-ddf-file.md b/windows/client-management/mdm/devinfo-ddf-file.md index 633bc085bd..f28018452e 100644 --- a/windows/client-management/mdm/devinfo-ddf-file.md +++ b/windows/client-management/mdm/devinfo-ddf-file.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 02/17/2023 +ms.date: 06/02/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -48,7 +48,7 @@ The following XML file contains the device description framework (DDF) for the D 10.0.10586 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD; diff --git a/windows/client-management/mdm/diagnosticlog-ddf.md b/windows/client-management/mdm/diagnosticlog-ddf.md index e87402d67d..3308eaf8c9 100644 --- a/windows/client-management/mdm/diagnosticlog-ddf.md +++ b/windows/client-management/mdm/diagnosticlog-ddf.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 02/21/2023 +ms.date: 06/02/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -46,7 +46,7 @@ The following XML file contains the device description framework (DDF) for the D 10.0.10586 1.2 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD; diff --git a/windows/client-management/mdm/dmacc-ddf-file.md b/windows/client-management/mdm/dmacc-ddf-file.md index 57bfdbcc89..8f0a89e31b 100644 --- a/windows/client-management/mdm/dmacc-ddf-file.md +++ b/windows/client-management/mdm/dmacc-ddf-file.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 02/21/2023 +ms.date: 06/02/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -47,7 +47,7 @@ The following XML file contains the device description framework (DDF) for the D 10.0.10586 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD; diff --git a/windows/client-management/mdm/dmclient-ddf-file.md b/windows/client-management/mdm/dmclient-ddf-file.md index 4de7f3bf11..8940dcd7f9 100644 --- a/windows/client-management/mdm/dmclient-ddf-file.md +++ b/windows/client-management/mdm/dmclient-ddf-file.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/01/2023 +ms.date: 06/02/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -47,7 +47,7 @@ The following XML file contains the device description framework (DDF) for the D 10.0.10240 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD; @@ -484,7 +484,7 @@ The following XML file contains the device description framework (DDF) for the D 10.0.10240 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD; 
diff --git a/windows/client-management/mdm/email2-ddf-file.md b/windows/client-management/mdm/email2-ddf-file.md index 20e168d936..fd201ec09e 100644 --- a/windows/client-management/mdm/email2-ddf-file.md +++ b/windows/client-management/mdm/email2-ddf-file.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 02/21/2023 +ms.date: 06/02/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -47,7 +47,7 @@ The following XML file contains the device description framework (DDF) for the E 10.0.10240 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD; diff --git a/windows/client-management/mdm/enterprisedesktopappmanagement-ddf-file.md b/windows/client-management/mdm/enterprisedesktopappmanagement-ddf-file.md index 788f6427ae..b20f68bf7f 100644 --- a/windows/client-management/mdm/enterprisedesktopappmanagement-ddf-file.md +++ b/windows/client-management/mdm/enterprisedesktopappmanagement-ddf-file.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 02/27/2023 +ms.date: 06/02/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -47,7 +47,7 @@ The following XML file contains the device description framework (DDF) for the E 10.0.10586 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD; 
@@ -407,7 +407,7 @@ The following XML file contains the device description framework (DDF) for the E 10.0.10586 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD; diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md b/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md index 2e9e5509b9..9067ae0893 100644 --- a/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md +++ b/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 02/24/2023 +ms.date: 06/02/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -46,7 +46,7 @@ The following XML file contains the device description framework (DDF) for the E 10.0.10586 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD; @@ -2594,7 +2594,7 @@ The following XML file contains the device description framework (DDF) for the E 10.0.10586 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD; 
diff --git a/windows/client-management/mdm/euiccs-ddf-file.md b/windows/client-management/mdm/euiccs-ddf-file.md index 7e78256e0b..d1293442b4 100644 --- a/windows/client-management/mdm/euiccs-ddf-file.md +++ b/windows/client-management/mdm/euiccs-ddf-file.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 02/21/2023 +ms.date: 06/02/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -50,7 +50,7 @@ The following XML file contains the device description framework (DDF) for the e 10.0.16299 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD; diff --git a/windows/client-management/mdm/firewall-ddf-file.md b/windows/client-management/mdm/firewall-ddf-file.md index 6fd0b6982d..333baf09d9 100644 --- a/windows/client-management/mdm/firewall-ddf-file.md +++ b/windows/client-management/mdm/firewall-ddf-file.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/01/2023 +ms.date: 06/02/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -47,7 +47,7 @@ The following XML file contains the device description framework (DDF) for the F 10.0.16299 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD; 
diff --git a/windows/client-management/mdm/healthattestation-ddf.md b/windows/client-management/mdm/healthattestation-ddf.md index 3870db4bb5..7207f7cd68 100644 --- a/windows/client-management/mdm/healthattestation-ddf.md +++ b/windows/client-management/mdm/healthattestation-ddf.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 02/27/2023 +ms.date: 06/02/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -47,7 +47,7 @@ The following XML file contains the device description framework (DDF) for the H 10.0.10586 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD; diff --git a/windows/client-management/mdm/language-pack-management-ddf-file.md b/windows/client-management/mdm/language-pack-management-ddf-file.md index 398f64ec81..5c5c679379 100644 --- a/windows/client-management/mdm/language-pack-management-ddf-file.md +++ b/windows/client-management/mdm/language-pack-management-ddf-file.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 02/17/2023 +ms.date: 06/02/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -49,7 +49,7 @@ The following XML file contains the device description framework (DDF) for the L 99.9.9999 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD; diff --git a/windows/client-management/mdm/networkproxy-ddf.md b/windows/client-management/mdm/networkproxy-ddf.md index 06042fcea6..72d1c7936d 100644 --- a/windows/client-management/mdm/networkproxy-ddf.md +++ b/windows/client-management/mdm/networkproxy-ddf.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 02/17/2023 +ms.date: 06/02/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -47,7 +47,7 @@ The following XML file contains the device description framework (DDF) for the N 10.0.15063 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD; diff --git a/windows/client-management/mdm/networkqospolicy-ddf.md b/windows/client-management/mdm/networkqospolicy-ddf.md index c2846f500d..170cfe0fae 100644 --- a/windows/client-management/mdm/networkqospolicy-ddf.md +++ b/windows/client-management/mdm/networkqospolicy-ddf.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 02/17/2023 +ms.date: 06/02/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -47,7 +47,7 @@ The following XML file contains the device description framework (DDF) for the N 10.0.19042 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD; diff --git a/windows/client-management/mdm/nodecache-ddf-file.md b/windows/client-management/mdm/nodecache-ddf-file.md index 9b143a00d7..e2d509178e 100644 --- a/windows/client-management/mdm/nodecache-ddf-file.md +++ b/windows/client-management/mdm/nodecache-ddf-file.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 02/21/2023 +ms.date: 06/02/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -47,7 +47,7 @@ The following XML file contains the device description framework (DDF) for the N 10.0.15063 1.1 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD; @@ -301,7 +301,7 @@ The following XML file contains the device description framework (DDF) for the N 10.0.10586 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD; 
diff --git a/windows/client-management/mdm/office-ddf.md b/windows/client-management/mdm/office-ddf.md index 85276e8c25..e3301499dc 100644 --- a/windows/client-management/mdm/office-ddf.md +++ b/windows/client-management/mdm/office-ddf.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 02/17/2023 +ms.date: 06/02/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -47,7 +47,7 @@ The following XML file contains the device description framework (DDF) for the O 10.0.15063 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD; @@ -218,7 +218,7 @@ The following XML file contains the device description framework (DDF) for the O 10.0.15063 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD; diff --git a/windows/client-management/mdm/passportforwork-ddf.md b/windows/client-management/mdm/passportforwork-ddf.md index 28991ea21c..3e17cfe42d 100644 --- a/windows/client-management/mdm/passportforwork-ddf.md +++ b/windows/client-management/mdm/passportforwork-ddf.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 06/02/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -46,7 +46,7 @@ The following XML file contains the device description framework (DDF) for the P 10.0.10586 1.2 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD; @@ -572,7 +572,7 @@ If you do not configure this policy setting, Windows Hello for Business requires 10.0.10586 1.2 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD; diff --git a/windows/client-management/mdm/personaldataencryption-ddf-file.md b/windows/client-management/mdm/personaldataencryption-ddf-file.md index 1d5d233812..b2f9432892 100644 --- a/windows/client-management/mdm/personaldataencryption-ddf-file.md +++ b/windows/client-management/mdm/personaldataencryption-ddf-file.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/01/2023 +ms.date: 06/02/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -46,7 +46,7 @@ The following XML file contains the device description framework (DDF) for the P 10.0.22621 1.0 - 0x4;0x1B;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0xAB;0xAC;0xB4;0xBC;0xBF;0xCD; + 0x4;0x1B;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0xAB;0xAC;0xBC;0xBF;0xCD; diff --git a/windows/client-management/mdm/personalization-ddf.md b/windows/client-management/mdm/personalization-ddf.md index b2d5a5ded4..a57ddb1e63 100644 
--- a/windows/client-management/mdm/personalization-ddf.md +++ b/windows/client-management/mdm/personalization-ddf.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 02/17/2023 +ms.date: 06/02/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -49,7 +49,7 @@ The following XML file contains the device description framework (DDF) for the P 10.0.16299 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD; diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md index f9aa11914a..9b79c99c4a 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md +++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md @@ -4,7 +4,7 @@ description: Learn about the policies in Policy CSP supported by Group Policy. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/01/2023 +ms.date: 06/02/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -362,6 +362,7 @@ This article lists the policies in Policy CSP that have a group policy mapping. ## Experience +- [AllowScreenRecorder](policy-csp-experience.md) - [AllowSpotlightCollection](policy-csp-experience.md) - [AllowThirdPartySuggestionsInWindowsSpotlight](policy-csp-experience.md) - [AllowWindowsSpotlight](policy-csp-experience.md) 
@@ -517,6 +518,7 @@ This article lists the policies in Policy CSP that have a group policy mapping. - [DisallowNotificationMirroring](policy-csp-notifications.md) - [DisallowTileNotification](policy-csp-notifications.md) - [EnableExpandedToastNotifications](policy-csp-notifications.md) +- [DisableAccountNotifications](policy-csp-notifications.md) - [DisallowCloudNotification](policy-csp-notifications.md) - [WnsEndpoint](policy-csp-notifications.md) diff --git a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md index d93f4952bf..29e561a04d 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_WindowsExplorer Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/11/2023 +ms.date: 06/02/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -105,7 +105,7 @@ This setting allows an administrator to revert specific Windows Shell behavior t - If you enable this setting, users can't configure their system to open items by single-clicking (such as in Mouse in Control Panel). As a result, the user interface looks and operates like the interface for Windows NT 4.0, and users can't restore the new features. -Enabling this policy will also turn off the preview pane and set the folder options for File Explorer to Use classic folders view and disable the user's ability to change these options. +Enabling this policy will also turn off the preview pane and set the folder options for File Explorer to Use classic folders view and disable the users ability to change these options. - If you disable or not configure this policy, the default File Explorer behavior is applied to the user. 
@@ -3173,7 +3173,9 @@ If you enable this setting, the system removes the Map Network Drive and Disconn This setting doesn't prevent users from connecting to another computer by typing the name of a shared folder in the Run dialog box. > [!NOTE] -> This setting was documented incorrectly on the Explain tab in Group Policy for Windows 2000. The Explain tab states incorrectly that this setting prevents users from connecting and disconnecting drives. +> + +This setting was documented incorrectly on the Explain tab in Group Policy for Windows 2000. The Explain tab states incorrectly that this setting prevents users from connecting and disconnecting drives. > [!NOTE] > It's a requirement for third-party applications with Windows 2000 or later certification to adhere to this setting. @@ -3965,11 +3967,11 @@ To remove network computers from lists of network resources, use the "No Entire -Configures the list of items displayed in the Places Bar in the Windows File/Open dialog. If this setting is enabled, you can specify from 1 to 5 items to be displayed in the Places Bar. +Configures the list of items displayed in the Places Bar in the Windows File/Open dialog. If enable this setting you can specify from 1 to 5 items to be displayed in the Places Bar. The valid items you may display in the Places Bar are: -1) Shortcuts to a local folder -- (ex. C:\Windows) +1) Shortcuts to a local folders -- (ex. C:\Windows) 2) Shortcuts to remote folders -- (\\server\share) diff --git a/windows/client-management/mdm/policy-csp-connectivity.md b/windows/client-management/mdm/policy-csp-connectivity.md index 0ba1dc7cfe..3901124ada 100644 --- a/windows/client-management/mdm/policy-csp-connectivity.md +++ b/windows/client-management/mdm/policy-csp-connectivity.md 
@@ -4,7 +4,7 @@ description: Learn more about the Connectivity Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 06/02/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -65,7 +65,6 @@ Allows the user to enable Bluetooth or restrict access. | Value | Description | |:--|:--| | 0 | Disallow Bluetooth. If this is set to 0, the radio in the Bluetooth control panel will be grayed out and the user won't be able to turn Bluetooth on. | -| 1 | Reserved. If this is set to 1, the radio in the Bluetooth control panel will be functional and the user will be able to turn Bluetooth on. | | 2 (Default) | Allow Bluetooth. If this is set to 2, the radio in the Bluetooth control panel will be functional and the user will be able to turn Bluetooth on. | diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md index 43cdc9a4ee..1eb23bfa94 100644 --- a/windows/client-management/mdm/policy-csp-defender.md +++ b/windows/client-management/mdm/policy-csp-defender.md @@ -4,7 +4,7 @@ description: Learn more about the Defender Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/11/2023 +ms.date: 06/02/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -1764,6 +1764,8 @@ Same as Disabled. | 0 (Default) | Disabled. | | 1 | Enabled. | | 2 | Audit Mode. | +| 3 | Block disk modification only. | +| 4 | Audit disk modification only. | diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md index 98e5bc674b..71637d5849 100644 --- a/windows/client-management/mdm/policy-csp-experience.md +++ b/windows/client-management/mdm/policy-csp-experience.md 
@@ -4,7 +4,7 @@ description: Learn more about the Experience Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/11/2023 +ms.date: 06/02/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -485,6 +485,68 @@ Allow screen capture. + +## AllowScreenRecorder + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ❌ Device
✅ User | ❌ Pro
✅ Enterprise
✅ Education
❌ Windows SE | ✅ Windows Insider Preview | + + + +```User +./User/Vendor/MSFT/Policy/Config/Experience/AllowScreenRecorder +``` + + + + +This policy setting allows you to control whether screen recording functionality is available in the Windows Snipping Tool app. + +- If you disable this policy setting, screen recording functionality won't be accessible in the Windows Snipping Tool app. + +- If you enable or don't configure this policy setting, users will be able to access screen recording functionality. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 1 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 | Disabled. | +| 1 (Default) | Enabled. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | AllowScreenRecorder | +| Path | Programs > AT > WindowsComponents > SnippingTool | + + + + + + + + ## AllowSharingOfOfficeFiles diff --git a/windows/client-management/mdm/policy-csp-notifications.md b/windows/client-management/mdm/policy-csp-notifications.md index 65ea9ad54a..5a9ba3c250 100644 --- a/windows/client-management/mdm/policy-csp-notifications.md +++ b/windows/client-management/mdm/policy-csp-notifications.md @@ -4,7 +4,7 @@ description: Learn more about the Notifications Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/11/2023 +ms.date: 06/02/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -16,10 +16,70 @@ ms.topic: reference # Policy CSP - Notifications +[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)] + + +## DisableAccountNotifications + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| ❌ Device
✅ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows Insider Preview | + + + +```User +./User/Vendor/MSFT/Policy/Config/Notifications/DisableAccountNotifications +``` + + + + +This policy allows you to prevent Windows from displaying notifications to Microsoft account (MSA) and local users in Start (user tile). Notifications include getting users to: reauthenticate; backup their device; manage cloud storage quotas as well as manage their Microsoft 365 or XBOX subscription. If you enable this policy setting, Windows won't send account related notifications for local and MSA users to the user tile in Start. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | `int` | +| Access Type | Add, Delete, Get, Replace | +| Default Value | 0 | + + + +**Allowed values**: + +| Value | Description | +|:--|:--| +| 0 (Default) | Disabled. | +| 1 | Enabled. | + + + +**Group policy mapping**: + +| Name | Value | +|:--|:--| +| Name | DisableAccountNotifications | +| Path | AccountNotifications > AT > WindowsComponents > AccountNotifications | + + + + + + + + ## DisallowCloudNotification diff --git a/windows/client-management/mdm/printerprovisioning-ddf-file.md b/windows/client-management/mdm/printerprovisioning-ddf-file.md index 811b19bdc0..d7306bda75 100644 --- a/windows/client-management/mdm/printerprovisioning-ddf-file.md +++ b/windows/client-management/mdm/printerprovisioning-ddf-file.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 02/17/2023 +ms.date: 06/02/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -47,7 +47,7 @@ The following XML file contains the device description framework (DDF) for the P 10.0.22000, 10.0.19044.1806, 10.0.19043.1806, 10.0.19042.1806 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD; diff --git a/windows/client-management/mdm/reboot-csp.md b/windows/client-management/mdm/reboot-csp.md index b2fdf60bb4..da2abd5e26 100644 --- a/windows/client-management/mdm/reboot-csp.md +++ b/windows/client-management/mdm/reboot-csp.md @@ -4,7 +4,7 @@ description: Learn more about the Reboot CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 06/02/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -16,6 +16,8 @@ ms.topic: reference # Reboot CSP +[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)] + The Reboot configuration service provider is used to configure reboot settings. @@ -194,7 +196,7 @@ Value in ISO8601, both the date and time are required. A reboot will be schedule | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later | +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows Insider Preview | diff --git a/windows/client-management/mdm/reboot-ddf-file.md b/windows/client-management/mdm/reboot-ddf-file.md index 7771d079d3..c7de504eb0 100644 --- a/windows/client-management/mdm/reboot-ddf-file.md +++ b/windows/client-management/mdm/reboot-ddf-file.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/01/2023 +ms.date: 06/02/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -47,7 +47,7 @@ The following XML file contains the device description framework (DDF) for the R 10.0.14393 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD; @@ -171,8 +171,8 @@ The following XML file contains the device description framework (DDF) for the R - 10.0.22621 - 1.0 + 99.9.99999 + 9.9 diff --git a/windows/client-management/mdm/rootcacertificates-ddf-file.md b/windows/client-management/mdm/rootcacertificates-ddf-file.md index 14712bc288..bf1c7db754 100644 --- a/windows/client-management/mdm/rootcacertificates-ddf-file.md +++ b/windows/client-management/mdm/rootcacertificates-ddf-file.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 06/02/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
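Review bot: The Applicable OS change in reboot-csp.md (@@ -194,7 +196,7 @@) and the version change in reboot-ddf-file.md (@@ -171,8 +171,8 @@) read as a regression for a node that was documented against a released build. The table cell goes from `Windows 11, version 22H2 [10.0.22621] and later` to `Windows Insider Preview`, and the DDF values go from `10.0.22621` / `1.0` to `99.9.99999` / `9.9`. An admin who relies on this page to decide whether the setting can be deployed will conclude it is not available on 22H2. Please confirm the change is attached to the right node, and if it is intentional, say so in the commit message.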
@@ -47,7 +47,7 @@ The following XML file contains the device description framework (DDF) for the R 10.0.10586 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD; @@ -1074,7 +1074,7 @@ The following XML file contains the device description framework (DDF) for the R 10.0.10586 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD; diff --git a/windows/client-management/mdm/sharedpc-ddf-file.md b/windows/client-management/mdm/sharedpc-ddf-file.md index 0fc3249c8c..d04d885895 100644 --- a/windows/client-management/mdm/sharedpc-ddf-file.md +++ b/windows/client-management/mdm/sharedpc-ddf-file.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 02/21/2023 +ms.date: 06/02/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -47,7 +47,7 @@ The following XML file contains the device description framework (DDF) for the S 10.0.14393 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD; diff --git a/windows/client-management/mdm/supl-ddf-file.md b/windows/client-management/mdm/supl-ddf-file.md index af93e84137..6bb8f708d1 100644 
--- a/windows/client-management/mdm/supl-ddf-file.md +++ b/windows/client-management/mdm/supl-ddf-file.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 03/23/2023 +ms.date: 06/02/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -49,7 +49,7 @@ The following XML file contains the device description framework (DDF) for the S 10.0.10240 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD; diff --git a/windows/client-management/mdm/vpnv2-ddf-file.md b/windows/client-management/mdm/vpnv2-ddf-file.md index 294b7c1f32..2bb3347699 100644 --- a/windows/client-management/mdm/vpnv2-ddf-file.md +++ b/windows/client-management/mdm/vpnv2-ddf-file.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 02/27/2023 +ms.date: 06/02/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -46,7 +46,7 @@ The following XML file contains the device description framework (DDF) for the V 10.0.10586 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD; 
@@ -3272,7 +3272,7 @@ The following XML file contains the device description framework (DDF) for the V 10.0.10586 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD; diff --git a/windows/client-management/mdm/wifi-ddf-file.md b/windows/client-management/mdm/wifi-ddf-file.md index c955abb2f5..eab3572b5b 100644 --- a/windows/client-management/mdm/wifi-ddf-file.md +++ b/windows/client-management/mdm/wifi-ddf-file.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 02/17/2023 +ms.date: 06/02/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -46,7 +46,7 @@ The following XML file contains the device description framework (DDF) for the W 10.0.10586 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xBC;0xBF;0xCA;0xCB;0xCD; @@ -330,7 +330,7 @@ The following XML file contains the device description framework (DDF) for the W 10.0.10586 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x88;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xBC;0xBF;0xCA;0xCB;0xCD; 
diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md b/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md index 67e900aa01..fd77cfe61d 100644 --- a/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md +++ b/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 02/17/2023 +ms.date: 06/02/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -47,7 +47,7 @@ The following XML file contains the device description framework (DDF) for the W 10.0.16299 1.1 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xAF;0xBC;0xBF;0xCA;0xCB;0xCD; diff --git a/windows/client-management/mdm/windowslicensing-ddf-file.md b/windows/client-management/mdm/windowslicensing-ddf-file.md index b5e14bb5ec..97d6ff5d83 100644 --- a/windows/client-management/mdm/windowslicensing-ddf-file.md +++ b/windows/client-management/mdm/windowslicensing-ddf-file.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/01/2023 +ms.date: 06/02/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -47,7 +47,7 @@ The following XML file contains the device description framework (DDF) for the W 10.0.10586 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x87;0x88*;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xB4;0xBC;0xBF;0xCD; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xBC;0xBF;0xCD; diff --git a/windows/client-management/mdm/wirednetwork-ddf-file.md b/windows/client-management/mdm/wirednetwork-ddf-file.md index 42f5285262..bfe5dc35f3 100644 --- a/windows/client-management/mdm/wirednetwork-ddf-file.md +++ b/windows/client-management/mdm/wirednetwork-ddf-file.md @@ -4,7 +4,7 @@ description: View the XML file containing the device description framework (DDF) author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 02/16/2023 +ms.date: 06/02/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -46,7 +46,7 @@ The following XML file contains the device description framework (DDF) for the W 10.0.17763 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xBC;0xBF;0xCA;0xCB;0xCD; @@ -125,7 +125,7 @@ The following XML file contains the device description framework (DDF) for the W 10.0.17763 1.0 - 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x77;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xB4;0xBC;0xBF;0xCA;0xCB;0xCD; + 0x4;0x1B;0x30;0x31;0x48;0x54;0x62;0x63;0x64;0x65;0x79;0x7A;0x7D;0x7E;0x81;0x82;0x8A;0x8B;0xA1;0xA2;0xA4;0xA5;0xAB;0xAC;0xBC;0xBF;0xCA;0xCB;0xCD; From 9edbdffc839d626edb7412b36656e3e900ace862 Mon Sep 17 00:00:00 2001 
From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Fri, 2 Jun 2023 11:30:48 -0400 Subject: [PATCH 49/80] Add a note to PageVisibilityList --- windows/client-management/mdm/policy-csp-settings.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-settings.md b/windows/client-management/mdm/policy-csp-settings.md index 8ed5d9c722..0580ff95fc 100644 --- a/windows/client-management/mdm/policy-csp-settings.md +++ b/windows/client-management/mdm/policy-csp-settings.md @@ -741,9 +741,11 @@ The availability of per-user support is documented here: - For more information on the URI reference scheme used for the various pages of the System Settings app, see [ms-settings: URI scheme reference](/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference). +> [!WARNING] +> When you configure this policy to hide any pages that contain `quietmoments` in the URI (for example, `ms-settings:quietmomentsgame`), the Notifications page under System category is hidden. + To validate this policy, use the following steps: 1. In the Settings app, open **System** and verify that the **About** page is visible and accessible. From f9eb63459860e749fe70bf75ae8ab7039f9f0daa Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Fri, 2 Jun 2023 12:10:07 -0400 Subject: [PATCH 50/80] Fix some note blocks --- .../mdm/policy-csp-admx-dcom.md | 10 ++++----- .../mdm/policy-csp-admx-offlinefiles.md | 22 ++++++++----------- .../mdm/policy-csp-admx-terminalserver.md | 17 ++++++-------- .../mdm/policy-csp-admx-windowsexplorer.md | 4 +--- .../mdm/policy-csp-system.md | 12 +++++----- 5 files changed, 27 insertions(+), 38 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-dcom.md b/windows/client-management/mdm/policy-csp-admx-dcom.md index 7e0c8df5bb..020b0d5809 100644 --- a/windows/client-management/mdm/policy-csp-admx-dcom.md 
+++ b/windows/client-management/mdm/policy-csp-admx-dcom.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_DCOM Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/10/2023 +ms.date: 06/02/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -111,9 +111,8 @@ DCOM server appids added to this policy must be listed in curly-brace format. Fo - If you don't configure this policy setting, the appid exemption list defined by local computer administrators is used. -Note: - -The DCOM Activation security check is done after a DCOM server process is started, but before an object activation request is dispatched to the server process. This access check is done against the DCOM server's custom launch permission security descriptor if it exists, or otherwise against the configured defaults. +> [!NOTE] +> The DCOM Activation security check is done after a DCOM server process is started, but before an object activation request is dispatched to the server process. This access check is done against the DCOM server's custom launch permission security descriptor if it exists, or otherwise against the configured defaults. If the DCOM server's custom launch permission contains explicit DENY entries this may mean that object activations that would've previously succeeded for such specified users, once the DCOM server process was up and running, might now fail instead. The proper action in this situation is to re-configure the DCOM server's custom launch permission settings for correct security settings, but this policy setting may be used in the short-term as an application compatibility deployment aid. @@ -122,7 +121,8 @@ DCOM servers added to this exemption list are only exempted if their custom laun -**NOTE** This policy setting applies to all sites in Trusted zones. +> [!NOTE] +> This policy setting applies to all sites in Trusted zones. 
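Review bot: In policy-csp-admx-dcom.md, the sentence promoted to a `[!NOTE]` block at @@ -122,7 +121,8 @@ says the setting "applies to all sites in Trusted zones", which does not match the DCOM appid exemption list that the surrounding context lines describe. Please confirm it belongs in this policy before giving it more visual weight. In the @@ -111,9 +111,8 @@ hunk, only the first paragraph is quoted into the note. If the following paragraph about explicit DENY entries in the custom launch permission is part of the same note, it needs the `>` prefix as well.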
diff --git a/windows/client-management/mdm/policy-csp-admx-offlinefiles.md b/windows/client-management/mdm/policy-csp-admx-offlinefiles.md index 56b4c9a621..fe3a7eb4ed 100644 --- a/windows/client-management/mdm/policy-csp-admx-offlinefiles.md +++ b/windows/client-management/mdm/policy-csp-admx-offlinefiles.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_OfflineFiles Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/11/2023 +ms.date: 06/02/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -1347,9 +1347,8 @@ This policy setting prevents users from making network files and folders availab - If you disable or don't configure this policy setting, users can manually specify files and folders that they want to make available offline. -Note: - -This policy setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy setting in Computer Configuration takes precedence. +> [!NOTE] +> This policy setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy setting in Computer Configuration takes precedence. The "Make Available Offline" command is called "Always available offline" on computers running Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, or Windows Vista. 
@@ -1412,9 +1411,8 @@ This policy setting prevents users from making network files and folders availab - If you disable or don't configure this policy setting, users can manually specify files and folders that they want to make available offline. -Note: - -This policy setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy setting in Computer Configuration takes precedence. +> [!NOTE] +> This policy setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy setting in Computer Configuration takes precedence. The "Make Available Offline" command is called "Always available offline" on computers running Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, or Windows Vista. @@ -1479,9 +1477,8 @@ This policy setting allows you to manage a list of files and folders for which y - If you don't configure this policy setting, the "Make Available Offline" command is available for all files and folders. -Note: - -This policy setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy settings are combined, and the "Make Available Offline" command is unavailable for all specified files and folders. +> [!NOTE] +> This policy setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy settings are combined, and the "Make Available Offline" command is unavailable for all specified files and folders. The "Make Available Offline" command is called "Always available offline" on computers running Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, or Windows Vista. 
@@ -1549,9 +1546,8 @@ This policy setting allows you to manage a list of files and folders for which y - If you don't configure this policy setting, the "Make Available Offline" command is available for all files and folders. -Note: - -This policy setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy settings are combined, and the "Make Available Offline" command is unavailable for all specified files and folders. +> [!NOTE] +> This policy setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy settings are combined, and the "Make Available Offline" command is unavailable for all specified files and folders. The "Make Available Offline" command is called "Always available offline" on computers running Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, or Windows Vista. diff --git a/windows/client-management/mdm/policy-csp-admx-terminalserver.md b/windows/client-management/mdm/policy-csp-admx-terminalserver.md index a372de4237..8708e659c5 100644 --- a/windows/client-management/mdm/policy-csp-admx-terminalserver.md +++ b/windows/client-management/mdm/policy-csp-admx-terminalserver.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_TerminalServer Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/11/2023 +ms.date: 06/02/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -1165,9 +1165,8 @@ This policy setting allows you to specify a list of Secure Hash Algorithm 1 (SHA - If you disable or don't configure this policy setting, no publisher is treated as a trusted .rdp publisher. -Note: - -You can define this policy setting in the Computer Configuration node or in the User Configuration node. +> [!NOTE] +> You can define this policy setting in the Computer Configuration node or in the User Configuration node. - If you configure this policy setting for the computer, the list of certificate thumbprints trusted for a user is a combination of the list defined for the computer and the list defined for the user. @@ -1233,9 +1232,8 @@ This policy setting allows you to specify a list of Secure Hash Algorithm 1 (SHA - If you disable or don't configure this policy setting, no publisher is treated as a trusted .rdp publisher. -Note: - -You can define this policy setting in the Computer Configuration node or in the User Configuration node. +> [!NOTE] +> You can define this policy setting in the Computer Configuration node or in the User Configuration node. - If you configure this policy setting for the computer, the list of certificate thumbprints trusted for a user is a combination of the list defined for the computer and the list defined for the user. @@ -5606,9 +5604,8 @@ This policy setting allows you to specify whether Remote Desktop Services uses a - If you disable or don't configure this policy setting, mandatory user profiles aren't used by users connecting remotely to the RD Session Host server. -Note: - -For this policy setting to take effect, you must also enable and configure the "Set path for Remote Desktop Services Roaming User Profile" policy setting. +> [!NOTE] +> For this policy setting to take effect, you must also enable and configure the "Set path for Remote Desktop Services Roaming User Profile" policy setting. 
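Review bot: In policy-csp-admx-terminalserver.md at @@ -1165,9 +1165,8 @@ and @@ -1233,9 +1232,8 @@, the new `[!NOTE]` block ends after its first sentence, so the bullet that follows it ("If you configure this policy setting for the computer, the list of certificate thumbprints trusted for a user is a combination of the list defined for the computer and the list defined for the user.") renders as ordinary policy text. That bullet is what tells the reader how the computer and user lists of trusted .rdp publisher thumbprints combine, and it only makes sense as a continuation of "You can define this policy setting in the Computer Configuration node or in the User Configuration node." Suggest prefixing the dependent bullets with `>` so they stay inside the note.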
diff --git a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md index 29e561a04d..1a58f66f9d 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md +++ b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md @@ -3173,9 +3173,7 @@ If you enable this setting, the system removes the Map Network Drive and Disconn This setting doesn't prevent users from connecting to another computer by typing the name of a shared folder in the Run dialog box. > [!NOTE] -> - -This setting was documented incorrectly on the Explain tab in Group Policy for Windows 2000. The Explain tab states incorrectly that this setting prevents users from connecting and disconnecting drives. +> This setting was documented incorrectly on the Explain tab in Group Policy for Windows 2000. The Explain tab states incorrectly that this setting prevents users from connecting and disconnecting drives. > [!NOTE] > It's a requirement for third-party applications with Windows 2000 or later certification to adhere to this setting. diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 3675d15cfb..37741ff804 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -4,7 +4,7 @@ description: Learn more about the System Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/11/2023 +ms.date: 06/02/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
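Review bot: policy-csp-admx-windowsexplorer.md is the only file in this patch without an `ms.date` change: its diff consists of the single @@ -3173,9 +3173,7 @@ hunk, while the dcom, offlinefiles, terminalserver and system files all move `ms.date` to 06/02/2023. Unless the front matter already carries that date, add the same update here so the page metadata reflects the edit.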
@@ -687,9 +687,8 @@ By configuring this policy setting you can adjust what diagnostic data is collec If you disable or don't configure this policy setting, the device will send required diagnostic data and the end user can choose whether to send optional diagnostic data from the Settings app. -Note: - -The "Configure diagnostic data opt-in settings user interface" group policy can be used to prevent end users from changing their data collection settings. +> [!NOTE] +> The "Configure diagnostic data opt-in settings user interface" group policy can be used to prevent end users from changing their data collection settings. @@ -1150,9 +1149,8 @@ If you set this policy setting to "Disable diagnostic data opt-in settings", dia If you don't configure this policy setting, or you set it to "Enable diagnostic data opt-in settings", end users can change the device diagnostic settings in the Settings app. -Note: - -To set a limit on the amount of diagnostic data that's sent to Microsoft by your organization, use the "Allow Diagnostic Data" policy setting. +> [!NOTE] +> To set a limit on the amount of diagnostic data that's sent to Microsoft by your organization, use the "Allow Diagnostic Data" policy setting. From 5f82ab496104302162eb3d03346b696d52fabd81 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Fri, 2 Jun 2023 12:20:22 -0400 Subject: [PATCH 51/80] Update Reboot CSP --- windows/client-management/mdm/reboot-csp.md | 4 +--- windows/client-management/mdm/reboot-ddf-file.md | 4 ++-- 2 files changed, 3 insertions(+), 5 deletions(-) diff --git a/windows/client-management/mdm/reboot-csp.md b/windows/client-management/mdm/reboot-csp.md index da2abd5e26..0da663ff7d 100644 --- a/windows/client-management/mdm/reboot-csp.md +++ b/windows/client-management/mdm/reboot-csp.md 
@@ -16,8 +16,6 @@ ms.topic: reference # Reboot CSP -[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)] - The Reboot configuration service provider is used to configure reboot settings. @@ -196,7 +194,7 @@ Value in ISO8601, both the date and time are required. A reboot will be schedule | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows Insider Preview | +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later | diff --git a/windows/client-management/mdm/reboot-ddf-file.md b/windows/client-management/mdm/reboot-ddf-file.md index c7de504eb0..80d03a6ce8 100644 --- a/windows/client-management/mdm/reboot-ddf-file.md +++ b/windows/client-management/mdm/reboot-ddf-file.md @@ -171,8 +171,8 @@ The following XML file contains the device description framework (DDF) for the R - 99.9.99999 - 9.9 + 10.0.22621 + 1.0 From 710fe6e0e84fbdbdb25bc1249e9d07441597b477 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Fri, 2 Jun 2023 12:28:31 -0400 Subject: [PATCH 52/80] Small change --- windows/client-management/mdm/policy-csp-settings.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-settings.md b/windows/client-management/mdm/policy-csp-settings.md index 0580ff95fc..f76987ba2d 100644 --- a/windows/client-management/mdm/policy-csp-settings.md +++ b/windows/client-management/mdm/policy-csp-settings.md @@ -4,7 +4,7 @@ description: Learn more about the Settings Area in Policy CSP. author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 05/11/2023 +ms.date: 06/02/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage @@ -735,8 +735,6 @@ showonly:about;bluetooth. Example: to specify that only the Bluetooth page (which has URI ms-settings:bluetooth) should be hidden: hide:bluetooth. - -The availability of per-user support is documented here: From 8033a748cdceccae8d1d79f4e99404b4d3dbc8f7 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Fri, 2 Jun 2023 13:20:25 -0400 Subject: [PATCH 53/80] Update Reboot CSP again --- windows/client-management/mdm/reboot-csp.md | 4 +++- windows/client-management/mdm/reboot-ddf-file.md | 4 ++-- 2 files changed, 5 insertions(+), 3 deletions(-) 
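Review bot: PATCH 51/80 and PATCH 53/80 cancel each other out in reboot-csp.md and reboot-ddf-file.md, and neither subject line says which state is the intended one. 51 removes the Windows Insider include and restores `Windows 11, version 22H2 [10.0.22621] and later` with `10.0.22621` / `1.0`. 53 ("Update Reboot CSP again") puts back the include, `Windows Insider Preview` and `99.9.99999` / `9.9`, and the index lines show the same two blobs swapped (da2abd5e26 and 0da663ff7d). Suggest dropping both from the series, or giving 53 a message body that states why the Insider values are correct.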
diff --git a/windows/client-management/mdm/reboot-csp.md b/windows/client-management/mdm/reboot-csp.md index 0da663ff7d..da2abd5e26 100644 --- a/windows/client-management/mdm/reboot-csp.md +++ b/windows/client-management/mdm/reboot-csp.md @@ -16,6 +16,8 @@ ms.topic: reference # Reboot CSP +[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)] + The Reboot configuration service provider is used to configure reboot settings. @@ -194,7 +196,7 @@ Value in ISO8601, both the date and time are required. A reboot will be schedule | Scope | Editions | Applicable OS | |:--|:--|:--| -| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows 11, version 22H2 [10.0.22621] and later | +| ✅ Device
❌ User | ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE | ✅ Windows Insider Preview | diff --git a/windows/client-management/mdm/reboot-ddf-file.md b/windows/client-management/mdm/reboot-ddf-file.md index 80d03a6ce8..c7de504eb0 100644 --- a/windows/client-management/mdm/reboot-ddf-file.md +++ b/windows/client-management/mdm/reboot-ddf-file.md @@ -171,8 +171,8 @@ The following XML file contains the device description framework (DDF) for the R - 10.0.22621 - 1.0 + 99.9.99999 + 9.9 From ae3f5d3e41943ea95dae7a3367d141d9a235966f Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Fri, 2 Jun 2023 14:36:41 -0400 Subject: [PATCH 54/80] Fix low acrolinx scores --- .../set-up-school-pcs-provisioning-package.md | 185 +++++++++--------- .../hello-deployment-issues.md | 125 ++++++------ .../hello-for-business/toc.yml | 1 + .../smart-cards/smart-card-events.md | 95 ++++----- 4 files changed, 204 insertions(+), 202 deletions(-) diff --git a/education/windows/set-up-school-pcs-provisioning-package.md b/education/windows/set-up-school-pcs-provisioning-package.md index 58b9ae8063..03d93a3056 100644 --- a/education/windows/set-up-school-pcs-provisioning-package.md +++ b/education/windows/set-up-school-pcs-provisioning-package.md @@ -1,7 +1,7 @@ --- title: What's in Set up School PCs provisioning package -description: List of the provisioning package settings that are configured in the Set up School PCs app. -ms.date: 08/10/2022 +description: Learn about the settings that are configured in the provisioning package created with the Set up School PCs app. +ms.date: 06/02/2023 ms.topic: reference appliesto: - ✅ Windows 10 
@@ -11,115 +11,122 @@ appliesto: The Set up School PCs app builds a specialized provisioning package with school-optimized settings. -A key feature of the provisioning package is Shared PC mode. To view the technical framework of Shared PC mode, including the description of each setting, see the [Manage multi-user and guest Windows devices with Shared PC](/windows/configuration/shared-pc-technical) article. +A key feature of the provisioning package is SharedPC mode. To learn about the technical framework of SharedPC mode, including the description of each setting, see the [Manage multi-user and guest Windows devices with Shared PC](/windows/configuration/shared-pc-technical) article. ## Shared PC Mode policies -This table outlines the policies applied to devices in shared PC mode. If you select to optimize a device for use by a single student, you'll see differences in the following policies: -* Disk level deletion -* Inactive threshold -* Restrict local storage + +The following table outlines the policies applied to devices in SharedPC mode. If you select to optimize a device for use by a single student, you find differences in the policies applied: + +- Disk level deletion +- Inactive threshold +- Restrict local storage In the table, *True* means that the setting is enabled, allowed, or applied. Use the **Description** column to help you understand the context for each setting. For a more detailed look at the policies, see the Windows article [Set up shared or guest PC](/windows/configuration/set-up-shared-or-guest-pc#policies-set-by-shared-pc-mode). -|Policy name|Default value|Description| -|---------|---------|---------| -|Enable Shared PC mode|True| Configures the PCs so they're in shared PC mode.| -|Set education policies | True | School-optimized settings are applied to the PCs so that they're appropriate for an educational environment. 
To see all recommended and enabled policies, see [Windows 10 configuration recommendation for education customers](./configure-windows-for-education.md). | -|Account Model| Only guest, Domain-joined only, or Domain-joined and guest |Controls how users can sign in on the PC. Configurable from the Set up School PCs app. Choosing domain-joined will enable any user in the domain to sign in. Specifying the guest option will add the Guest option to the sign-in screen and enable anonymous guest access to the PC. | -|Deletion policy | Delete at disk space threshold and inactive threshold | Delete at disk space threshold will start deleting accounts when available disk space falls below the threshold you set for disk level deletion. It will stop deleting accounts when the available disk space reaches the threshold you set for disk level caching. Accounts are deleted in order of oldest accessed to most recently accessed. Also deletes accounts if they haven't signed in within the number of days specified by inactive threshold policy. | -|Disk level caching | 50% | Sets 50% of total disk space to be used as the disk space threshold for account caching. | -|Disk level deletion | For shared device setup, 25%; for single device-student setup, 0%. | When your devices are optimized for shared use across multiple PCs, this policy sets 25% of total disk space to be used as the disk space threshold for account caching. When your devices are optimized for use by a single student, this policy sets the value to 0% and doesn't delete accounts. | -|Enable account manager | True | Enables automatic account management. | -|Inactive threshold| For shared device setup, 30 days; for single device-student setup, 180 days.| After 30 or 180 days, respectively, if an account hasn't signed in, it will be deleted. -|Kiosk Mode AMUID | Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App | Configures the kiosk account on student devices to only run the Take a Test secure assessment browser. 
| -|Kiosk Mode User Tile Display Text | Take a Test | Displays "Take a Test" as the name of the kiosk account on student devices. | -|Restrict local storage | For shared device setup, True; for single device-student setup, False. | When devices are optimized for shared use across multiple PCs, this policy forces students to save to the cloud to prevent data loss. When your devices are optimized for use by a single student, this policy doesn't prevent students from saving on the PCs local hard drive. | -|Maintenance start time | 0 - midnight | The maintenance start time when automatic maintenance tasks, such as Windows Update, run on student devices. | -|Max page file size in MB| 1024| Sets the maximum size of the paging file to 1024 MB. Applies only to systems with less than 32-GB storage and at least 3 GB of RAM.| -|Set power policies | True | Prevents users from changing power settings and turns off hibernate. Also overrides all power state transitions to sleep, such as lid close. | -|Sign in on resume | True | Requires the device user to sign in with a password when the PC wakes from sleep. | -|Sleep timeout | 3600 seconds | Specifies the maximum idle time before the PC should sleep. If you don't set sleep timeout, the default time, 3600 seconds (1 hour), is applied. | +| Policy name | Default value | Description | +|--|--|--| +| Enable Shared PC mode | True | Configures the PCs so they're in shared PC mode. | +| Set education policies | True | School-optimized settings are applied to the PCs so that they're appropriate for an educational environment. To see all recommended and enabled policies, see [Windows 10 configuration recommendation for education customers](./configure-windows-for-education.md). | +| Account Model | Only guest, Domain-joined only, or Domain-joined and guest | Controls how users can sign in on the PC. Configurable from the Set up School PCs app. Choosing domain-joined enables any user in the domain to sign in. 
Specifying the guest option adds the Guest option to the sign-in screen and enable anonymous guest access to the PC. | +| Deletion policy | Delete at disk space threshold and inactive threshold | Delete at disk space threshold starts deleting accounts when available disk space falls below the threshold you set for disk level deletion. It stops deleting accounts when the available disk space reaches the threshold you set for disk level caching. Accounts are deleted in order of oldest accessed to most recently accessed. Also deletes accounts if they haven't signed in within the number of days specified by inactive threshold policy. | +| Disk level caching | 50% | Sets 50% of total disk space to be used as the disk space threshold for account caching. | +| Disk level deletion | For shared device setup, 25%; for single device-student setup, 0%. | When devices are optimized for shared use, the policy sets 25% of total disk space as the disk space threshold for account caching. When devices are optimized for use by a single student, the policy sets the value to 0% and doesn't delete accounts. | +| Enable account manager | True | Enables automatic account management. | +| Inactive threshold | For shared device setup, 30 days; for single device-student setup, 180 days. | After 30 or 180 days, respectively, if an account hasn't signed in, it will be deleted. | +| Kiosk Mode AMUID | `Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy!App` | Configures the kiosk account on student devices to only run the Take a Test secure assessment browser. | +| Kiosk Mode User Tile Display Text | Take a Test | Displays "Take a Test" as the name of the kiosk account on student devices. | +| Restrict local storage | For shared device setup, True; for single device-student setup, False. | When devices are optimized for shared use across multiple PCs, this policy forces students to save to the cloud to prevent data loss. 
When your devices are optimized for use by a single student, this policy doesn't prevent students from saving on the PCs local hard drive. | +| Maintenance start time | 0 - midnight | The maintenance start time when automatic maintenance tasks, such as Windows Update, run on student devices. | +| Max page file size in MB | 1024 | Sets the maximum size of the paging file to 1024 MB. Applies only to systems with less than 32-GB storage and at least 3 GB of RAM. | +| Set power policies | True | Prevents users from changing power settings and turns off hibernate. Also overrides all power state transitions to sleep, such as lid close. | +| Sign in on resume | True | Requires the device user to sign in with a password when the PC wakes from sleep. | +| Sleep timeout | 3600 seconds | Specifies the maximum idle time before the PC should sleep. If you don't set sleep timeout, the default time, 3600 seconds (1 hour), is applied. | -## MDM and local group policies -This section lists only the MDM and local group policies that are configured uniquely for the Set up School PCs app. +## MDM and local group policies + +This section lists only the MDM and local group policies that are configured uniquely for the Set up School PCs app. For a more detailed look of each policy listed, see [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider) in the Windows IT Pro Center documentation. +| Policy name | Default value | Description | +|--|--|--| +| Authority | User-defined | Authenticates the admin user. Value is set automatically when signed in to Azure AD. | +| BPRT | User-defined | Value is set automatically when signed in to Azure AD. Allows you to create the provisioning package. | +| WLAN Setting | XML is generated from the Wi-Fi profile in the Set up School PCs app. | Configures settings for wireless connectivity. | +| Hide OOBE for desktop | True | Hides the interactive OOBE flow for Windows 10. 
| +| Download Mode | 1 - HTTP blended with peering behind the same NAT | Specifies the download method that Delivery Optimization can use in downloads of Windows Updates, Apps, and App updates | +| Select when Preview Builds and Feature Updates are received | 32 - Semi-annual Channel. Device gets feature updates from Semi-annual Channel | Specifies how frequently devices receive preview builds and feature updates. | +| Allow auto update | 4 - Auto-installs and restarts without device-user control | When an auto update is available, it auto-installs and restarts the device without any input or action from the device user. | +| Configure automatic updates | 3 - Set to install at 3am | Scheduled time to install updates. | +| Update power policy for cart restarts | 1 - Configured | Skips all restart checks to ensure that the reboot will happen at the scheduled install time. | +| Select when Preview Builds and Feature Updates are received | 365 days | Defers Feature Updates for the specified number of days. When not specified, defaults to 365 days. | +| Allow all trusted apps | Disabled | Prevents untrusted apps from being installed to device | +| Allow developer unlock | Disabled | Students can't unlock the PC and use it in developer mode | +| Allow Cortana | Disabled | Cortana isn't allowed on the device. | +| Allow manual MDM unenrollment | Disabled | Students can't remove the mobile device manager from their device. | +| Settings page visibility | Enabled | Specific pages in the System Settings app aren't visible or accessible to students. | +| Allow add provisioning package | Disabled | Students can't add and upload new provisioning packages to their device. | +| Allow remove provisioning package | Disabled | Students can't remove packages that you've uploaded to their device, including the Set up School PCs app | +| Start Layout | Enabled | Lets you specify the Start layout for users and prevents them from changing the configuration. 
| +| Import Edge Assets | Enabled | Import Microsoft Edge assets, such as PNG and JPG files, for secondary tiles on the Start layout. Tiles will appear as weblinks and will be tied to the relevant image asset files. | +| Allow pinned folder downloads | 1 - The shortcut is visible and disables the setting in the Settings app | Makes the Downloads shortcut on the Start menu visible to students. | +| Allow pinned folder File Explorer | 1 - The shortcut is visible and disables the setting in the Settings app | Makes the File Explorer shortcut on the Start menu visible to students. | +| Personalization | Deploy lock screen image | Set to the image you picked when you customized the lock screen during device setup. If you didn't customize the image, the computer will show the default. | +| Personalization | Lock screen image URL | Image filename | +| Update | Active hours end | 5 PM | +| Update | Active hours start | 7 AM | +| Updates Windows | Nightly | Sets Windows to update on a nightly basis. | -| Policy name | Default value | Description | -|-------------------------------------------------------------|--------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Authority | User-defined | Authenticates the admin user. Value is set automatically when signed in to Azure AD. | -| BPRT | User-defined | Value is set automatically when signed in to Azure AD. Allows you to create the provisioning package. | -| WLAN Setting | XML is generated from the Wi-Fi profile in the Set up School PCs app. | Configures settings for wireless connectivity. | -| Hide OOBE for desktop | True | Hides the interactive OOBE flow for Windows 10. 
| -| Download Mode | 1 - HTTP blended with peering behind the same NAT | Specifies the download method that Delivery Optimization can use in downloads of Windows Updates, Apps, and App updates | -| Select when Preview Builds and Feature Updates are received | 32 - Semi-annual Channel. Device gets feature updates from Semi-annual Channel | Specifies how frequently devices receive preview builds and feature updates. | -| Allow auto update | 4 - Auto-installs and restarts without device-user control | When an auto update is available, it auto-installs and restarts the device without any input or action from the device user. | -| Configure automatic updates | 3 - Set to install at 3am | Scheduled time to install updates. | -| Update power policy for cart restarts | 1 - Configured | Skips all restart checks to ensure that the reboot will happen at the scheduled install time. | -| Select when Preview Builds and Feature Updates are received | 365 days | Defers Feature Updates for the specified number of days. When not specified, defaults to 365 days. | -| Allow all trusted apps | Disabled | Prevents untrusted apps from being installed to device | -| Allow developer unlock | Disabled | Students can't unlock the PC and use it in developer mode | -| Allow Cortana | Disabled | Cortana isn't allowed on the device. | -| Allow manual MDM unenrollment | Disabled | Students can't remove the mobile device manager from their device. | -| Settings page visibility | Enabled | Specific pages in the System Settings app aren't visible or accessible to students. | -| Allow add provisioning package | Disabled | Students can't add and upload new provisioning packages to their device. | -| Allow remove provisioning package | Disabled | Students can't remove packages that you've uploaded to their device, including the Set up School PCs app | -| Start Layout | Enabled | Lets you specify the Start layout for users and prevents them from changing the configuration. 
| -| Import Edge Assets | Enabled | Import Microsoft Edge assets, such as PNG and JPG files, for secondary tiles on the Start layout. Tiles will appear as weblinks and will be tied to the relevant image asset files. | -| Allow pinned folder downloads | 1 - The shortcut is visible and disables the setting in the Settings app | Makes the Downloads shortcut on the Start menu visible to students. | -| Allow pinned folder File Explorer | 1 - The shortcut is visible and disables the setting in the Settings app | Makes the File Explorer shortcut on the Start menu visible to students. | -| Personalization | Deploy lock screen image | Set to the image you picked when you customized the lock screen during device setup. If you didn't customize the image, the computer will show the default. | -| Personalization | Lock screen image URL | Image filename | -| Update | Active hours end | 5 PM | -| Update | Active hours start | 7 AM | -| Updates Windows | Nightly | Sets Windows to update on a nightly basis. | +## Apps uninstalled from Windows devices -## Apps uninstalled from Windows 10 devices -Set up School PCs app uses the Universal app uninstall policy. This policy identifies default apps that aren't relevant to the classroom experience, and uninstalls them from each device. ALl apps uninstalled from Windows 10 devices include: +Set up School PCs app uses the Universal app uninstall policy. The policy identifies default apps that aren't relevant to the classroom experience, and uninstalls them from each device. 
The apps uninstalled from Windows devices are: +- Mixed Reality Viewer +- Weather +- Desktop App Installer +- Tips +- Messaging +- My Office +- Microsoft Solitaire Collection +- Mobile Plans +- Feedback Hub +- Xbox +- Mail/Calendar +- Skype -* Mixed Reality Viewer -* Weather -* Desktop App Installer -* Tips -* Messaging -* My Office -* Microsoft Solitaire Collection -* Mobile Plans -* Feedback Hub -* Xbox -* Mail/Calendar -* Skype +## Apps installed on Windows devices -## Apps installed on Windows 10 devices -Set up School PCs uses the Universal app install policy to install school-relevant apps on all Windows 10 devices. Apps that are installed include: -* OneDrive -* OneNote -* Sway +Set up School PCs uses the Universal app install policy to install school-relevant apps on all Windows 10 devices. The following apps are installed: + +- OneDrive +- OneNote +- Sway ## Provisioning time estimates + The time it takes to install a package on a device depends on the: -* Strength of network connection -* Number of policies and apps within the package -* Other configurations made to the device +- Strength of network connection +- Number of policies and apps within the package +- Other configurations made to the device -Review the table below to estimate your expected provisioning time. A package that only applies Set Up School PC's default configurations will provision the fastest. A package that removes pre-installed apps, through CleanPC, will take much longer to provision. +Review the table below to estimate your expected provisioning time. A package that only applies Set Up School PC's default configurations will provision the fastest. A package that removes preinstalled apps, through CleanPC, will take much longer to provision. 
-|Configurations |Connection type |Estimated provisioning time | -|---------|---------|---------| -|Default settings only | Wi-Fi | 3 to 5 minutes | -|Default settings + apps | Wi-Fi | 10 to 15 minutes | -|Default settings + remove pre-installed apps (CleanPC) | Wi-Fi | 60 minutes | -|Default settings + other settings (Not CleanPC) | Wi-Fi | 5 minutes | +| Configurations | Connection type | Estimated provisioning time | +|--|--|--| +| Default settings only | Wi-Fi | 3 to 5 minutes | +| Default settings + apps | Wi-Fi | 10 to 15 minutes | +| Default settings + remove preinstalled apps (CleanPC) | Wi-Fi | 60 minutes | +| Default settings + other settings (Not CleanPC) | Wi-Fi | 5 minutes | | -## Next steps -Learn more about setting up devices with the Set up School PCs app. -* [Azure AD Join with Set up School PCs](set-up-school-pcs-azure-ad-join.md) -* [Set up School PCs technical reference](set-up-school-pcs-technical.md) -* [Set up Windows 10 devices for education](set-up-windows-10.md) +## Next steps + +Learn more about setting up devices with the Set up School PCs app. + +- [Azure AD Join with Set up School PCs](set-up-school-pcs-azure-ad-join.md) +- [Set up School PCs technical reference](set-up-school-pcs-technical.md) +- [Set up Windows 10 devices for education](set-up-windows-10.md) When you're ready to create and apply your provisioning package, see [Use Set up School PCs app](use-set-up-school-pcs-app.md). \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md index 655c8961da..0d457c8992 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md 
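Review bot: in set-up-school-pcs-provisioning-package.md, the rewritten Disk level deletion row still describes its 25% value as "the disk space threshold for account caching", which repeats the Disk level caching row (50%) and disagrees with the Deletion policy row, where accounts start being deleted once free space falls below the disk level deletion threshold; it should read "threshold for account deletion". In the same hunk, the Account Model row has "adds the Guest option to the sign-in screen and enable anonymous guest access" (should be "enables"), the intro now says "SharedPC mode" while the section heading and the first table row keep "Shared PC", and the two app headings drop "10" while the install paragraph still says "all Windows 10 devices".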
@@ -1,30 +1,30 @@ --- -title: Windows Hello for Business Deployment Known Issues -description: A Troubleshooting Guide for Known Windows Hello for Business Deployment Issues -ms.date: 05/03/2021 -ms.topic: article +title: Windows Hello for Business known deployment issues +description: This article is a troubleshooting guide for known Windows Hello for Business deployment issues. +ms.date: 06/02/2023 +ms.topic: troubleshooting --- -# Windows Hello for Business Known Deployment Issues +# Windows Hello for Business known deployment issues -The content of this article is to help troubleshoot and workaround known deployment issues for Windows Hello for Business. Each issue below will describe the applicable deployment type Windows versions. +The content of this article is to help troubleshoot known deployment issues for Windows Hello for Business. -## PIN Reset on Azure AD Join Devices Fails with "We can't open that page right now" error +## PIN reset on Azure AD join devices fails with *We can't open that page right now* error -PIN reset on Azure AD-joined devices uses a flow called web sign-in to authenticate the user above lock. Web sign in only allows navigation to specific domains. If it attempts to navigate to a domain that is not allowed it will show a page with the error message "We can't open that page right now". +PIN reset on Azure AD-joined devices uses a flow called *web sign-in* to authenticate the user above lock. Web sign in only allows navigation to specific domains. If web sign-in attempts to navigate to a domain that isn't allowed, it displays a page with the error message *We can't open that page right now*. -### Identifying Azure AD joined PIN Reset Allowed Domains Issue +### Identify PIN Reset allowed domains issue -The user can launch the PIN reset flow from above lock using the "I forgot my PIN" link in the PIN credential provider. Selecting this link will launch a full screen UI for the PIN experience on Azure AD Join devices. 
Typically, this UI will display an Azure authentication server page where the user will authenticate using Azure AD credentials and complete multifactor authentication. +The user can launch the PIN reset flow from the lock screen using the *I forgot my PIN* link in the PIN credential provider. Selecting the link launches a full screen UI for the PIN experience on Azure AD Join devices. Typically, the UI displays an Azure authentication page, where the user authenticates using Azure AD credentials and completes MFA. -In federated environments authentication may be configured to route to AD FS or a third-party identity provider. If the PIN reset flow is launched and attempts to navigate to a federated identity provider server page, it will fail and display the "We can't open that page right now" error if the domain for the server page is not included in an allow list. +In federated environments, authentication may be configured to route to AD FS or a third-party identity provider. If the PIN reset flow is launched and attempts to navigate to a federated identity provider server page, it fails and display the *We can't open that page right now* error, if the domain for the server page isn't included in an allowlist. -If you are a customer of Azure US Government cloud, PIN reset will also attempt to navigate to a domain that is not included in the default allowlist. This results in "We can't open that page right now". +If you're a customer of *Azure US Government* cloud, PIN reset also attempts to navigate to a domain that isn't included in the default allowlist. The result is the *We can't open that page right now* page. -### Resolving Azure AD joined PIN Reset Allowed Domains Issue +### Resolve PIN Reset allowed domains issue -To resolve this error, a list of allowed domains for PIN reset can be configured using the [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-authentication#authentication-configurewebsigninallowedurls) policy. 
For information on how to configure this policy, see [PIN Reset - Configure Web Sign-in Allowed URLs for Third Party Identity Providers on Azure AD Joined Devices](hello-feature-pin-reset.md#configure-web-sign-in-allowed-urls-for-third-party-identity-providers-on-azure-ad-joined-devices). +To resolve the error, you can configure a list of allowed domains for PIN reset, using the [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-authentication#authentication-configurewebsigninallowedurls) policy. For information on how to configure the policy, see [PIN Reset - Configure Web Sign-in Allowed URLs for Third Party Identity Providers on Azure AD Joined Devices](hello-feature-pin-reset.md#configure-web-sign-in-allowed-urls-for-third-party-identity-providers-on-azure-ad-joined-devices). -## Hybrid Key Trust Logon Broken Due to User Public Key Deletion +## Hybrid key trust sign in broken due to user public key deletion Applies to: 
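Review bot: the federated-environments paragraph under "Identify PIN Reset allowed domains issue" now reads "it fails and display the *We can't open that page right now* error"; the second verb needs to be "displays". The opening paragraph of the section also mixes "*web sign-in*" with "Web sign in only allows", and it still says "above lock" while the next paragraph was changed to "from the lock screen", so pick one form for each and use it throughout.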
@@ -34,37 +34,36 @@ Applies to: In Hybrid key trust deployments with domain controllers running certain builds of Windows Server 2016 and Windows Server 2019, the user's Windows Hello for Business key is deleted after they sign-in. Subsequent sign-ins will fail until the user's key is synced during the next Azure AD Connect delta sync cycle. -### Identifying User Public Key Deletion Issue +### Identify user public key deletion issue -After the user provisions a Windows Hello for Business credential in a hybrid key trust environment, the key must sync from Azure AD to AD during an Azure AD Connect sync cycle. The user's public key will be written to the msDS-KeyCredentialLink attribute of the user object. +After the user provisions a Windows Hello for Business credential in a hybrid key trust environment, the key must sync from Azure AD to AD during an Azure AD Connect sync cycle. The user's public is written to the `msDS-KeyCredentialLink` attribute of the user object. -Before the user's Windows Hello for Business key is synced, sign-in's with Windows Hello for Business will fail with the error message, *"That option is temporarily unavailable. For now, please use a different method to sign in."* After the sync is successful, the user should be able to log in and unlock with their PIN or enrolled biometrics. +Before the user's Windows Hello for Business key is synced, sign-ins with Windows Hello for Business fails with the error message, *That option is temporarily unavailable. For now, please use a different method to sign in.*. After the sync is successful, the user should be able to sign in and unlock with their PIN or enrolled biometrics. -In environments impacted with this issue, after the first sign-in with Windows Hello for Business after provisioning is completed, the next sign-in attempt will fail. 
In environments where domain controllers are running a mix of builds, only some may be impacted by this issue and subsequent logon attempts may be sent different domain controllers. This may result in the sign-in failures appearing to be intermittent. +In environments with the issue, after the first sign-in with Windows Hello for Business and provisioning is complete, the next sign-in attempt fails. In environments where domain controllers are running a mix of builds, some users may be impacted by the issue, and subsequent sign in attempts may be sent to different domain controllers. The result is intermittent sign-in failures. -After the initial logon attempt, the user's Windows Hello for Business public key is being deleted from the msDS-KeyCredentialLink attribute. This can be verified by querying a user's msDS-KeyCredentialLink attribute before and after sign-in. The msDS-KeyCredentialLink can be queried in AD using [Get-ADUser](/powershell/module/activedirectory/get-aduser) and specifying *msds-keycredentiallink* for the *-Properties* parameter. +After the initial sign in attempt, the user's Windows Hello for Business public key is deleted from the `msDS-KeyCredentialLink attribute`. You can verify the deletion by querying a user's `msDS-KeyCredentialLink` attribute before and after sign-in. The `msDS-KeyCredentialLink` can be queried in AD using [Get-ADUser](/powershell/module/activedirectory/get-aduser) and specifying `msds-keycredentiallink` for the `-Properties` parameter. -### Resolving User Public Key Deletion Issue +### Resolve user public key deletion issue -To resolve this behavior, upgrade Windows Server 2016 and 2019 domain controllers to with the latest patches. For Windows Server 2016, this behavior is fixed in build 14393.4104 ([KB4593226](https://support.microsoft.com/help/4593226)) and later. For Windows Server 2019, this behavior is fixed in build 17763.1637 ([KB4592440](https://support.microsoft.com/help/4592440)). 
+To resolve the issue, update Windows Server 2016 and 2019 domain controllers with the latest patches. For Windows Server 2016, the behavior is fixed in build *14393.4104* ([KB4593226](https://support.microsoft.com/help/4593226)) and later. For Windows Server 2019, the behavior is fixed in build *17763.1637* ([KB4592440](https://support.microsoft.com/help/4592440)). -## Azure AD Joined Device Access to On-Premises Resources Using Key Trust and Third-Party Certificate Authority (CA) +## Azure AD joined device access to on-premises resources using key trust and third-party Certificate Authority (CA) Applies to: - Azure AD joined key trust deployments - Third-party certificate authority (CA) issuing domain controller certificates -Windows Hello for Business uses smart card based authentication for many operations. Smart card has special guidelines when using a third-party CA for certificate issuance, some of which apply to the domain controllers. Not all Windows Hello for Business deployment types require these configurations. Accessing on-premises resources from an Azure AD Joined device does require special configuration when using a third-party CA to issue domain controller certificates. +Windows Hello for Business uses smart card-based authentication for many operations. Smart card has special guidelines when using a third-party CA for certificate issuance, some of which apply to the domain controllers. Not all Windows Hello for Business deployment types require these configurations. Accessing on-premises resources from an Azure AD Joined device does require special configuration when using a third-party CA to issue domain controller certificates. -For more information, read [Guidelines for enabling smart card logon with third-party certification authorities]( -/troubleshoot/windows-server/windows-security/enabling-smart-card-logon-third-party-certification-authorities). 
+For more information, read [Guidelines for enabling smart card sign in with third-party certification authorities](/troubleshoot/windows-server/windows-security/enabling-smart-card-logon-third-party-certification-authorities). -### Identifying On-premises Resource Access Issues with Third-Party CAs +### Identify on-premises resource access issues with third party CAs -This issue can be identified using network traces or Kerberos logging from the client. In the network trace, the client will fail to place a TGS_REQ request when a user attempts to access a resource. On the client, this can be observed in the Kerberos operation event log under **Application and Services/Microsoft/Windows/Security-Kerberos/Operational**. These logs are default disabled. The failure event for this case will include the following information: +The issue can be identified using network traces or Kerberos logging from the client. In the network trace, the client fails to place a `TGS_REQ` request when a user attempts to access a resource. On the client, it can be observed in the Kerberos operation event log under `Application and Services/Microsoft/Windows/Security-Kerberos/Operational`. The logs are disabled by default. The failure event for this case includes the following information: -```console +```cmd Log Name: Microsoft-Windows-Kerberos/Operational Source: Microsoft-Windows-Security-Kerberos Event ID: 107 
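Review bot: the mixed-builds sentence in "Identify user public key deletion issue" changes meaning, because "only some may be impacted" referred to domain controllers and the new text says "some users may be impacted"; keep the original subject, for example "only some domain controllers may be impacted". In the same section, "The user's public is written to" lost the word "key", the code span in "`msDS-KeyCredentialLink attribute`" swallows the word "attribute", and "sign-ins with Windows Hello for Business fails" needs "fail". The fence tag was also switched from console to cmd, but the block is an event log record rather than a command, so the old tag was the better fit.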
@@ -80,18 +79,18 @@ Expected Domain Name: ad.contoso.com Error Code: 0xC000006D ``` -### Resolving On-premises Resource Access Issue with Third-Party CAs +### Resolve on-premises resource access issue with third party CAs -To resolve this issue, domain controller certificates need to be updated so the certificate subject contains directory path of the server object (distinguished name). -Example Subject: CN=DC1 OU=Domain Controller, DC=ad, DC=contoso, DC=com +To resolve the issue, domain controller certificates must be updated so that the certificate subject contains the directory path of the server object (distinguished name). +Example Subject: `CN=DC1,OU=Domain Controllers,DC=ad,DC=contoso,DC=com` Alternatively, you can set the subject alternative name (SAN) of the domain controller certificate to contain the server object's fully qualified domain name and the NETBIOS name of the domain. Example Subject Alternative Name: -dns=dc1.ad.contoso.com -dns=ad.contoso.com -dns=ad + > `dns=dc1.ad.contoso.com`\ + > `dns=ad.contoso.com`\ + > `dns=ad` -## Key Trust Authentication Broken for Windows Server 2019 +## Key trust authentication broken for Windows Server 2019 Applies to: 
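Review bot: the Example Subject line is a content correction rather than a style fix (it adds the missing comma after CN=DC1 and changes "OU=Domain Controller" to "OU=Domain Controllers"), so it should be called out in the commit message, which only says "Fix low acrolinx scores". The two renamed headings in this file also read "third party CAs" while the body text and the section heading above them use "third-party", and "NETBIOS" in the SAN paragraph is left as is; keeping the hyphen and the spelling consistent would match the goal of the commit.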
@@ -99,21 +98,21 @@ Applies to: - Hybrid key trust deployments - On-premises key trust deployments -Domain controllers running early versions of Windows Server 2019 have an issue that prevents key trust authentication from working properly. Networks traces report KDC_ERR_CLIENT_NAME_MISMATCH. +Domain controllers running early versions of Windows Server 2019 have an issue that prevents key trust authentication from working properly. Networks traces report *KDC_ERR_CLIENT_NAME_MISMATCH*. -### Identifying Server 2019 Key Trust Authentication Issue +### Identify Windows Server 2019 key trust authentication issue -On the client, authentication with Windows Hello for Business will fail with the error message, *"That option is temporarily unavailable. For now, please use a different method to sign in."* +On the client, authentication with Windows Hello for Business fails with the error message, *"That option is temporarily unavailable. For now, please use a different method to sign in."* -This error is usually presented on hybrid Azure AD-joined devices in key trust deployments after Windows Hello for Business has been provisioned but before a user's key has synced from Azure AD to AD. If a user's key has been synced from Azure AD and the msDS-keycredentiallink attribute on the user object in AD has been populated for NGC, then it is possible that this error case is occurring. +The error is presented on hybrid Azure AD-joined devices in key trust deployments after Windows Hello for Business is provisioned, but before a user's key is synced from Azure AD to AD. If a user's key isn't synced from Azure AD and the `msDS-keycredentiallink` attribute on the user object in AD is populated for NGC, then it's possible that the error occurs. -The other indicator of this failure case can be identified using network traces. If network traces are captured for a key trust sign-in event, the traces will show kerberos failing with the error KDC_ERR_CLIENT_NAME_MISMATCH. 
+Another indicator of the failure can be identified using network traces. If you capture network traces for a key trust sign-in event, the traces show Kerberos failing with the error *KDC_ERR_CLIENT_NAME_MISMATCH*. -### Resolving Server 2019 Key Trust Authentication Issue +### Resolve Server 2019 key trust authentication issue -This issue was fixed in Windows Server 2019, build 17763.316 ([KB4487044](https://support.microsoft.com/help/4487044/windows-10-update-kb4487044)). Upgrade all Windows Server 2019 domain controllers to Windows Server 2019, build 17763.316 or newer to resolve this behavior. +The issue is resolved in Windows Server 2019, build *17763.316* ([KB4487044](https://support.microsoft.com/help/4487044/windows-10-update-kb4487044)). Upgrade all Windows Server 2019 domain controllers to the build *17763.316* or newer to resolve the issue. -## Certificate Trust Provisioning with AD FS Broken on Windows Server 2019 +## Certificate trust provisioning with AD FS broken on windows server 2019 Applies to: 
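Review bot: The rewritten condition in the Identify section inverts the original meaning: "If a user's key has been synced from Azure AD and the msDS-keycredentiallink attribute ... has been populated" becomes "If a user's key isn't synced from Azure AD and the `msDS-keycredentiallink` attribute ... is populated". The attribute can only be populated for NGC once the key has synced, so the new sentence describes a state that contradicts itself and no longer separates this bug from the ordinary pre-sync delay described in the sentence before it. Restore "is synced". The same paragraph drops "usually" from "This error is usually presented", which overstates the claim. The added heading "AD FS broken on windows server 2019" lowercases the product name, and "Networks traces" is carried over into the new line unchanged.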
@@ -121,11 +120,11 @@ Applies to: - Hybrid certificate trust deployments - On-premises certificate trust deployments -AD FS running on Windows Server 2019 fails to complete device authentication properly due to an invalid check of incoming scopes in the request. Device authentication to AD FS is a requirement for Windows Hello for Business to enroll a certificate using AD FS. The client will block Windows Hello for Business provisioning until this authentication is successful. +AD FS running on Windows Server 2019 fails to complete device authentication due to an invalid check of incoming scopes in the request. Device authentication to AD FS is a requirement for Windows Hello for Business to enroll a certificate using AD FS. The client blocks Windows Hello for Business provisioning until the authentication is successful. -### Identifying Certificate Trust with AD FS 2019 Enrollment Issue +### Identify certificate trust with AD FS 2019 enrollment issue -The provisioning experience for Windows Hello for Business will launch if a set of prerequisite checks done by the client are successful. The result of the provisioningAdmin checks is available in event logs under Microsoft-Windows-User Device Registration. If provisioning is blocked because device authentication has not successfully occurred, there will be an event ID 362 in the logs that states that *User has successfully authenticated to the enterprise STS: No*. +The provisioning experience for Windows Hello for Business launches if the prerequisite checks are successful. The result of the provisioningAdmin checks is available in event logs under **Microsoft-Windows-User Device Registration**. If provisioning is blocked because device authentication doesn't succeed, event ID *362* is logged stating *User has successfully authenticated to the enterprise STS: No*. ```console Log Name: Microsoft-Windows-User Device Registration/Admin 
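Review bot: "The result of the provisioningAdmin checks" is carried into the rewritten line as is, and it reads like two words run together. Since the sentence is being edited anyway, please say which checks are meant and name the log in full; the sample that follows shows `Microsoft-Windows-User Device Registration/Admin`. The log name is bolded here while the Kerberos log path earlier in this file was switched to code formatting, so pick one convention for log names. The rewrite also removes "done by the client" from the prerequisite checks, which loses the detail of where the checks run and therefore where to look for event 362.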
@@ -153,11 +152,11 @@ Certificate enrollment method: enrollment authority See https://go.microsoft.com/fwlink/?linkid=832647 for more details. ``` -If a device has recently been joined to a domain, then there may be a delay before the device authentication occurs. If the failing state of this prerequisite check persists, then it can indicate an issue with the AD FS configuration. +If a device recently joined a domain, there may be a delay before the device authentication occurs. If the failing state of this prerequisite check persists, then it can indicate an issue with the AD FS configuration. -If this AD FS scope issue is present, event logs on the AD FS server will indicate an authentication failure from the client. This error will be logged in event logs under AD FS/Admin as event ID 1021 and the event will specify that the client is forbidden access to resource `http://schemas.microsoft.com/ws/2009/12/identityserver/selfscope` with scope 'ugs': +If the AD FS scope issue is present, event logs on the AD FS server indicate an authentication failure from the client. The error is logged in event logs under **AD FS/Admin** as event ID *1021* and the event specifies that the client is forbidden access to resource `http://schemas.microsoft.com/ws/2009/12/identityserver/selfscope` with scope `ugs`: -```console +```cmd Log Name: AD FS/Admin Source: AD FS Date: 
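Review bot: The AD FS/Admin event 1021 sample has its fence switched from `console` to `cmd`, while the event 362 sample a few lines above in the same file stays `console`. Both blocks are event log output, so they should use the same fence, and `cmd` suggests a command to run. Separately, "If a device recently joined a domain, there may be a delay" gives no sense of how long to wait before treating the failed prerequisite as an AD FS configuration problem; if a figure is known, this is the place for it.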
@@ -176,26 +175,20 @@ Microsoft.IdentityServer.Web.Protocols.OAuth.Exceptions.OAuthUnauthorizedClientE at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthToken.OAuthJWTBearerRequestContext.ValidateCore() ``` -### Resolving Certificate Trust with AD FS 2019 Enrollment Issue +### Resolve certificate trust with AD FS 2019 enrollment issue -This issue is fixed in Windows Server, version 1903 and later. For Windows Server 2019, this issue can be remediated by adding the ugs scope manually. +This issue is fixed in Windows Server, version 1903 and later. For Windows Server 2019, the issue can be remediated by adding the ugs scope manually. -1. Launch AD FS management console. Browse to **Services > Scope Descriptions**. - -2. Right click **Scope Descriptions** and select **Add Scope Description**. - -3. Under name type **ugs** and click **Apply > OK**. - -4. Launch PowerShell as an administrator. - -5. Get the ObjectIdentifier of the application permission with the ClientRoleIdentifier parameter equal to "38aa3b87-a06d-4817-b275-7a316988d93b": +1. Launch AD FS management console. Browse to **Services > Scope Descriptions** +1. Right select **Scope Descriptions** and select **Add Scope Description** +1. Under name type *ugs*, and select **Apply > OK** +1. Launch PowerShell as an administrator +1. Get the ObjectIdentifier of the application permission with the ClientRoleIdentifier parameter equal to "38aa3b87-a06d-4817-b275-7a316988d93b": ```powershell (Get-AdfsApplicationPermission -ServerRoleIdentifiers 'http://schemas.microsoft.com/ws/2009/12/identityserver/selfscope' | ?{ $_.ClientRoleIdentifier -eq '38aa3b87-a06d-4817-b275-7a316988d93b' }).ObjectIdentifier ``` -6. Execute the command `Set-AdfsApplicationPermission -TargetIdentifier -AddScope 'ugs'`. - -7. Restart the AD FS service. - -8. On the client: Restart the client. User should be prompted to provision Windows Hello for Business. +1. 
Execute the command `Set-AdfsApplicationPermission -TargetIdentifier -AddScope 'ugs'` +1. Restart the AD FS service +1. On the client: Restart the client. User should be prompted to provision Windows Hello for Business diff --git a/windows/security/identity-protection/hello-for-business/toc.yml b/windows/security/identity-protection/hello-for-business/toc.yml index 77c3a38b65..bce50d6cb5 100644 --- a/windows/security/identity-protection/hello-for-business/toc.yml +++ b/windows/security/identity-protection/hello-for-business/toc.yml @@ -1,3 +1,4 @@ +items: - name: Windows Hello for Business documentation href: index.yml - name: Concepts diff --git a/windows/security/identity-protection/smart-cards/smart-card-events.md b/windows/security/identity-protection/smart-cards/smart-card-events.md index 2d80036a23..d76f02b235 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-events.md +++ b/windows/security/identity-protection/smart-cards/smart-card-events.md 
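Review bot: In the AD FS 2019 remediation steps of the hello-for-business hunk above, the command in the step after the PowerShell block is shown as `Set-AdfsApplicationPermission -TargetIdentifier -AddScope 'ugs'`, with no value after `-TargetIdentifier`. The previous step exists only to obtain the ObjectIdentifier, so the command needs a visible placeholder for that value; as written it cannot be run and the link between the two steps is lost. In the same list "Right click" was replaced with "Right select", which is not an action a reader can perform ("Right-click" or "Open the context menu for" would work), and the period after "version 1903 and later" style edits removed the trailing punctuation from some steps but not from "On the client: Restart the client."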
@@ -1,24 +1,24 @@ --- -title: Smart Card Events -description: This topic for the IT professional and smart card developer describes events that are related to smart card deployment and development. -ms.reviewer: ardenw -ms.topic: article -ms.date: 09/24/2021 +title: Smart card events +description: Learn about smart card deployment and development events. +ms.topic: troubleshooting +ms.date: 06/02/2023 --- -# Smart Card Events +# Smart card events -This topic for the IT professional and smart card developer describes events that are related to smart card deployment and development. +This article describes the events related to smart card deployment and development. -A number of events can be used to monitor smart card activities on a computer, including installation, use, and errors. The following sections describe the events and information that can be used to manage smart cards in an organization. +Many events can be used to monitor smart card activities on a device, including installation, use, and errors. The next sections describe the events and information that you can use to manage smart cards in an organization. - [Smart card reader name](#smart-card-reader-name) - [Smart card warning events](#smart-card-warning-events) - [Smart card error events](#smart-card-error-events) - [Smart card Plug and Play events](#smart-card-plug-and-play-events) + ## Smart card reader name -The Smart Card resource manager doesn't use the device name from Device Manager to describe a smart card reader. Instead, the name is constructed from three device attributes that are queried directly from the smart card reader driver. +The Smart Card Resource Manager doesn't use the device name from *Device Manager* to describe a smart card reader. Instead, the name is constructed from three device attributes that are queried directly from the smart card reader driver. The following three attributes are used to construct the smart card reader name: 
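Review bot: The front matter sets `ms.topic: troubleshooting`, but the new description ("Learn about smart card deployment and development events") and the body describe a reference list of event IDs and messages; please confirm the topic type matches the content. The intro rewrite also removes the stated audience (IT professional and smart card developer) without replacing it, and `ms.reviewer` is dropped with no explanation in the commit subject. The capitalization "Smart Card Resource Manager" introduced in the reader name paragraph should match how the service is named in the event messages further down.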
@@ -26,72 +26,73 @@ The following three attributes are used to construct the smart card reader name: - Interface device type - Device unit -The smart card reader device name is constructed in the form <*VendorName*> <*Type*> <*DeviceUnit*>. For example 'Contoso Smart Card Reader 0' is constructed from the following information: +The smart card reader device name is constructed in the form ``. For example *Contoso Smart Card Reader 0* is constructed from the following information: -- Vendor name: Contoso -- Interface device type: Smart Card Reader -- Device unit: 0 +- Vendor name: *Contoso* +- Interface device type: *Smart Card Reader* +- Device unit: *0* ## Smart card warning events -> **Note**  IOCTL in the following table refers to input and output control. +> [!NOTE] +> *IOCTL* in the following table refers to input and output control. | **Event ID** | **Warning Message** | **Description** | |--------------|---------|--------------------------------------------------------------------------------------------| -| 620 | Smart Card Resource Manager was unable to cancel IOCTL %3 for reader '%2': %1. The reader may no longer be responding. If this error persists, your smart card or reader may not be functioning correctly. %n%nCommand Header: %4 | This occurs if the resource manager attempts to cancel a command to the smart card reader when the smart card service is shutting down or after a smart card is removed from the smart card reader and the command could not be canceled. This can leave the smart card reader in an unusable state until it's removed from the computer or the computer is restarted.

%1 = Windows error code
%2 = Smart card reader name
%3 = IOCTL being canceled
%4 = First 4 bytes of the command that was sent to the smart card | +| 620 | Smart Card Resource Manager was unable to cancel IOCTL %3 for reader '%2': %1. The reader may no longer be responding. If this error persists, your smart card or reader may not be functioning correctly. %n%nCommand Header: %4 | This occurs if the Resource Manager attempts to cancel a command to the smart card reader when the smart card service is shutting down or after a smart card is removed from the smart card reader and the command couldn't be canceled. This can leave the smart card reader in an unusable state until it's removed from the computer or the computer is restarted.

%1 = Windows error code
%2 = Smart card reader name
%3 = IOCTL being canceled
%4 = First 4 bytes of the command that was sent to the smart card | | 619 | Smart Card Reader '%2' hasn't responded to IOCTL %3 in %1 seconds. If this error persists, your smart card or reader may not be functioning correctly. %n%nCommand Header: %4 | This occurs when a reader hasn't responded to an IOCTL after an unusually long period of time. Currently, this error is sent after a reader doesn't respond for 150 seconds. This can leave the smart card reader in an unusable state until it's removed from the computer or the computer is restarted.

%1 = Number of seconds the IOCTL has been waiting
%2 = Smart card reader name
%3 = IOCTL sent
%4 = First 4 bytes of the command that was sent to the smart card | ## Smart card error events | **Event ID** | **Error Message** | **Description** | |--------------|--------------------------------------------|-------------------------------------------------------------------------------| -| 202 | Failed to initialize Server Application | An error occurred, and the service cannot initialize properly. Restarting the computer may resolve the issue. | -| 203 | Server Control has no memory for reader reference object. | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. | -| 204 | Server Control failed to create shutdown event: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code | +| 202 | Failed to initialize Server Application | An error occurred, and the service can't initialize properly. Restarting the computer may resolve the issue. | +| 203 | Server Control has no memory for reader reference object. | Internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. | +| 204 | Server Control failed to create shutdown event: %1 | Internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code | | 205 | Reader object has duplicate name: %1 | There are two smart card readers that have the same name. Remove the smart card reader that is causing this error message.
%1 = Name of the smart card reader that is duplicated | -| 206 | Failed to create global reader change event. | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. | -| 401 | Reader shutdown exception from eject smart card command | A smart card reader could not eject a smart card while the smart card reader was shutting down. | -| 406 | Reader object cannot Identify Device | A smart card reader did not properly respond to a request for information about the device, which is required for constructing the smart card reader name. The smart card reader will not be recognized by the service until it's removed from the computer and reinserted or until the computer is restarted. | -| 502 | Initialization of Service Status Critical Section failed | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. | -| 504 | Resource Manager cannot create shutdown event flag:  %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code | -| 506 | Smart Card Resource Manager failed to register service:  %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code | +| 206 | Failed to create global reader change event. | Internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. | +| 401 | Reader shutdown exception from eject smart card command | A smart card reader couldn't eject a smart card while the smart card reader was shutting down. | +| 406 | Reader object can't Identify Device | A smart card reader didn't properly respond to a request for information about the device, which is required for constructing the smart card reader name. The smart card reader won't be recognized by the service until it's removed from the computer and reinserted or until the computer is restarted. | +| 502 | Initialization of Service Status Critical Section failed | Internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. | +| 504 | Resource Manager can't create shutdown event flag: %1 | Internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code | +| 506 | Smart Card Resource Manager failed to register service: %1 | Internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code | | 506 | Smart Card Resource Manager received unexpected exception from PnP event %1 | An attempt to add a Plug and Play reader failed. The device may already be in use or may be defective. To resolve this error message, try to add the device again or restart the computer.
%1 = The affected handle name | -| 507 | No memory available for Service Status Critical Section | There is not enough system memory available. This prevents the service from managing the status. Restarting the computer may resolve the issue. | +| 507 | No memory available for Service Status Critical Section | There isn't enough system memory available. This prevents the service from managing the status. Restarting the computer may resolve the issue. | | 508 | Smart Card Resource Manager received unexpected exception from PnP event %1 | An attempt to add a Plug and Play reader failed. The device may already be in use or may be defective. To resolve this error message, try to add the device again or restart the computer.
%1 = The affected handle name | | 509 | Smart Card Resource Manager received unexpected exception from PnP event %1 | An attempt to add a Plug and Play reader failed. The device may already be in use or may be defective. To resolve this error message, try to add the device again or restart the computer.
%1 = The affected handle name | | 510 | Smart Card Resource Manager received NULL handle from PnP event %1 | An attempt to add a Plug and Play smart card reader failed. The device may already be in use or may be defective. To resolve this error message, try to add the device again or restart the computer.
%1 = The affected handle name | | 511 | Smart Card Resource Manager received unexpected exception from PnP event %1 | An attempt to add a Plug and Play reader failed. The device may already be in use or may be defective. To resolve this error message, try to add the device again or restart the computer.
%1 = The affected handle name | | 512 | Smart Card Resource Manager received NULL handle from PnP event %1 | An attempt to add a Plug and Play smart card reader failed. The device may already be in use or may be defective. To resolve this error message, try to add the device again or restart the computer.
%1 = The affected handle name | | 513 | Smart Card Resource Manager received unexpected exception from PnP event %1 | An attempt to add a Plug and Play reader failed. The device may already be in use or may be defective. To resolve this error message, try to add the device again or restart the computer.
%1 = The affected handle name | -| 514 | Smart Card Resource Manager failed to add reader %2: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code
%2 = Smart card reader name | -| 515 | Smart Card Resource Manager failed to declare state:  %1 | This is an internal unrecoverable error that indicates a failure in the smart card service. The smart card service may not operate properly. Restarting the service or computer may resolve this issue.
%1 = Windows error code | -| 516 | Smart Card Resource Manager Failed to declare shutdown:  %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The smart card service may not be able to stop. Restarting the computer may resolve this issue.
%1 = Windows error code | -| 517 | Smart Card Resource Manager received unexpected exception attempting to add reader %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Smart card reader name | +| 514 | Smart Card Resource Manager failed to add reader %2: %1 | Internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code
%2 = Smart card reader name | +| 515 | Smart Card Resource Manager failed to declare state: %1 | Internal, unrecoverable error that indicates a failure in the smart card service. The smart card service may not operate properly. Restarting the service or computer may resolve this issue.
%1 = Windows error code | +| 516 | Smart Card Resource Manager Failed to declare shutdown: %1 | Internal, unrecoverable error that indicates a failure in the smart card service. The smart card service may not be able to stop. Restarting the computer may resolve this issue.
%1 = Windows error code | +| 517 | Smart Card Resource Manager received unexpected exception attempting to add reader %1 | Internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Smart card reader name | | 521 | Smart Card Resource Manager received NULL handle from PnP event %1 | An attempt to add a Plug and Play smart card reader failed. The device may already be in use or may be defective. To resolve this error message, try to add the device again or restart the computer.
%1 = The affected handle name | | 523 | Smart Card Resource Manager received NULL handle from PnP event %1 | An attempt to add a Plug and Play smart card reader failed. The device may already be in use or may be defective. To resolve this error message, try to add the device again or restart the computer.
%1 = The affected handle name | -| 602 | WDM Reader driver initialization cannot open reader device:  %1 | The service cannot open a communication channel with the smart card reader. You cannot use the smart card reader until the issue is resolved.
%1 = Windows error code | -| 603 | WDM Reader driver initialization has no memory available to control device %1 | There is not enough system memory available. This prevents the service from managing the smart card reader that was added. Restarting the computer may resolve the issue.
%1 = Name of affected reader | -| 604 | Server control cannot set reader removal event:  %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code | -| 605 | Reader object failed to create overlapped event:  %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code | -| 606 | Reader object failed to create removal event:  %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code | -| 607 | Reader object failed to start monitor thread:  %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code | -| 608 | Reader monitor failed to create power down timer: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code | -| 609 | Reader monitor failed to create overlapped event:  %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code | -| 610 | Smart Card Reader '%2' rejected IOCTL %3: %1  If this error persists, your smart card or reader may not be functioning correctly.%n%nCommand Header: %4 | The reader cannot successfully transmit the indicated IOCTL to the smart card. This can indicate hardware failure, but this error can also occur if a smart card or smart card reader is removed from the system while an operation is in progress.
%1 = Windows error code
%2 = Name of the smart card reader
%3 = IOCTL that was sent
%4 = First 4 bytes of the command sent to the smart card
These events are caused by legacy functionality in the smart card stack. It can be ignored if there is no noticeable failure in the smart card usage scenarios. You might also see this error if your eSIM is recognized as a smartcard controller.| -| 611 | Smart Card Reader initialization failed | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve this issue. | -| 612 | Reader insertion monitor error retry threshold reached:  %1 | This occurs when a smart card reader fails several times to respond properly to the IOCTL, which indicates whether a smart card is present in the reader. The smart card reader is marked as defective, and it is not recognized by the service until it's removed from the computer and reinserted or until the computer is restarted.
%1 = Windows error code | -| 615 | Reader removal monitor error retry threshold reached:  %1 | This occurs when a smart card reader fails several times to respond properly to the IOCTL, which indicates whether a smart card is present in the reader. The smart card reader is marked as defective, and it is not recognized by the service until it's removed from the computer and reinserted or until the computer is restarted.
%1 = Windows error code | -| 616 | Reader monitor '%2' received uncaught error code:  %1 | This occurs when a smart card reader fails several times to respond properly to the IOCTL, which indicates whether a smart card is present in the reader. The smart card reader is marked as defective, and it is not recognized by the service until it's removed from the computer and reinserted or until the computer is restarted.
%1 = Windows error code
%2 = Reader name | -| 617 | Reader monitor '%1' exception -- exiting thread | An unknown error occurred while monitoring a smart card reader for smart card insertions and removals. The smart card reader is marked as defective, and it is not recognized by the service until it's removed from the computer and reinserted or until the computer is restarted.
%1 = Smart card reader name | -| 618 | Smart Card Resource Manager encountered an unrecoverable internal error. | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. | -| 621 | Server Control failed to access start event: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code
These events are caused by legacy functionality in the smart card stack. It can be ignored if there is no noticeable failure in the smart card usage scenarios. | -| 622 | Server Control failed to access stop event: %1 | This is an internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code | +| 602 | WDM Reader driver initialization can't open reader device: %1 | The service can't open a communication channel with the smart card reader. You can't use the smart card reader until the issue is resolved.
%1 = Windows error code | +| 603 | WDM Reader driver initialization has no memory available to control device %1 | There isn't enough system memory available. This prevents the service from managing the smart card reader that was added. Restarting the computer may resolve the issue.
%1 = Name of affected reader | +| 604 | Server control can't set reader removal event: %1 | Internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code | +| 605 | Reader object failed to create overlapped event: %1 | Internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code | +| 606 | Reader object failed to create removal event: %1 | Internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code | +| 607 | Reader object failed to start monitor thread: %1 | Internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code | +| 608 | Reader monitor failed to create power down timer: %1 | Internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code | +| 609 | Reader monitor failed to create overlapped event: %1 | Internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code | +| 610 | Smart Card Reader '%2' rejected IOCTL %3: %1 If this error persists, your smart card or reader may not be functioning correctly.%n%nCommand Header: %4 | The reader can't successfully transmit the indicated IOCTL to the smart card. This can indicate hardware failure, but this error can also occur if a smart card or smart card reader is removed from the system while an operation is in progress.
%1 = Windows error code
%2 = Name of the smart card reader
%3 = IOCTL that was sent
%4 = First 4 bytes of the command sent to the smart card
These events are caused by legacy functionality in the smart card stack. It can be ignored if there's no noticeable failure in the smart card usage scenarios. You might also see this error if your eSIM is recognized as a smartcard controller.| +| 611 | Smart Card Reader initialization failed | Internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve this issue. | +| 612 | Reader insertion monitor error retry threshold reached: %1 | This occurs when a smart card reader fails several times to respond properly to the IOCTL, which indicates whether a smart card is present in the reader. The smart card reader is marked as defective, and it isn't recognized by the service until it's removed from the computer and reinserted or until the computer is restarted.
%1 = Windows error code | +| 615 | Reader removal monitor error retry threshold reached: %1 | This occurs when a smart card reader fails several times to respond properly to the IOCTL, which indicates whether a smart card is present in the reader. The smart card reader is marked as defective, and it isn't recognized by the service until it's removed from the computer and reinserted or until the computer is restarted.
%1 = Windows error code | +| 616 | Reader monitor '%2' received uncaught error code: %1 | This occurs when a smart card reader fails several times to respond properly to the IOCTL, which indicates whether a smart card is present in the reader. The smart card reader is marked as defective, and it isn't recognized by the service until it's removed from the computer and reinserted or until the computer is restarted.
%1 = Windows error code
%2 = Reader name | +| 617 | Reader monitor '%1' exception -- exiting thread | An unknown error occurred while monitoring a smart card reader for smart card insertions and removals. The smart card reader is marked as defective, and it isn't recognized by the service until it's removed from the computer and reinserted or until the computer is restarted.
%1 = Smart card reader name | +| 618 | Smart Card Resource Manager encountered an unrecoverable internal error. | Internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue. | +| 621 | Server Control failed to access start event: %1 | Internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code
These events are caused by legacy functionality in the smart card stack. It can be ignored if there's no noticeable failure in the smart card usage scenarios. | +| 622 | Server Control failed to access stop event: %1 | Internal, unrecoverable error that indicates a failure in the smart card service. The most common cause is limited computer resources. Restarting the computer may resolve the issue.
%1 = Windows error code | ## Smart card Plug and Play events | **Event ID** | **Event type** | **Event Message** | **Description** | |--------------|----------------|-----------------------------------------------------------------------------------------|----------------| -| 1000 | Error | Could not get device ID for smart card in reader %1. The return code is %2. | Smart card Plug and Play could not obtain the device ID for the smart card. This information is required to determine the correct driver. The smart card may be defective.
%1 = Smart card reader name
%2 = Windows error code | +| 1000 | Error | Couldn't get device ID for smart card in reader %1. The return code is %2. | Smart card Plug and Play couldn't obtain the device ID for the smart card. This information is required to determine the correct driver. The smart card may be defective.
%1 = Smart card reader name
%2 = Windows error code | | 1001 | Information | Software successfully installed for smart card in reader %1. The smart card name is %2. | Smart card Plug and Play successfully installed a minidriver for the inserted card.
%1 = Smart card reader name
%2 = Name of new smart card device | ## See also From 7b249357d52af18be75b78fc0d0d1bcbf3a8b158 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Fri, 2 Jun 2023 14:54:55 -0400 Subject: [PATCH 55/80] updates --- .../windows/set-up-school-pcs-provisioning-package.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/education/windows/set-up-school-pcs-provisioning-package.md b/education/windows/set-up-school-pcs-provisioning-package.md index 03d93a3056..12ea6880b4 100644 --- a/education/windows/set-up-school-pcs-provisioning-package.md +++ b/education/windows/set-up-school-pcs-provisioning-package.md @@ -108,7 +108,7 @@ Set up School PCs uses the Universal app install policy to install school-releva The time it takes to install a package on a device depends on the: -- Strength of network connection +- Strength of network connection - Number of policies and apps within the package - Other configurations made to the device @@ -119,7 +119,7 @@ Review the table below to estimate your expected provisioning time. A package th | Default settings only | Wi-Fi | 3 to 5 minutes | | Default settings + apps | Wi-Fi | 10 to 15 minutes | | Default settings + remove preinstalled apps (CleanPC) | Wi-Fi | 60 minutes | -| Default settings + other settings (Not CleanPC) | Wi-Fi | 5 minutes | | +| Default settings + other settings (Not CleanPC) | Wi-Fi | 5 minutes | ## Next steps 
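Review bot: In smart-card-events.md, the event 1000 row contracts the **Event Message** cell to "Couldn't get device ID for smart card in reader %1", but that column quotes the message text that appears in the event log, not editorial prose. Anyone filtering or alerting on the message will search for the logged wording, so confirm the string against the logged event and keep "Could not get device ID ..." if that is what the system writes; limit contraction edits to the **Description** column. The same check applies to the "can't" in the message cells for events 602 and 604 earlier in this hunk.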
@@ -127,6 +127,6 @@ Learn more about setting up devices with the Set up School PCs app. - [Azure AD Join with Set up School PCs](set-up-school-pcs-azure-ad-join.md) - [Set up School PCs technical reference](set-up-school-pcs-technical.md) -- [Set up Windows 10 devices for education](set-up-windows-10.md) +- [Set up Windows 10 devices for education](set-up-windows-10.md) -When you're ready to create and apply your provisioning package, see [Use Set up School PCs app](use-set-up-school-pcs-app.md). \ No newline at end of file +When you're ready to create and apply your provisioning package, see [Use Set up School PCs app](use-set-up-school-pcs-app.md). From f3ca80e33d7e37c25c200f7c379d022bd745261f Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Fri, 2 Jun 2023 15:02:45 -0400 Subject: [PATCH 56/80] changed file case from TOC to toc --- education/windows/{TOC.yml => toc.yml} | 0 windows/deployment/{TOC.yml => toc.yml} | 0 windows/security/{TOC.yml => toc.yml} | 0 3 files changed, 0 insertions(+), 0 deletions(-) rename education/windows/{TOC.yml => toc.yml} (100%) rename windows/deployment/{TOC.yml => toc.yml} (100%) rename windows/security/{TOC.yml => toc.yml} (100%) diff --git a/education/windows/TOC.yml b/education/windows/toc.yml similarity index 100% rename from education/windows/TOC.yml rename to education/windows/toc.yml diff --git a/windows/deployment/TOC.yml b/windows/deployment/toc.yml similarity index 100% rename from windows/deployment/TOC.yml rename to windows/deployment/toc.yml diff --git a/windows/security/TOC.yml b/windows/security/toc.yml similarity index 100% rename from windows/security/TOC.yml rename to windows/security/toc.yml From dfd0445d3238290a4df4d45b3b000fb7af583548 Mon Sep 17 00:00:00 2001 
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Fri, 2 Jun 2023 15:04:49 -0400 Subject: [PATCH 57/80] reverted file case of the deployment TOC --- windows/deployment/{toc.yml => TOC.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename windows/deployment/{toc.yml => TOC.yml} (100%) diff --git a/windows/deployment/toc.yml b/windows/deployment/TOC.yml similarity index 100% rename from windows/deployment/toc.yml rename to windows/deployment/TOC.yml From ac20feac4359ae223a04f4a0643e0070a64034ef Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Fri, 2 Jun 2023 15:14:02 -0400 Subject: [PATCH 58/80] update --- .../hello-for-business/hello-deployment-issues.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md index 0d457c8992..f11314d587 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md @@ -63,7 +63,7 @@ For more information, read [Guidelines for enabling smart card sign in with thir The issue can be identified using network traces or Kerberos logging from the client. In the network trace, the client fails to place a `TGS_REQ` request when a user attempts to access a resource. On the client, it can be observed in the Kerberos operation event log under `Application and Services/Microsoft/Windows/Security-Kerberos/Operational`. The logs are disabled by default. The failure event for this case includes the following information: -```cmd +```Console Log Name: Microsoft-Windows-Kerberos/Operational Source: Microsoft-Windows-Security-Kerberos Event ID: 107 
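Review bot: The fence tag on the Event ID 107 sample in hello-deployment-issues.md changes from `cmd` to `Console` with a capital C, while the tag this same patch replaces in the next hunk is the lowercase `console`. Use lowercase `console` on all three fences so the file has one spelling of the tag. The context line also says the Kerberos operational logs are disabled by default; a pointer to how to enable them would help a reader who needs this trace.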
@@ -126,7 +126,7 @@ AD FS running on Windows Server 2019 fails to complete device authentication due The provisioning experience for Windows Hello for Business launches if the prerequisite checks are successful. The result of the provisioningAdmin checks is available in event logs under **Microsoft-Windows-User Device Registration**. If provisioning is blocked because device authentication doesn't succeed, event ID *362* is logged stating *User has successfully authenticated to the enterprise STS: No*. -```console +```Console Log Name: Microsoft-Windows-User Device Registration/Admin Source: Microsoft-Windows-User Device Registration Date: @@ -156,7 +156,7 @@ If a device recently joined a domain, there may be a delay before the device aut If the AD FS scope issue is present, event logs on the AD FS server indicate an authentication failure from the client. The error is logged in event logs under **AD FS/Admin** as event ID *1021* and the event specifies that the client is forbidden access to resource `http://schemas.microsoft.com/ws/2009/12/identityserver/selfscope` with scope `ugs`: -```cmd +```Console Log Name: AD FS/Admin Source: AD FS Date: From 98a76b64a19871a06f33bc5fbd18f728daef829e Mon Sep 17 00:00:00 2001 From: professorbike Date: Fri, 2 Jun 2023 14:18:44 -0500 Subject: [PATCH 59/80] Update audit-security-group-management.md Fix typo in description of 4755. Previously stated "4737 is the same" instead of 4755. --- .../auditing/audit-security-group-management.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/audit-security-group-management.md b/windows/security/threat-protection/auditing/audit-security-group-management.md index eb76f1d581..14cccd81d4 100644 --- a/windows/security/threat-protection/auditing/audit-security-group-management.md +++ b/windows/security/threat-protection/auditing/audit-security-group-management.md 
@@ -83,7 +83,7 @@ This subcategory allows you to audit events generated by changes to security gro > [!IMPORTANT] > Event 4754(S) generates only for domain groups, so the Local sections in event [4731](event-4731.md) do not apply. -- 4755(S): A security-enabled universal group was changed. See event _[4735](event-4735.md): A security-enabled local group was changed._ Event 4737 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference. +- 4755(S): A security-enabled universal group was changed. See event _[4735](event-4735.md): A security-enabled local group was changed._ Event 4755 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference. > [!IMPORTANT] > Event 4755(S) generates only for domain groups, so the Local sections in event [4735](event-4735.md) do not apply. From 0a7e59be3aec333d423148b1fbec1915045588a5 Mon Sep 17 00:00:00 2001 From: Tarun Maganur <104856032+Tarun-Edu@users.noreply.github.com> Date: Fri, 2 Jun 2023 13:13:41 -0700 Subject: [PATCH 60/80] Update windows-11-se-overview.md --- education/windows/windows-11-se-overview.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/education/windows/windows-11-se-overview.md b/education/windows/windows-11-se-overview.md index 2464884671..d2a1f8c29b 100644 --- a/education/windows/windows-11-se-overview.md +++ b/education/windows/windows-11-se-overview.md 
@@ -138,8 +138,8 @@ The following applications can also run on Windows 11 SE, and can be deployed us | `NextUp Talker` | 1.0.49 | Win32 | `NextUp Technologies` | | `NonVisual Desktop Access` | 2021.3.1 | Win32 | `NV Access` | | `NWEA Secure Testing Browser` | 5.4.356.0 | Win32 | `NWEA` | -| `PC Talker NEO` | 2209 | Win32 | `Kochi System Development` | -| `PC Talker NEO Plus` | 2209 | Win32 | `Kochi System Development` | +| `PC Talker Neo` | 2209 | Win32 | `Kochi System Development` | +| `PC Talker Neo Plus` | 2209 | Win32 | `Kochi System Development` | | `PaperCut` | 22.0.6 | Win32 | `PaperCut Software International Pty Ltd` | | `Pearson TestNav` | 1.11.3 | `Store` | `Pearson` | | `Questar Secure Browser` | 5.0.1.456 | Win32 | `Questar, Inc` | From b1a1f88d1eac7b37c6bb82bd46b013675061b99f Mon Sep 17 00:00:00 2001 From: Angela Fleischmann Date: Fri, 2 Jun 2023 14:45:58 -0600 Subject: [PATCH 61/80] Apply suggestions from code review Mostly minor copy edits to add missing words, letters, and punctuation, and to delete additional letters and punctuation. --- .../hello-deployment-issues.md | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md index f11314d587..6ca2b50171 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md 
@@ -16,13 +16,13 @@ PIN reset on Azure AD-joined devices uses a flow called *web sign-in* to authent The user can launch the PIN reset flow from the lock screen using the *I forgot my PIN* link in the PIN credential provider. Selecting the link launches a full screen UI for the PIN experience on Azure AD Join devices. Typically, the UI displays an Azure authentication page, where the user authenticates using Azure AD credentials and completes MFA. -In federated environments, authentication may be configured to route to AD FS or a third-party identity provider. If the PIN reset flow is launched and attempts to navigate to a federated identity provider server page, it fails and display the *We can't open that page right now* error, if the domain for the server page isn't included in an allowlist. +In federated environments, authentication may be configured to route to AD FS or a third-party identity provider. If the PIN reset flow is launched and attempts to navigate to a federated identity provider server page, it fails and displays the *We can't open that page right now* error, if the domain for the server page isn't included in an allowlist. -If you're a customer of *Azure US Government* cloud, PIN reset also attempts to navigate to a domain that isn't included in the default allowlist. The result is the *We can't open that page right now* page. +If you're a customer of *Azure US Government* cloud, PIN reset also attempts to navigate to a domain that isn't included in the default allowlist. The result is the message *We can't open that page right now*. ### Resolve PIN Reset allowed domains issue -To resolve the error, you can configure a list of allowed domains for PIN reset, using the [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-authentication#authentication-configurewebsigninallowedurls) policy. 
For information on how to configure the policy, see [PIN Reset - Configure Web Sign-in Allowed URLs for Third Party Identity Providers on Azure AD Joined Devices](hello-feature-pin-reset.md#configure-web-sign-in-allowed-urls-for-third-party-identity-providers-on-azure-ad-joined-devices). +To resolve the error, you can configure a list of allowed domains for PIN reset using the [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-authentication#authentication-configurewebsigninallowedurls) policy. For information on how to configure the policy, see [PIN Reset - Configure Web Sign-in Allowed URLs for Third Party Identity Providers on Azure AD Joined Devices](hello-feature-pin-reset.md#configure-web-sign-in-allowed-urls-for-third-party-identity-providers-on-azure-ad-joined-devices). ## Hybrid key trust sign in broken due to user public key deletion 
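Review bot: The two paragraphs in this hunk now name the same outcome differently: the federated case "displays the *We can't open that page right now* error", while the Azure US Government case ends in "the message *We can't open that page right now*", and the resolution section opens with "To resolve the error". Pick one term; "error" is the one the resolution section already uses. The comma before "if the domain for the server page isn't included in an allowlist" can also go, since the condition is restrictive.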
@@ -36,13 +36,13 @@ In Hybrid key trust deployments with domain controllers running certain builds o ### Identify user public key deletion issue -After the user provisions a Windows Hello for Business credential in a hybrid key trust environment, the key must sync from Azure AD to AD during an Azure AD Connect sync cycle. The user's public is written to the `msDS-KeyCredentialLink` attribute of the user object. +After the user provisions a Windows Hello for Business credential in a hybrid key trust environment, the key must sync from Azure AD to AD during an Azure AD Connect sync cycle. The user's public key is written to the `msDS-KeyCredentialLink` attribute of the user object. -Before the user's Windows Hello for Business key is synced, sign-ins with Windows Hello for Business fails with the error message, *That option is temporarily unavailable. For now, please use a different method to sign in.*. After the sync is successful, the user should be able to sign in and unlock with their PIN or enrolled biometrics. +Before the user's Windows Hello for Business key syncs, sign-ins with Windows Hello for Business fail with the error message *That option is temporarily unavailable. For now, please use a different method to sign in.* After the key syncs successfully, the user can sign in and unlock with their PIN or enrolled biometrics. In environments with the issue, after the first sign-in with Windows Hello for Business and provisioning is complete, the next sign-in attempt fails. In environments where domain controllers are running a mix of builds, some users may be impacted by the issue, and subsequent sign in attempts may be sent to different domain controllers. The result is intermittent sign-in failures. -After the initial sign in attempt, the user's Windows Hello for Business public key is deleted from the `msDS-KeyCredentialLink attribute`. You can verify the deletion by querying a user's `msDS-KeyCredentialLink` attribute before and after sign-in. 
The `msDS-KeyCredentialLink` can be queried in AD using [Get-ADUser](/powershell/module/activedirectory/get-aduser) and specifying `msds-keycredentiallink` for the `-Properties` parameter. +After the initial sign-in attempt, the user's Windows Hello for Business public key is deleted from the `msDS-KeyCredentialLink attribute`. You can verify the deletion by querying a user's `msDS-KeyCredentialLink` attribute before and after sign-in. You can query the `msDS-KeyCredentialLink` in AD using [Get-ADUser](/powershell/module/activedirectory/get-aduser) and specifying `msds-keycredentiallink` for the `-Properties` parameter. ### Resolve user public key deletion issue 
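Review bot: The added line keeps the code span `msDS-KeyCredentialLink attribute`, which puts the word "attribute" inside the backticks; the other mentions in this hunk format only the name, `msDS-KeyCredentialLink`. Close the span after the name. The rewritten last sentence also reads "query the `msDS-KeyCredentialLink` in AD" with no noun after the span and then gives the name lowercased as `msds-keycredentiallink` for `-Properties`; add "attribute" after the span and use one casing throughout.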
@@ -55,7 +55,7 @@ Applies to: - Azure AD joined key trust deployments - Third-party certificate authority (CA) issuing domain controller certificates -Windows Hello for Business uses smart card-based authentication for many operations. Smart card has special guidelines when using a third-party CA for certificate issuance, some of which apply to the domain controllers. Not all Windows Hello for Business deployment types require these configurations. Accessing on-premises resources from an Azure AD Joined device does require special configuration when using a third-party CA to issue domain controller certificates. +Windows Hello for Business uses smart-card based authentication for many operations. This type of authentication has special guidelines when using a third-party CA for certificate issuance, some of which apply to the domain controllers. Not all Windows Hello for Business deployment types require these configurations. Accessing on-premises resources from an Azure AD Joined device does require special configuration when using a third-party CA to issue domain controller certificates. For more information, read [Guidelines for enabling smart card sign in with third-party certification authorities](/troubleshoot/windows-server/windows-security/enabling-smart-card-logon-third-party-certification-authorities). 
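Review bot: "smart-card based authentication" in the added line moves the hyphen to the wrong place; the removed line's "smart card-based authentication" was the correct compound, and "smart card" is written open everywhere else in this hunk. Restore "smart card-based". Replacing "Smart card has special guidelines" with "This type of authentication has special guidelines" reads fine.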
@@ -102,7 +102,7 @@ Domain controllers running early versions of Windows Server 2019 have an issue t ### Identify Windows Server 2019 key trust authentication issue -On the client, authentication with Windows Hello for Business fails with the error message, *"That option is temporarily unavailable. For now, please use a different method to sign in."* +On the client, authentication with Windows Hello for Business fails with the error message, *That option is temporarily unavailable. For now, please use a different method to sign in.* The error is presented on hybrid Azure AD-joined devices in key trust deployments after Windows Hello for Business is provisioned, but before a user's key is synced from Azure AD to AD. If a user's key isn't synced from Azure AD and the `msDS-keycredentiallink` attribute on the user object in AD is populated for NGC, then it's possible that the error occurs. @@ -189,6 +189,6 @@ This issue is fixed in Windows Server, version 1903 and later. For Windows Serve (Get-AdfsApplicationPermission -ServerRoleIdentifiers 'http://schemas.microsoft.com/ws/2009/12/identityserver/selfscope' | ?{ $_.ClientRoleIdentifier -eq '38aa3b87-a06d-4817-b275-7a316988d93b' }).ObjectIdentifier ``` -1. Execute the command `Set-AdfsApplicationPermission -TargetIdentifier -AddScope 'ugs'` -1. Restart the AD FS service -1. On the client: Restart the client. User should be prompted to provision Windows Hello for Business +1. Execute the command `Set-AdfsApplicationPermission -TargetIdentifier -AddScope 'ugs'`. +1. Restart the AD FS service. +1. On the client: Restart the client. The user should be prompted to provision Windows Hello for Business. From 93b6cf5ef359276f685ddff3385af4ba8002ab46 Mon Sep 17 00:00:00 2001 
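Review bot: In the last hunk of hello-deployment-issues.md (the AD FS `ugs` scope steps), the step "Execute the command `Set-AdfsApplicationPermission -TargetIdentifier -AddScope 'ugs'`" gives `-TargetIdentifier` no value, so the command can't run as written. The preceding step retrieves the ObjectIdentifier for this purpose; show a placeholder for it after `-TargetIdentifier` and state that it is the value returned by the previous command. Adding the sentence-ending period doesn't address that.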
From: Angela Fleischmann Date: Fri, 2 Jun 2023 15:14:00 -0600 Subject: [PATCH 62/80] Apply suggestions from code review Add sentence-ending periods. --- .../hello-for-business/hello-deployment-issues.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md index 6ca2b50171..b7b8a64228 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md @@ -179,10 +179,10 @@ Microsoft.IdentityServer.Web.Protocols.OAuth.Exceptions.OAuthUnauthorizedClientE This issue is fixed in Windows Server, version 1903 and later. For Windows Server 2019, the issue can be remediated by adding the ugs scope manually. -1. Launch AD FS management console. Browse to **Services > Scope Descriptions** -1. Right select **Scope Descriptions** and select **Add Scope Description** -1. Under name type *ugs*, and select **Apply > OK** -1. Launch PowerShell as an administrator +1. Launch AD FS management console. Browse to **Services > Scope Descriptions**. +1. Right select **Scope Descriptions** and select **Add Scope Description**. +1. Under name type *ugs*, and select **Apply > OK**. +1. Launch PowerShell as an administrator. 1. Get the ObjectIdentifier of the application permission with the ClientRoleIdentifier parameter equal to "38aa3b87-a06d-4817-b275-7a316988d93b": ```powershell From 02ef1bb934b95a6b24fc9c661c73ff8b1787fb8a Mon Sep 17 00:00:00 2001 From: Angela Fleischmann Date: Fri, 2 Jun 2023 15:18:35 -0600 Subject: [PATCH 63/80] Update smart-card-events.md Delete internal TOC. The new format adds the internal TOC automatically. --- .../identity-protection/smart-cards/smart-card-events.md | 5 ----- 1 file changed, 5 deletions(-) 
diff --git a/windows/security/identity-protection/smart-cards/smart-card-events.md b/windows/security/identity-protection/smart-cards/smart-card-events.md index d76f02b235..87a6861bb1 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-events.md +++ b/windows/security/identity-protection/smart-cards/smart-card-events.md @@ -11,11 +11,6 @@ This article describes the events related to smart card deployment and developme Many events can be used to monitor smart card activities on a device, including installation, use, and errors. The next sections describe the events and information that you can use to manage smart cards in an organization. -- [Smart card reader name](#smart-card-reader-name) -- [Smart card warning events](#smart-card-warning-events) -- [Smart card error events](#smart-card-error-events) -- [Smart card Plug and Play events](#smart-card-plug-and-play-events) - ## Smart card reader name The Smart Card Resource Manager doesn't use the device name from *Device Manager* to describe a smart card reader. Instead, the name is constructed from three device attributes that are queried directly from the smart card reader driver. From 3f920de8955c56deb86d6cd8bd954106ca23fcf4 Mon Sep 17 00:00:00 2001 From: Angela Fleischmann Date: Fri, 2 Jun 2023 15:35:33 -0600 Subject: [PATCH 64/80] Apply suggestions from code review Add a missing word and an apostrophe and delete periods from non-sentences. --- .../client-management/mdm/policy-csp-admx-windowsexplorer.md | 4 ++-- windows/client-management/mdm/policy-csp-experience.md | 4 ++-- windows/client-management/mdm/policy-csp-notifications.md | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md index 1a58f66f9d..18c1da9bdf 100644 --- a/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md 
+++ b/windows/client-management/mdm/policy-csp-admx-windowsexplorer.md @@ -105,7 +105,7 @@ This setting allows an administrator to revert specific Windows Shell behavior t - If you enable this setting, users can't configure their system to open items by single-clicking (such as in Mouse in Control Panel). As a result, the user interface looks and operates like the interface for Windows NT 4.0, and users can't restore the new features. -Enabling this policy will also turn off the preview pane and set the folder options for File Explorer to Use classic folders view and disable the users ability to change these options. +Enabling this policy will also turn off the preview pane and set the folder options for File Explorer to Use classic folders view and disable the users' ability to change these options. - If you disable or not configure this policy, the default File Explorer behavior is applied to the user. @@ -3965,7 +3965,7 @@ To remove network computers from lists of network resources, use the "No Entire -Configures the list of items displayed in the Places Bar in the Windows File/Open dialog. If enable this setting you can specify from 1 to 5 items to be displayed in the Places Bar. +Configures the list of items displayed in the Places Bar in the Windows File/Open dialog. If you enable this setting you can specify from 1 to 5 items to be displayed in the Places Bar. The valid items you may display in the Places Bar are: diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md index 71637d5849..de46845ac8 100644 --- a/windows/client-management/mdm/policy-csp-experience.md +++ b/windows/client-management/mdm/policy-csp-experience.md @@ -528,8 +528,8 @@ This policy setting allows you to control whether screen recording functionality | Value | Description | |:--|:--| -| 0 | Disabled. | -| 1 (Default) | Enabled. | +| 0 | Disabled | +| 1 (Default) | Enabled | 
diff --git a/windows/client-management/mdm/policy-csp-notifications.md b/windows/client-management/mdm/policy-csp-notifications.md index 5a9ba3c250..3e87f1d1ca 100644 --- a/windows/client-management/mdm/policy-csp-notifications.md +++ b/windows/client-management/mdm/policy-csp-notifications.md @@ -61,8 +61,8 @@ This policy allows you to prevent Windows from displaying notifications to Micro | Value | Description | |:--|:--| -| 0 (Default) | Disabled. | -| 1 | Enabled. | +| 0 (Default) | Disabled | +| 1 | Enabled | From 19dfa5ea5702469115f1e375dd23fece03700c7b Mon Sep 17 00:00:00 2001 From: Carmen Date: Fri, 2 Jun 2023 16:10:31 -0600 Subject: [PATCH 65/80] Acrolinx --- .../do/waas-delivery-optimization-faq.yml | 16 ++++---- .../do/waas-delivery-optimization-setup.md | 40 +++++++++---------- 2 files changed, 28 insertions(+), 28 deletions(-) diff --git a/windows/deployment/do/waas-delivery-optimization-faq.yml b/windows/deployment/do/waas-delivery-optimization-faq.yml index 4495cdcc35..6f0b6fe690 100644 --- a/windows/deployment/do/waas-delivery-optimization-faq.yml +++ b/windows/deployment/do/waas-delivery-optimization-faq.yml 
@@ -69,7 +69,7 @@ sections: If the connection is identified as a VPN, Delivery Optimization suspends uploads to other peers. However, you can allow uploads over a VPN by using the [Enable Peer Caching while the device connects via VPN](../do/waas-delivery-optimization-reference.md#enable-peer-caching-while-the-device-connects-via-vpn) policy. - If you have defined a boundary group in Configuration Manager for VPN IP ranges, you can set the [DownloadMode](../do/waas-delivery-optimization-reference.md#download-mode) policy to 0 for that boundary group, to ensure that there is no peer-to-peer activity over the VPN. When the device isn't connected using a VPN, it can still use peer-to-peer with the default of LAN. + If you have defined a boundary group in Configuration Manager for VPN IP ranges, you can set the [DownloadMode](../do/waas-delivery-optimization-reference.md#download-mode) policy to 0 for that boundary group, to ensure that there's no peer-to-peer activity over the VPN. When the device isn't connected using a VPN, it can still use peer-to-peer with the default of LAN. With split tunneling, make sure to allow direct access to these endpoints: 
@@ -106,26 +106,26 @@ sections: answer: | Delivery Optimization uses the cache content on the device to determine what's available for peering. For the upload source device, there's a limited number (4) of slots for cached content that's available for peering at a given time. Delivery Optimization contains logic that rotates the cached content in those slots. - - question: What is the recommended configuration for Delivery Optimization used with cloud proxies (e.g. Zscaler)? + - question: What is the recommended configuration for Delivery Optimization used with cloud proxies (for example, Zscaler)? answer: | - The recommended configuration for Delivery Optimization Peer-to-Peer to work most efficiently along with cloud proxy solutions (e.g. Zscaler) is to allow traffic to the Delivery Optimization services to go directly to the internet and not through the cloud proxy. + The recommended configuration for Delivery Optimization Peer-to-Peer to work most efficiently along with cloud proxy solutions (for example, Zscaler) is to allow traffic to the Delivery Optimization services to go directly to the internet and not through the cloud proxy. At a minimum, the following FQDN that is used for communication between clients and the Delivery Optimization service should be allowed with direct Internet access and bypass the cloud proxy service: • *.prod.do.dsp.mp.microsoft.com - If allowing direct Internet access is not an option, try using Group Download Mode '2' to define the peering group. [Learn more](waas-delivery-optimization-reference.md#select-the-source-of-group-ids) about using Group Download mode. + If allowing direct Internet access isn't an option, try using Group Download Mode '2' to define the peering group. [Learn more](waas-delivery-optimization-reference.md#select-the-source-of-group-ids) about using Group Download mode. - question: How do I turn off Delivery Optimization? 
answer: | - Delivery Optimization is an HTTP downloader used by most content providers from Microsoft. When a device is configured to use Delivery Optimization peering (on by default) it will do so in conjunction with the HTTP downloader capabilities to optimize bandwidth usage. - If you'd like to disable peer-to-peer capabilities of Delivery Optimization, change the Delivery Optimization [Download mode](waas-delivery-optimization-reference.md#download-mode) setting to '0', which will disable peer-to-peer and provide hash checks. [Download mode](waas-delivery-optimization-reference.md#download-mode) set to '99' should only be used when the device is offline and does not have internet access. + Delivery Optimization is an HTTP downloader used by most content providers from Microsoft. When a device is configured to use Delivery Optimization peering (on by default), it does so with the HTTP downloader capabilities to optimize bandwidth usage. + If you'd like to disable peer-to-peer capabilities of Delivery Optimization, change the Delivery Optimization [Download mode](waas-delivery-optimization-reference.md#download-mode) setting to '0', which will disable peer-to-peer and provide hash checks. [Download mode](waas-delivery-optimization-reference.md#download-mode) set to '99' should only be used when the device is offline and doesn't have internet access. > [!NOTE] - > Disabling Delivery Optimization will not prevent content from downloading to your devices. If you are looking to pause updates you will need to set policies for the relevant components such as Windows Update, Windows Store or Edge browser. If you are looking to reduce the load on your network, look into using Delivery Optimization Peer-to-Peer, Microsoft Connected Cache or apply the [network throttling policies](waas-delivery-optimization-reference.md#maximum-download-bandwidth) available for Delivery Optimization. 
+ > Disabling Delivery Optimization won't prevent content from downloading to your devices. If you're looking to pause updates, you need to set policies for the relevant components such as Windows Update, Windows Store or Edge browser. If you're looking to reduce the load on your network, look into using Delivery Optimization Peer-to-Peer, Microsoft Connected Cache or apply the [network throttling policies](waas-delivery-optimization-reference.md#maximum-download-bandwidth) available for Delivery Optimization. - question: Delivery Optimization is using device resources and I can't tell why? answer: | - Delivery Optimization is used by most content providers from Microsoft. A complete list can be found [here](waas-delivery-optimization.md#types-of-download-content-supported-by-delivery-optimization). Often times customers may not realize the vast application of Delivery Optimization and how it is used across different apps. Content providers have the option to run downloads in the foreground or background. It's good to check any apps running in the background to see what is running. Also note that depending on the app, closing the app may not necessarily stop the download. + Delivery Optimization is used by most content providers from Microsoft. A complete list can be found [here](waas-delivery-optimization.md#types-of-download-content-supported-by-delivery-optimization). Oftentimes customers may not realize the vast application of Delivery Optimization and how it's used across different apps. Content providers have the option to run downloads in the foreground or background. It's good to check any apps running in the background to see what is running. Also note that depending on the app, closing the app may not necessarily stop the download. - question: What Delivery Optimization settings are available? answer: | 
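Review bot: In the "How do I turn off Delivery Optimization?" answer, the changed line says Download mode '0' will "disable peer-to-peer and provide hash checks" and that '99' "should only be used when the device is offline", but it never says what '99' gives up, so a reader can't tell why it is restricted to offline devices. Suggest adding one clause that states the difference between the two modes. Style: the same line keeps "which will disable" although the line above it was moved to present tense ("it does so"), and "Oftentimes customers may not realize" in the device-resources answer reads better as "Customers often don't realize".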
diff --git a/windows/deployment/do/waas-delivery-optimization-setup.md b/windows/deployment/do/waas-delivery-optimization-setup.md index 49e1fd4447..550dbf7563 100644 --- a/windows/deployment/do/waas-delivery-optimization-setup.md +++ b/windows/deployment/do/waas-delivery-optimization-setup.md 
@@ -26,15 +26,15 @@ ms.collection: tier3 You can use Group Policy or an MDM solution like Intune to configure Delivery Optimization. -You'll find the Delivery Optimization settings in Group Policy under **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization**. +You find the Delivery Optimization settings in Group Policy under **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization**. Starting with Microsoft Intune version 1902, you can set many Delivery Optimization policies as a profile, which you can then apply to groups of devices. For more information, see [Delivery Optimization settings in Microsoft Intune](/mem/intune/configuration/delivery-optimization-windows). -**Starting with Windows 10, version 1903**, you can use the Azure Active Directory (Azure AD) Tenant ID as a means to define groups. To do this set the value for [DOGroupIDSource](waas-delivery-optimization-reference.md#select-the-source-of-group-ids) to its new maximum value of 5. +**Starting with Windows 10, version 1903**, you can use the Azure Active Directory (Azure AD) Tenant ID as a means to define groups. To set the value for [DOGroupIDSource](waas-delivery-optimization-reference.md#select-the-source-of-group-ids) to its new maximum value of 5. ## Allow service endpoints -When using a firewall, it's important that the Delivery Optimization Service endpoints are allowed and associated ports are open. For more information, see [Delivery Optimization FAQ](waas-delivery-optimization-faq.yml#what-hostnames-should-i-allow-through-my-firewall-to-support-delivery-optimization) for more information. +When using a firewall, it's important that the Delivery Optimization Service endpoints are allowed and associated ports are open. For more information, see [Delivery Optimization FAQ](waas-delivery-optimization-faq.yml#what-hostnames-should-i-allow-through-my-firewall-to-support-delivery-optimization). ## Allow content endpoints 
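Review bot: The rewritten DOGroupIDSource line is now a sentence fragment: "To set the value for [DOGroupIDSource](...) to its new maximum value of 5." has no main clause once "do this" is removed. Suggest "To do so, set the value for DOGroupIDSource to its new maximum value of 5." In the first changed line, "You find the Delivery Optimization settings in Group Policy under" is awkward; "The Delivery Optimization settings are in Group Policy under" drops the future tense without the odd present.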
@@ -42,9 +42,9 @@ When using a firewall, it's important that the content endpoints are allowed and ## Recommended Delivery Optimization settings -Delivery Optimization offers a great many settings to fine-tune its behavior (see [Delivery Optimization reference](waas-delivery-optimization-reference.md) for a comprehensive list), but for the most efficient performance, there are just a few key parameters that will have the greatest impact if particular situations exist in your deployment. If you just need an overview of Delivery Optimization, see [Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md). +Delivery Optimization offers a great many settings to fine-tune its behavior see [Delivery Optimization reference](waas-delivery-optimization-reference.md) for a comprehensive list, but for the most efficient performance, there are just a few key parameters that have the greatest impact if particular situations exist in your deployment. If you just need an overview of Delivery Optimization, see [Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md). -- Does your topology include multiple breakouts to the internet (i.e., a "hybrid WAN") or are there only a few connections to the internet, so that all requests appear to come from a single external IP address (a "hub and spoke" topology)? +- Does your topology include multiple breakouts to the internet that is, a "hybrid WAN" or are there only a few connections to the internet, so that all requests appear to come from a single external IP address a "hub and spoke" topology? - If you use boundary groups in your topology, how many devices are present in a given group? - What percentage of your devices are mobile? - Do your devices have a lot of free space on their drives? 
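Review bot: Removing the parentheses in both changed lines left run-on text with no punctuation around the asides: "fine-tune its behavior see [Delivery Optimization reference](...) for a comprehensive list, but" and "breakouts to the internet that is, a "hybrid WAN" or are there ... a single external IP address a "hub and spoke" topology?". Keep the parentheses and only swap "i.e.," for "that is,", or set each aside off with commas, so the question in the bullet still parses.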
@@ -69,17 +69,17 @@ Quick-reference table: For this scenario, grouping devices by domain allows devices to be included in peer downloads and uploads across VLANs. **Set Download Mode to 2 - Group**. The default group, when the GroupID or GroupIDSource policies aren't set, is the AD Site (1), Authenticated domain SID (2) or AAD Tenant ID (5), in that order. If your domain-based group is too wide, or your Active Directory sites aren't aligned with your site network topology, then you should consider other options for dynamically creating groups, for example by using the [DOGroupIDSource](waas-delivery-optimization-reference.md#select-the-source-of-group-ids) policy. -To do this in Group Policy go to **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization** and set **Download mode** to **2**. +In Group Policy go to **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization** and set **Download mode** to **2**. -To do this with MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set [DODownloadMode](/windows/client-management/mdm/policy-csp-deliveryoptimization#dodownloadmode) to 1 or 2. +Using with MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set [DODownloadMode](/windows/client-management/mdm/policy-csp-deliveryoptimization#dodownloadmode) to 1 or 2. ### Hub and spoke topology with boundary groups -The default download mode setting is **1**; this means all devices breaking out to the internet using the same public IP will be considered as a single peer group. To prevent peer-to-peer activity across your WAN, you should set the download mode to **2**. If you have already defined Active Directory sites per hub or branch office, then you don't need to do anything else since those will be used by default as the source for creation of Group IDs. 
If you're not using Active Directory sites, you should set a different source for Groups by using the [DOGroupIDSource](waas-delivery-optimization-reference.md#select-the-source-of-group-ids) options or the [DORestrictPeerSelectionBy](waas-delivery-optimization-reference.md#select-a-method-to-restrict-peer-selection) policy to restrict the activity to the subnet. +The default download mode setting is **1**; this means all devices breaking out to the internet using the same public IP is considered as a single peer group. To prevent peer-to-peer activity across your WAN, you should set the download mode to **2**. If you have already defined Active Directory sites per hub or branch office, then you don't need to do anything else since the Active Directory sites are used by default as the source for creation of Group IDs. If you're not using Active Directory sites, you should set a different source for Groups by using the [DOGroupIDSource](waas-delivery-optimization-reference.md#select-the-source-of-group-ids) options or the [DORestrictPeerSelectionBy](waas-delivery-optimization-reference.md#select-a-method-to-restrict-peer-selection) policy to restrict the activity to the subnet. -To do this in Group Policy go to **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization** and set **Download mode** to **2**. +With Group Policy go to **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization** and set **Download mode** to **2**. -To do this with MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set [DODownloadMode](/windows/client-management/mdm/policy-csp-deliveryoptimization#dodownloadmode) to **2**. +Using MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set [DODownloadMode](/windows/client-management/mdm/policy-csp-deliveryoptimization#dodownloadmode) to **2**. 
> [!NOTE] > For more information about using Delivery Optimization with Configuration Manager boundary groups, see [Delivery Optimization for Configuration Manager](/mem/configmgr/core/plan-design/hierarchy/fundamental-concepts-for-content-management#delivery-optimization). 
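Review bot: In the hybrid WAN section the changed MDM line still says to set DODownloadMode "to 1 or 2", while the paragraph above it says "Set Download Mode to 2 - Group" and the Group Policy line sets Download mode to 2; since the line is being edited anyway, align it to 2 or say when 1 applies. The wording also needs another pass: "Using with MDM, go to" has a stray "with", the Group Policy lead-in varies between "In Group Policy go to" and "With Group Policy go to" within this hunk, and "all devices breaking out to the internet using the same public IP is considered" should be "are considered".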
@@ -88,25 +88,25 @@ To do this with MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimiza If you have a mobile workforce with a great many mobile devices, set Delivery Optimization to allow uploads on battery power, while limiting the use to prevent battery drain. A setting for **DOMinBatteryPercentageAllowedToUpload** of 60% is a good starting point, though you might want to adjust it later. -To do this in Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization** and set **Allow uploads while the device is on battery while under set Battery level** to 60. +With Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization** and set **Allow uploads while the device is on battery while under set Battery level** to 60. -To do this with MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set [DOMinBatteryPercentageAllowedToUpload](/windows/client-management/mdm/policy-csp-deliveryoptimization#dominbatterypercentageallowedtoupload) to 60. +Using MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set [DOMinBatteryPercentageAllowedToUpload](/windows/client-management/mdm/policy-csp-deliveryoptimization#dominbatterypercentageallowedtoupload) to 60. ### Plentiful free space and large numbers of devices -Many devices now come with large internal drives. You can set Delivery Optimization to take better advantage of this space (especially if you have large numbers of devices) by changing the minimum file size to cache. If you've more than 30 devices in your local network or group, change it from the default 50 MB to 10 MB. If you've more than 100 devices (and are running Windows 10, version 1803 or later), set this value to 1 MB. +Many devices now come with large internal drives. 
You can set Delivery Optimization to take better advantage of this space (especially if you have large numbers of devices) by changing the minimum file size to cache. If you have more than 30 devices in your local network or group, change it from the default 50 MB to 10 MB. If you have more than 100 devices (and are running Windows 10, version 1803 or later), set this value to 1 MB. -To do this in Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization** and set **Minimum Peer Caching Content File Size** to 10 (if you've more than 30 devices) or 1 (if you've more than 100 devices). +With Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization** and set **Minimum Peer Caching Content File Size** to 10 (if you have more than 30 devices) or 1 (if you have more than 100 devices). -To do this with MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set [DOMinFileSizeToCache](/windows/client-management/mdm/policy-csp-deliveryoptimization#dominfilesizetocache) to 100 (if you've more than 30 devices) or 1 (if you've more than 100 devices). +Using MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set [DOMinFileSizeToCache](/windows/client-management/mdm/policy-csp-deliveryoptimization#dominfilesizetocache) to 100 (if you have more than 30 devices) or 1 (if you have more than 100 devices). ### Lab scenario -In a lab situation, you typically have a large number of devices that are plugged in and have a lot of free disk space. By increasing the content expiration interval, you can take advantage of these devices, using them as excellent upload sources in order to upload much more content over a longer period. +In a lab situation, you typically have a large number of devices that are plugged in and have a lot of free disk space. 
By increasing the content expiration interval, you can take advantage of these devices, using them as excellent upload sources in order to upload more content over a longer period. -To do this in Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization** and set **Max Cache Age** to **604800** (7 days) or more (up to 30 days). +With Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Delivery Optimization** and set **Max Cache Age** to **604800** (7 days) or more (up to 30 days). -To do this with MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set [DOMaxCacheAge](/windows/client-management/mdm/policy-csp-deliveryoptimization#domaxcacheage) to 7 or more (up to 30 days). +Using MDM, go to **./Device/Vendor/MSFT/Policy/Config/DeliveryOptimization/** and set [DOMaxCacheAge](/windows/client-management/mdm/policy-csp-deliveryoptimization#domaxcacheage) to 7 or more (up to 30 days). [Learn more](delivery-optimization-test.md) about Delivery Optimization testing scenarios. 
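Review bot: The MDM lines in this hunk disagree with the Group Policy lines beside them. For more than 30 devices the paragraph and the Group Policy line give 10 (MB), but the DOMinFileSizeToCache line says "to 100 (if you have more than 30 devices)"; and Max Cache Age is "604800 (7 days)" for Group Policy but "7 or more (up to 30 days)" for DOMaxCacheAge. Both MDM lines are touched by this change, so confirm the intended values and units and make each pair match instead of carrying the mismatch forward.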
@@ -148,8 +148,8 @@ Try these steps: 1. Download the same app on two different devices on the same network, waiting 10 – 15 minutes between downloads. 2. Run `Get-DeliveryOptimizationStatus` from an elevated PowerShell window and ensure that **[DODownloadMode](waas-delivery-optimization-reference.md#download-mode)** is 1 or 2 on both devices. -3. Run `Get-DeliveryOptimizationPerfSnap` from an elevated PowerShell window on the second device. The **NumberOfPeers** field should be non-zero. -4. If the number of peers is zero and **[DODownloadMode](waas-delivery-optimization-reference.md#download-mode)** is 1, ensure that both devices are using the same public IP address to reach the internet (you can easily do this by opening a browser window and do a search for “what is my IP”). In the case where devices aren't reporting the same public IP address, configure **[DODownloadMode](waas-delivery-optimization-reference.md#download-mode)** to 2 (Group) and use a custom **[DOGroupID (Guid)](waas-delivery-optimization-reference.md#group-id)**, to fix this. +3. Run `Get-DeliveryOptimizationPerfSnap` from an elevated PowerShell window on the second device. The **NumberOfPeers** field should be nonzero. +4. If the number of peers is zero and **[DODownloadMode](waas-delivery-optimization-reference.md#download-mode)** is 1, ensure that both devices are using the same public IP address to reach the internet (you can easily do this by opening a browser window and do a search for “what is my IP”). In the case where devices aren't reporting the same public IP address, configure **[DODownloadMode](waas-delivery-optimization-reference.md#download-mode)** to 2 (Group) and use a custom **[DOGroupID (Guid)](waas-delivery-optimization-reference.md#group-id)**. 
> [!NOTE] > Starting in Windows 10, version 2004, `Get-DeliveryOptimizationStatus` has a new option `-PeerInfo` which returns a real-time list of potential peers per file, including which peers are successfully connected and the total bytes sent or received from each peer. From 422df53261fd0c5865df0af31cd8f1056b1a38e4 Mon Sep 17 00:00:00 2001 From: Carmen Date: Fri, 2 Jun 2023 16:20:40 -0600 Subject: [PATCH 66/80] Acrolinx --- windows/deployment/do/waas-delivery-optimization.md | 4 ++-- windows/deployment/do/whats-new-do.md | 4 ++-- windows/deployment/update/wufb-reports-do.md | 10 +++++----- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/windows/deployment/do/waas-delivery-optimization.md b/windows/deployment/do/waas-delivery-optimization.md index 649958f159..ba8be8bce6 100644 --- a/windows/deployment/do/waas-delivery-optimization.md +++ b/windows/deployment/do/waas-delivery-optimization.md 
@@ -23,9 +23,9 @@ ms.date: 12/31/2017 > **Looking for Group Policy objects?** See [Delivery Optimization reference](waas-delivery-optimization-reference.md) or the master spreadsheet available at the Download Center [for Windows 11](https://www.microsoft.com/en-us/download/details.aspx?id=104594) or [for Windows 10](https://www.microsoft.com/en-us/download/details.aspx?id=104678). -Windows updates, upgrades, and applications can contain packages with large files. Downloading and distributing updates can consume quite a bit of network resources on the devices receiving them. Delivery Optimization is a reliable HTTP downloader with a cloud-managed solution that allows Windows devices to download those packages from alternate sources if desired (such as other devices on the network and/or a dedicated cache server) in addition to the traditional internet-based servers (referred to as 'HTTP sources' throughout Delivery Optimization documents). You can use Delivery Optimization to reduce bandwidth consumption by sharing the work of downloading these packages among multiple devices in your deployment however, the use of peer-to-peer is completely optional. +Windows updates, upgrades, and applications can contain packages with large files. Downloading and distributing updates can consume quite a bit of network resources on the devices receiving them. Delivery Optimization is a reliable HTTP downloader with a cloud-managed solution that allows Windows devices to download those packages from alternate sources if desired (such as other devices on the network and/or a dedicated cache server) in addition to the traditional internet-based servers (referred to as 'HTTP sources' throughout Delivery Optimization documents). You can use Delivery Optimization to reduce bandwidth consumption by sharing the work of downloading these packages among multiple devices in your deployment however, the use of peer-to-peer is optional. 
-To use either the peer-to-peer functionality or the Microsoft Connected Cache features, devices must have access to the Internet and Delivery Optimization cloud services. When Delivery Optimization is configured to use peers and Microsoft Connected Cache (MCC), to achieve the best possible content delivery experience, the client will connect to MCC and peers in parallel. If the desired content can't be obtained from MCC or peers, Delivery Optimization will seamlessly fall back to the HTTP source to get the requested content. +To use either the peer-to-peer functionality or the Microsoft Connected Cache features, devices must have access to the Internet and Delivery Optimization cloud services. When Delivery Optimization is configured to use peers and Microsoft Connected Cache (MCC), to achieve the best possible content delivery experience, the client connects to MCC and peers in parallel. If the desired content can't be obtained from MCC or peers, Delivery Optimization seamlessly falls back to the HTTP source to get the requested content. You can use Delivery Optimization with Windows Update, Windows Server Update Services (WSUS), Microsoft Intune/Windows Update for Business, or Microsoft Configuration Manager (when installation of Express Updates is enabled). diff --git a/windows/deployment/do/whats-new-do.md b/windows/deployment/do/whats-new-do.md index fcbdfb959f..d63bb5d612 100644 --- a/windows/deployment/do/whats-new-do.md +++ b/windows/deployment/do/whats-new-do.md 
@@ -34,8 +34,8 @@ There are two different versions: - Delivery Optimization introduced support for receiver side ledbat (rLedbat) in Windows 11 22H2. -- New peer selection options: Currently the available options include: 0 = None, 1 = Subnet mask, and 2 = Local Peer Discovery. The subnet mask option applies to both Download Modes LAN (1) and Group (2). If Group mode is set, Delivery Optimization will connect to locally discovered peers that are also part of the same Group (have the same Group ID)." -- Local Peer Discovery: a new option for **[Restrict Peer Selection By](waas-delivery-optimization-reference.md#select-a-method-to-restrict-peer-selection)** (in Group Policy) or **DORestrictPeerSelectionBy** (in MDM). This option restricts the discovery of local peers using the DNS-SD protocol. When you set Option 2, Delivery Optimization will restrict peer selection to peers that are locally discovered (using DNS-SD). If Group mode is enabled, Delivery Optimization will connect to locally discovered peers that are also part of the same group, for those devices with the same Group ID). +- New peer selection options: Currently the available options include: 0 = None, 1 = Subnet mask, and 2 = Local Peer Discovery. The subnet mask option applies to both Download Modes LAN (1) and Group (2). If Group mode is set, Delivery Optimization connects to locally discovered peers that are also part of the same Group (have the same Group ID)." +- Local Peer Discovery: a new option for **[Restrict Peer Selection By](waas-delivery-optimization-reference.md#select-a-method-to-restrict-peer-selection)** (in Group Policy) or **DORestrictPeerSelectionBy** (in MDM). This option restricts the discovery of local peers using the DNS-SD protocol. When you set Option 2, Delivery Optimization restricts peer selection to peers that are locally discovered (using DNS-SD). 
If Group mode is enabled, Delivery Optimization connects to locally discovered peers that are also part of the same group, for those devices with the same Group ID). > [!NOTE] > The Local Peer Discovery (DNS-SD, [RFC 6763](https://datatracker.ietf.org/doc/html/rfc6763)) option can only be set via MDM delivered policies on Windows 11 builds. This feature can be enabled in supported Windows 10 builds by setting the `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization\DORestrictPeerSelectionBy` value to **2**. For more information, see [Delivery Optimization reference](waas-delivery-optimization-reference.md). diff --git a/windows/deployment/update/wufb-reports-do.md b/windows/deployment/update/wufb-reports-do.md index d907318375..da09d3e2d2 100644 --- a/windows/deployment/update/wufb-reports-do.md +++ b/windows/deployment/update/wufb-reports-do.md 
@@ -48,7 +48,7 @@ Windows Update for Business reports uses the following Delivery Optimization ter - **MCC Device Count**: The device count is the number of devices that have received bytes from the cache server, for supported content types. - **Total # of Devices**: The total number of devices with activity in last 28 days. - **LAN Bytes**: Bytes delivered from LAN peers. -- **Group Bytes**: Bytes from Group peers. If a device is using Group DownloadMode, Delivery Optimization will first look for peers on the LAN and then in the Group. Therefore, if bytes are delivered from LAN peers, they'll be calculated in 'LAN Bytes'. +- **Group Bytes**: Bytes from Group peers. If a device is using Group DownloadMode, Delivery Optimization first looks for peers on the LAN and then in the Group. Therefore, if bytes are delivered from LAN peers, they are calculated in 'LAN Bytes'. - **CDN Bytes**: Bytes delivered from Content Delivery Network (CDN). - **City**: City is determined based on the location of the device where the maximum amount of data is downloaded. - **Country**: Country is determined based on the location of the device where the maximum amount of data is downloaded. @@ -56,7 +56,7 @@ Windows Update for Business reports uses the following Delivery Optimization ter ## Calculations for Delivery Optimization -There are several calculated values that appear on the Delivery Optimization report. Listed below each calculation is the table that's used for it: +Each calculated values used in the Delivery Optimization report are listed below. **Efficiency (%) Calculations**: 
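Review bot: The replacement sentence under "Calculations for Delivery Optimization" has an agreement error ("Each calculated values ... are listed below") and drops the information that the table used for each calculation is listed beneath it. Suggest "Each calculated value used in the Delivery Optimization report is listed below, followed by the table that's used for it."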
@@ -182,10 +182,10 @@ A row in UCDOStatus represents data downloaded by a combination of a single devi A row in UCDOAggregatedStatus represents data summarized at the tenant level (AzureADTenantID) for each content type (ContentType). - **How are BytesFromCache calculated when there's a Connected Cache server used by my ISP?** -If there's a Connected Cache server at the ISP level, BytesFromCache will filter out any bytes coming the ISP's Connected Cache. +If there's a Connected Cache server at the ISP level, BytesFromCache filters out any bytes coming the ISP's Connected Cache. - **How do the results from the Delivery Optimization PowerShell cmdlets compare to the results in the report?** [Delivery Optimization PowerShell cmdlets](waas-delivery-optimization-setup.md#monitor-delivery-optimization) can be a powerful tool used to monitor Delivery Optimization data on the device. These cmdlets use the cache on the device. The data calculated in the report is taken from the Delivery Optimization telemetry events. -- **The report represents the last 28 days of data, why do some queries include >= 7 days?** -The data in the report does represent the last 28 days of data. The query for last 7 days is just to get the data for the latest snapshot from past 7 days. It is possible that data is delayed for sometime and not available for current day, so we look for past 7 day snapshot in log analytics ans show the latest snapshot. +- **The report represents the last 28 days of data, why do some queries include >= seven days?** +The data in the report does represent the last 28 days of data. The query for last seven days is just to get the data for the latest snapshot from past seven days. It's possible that data is delayed for sometime and not available for current day, so we look for past 7 day snapshot in log analytics and show the latest snapshot. From 3867203db1fd2e86ac5f5891bf4239146de2aa80 Mon Sep 17 00:00:00 2001 
From: Carmen Date: Fri, 2 Jun 2023 21:35:25 -0600 Subject: [PATCH 67/80] Acrolinx --- windows/deployment/do/delivery-optimization-proxy.md | 2 +- windows/deployment/do/delivery-optimization-test.md | 4 ++-- windows/deployment/do/waas-microsoft-connected-cache.md | 7 ++++--- 3 files changed, 7 insertions(+), 6 deletions(-) diff --git a/windows/deployment/do/delivery-optimization-proxy.md b/windows/deployment/do/delivery-optimization-proxy.md index bab58db796..a94dbfaf85 100644 --- a/windows/deployment/do/delivery-optimization-proxy.md +++ b/windows/deployment/do/delivery-optimization-proxy.md @@ -34,7 +34,7 @@ If a user is signed in, the system uses the Internet Explorer proxy. If no user is signed in, even if both the Internet Explorer proxy and netsh configuration are set, the netsh configuration will take precedence over the Internet Explorer proxy. This can result in download failures. For example, you might receive HTTP_E_STATUS_PROXY_AUTH_REQ or HTTP_E_STATUS_DENIED errors. -You can still use netsh to import the proxy setting from Internet Explorer (`netsh winhttp import proxy source=ie `) if your proxy configuration is a static *proxyServerName:Port*. However, the same limitations mentioned previously apply. +You can still use netsh to import the proxy setting from Internet Explorer (`netsh winhttp import proxy source=ie`) if your proxy configuration is a static *proxyServerName:Port*. However, the same limitations mentioned previously apply. ### Summary of settings behavior diff --git a/windows/deployment/do/delivery-optimization-test.md b/windows/deployment/do/delivery-optimization-test.md index 7ce46ef46c..978410d908 100644 --- a/windows/deployment/do/delivery-optimization-test.md +++ b/windows/deployment/do/delivery-optimization-test.md 
@@ -90,7 +90,7 @@ The following set of instructions will be used for each machine: |--------|-------------------------------| | :::image type="content" source="images/test-scenarios/win10/m1-basic-complete.png" alt-text="Windows 10 21H2 - Machine 1 - Basic Test." lightbox="images/test-scenarios/win10/m1-basic-complete.png"::: | :::image type="content" source="images/test-scenarios/win11/m1-basic-complete.png" alt-text="Windows 11 21H2 - Machine 1 - Basic Test." lightbox="images/test-scenarios/win11/m1-basic-complete.png"::: | | **Observations** | | -| * No peers were found on the first machine downloading the content.
* 'TotalBytesDownloaded' is equal to the file size.
* Status is set to 'Caching' the content so future peers can use it.
* Download was happening in the foreground.
* DownloadMode is set to 'Group' and no peers were found.
* No distinct observations seen between Window 10 and Windows 11 devices. | +| *No peers were found on the first machine downloading the content.
* 'TotalBytesDownloaded' is equal to the file size.
*Status is set to 'Caching' the content so future peers can use it.
* Download was happening in the foreground.
*DownloadMode is set to 'Group' and no peers were found.
* No distinct observations seen between Window 10 and Windows 11 devices. | *Wait 5 minutes*. @@ -102,7 +102,7 @@ The following set of instructions will be used for each machine: |--------|--------------------------------| | :::image type="content" source="images/test-scenarios/win10/m2-basic-complete.png" alt-text="Windows 10 21H2 - Machine 2 - Basic Test." lightbox="images/test-scenarios/win10/m2-basic-complete.png"::: | :::image type="content" source="images/test-scenarios/win11/m2-basic-complete.png" alt-text="Windows 11 21H2 - Machine 2 - Basic Test." lightbox="images/test-scenarios/win11/m2-basic-complete.png":::| | **Observations** | **Observations**| -| * A peer was found for the content and 87% of total bytes came from the peer.
* One peer was found for the piece of content, which is expected as there are only two devices in the peering group.
* Download mode was set to 'Group', but since group mode includes both LAN and Group devices, Delivery Optimization prioritizes LAN peers, if found. Therefore, 'BytesFromLanPeers' shows bytes where 'BytesFromGroupPeers' doesn't.
* 'DownloadDuration' is roughly the same between machines.|* A peer was found for the content and 90% of total bytes came from the peer.
* All other points are the same as Windows 10 results. | +| *A peer was found for the content and 87% of total bytes came from the peer.
* One peer was found for the piece of content, which is expected as there are only two devices in the peering group.
*Download mode was set to 'Group', but since group mode includes both LAN and Group devices, Delivery Optimization prioritizes LAN peers, if found. Therefore, 'BytesFromLanPeers' shows bytes where 'BytesFromGroupPeers' doesn't.
* 'DownloadDuration' is roughly the same between machines.|*A peer was found for the content and 90% of total bytes came from the peer.
* All other points are the same as Windows 10 results. | ### Scenario 2: Advance Setup diff --git a/windows/deployment/do/waas-microsoft-connected-cache.md b/windows/deployment/do/waas-microsoft-connected-cache.md index 7b4290c2a6..4be489751a 100644 --- a/windows/deployment/do/waas-microsoft-connected-cache.md +++ b/windows/deployment/do/waas-microsoft-connected-cache.md @@ -23,8 +23,9 @@ ms.collection: tier3 > Microsoft Connected Cache is currently a preview feature. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). Microsoft Connected Cache is a software-only caching solution that delivers Microsoft content. Microsoft Connected Cache has two main offerings: -- Microsoft Connected Cache for Internet Service Providers -- Microsoft Connected Cache for Enterprise and Education (early preview). + +- Microsoft Connected Cache for Internet Service Providers +- Microsoft Connected Cache for Enterprise and Education (early preview) Both products are created and managed in the cloud portal. 
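Review bot: In delivery-optimization-test.md, both Observations hunks (@@ -90,7 and @@ -102,7) drop the space after the leading `*` on only some items, for example `*No peers were found`, `*Status is set to` and `*A peer was found`, while the items next to them keep `* `. An asterisk followed directly by text is an emphasis opener in Markdown, so the cells now mix two bullet styles and may render differently from before. Suggest restoring `* ` on every item or leaving these cells unchanged. The context text "Window 10 and Windows 11" in the first cell could be corrected to "Windows 10" in the same pass.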
@@ -33,7 +34,7 @@ Both products are created and managed in the cloud portal. > [!NOTE] > Microsoft Connected Cache for Internet Service Providers is now in public preview. To onboard, follow the instructions in the [Operator sign up and service onboarding](mcc-isp-signup.md) article. -Microsoft Connected Cache (MCC) for Internet Service Providers is currently in preview. MCC can be deployed to as many bare-metal servers or VMs as needed and is managed from a cloud portal. When deployed, MCC can help to reduce your network bandwidth usage for Microsoft software content and updates. Cache nodes are created in the cloud portal and are configured to deliver traffic to customers by manual CIDR or BGP routing. Learn more at [Microsoft Connected Cache for ISPs Overview](mcc-isp-overview.md). +Microsoft Connected Cache (MCC) for Internet Service Providers is currently in preview. MCC can be deployed to as many bare-metal servers or VMs as needed and is managed from a cloud portal. When deployed, MCC can help to reduce your network bandwidth usage for Microsoft software content and updates. Cache nodes are created in the cloud portal and are configured to deliver traffic to customers by manual CIDR or BGP routing. Learn more at [Microsoft Connected Cache for ISPs Overview](mcc-isp-overview.md). ## Microsoft Connected Cache for Enterprise and Education (early preview) From 58a7a99542f9d3ff69da5209c9ef071410655cc4 Mon Sep 17 00:00:00 2001 From: Jared DeWitt Date: Sat, 3 Jun 2023 14:29:53 -0600 Subject: [PATCH 68/80] Update network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md --- ...ty-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md index f0c1ef0a6c..dbc99216c2 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md @@ -90,7 +90,7 @@ There are no security audit event policies that can be configured to view output This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. -NTLM and NTLMv2 authentication is vulnerable to various malicious attacks, including SMB replay, man-in-the-middle attacks, and brute force attacks. Reducing and eliminating NTLM authentication from your environment forces the Windows operating system to use more secure protocols, such as the +NTLM and NTLMv2 authentication is vulnerable to various malicious attacks, including SMB relay, man-in-the-middle attacks, and brute force attacks. Reducing and eliminating NTLM authentication from your environment forces the Windows operating system to use more secure protocols, such as the Kerberos version 5 protocol, or different authentication mechanisms, such as smart cards. ### Vulnerability From 5c0344a8eb6e745699a930e19055b65307f6d50d Mon Sep 17 00:00:00 2001 From: Office Content Publishing <34616516+officedocspr@users.noreply.github.com> Date: Sat, 3 Jun 2023 23:31:14 -0700 Subject: [PATCH 69/80] Uploaded file: education-content-updates.md - 2023-06-03 23:31:13.9621 --- .../includes/education-content-updates.md | 20 +++---------------- 1 file changed, 3 insertions(+), 17 deletions(-) 
diff --git a/education/includes/education-content-updates.md b/education/includes/education-content-updates.md index 665fb1ee2c..23a567db48 100644 --- a/education/includes/education-content-updates.md +++ b/education/includes/education-content-updates.md @@ -2,24 +2,10 @@ -## Week of April 10, 2023 +## Week of May 29, 2023 | Published On |Topic title | Change | |------|------------|--------| -| 4/11/2023 | [Configure federated sign-in for Windows devices](/education/windows/federated-sign-in) | modified | - - -## Week of March 20, 2023 - - -| Published On |Topic title | Change | -|------|------------|--------| -| 3/21/2023 | [Windows 11 SE Overview](/education/windows/windows-11-se-overview) | modified | -| 3/22/2023 | [Configure Stickers for Windows 11 SE](/education/windows/edu-stickers) | modified | -| 3/22/2023 | [Configure Take a Test in kiosk mode](/education/windows/edu-take-a-test-kiosk-mode) | modified | -| 3/22/2023 | [Configure federated sign-in for Windows devices](/education/windows/federated-sign-in) | modified | -| 3/22/2023 | [Reset devices with Autopilot Reset](/education/windows/autopilot-reset) | modified | -| 3/22/2023 | [Deploy Windows 10 in a school district (Windows 10)](/education/windows/deploy-windows-10-in-a-school-district) | modified | -| 3/22/2023 | [Deploy Windows 10 in a school (Windows 10)](/education/windows/deploy-windows-10-in-a-school) | modified | -| 3/22/2023 | [Deployment recommendations for school IT administrators](/education/windows/edu-deployment-recommendations) | modified | +| 5/30/2023 | [Windows 11 SE Overview](/education/windows/windows-11-se-overview) | modified | +| 6/2/2023 | [What's in Set up School PCs provisioning package](/education/windows/set-up-school-pcs-provisioning-package) | modified | From c38f6e1b4c39742cb2d6713796bb3eeaf6ff6213 Mon Sep 17 00:00:00 2001 
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Mon, 5 Jun 2023 06:53:43 -0400 Subject: [PATCH 70/80] fixed line 5444 and 9839 --- .openpublishing.redirection.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 37cc5cf505..f08411d076 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -5442,7 +5442,7 @@ }, { "source_path": "windows/device-security/bitlocker/index.md", - "redirect_url": "/windows/security/information-protection/bitlocker/bitlocker-overview", + "redirect_url": "/windows/operating-system-security/data-protection/bitlocker/index", "redirect_document_id": false }, { @@ -9837,7 +9837,7 @@ }, { "source_path": "windows/keep-secure/index.md", - "redirect_url": "/windows/device-security/bitlocker/bitlocker-overview", + "redirect_url": "/windows/operating-system-security/data-protection/bitlocker/index", "redirect_document_id": false }, { From 434ce4c45d38d4f8cbfc77bff1bd05a19eeb8e49 Mon Sep 17 00:00:00 2001 From: "Nicholas S. White" <104782157+nicholasswhite@users.noreply.github.com> Date: Mon, 5 Jun 2023 11:32:43 -0400 Subject: [PATCH 71/80] Provisioned apps --- .../provisioned-apps-windows-client-os.md | 283 +++++++++++++----- 1 file changed, 201 insertions(+), 82 deletions(-) diff --git a/windows/application-management/provisioned-apps-windows-client-os.md b/windows/application-management/provisioned-apps-windows-client-os.md index 80dcf53c89..e449c6cd1f 100644 --- a/windows/application-management/provisioned-apps-windows-client-os.md +++ b/windows/application-management/provisioned-apps-windows-client-os.md 
@@ -47,17 +47,47 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 22H2| 21H1 | 20H2 | + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | | --- | --- | --- | --- | - | ✔️ | ✔️ | ✔️ || + | ✔️ | ✔️ | ✔️ | ✔️️| --- -- [Bing Weather](ms-windows-store://pdp/?PFN=Microsoft.BingWeather_8wekyb3d8bbwe) | Package name: Microsoft.BingWeather +- [Clipchamp](ms-windows-store://pdp/?ProductId=9P1J8S7CCWWT) | Package name: Clipchamp.Clipchamp - Supported versions: --- - | Uninstall through UI? | 22H2| 21H1 | 20H2 | + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | + | --- | --- | --- | --- | + | ✔️ | ✔️ | ✔️ | ❌️| + + --- + +- [Cortana](ms-windows-store://pdp/?PFN=Microsoft.549981C3f5f10_8wekyb3d8bbwe) | Package name: Microsoft.549981C3f5f10 + - Supported versions: + + --- + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | + | --- | --- | --- | --- | + | ❌ | ✔️ | ✔️ | ✔️️| + + --- + +- [Microsoft News](ms-windows-store://pdp/?PFN=Microsoft.BingNews_8wekyb3d8bbwe) | Package name: Microsoft.BingNews + - Supported versions: + + --- + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | + | --- | --- | --- | --- | + | ✔️ | ✔️ | ✔️ | ✔️️| + + --- + +- [MSN Weather](ms-windows-store://pdp/?PFN=Microsoft.BingWeather_8wekyb3d8bbwe) | Package name: Microsoft.BingWeather + - Supported versions: + + --- + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | | --- | --- | --- | --- | | ✔️ | ✔️ | ✔️ | ✔️️| 
@@ -67,17 +97,27 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 22H2| 21H1 | 20H2 | + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | | --- | --- | --- | --- | | Use Settings App | ✔️ | ✔️ | ✔️| --- +- [Xbox App](ms-windows-store://pdp/?PFN=Microsoft.GamingApp_8wekyb3d8bbwe) | Package name: Microsoft.GamingApp + - Supported versions: + + --- + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | + | --- | --- | --- | --- | + | ✔️ | ✔️ | ✔️ | ✔️️| + + --- + - [Get Help](ms-windows-store://pdp/?PFN=Microsoft.Gethelp_8wekyb3d8bbwe) | Package name: Microsoft.GetHelp - Supported versions: --- - | Uninstall through UI? |22H2| 21H1 | 20H2 | + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | |---| --- | --- | --- | | ❌ | ✔️| ✔️| ✔️| @@ -87,7 +127,7 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? |22H2| 21H1 | 20H2 | + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | | --- | --- | --- | --- | | ❌ | ✔️ | ✔️| ✔️| @@ -97,7 +137,7 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? |22H2| 21H1 | 20H2 | + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | | --- | --- | --- | --- | | ❌ | ✔️| ✔️| ✔️| 
@@ -107,39 +147,49 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? |22H2| 21H1 | 20H2 | + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | | --- | --- | --- | --- | - | ❌ | ✔️||| + | ✔️ | ✔️| ✔️| ✔️| --- >[!NOTE] >For devices running Windows 11, version 21H2, and any supported version of Windows 10, you need to acquire the [HEVC Video Extensions](ms-windows-store://pdp/?productid=9NMZLZ57R3T7) from the Microsoft Store. +- [Microsoft Edge](ms-windows-store://pdp/?productid=XPFFTQ037JWMHS) | Package name:Microsoft.MicrosoftEdge.Stable + - Supported versions: + + --- + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | + | --- | --- | --- | --- | + | ❌ | ✔️ | ✔️ | ✔️| + + --- + - [Microsoft Messaging](ms-windows-store://pdp/?PFN=Microsoft.Messaging_8wekyb3d8bbwe) | Package name:Microsoft.Messaging - Supported versions: --- - | Uninstall through UI? |22H2| 21H1 | 20H2 | + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️ | ✔️| + | ✔️ | ✔️ | ✔️ | ✔️| --- -- [Microsoft 3D Viewer](ms-windows-store://pdp/?PFN=Microsoft.Microsoft3DViewer_8wekyb3d8bbwe) | Package name: Microsoft.Microsoft3DViewer +- [3D Viewer](ms-windows-store://pdp/?PFN=Microsoft.Microsoft3DViewer_8wekyb3d8bbwe) | Package name: Microsoft.Microsoft3DViewer - Supported versions: --- - | Uninstall through UI? |22H2| 21H1 | 20H2 | + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️ | ✔️| + | ✔️ | ✔️ | ✔️ | ✔️| --- -- [Office](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe) | Package name: Microsoft.MicrosoftOfficeHub +- [Microsoft 365 (Office)](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe) | Package name: Microsoft.MicrosoftOfficeHub - Supported versions: --- - | Uninstall through UI? | 22H2| 21H1 | 20H2 | + | Uninstall through UI? 
| KB5026446 | 22H2 | 21H2 | | --- | --- | --- | --- | | ✔️ | ✔️ | ✔️ | ✔️️| @@ -149,7 +199,7 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 22H2| 21H1 | 20H2 | + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | | --- | --- | --- | --- | | ✔️ | ✔️ | ✔️ | ✔️️| @@ -159,9 +209,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? |22H2| 21H1 | 20H2 | + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️ | ✔️| + | ✔️ | ✔️ | ✔️ | ✔️| --- @@ -169,19 +219,19 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? |22H2| 21H1 | 20H2 | + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️ | ✔️| + | ✔️ | ✔️ | ✔️ | ✔️| --- -- [Paint 3D](ms-windows-store://pdp/?PFN=Microsoft.MSPaint_8wekyb3d8bbwe) | Package name: Microsoft.MSPaint +- [MPEG2 Video Extension](ms-windows-store://pdp/?PFN=Microsoft.MPEG2VideoExtension_8wekyb3d8bbwe) | Package name: Microsoft.MPEG2VideoExtension - Supported versions: --- - | Uninstall through UI? |22H2| 21H1 | 20H2 | + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️ | ✔️| + | ✔️ | ✔️ | ✔️ | ✔️| --- @@ -189,9 +239,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? | 22H2| 21H1 | 20H2 | + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | | --- | --- | --- | --- | - | ✔️ | ✔️ | ✔️ | ✔️️| + | ✔️ | ❌ | ✔️ | ✔️️| --- 
@@ -201,25 +251,45 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. --- | Uninstall through UI? |22H2| 21H1 | 20H2 | | --- | --- | --- | --- | + | ✔️ | ✔️ | ✔️ | ✔️| + + --- + +- OneDrive Sync | Package name: Microsoft.OneDriveSync + - Supported versions: + + --- + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | + | --- | --- | --- | --- | | ❌ | ✔️ | ✔️ | ✔️| --- -- Microsoft.Outlook.DesktopIntegrationServices +- Outlook Desktop Integration | Package name: Microsoft.OutlookDesktopIntegrationServices - Supported versions: --- - | Uninstall through UI? |22H2| 21H1 | 20H2 | + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | | --- | --- | --- | --- | - | | ✔️ | ✔️ | ✔️| + | ✔️ | ✔️ | ✔️ | ✔️| --- -- [Microsoft People](ms-windows-store://pdp/?PFN=Microsoft.People_8wekyb3d8bbwe) | Package name: Microsoft.People +- [Paint](ms-windows-store://pdp/?PFN=Microsoft.paint_8wekyb3d8bbwe) | Package name: Microsoft.Paint - Supported versions: --- - | Uninstall through UI? |22H2| 21H1 | 20H2 | + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | + | --- | --- | --- | --- | + | ✔️ | ✔️ | ✔️ | ✔️| + + --- + +- [People](ms-windows-store://pdp/?PFN=Microsoft.people_8wekyb3d8bbwe) | Package name: Microsoft.People + - Supported versions: + + --- + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | | --- | --- | --- | --- | | ❌ | ✔️ | ✔️ | ✔️| 
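Review bot: The first table in this hunk keeps its header as the unchanged context line `| Uninstall through UI? |22H2| 21H1 | 20H2 |` while a new row is added under it, so this one entry still lists 21H1 and 20H2 when every other table in the patch moves to `KB5026446 | 22H2 | 21H2`. Update that header as well. Also confirm the renamed package `Microsoft.OutlookDesktopIntegrationServices` (the removed line had `Microsoft.Outlook.DesktopIntegrationServices`) and the lower-cased PFNs in the new Paint and People links (`Microsoft.paint_8wekyb3d8bbwe`, `Microsoft.people_8wekyb3d8bbwe`), which no longer match the casing of the package names printed beside them.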
@@ -229,29 +299,29 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? |22H2| 21H1 | 20H2 | + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️ | ✔️| + | ❌ | ❌ | ✔️ | ✔️| --- -- [Snip & Sketch](ms-windows-store://pdp/?PFN=Microsoft.ScreenSketch_8wekyb3d8bbwe) | Package name: Microsoft.ScreenSketch +- [Raw Image Extension](ms-windows-store://pdp/?PFN=Microsoft.RawImageExtension_8wekyb3d8bbwe) | Package name: Microsoft.RawImageExtension - Supported versions: --- - | Uninstall through UI? |22H2| 21H1 | 20H2 | + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | | --- | --- | --- | --- | | ❌ | ✔️ | ✔️ | ✔️| --- -- [Skype](ms-windows-store://pdp/?PFN=Microsoft.SkypeApp_kzf8qxf38zg5c) | Package name: Microsoft.SkypeApp +- [Snipping Tool](ms-windows-store://pdp/?PFN=Microsoft.ScreenSketch_8wekyb3d8bbwe) | Package name: Microsoft.ScreenSketch - Supported versions: --- - | Uninstall through UI? |22H2| 21H1 | 20H2 | + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️ | ✔️| + | ✔️ | ✔️ | ✔️ | ✔️| --- 
@@ -259,27 +329,48 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? |22H2| 21H1 | 20H2 | + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | | --- | --- | --- | --- | | ❌ | ✔️ | ✔️ | ✔️| --- -- Microsoft.VP9VideoExtensions +- [Microsoft To Do](ms-windows-store://pdp/?PFN=Microsoft.ToDos_8wekyb3d8bbwe) | Package name: Microsoft.ToDos - Supported versions: --- - | Uninstall through UI? |22H2| 21H1 | 20H2 | + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | + | --- | --- | --- | --- | + | ✔️ | ✔️ | ✔️ | ✔️| + + --- + +- UI.Xaml | Package name: Microsoft.UI.Xaml + - Supported versions: + + --- + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | | --- | --- | --- | --- | | ❌ | ✔️ | ✔️ | ✔️| --- -- [Microsoft Pay](ms-windows-store://pdp/?PFN=Microsoft.Wallet_8wekyb3d8bbwe) | Package name: Microsoft.Wallet +- VCLibs | Package name: Microsoft.VCLibs - Supported versions: --- - | Uninstall through UI? |22H2| 21H1 | 20H2 | + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | + | --- | --- | --- | --- | + | ❌ | ✔️ | ✔️ | ✔️| + + --- + + +- [VP9 Video Extensions](ms-windows-store://pdp/?PFN=Microsoft.VP9VideoExtensions_8wekyb3d8bbwe) | Microsoft.VP9VideoExtensions + - Supported versions: + + --- + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | | --- | --- | --- | --- | | ❌ | ✔️ | ✔️ | ✔️| @@ -289,7 +380,7 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? |22H2| 21H1 | 20H2 | + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | | --- | --- | --- | --- | | ❌ | ✔️ | ✔️ | ✔️| 
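Review bot: The added VP9 Video Extensions line in the @@ -259,27 +329,48 @@ hunk ends with `| Microsoft.VP9VideoExtensions`, without the `Package name:` label that the Microsoft To Do, UI.Xaml and VCLibs entries added beside it carry. Add the label and drop the doubled blank line added just above that entry. The same hunk replaces the Microsoft Pay (`Microsoft.Wallet`) entry outright; if that app is no longer provisioned, the commit message, which is only "Provisioned apps", should say so.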
@@ -299,17 +390,27 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? |22H2| 21H1 | 20H2 | + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | | --- | --- | --- | --- | | ❌ | ✔️ | ✔️ | ✔️| --- +- [Whiteboard](ms-windows-store://pdp/?PFN=Microsoft.Whiteboard_8wekyb3d8bbwe) | Package name: Microsoft.Whiteboard + - Supported versions: + + --- + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | + | --- | --- | --- | --- | + | ✔️ | ✔️ | ✔️| ✔️| + + --- + - [Microsoft Photos](ms-windows-store://pdp/?PFN=Microsoft.Windows.Photos_8wekyb3d8bbwe) | Package name: Microsoft.Windows.Photos - Supported versions: --- - | Uninstall through UI? |22H2| 21H1 | 20H2 | + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | | --- | --- | --- | --- | | ❌ | ✔️ | ✔️ | ✔️| @@ -319,7 +420,7 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? |22H2| 21H1 | 20H2 | + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | | --- | --- | --- | --- | | ❌ | ✔️ | ✔️ | ✔️| @@ -329,9 +430,9 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? |22H2| 21H1 | 20H2 | + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️ | ✔️| + | ✔️ | ✔️ | ✔️ | ✔️| --- @@ -339,7 +440,7 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? |22H2| 21H1 | 20H2 | + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | | --- | --- | --- | --- | | ❌ | ✔️ | ✔️ | ✔️| @@ -349,7 +450,7 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? |22H2| 21H1 | 20H2 | + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | | --- | --- | --- | --- | | ❌ | ✔️ | ✔️ | ✔️| 
@@ -359,7 +460,7 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? |22H2| 21H1 | 20H2 | + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | | --- | --- | --- | --- | | ❌ | ✔️ | ✔️ | ✔️| @@ -369,19 +470,29 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? |22H2| 21H1 | 20H2 | + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️ | ✔️| + | ✔️ | ✔️ | ✔️ | ✔️| --- -- [Windows Voice Recorder](ms-windows-store://pdp/?PFN=Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe) | Package name: Microsoft.WindowsSoundRecorder +- [Windows Notepad](ms-windows-store://pdp/?PFN=Microsoft.WindowsNotepad_8wekyb3d8bbwe) | Package name: Microsoft.Notepad - Supported versions: --- - | Uninstall through UI? |22H2| 21H1 | 20H2 | + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️ | ✔️| + | ✔️ | ✔️ | ✔️ | ✔️| + + --- + +- [Windows Sound Recorder](ms-windows-store://pdp/?PFN=Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe) | Package name: Microsoft.WindowsSoundRecorder + - Supported versions: + + --- + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | + | --- | --- | --- | --- | + | ✔️ | ✔️ | ✔️ | ✔️| --- 
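Review bot: In the @@ -369,19 +470,29 @@ hunk the new Windows Notepad entry links to PFN `Microsoft.WindowsNotepad_8wekyb3d8bbwe` but gives the package name as `Microsoft.Notepad`. The Windows Sound Recorder entry added next to it uses a package name that matches its PFN prefix (`Microsoft.WindowsSoundRecorder`), so one of the two Notepad values is likely wrong. Check it against the Get-AppxProvisionedPackage output the article is based on and make the link and the package name agree.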
@@ -389,29 +500,17 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? |22H2| 21H1 | 20H2 | + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | | --- | --- | --- | --- | | ❌ | ✔️ | ✔️ | ✔️| --- - - The Store app shouldn't be removed. If you remove the Store app, and want to reinstall it, you must restore your system from a backup, or reset your system. Instead of removing the Store app, use group policies to hide or disable it. - - [Xbox Live in-game experience](ms-windows-store://pdp/?PFN=Microsoft.Xbox.TCUI_8wekyb3d8bbwe) | Package name: Microsoft.Xbox.TCUI - Supported versions: --- - | Uninstall through UI? |22H2| 21H1 | 20H2 | - | --- | --- | --- | --- | - | ❌ | ✔️ | ✔️ | ✔️| - - --- - -- [Xbox Console Companion](ms-windows-store://pdp/?PFN=Microsoft.XboxApp_8wekyb3d8bbwe) | Package name: Microsoft.XboxApp - - Supported versions: - - --- - | Uninstall through UI? |22H2| 21H1 | 20H2 | + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | | --- | --- | --- | --- | | ❌ | ✔️ | ✔️ | ✔️| @@ -421,7 +520,7 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? |22H2| 21H1 | 20H2 | + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | | --- | --- | --- | --- | | ❌ | ✔️ | ✔️ | ✔️| @@ -431,7 +530,7 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? |22H2| 21H1 | 20H2 | + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | | --- | --- | --- | --- | | ❌ | ✔️ | ✔️ | ✔️| 
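Review bot: The @@ -389,29 +500,17 @@ hunk deletes the note that the Store app shouldn't be removed, that reinstalling it requires restoring from a backup or resetting the system, and that group policies should be used to hide or disable it instead. Nothing in the patch replaces that guidance and the commit message doesn't mention it. If the restriction still applies, keep the note under the Store entry; if it no longer applies, state that in the commit message so the removal is a recorded decision rather than a side effect of the table update.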
@@ -441,37 +540,37 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? |22H2| 21H1 | 20H2 | + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | | --- | --- | --- | --- | | ❌ | ✔️ | ✔️ | ✔️| --- -- Microsoft.XboxSpeechToTextOverlay +- Xbox speech to text overlay | Package name: Microsoft.XboxSpeechToTextOverlay - Supported versions: --- - | Uninstall through UI? |22H2| 21H1 | 20H2 | + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | | --- | --- | --- | --- | | ❌ | ✔️ | ✔️ | ✔️| --- -- [Your Phone](ms-windows-store://pdp/?PFN=Microsoft.YourPhone_8wekyb3d8bbwe) | Package name: Microsoft.YourPhone +- [Phone Link](ms-windows-store://pdp/?PFN=Microsoft.YourPhone_8wekyb3d8bbwe) | Package name: Microsoft.YourPhone - Supported versions: --- - | Uninstall through UI? |22H2| 21H1 | 20H2 | + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | | --- | --- | --- | --- | | ❌ | ✔️ | ✔️ | ✔️| --- -- [Groove Music](ms-windows-store://pdp/?PFN=Microsoft.ZuneMusic_8wekyb3d8bbwe) | Package name: Microsoft.ZuneMusic +- [Windows Media Player](ms-windows-store://pdp/?PFN=Microsoft.ZuneMusic_8wekyb3d8bbwe) | Package name: Microsoft.ZuneMusic - Supported versions: --- - | Uninstall through UI? |22H2| 21H1 | 20H2 | + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | | --- | --- | --- | --- | | ❌ | ✔️ | ✔️ | ✔️| 
@@ -481,8 +580,28 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. - Supported versions: --- - | Uninstall through UI? |22H2| 21H1 | 20H2 | + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | | --- | --- | --- | --- | | ❌ | ✔️ | ✔️ | ✔️| --- + +- [Quick Assist](ms-windows-store://pdp/?PFN=MicrosoftCorporationII.QuickAssist_8wekyb3d8bbwe) | Package name: MicrosoftCorporationII.QuickAssist + - Supported versions: + + --- + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | + | --- | --- | --- | --- | + | ✔️ | ✔️ | ✔️ | ✔️| + + --- + +- Windows Web Experience | Package name: MicrosoftWindows.Client.WebExperience + - Supported versions: + + --- + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | + | --- | --- | --- | --- | + | ❌ | ✔️ | ✔️ | ❌| + + --- From 7811dc22f395ae8608c1a7fa4a7a08cb97a71d2d Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Mon, 5 Jun 2023 08:33:53 -0700 Subject: [PATCH 72/80] Update windows/deployment/do/TOC.yml --- windows/deployment/do/TOC.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/do/TOC.yml b/windows/deployment/do/TOC.yml index e03e08c2ec..ff00445b6c 100644 --- a/windows/deployment/do/TOC.yml +++ b/windows/deployment/do/TOC.yml @@ -65,7 +65,7 @@ href: mcc-isp-support.md - name: MCC for ISPs (early preview) href: mcc-isp.md -- name: Microsoft Connected Cache content and services endpoints +- name: Endpoints for Microsoft Connected Cache content and services href: delivery-optimization-endpoints.md From c82f606e6e929086f430ac7ed3c77df815decf24 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Mon, 5 Jun 2023 08:38:48 -0700 Subject: [PATCH 73/80] Update windows/deployment/do/waas-delivery-optimization-faq.yml formatting --- windows/deployment/do/waas-delivery-optimization-faq.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/deployment/do/waas-delivery-optimization-faq.yml b/windows/deployment/do/waas-delivery-optimization-faq.yml index 6f0b6fe690..06f77fa59a 100644 --- a/windows/deployment/do/waas-delivery-optimization-faq.yml +++ b/windows/deployment/do/waas-delivery-optimization-faq.yml @@ -111,7 +111,7 @@ sections: The recommended configuration for Delivery Optimization Peer-to-Peer to work most efficiently along with cloud proxy solutions (for example, Zscaler) is to allow traffic to the Delivery Optimization services to go directly to the internet and not through the cloud proxy. At a minimum, the following FQDN that is used for communication between clients and the Delivery Optimization service should be allowed with direct Internet access and bypass the cloud proxy service: - • *.prod.do.dsp.mp.microsoft.com + - *.prod.do.dsp.mp.microsoft.com If allowing direct Internet access isn't an option, try using Group Download Mode '2' to define the peering group. [Learn more](waas-delivery-optimization-reference.md#select-the-source-of-group-ids) about using Group Download mode. From ebddccec824e7937e6e5507f4cb7fd0105b3cefc Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Mon, 5 Jun 2023 08:45:16 -0700 Subject: [PATCH 74/80] Update windows/deployment/do/waas-delivery-optimization-faq.yml formatting --- windows/deployment/do/waas-delivery-optimization-faq.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/do/waas-delivery-optimization-faq.yml b/windows/deployment/do/waas-delivery-optimization-faq.yml index 06f77fa59a..867466f2de 100644 --- a/windows/deployment/do/waas-delivery-optimization-faq.yml +++ b/windows/deployment/do/waas-delivery-optimization-faq.yml 
@@ -111,7 +111,7 @@ sections: The recommended configuration for Delivery Optimization Peer-to-Peer to work most efficiently along with cloud proxy solutions (for example, Zscaler) is to allow traffic to the Delivery Optimization services to go directly to the internet and not through the cloud proxy. At a minimum, the following FQDN that is used for communication between clients and the Delivery Optimization service should be allowed with direct Internet access and bypass the cloud proxy service: - - *.prod.do.dsp.mp.microsoft.com + - *.prod.do.dsp.mp.microsoft.com If allowing direct Internet access isn't an option, try using Group Download Mode '2' to define the peering group. [Learn more](waas-delivery-optimization-reference.md#select-the-source-of-group-ids) about using Group Download mode. From 44f1db1abe0432bfc46934999e2aa6f7f2906848 Mon Sep 17 00:00:00 2001 From: "Nicholas S. White" <104782157+nicholasswhite@users.noreply.github.com> Date: Mon, 5 Jun 2023 12:01:15 -0400 Subject: [PATCH 75/80] Changed last updated date --- .../provisioned-apps-windows-client-os.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/application-management/provisioned-apps-windows-client-os.md b/windows/application-management/provisioned-apps-windows-client-os.md index e449c6cd1f..cc40f1255b 100644 --- a/windows/application-management/provisioned-apps-windows-client-os.md +++ b/windows/application-management/provisioned-apps-windows-client-os.md @@ -4,7 +4,7 @@ description: Use the Windows PowerShell Get-AppxProvisionedPackage command to ge author: nicholasswhite ms.author: nwhite manager: aaroncz -ms.date: 01/12/2023 +ms.date: 06/05/2023 ms.topic: article ms.prod: windows-client ms.technology: itpro-apps From 190d898ef37b1a881baa5adbf97fdd2077af0d6c Mon Sep 17 00:00:00 2001 
From: "Nicholas S. White" <104782157+nicholasswhite@users.noreply.github.com> Date: Mon, 5 Jun 2023 13:46:13 -0400 Subject: [PATCH 76/80] System apps --- .../system-apps-windows-client-os.md | 277 +++++++++--------- 1 file changed, 143 insertions(+), 134 deletions(-) diff --git a/windows/application-management/system-apps-windows-client-os.md b/windows/application-management/system-apps-windows-client-os.md index efc4c311ec..11134b7ea8 100644 --- a/windows/application-management/system-apps-windows-client-os.md +++ b/windows/application-management/system-apps-windows-client-os.md @@ -4,7 +4,7 @@ description: Use the Windows PowerShell Get-AppxPackage command to get a list of author: nicholasswhite ms.author: nwhite manager: aaroncz -ms.date: 2/14/2023 +ms.date: 6/05/2023 ms.topic: article ms.prod: windows-client ms.technology: itpro-apps 
@@ -44,314 +44,323 @@ The following information lists the system apps on some Windows Enterprise OS ve - File Picker | Package name: 1527c705-839a-4832-9118-54d4Bd6a0c89 --- - | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | - | --- | --- | --- | --- | --- | --- | - | | ❌ | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | + | --- | --- | --- | --- | + | | ✔️ | ✔️ | ✔️| --- - File Explorer | Package name: c5e2524a-ea46-4f67-841f-6a9465d9d515 --- - | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | - | --- | --- | --- | --- | --- | --- | - | | ❌ | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | + | --- | --- | --- | --- | + | | ✔️ | ✔️ | ✔️| --- - App Resolver UX | Package name: E2A4F912-2574-4A75-9BB0-0D023378592B --- - | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | - | --- | --- | --- | --- | --- | --- | - | | ❌ | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | + | --- | --- | --- | --- | + | | ✔️ | ✔️ | ✔️| --- - Add Suggested Folders To Library | Package name: F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE --- - | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | - | --- | --- | --- | --- | --- | --- | - | | ❌ | ❌ | ✔️ | ✔️| ✔️ | - - --- - -- InputApp - - --- - | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | - | --- | --- | --- | --- | --- | --- | - | | ❌ | ❌ | | | ✔️ | + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | + | --- | --- | --- | --- | + | | ✔️ | ✔️ | ✔️| --- - Microsoft.AAD.Broker.Plugin | Package name: Microsoft.AAD.Broker.Plugin --- - | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | - | --- | --- | --- | --- | --- | --- | - | | ❌ | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | + | --- | --- | --- | --- | + | | ✔️ | ✔️ | ✔️| --- - Microsoft.AccountsControl | Package name: Microsoft.AccountsControl --- - | Uninstall through UI? 
| 22H2 | 22H1 | 21H2 | 20H2 | 1809 | - | --- | --- | --- | --- | --- | --- | - | | ❌ | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | + | --- | --- | --- | --- | + | | ✔️ | ✔️ | ✔️| --- - Microsoft.AsyncTextService | Package name: Microsoft.AsyncTextService --- - | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | - | --- | --- | --- | --- | --- | --- | - | | ❌ | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | + | --- | --- | --- | --- | + | | ✔️ | ✔️ | ✔️| --- - Hello setup UI | Package name: Microsoft.BioEnrollment --- - | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | - | --- | --- | --- | --- | --- | --- | - | | ❌ | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | + | --- | --- | --- | --- | + | | ✔️ | ✔️ | ✔️| --- - Microsoft.CredDialogHost --- - | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | - | --- | --- | --- | --- | --- | --- | - | | ❌ | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | + | --- | --- | --- | --- | + | | ✔️ | ✔️ | ✔️| --- - Microsoft.ECApp --- - | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | - | --- | --- | --- | --- | --- | --- | - | | ❌ | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | + | --- | --- | --- | --- | + | | ✔️ | ✔️ | ✔️| --- - Microsoft.LockApp --- - | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | - | --- | --- | --- | --- | --- | --- | - | | ❌ | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | + | --- | --- | --- | --- | + | | ✔️ | ✔️ | ✔️| --- - Microsoft Edge | Package name: Microsoft.MicrosoftEdge --- - | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | - | --- | --- | --- | --- | --- | --- | - | | ❌ | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | + | --- | --- | --- | --- | + | | ✔️ | ✔️ | ✔️| --- - Microsoft.MicrosoftEdgeDevToolsClient --- - | Uninstall through UI? 
| 22H2 | 22H1 | 21H2 | 20H2 | 1809 | - | --- | --- | --- | --- | --- | --- | - | | ❌ | ❌ | ✔️ | ✔️| ✔️ | - - --- - -- Microsoft.PPIProjection - - --- - | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | - | --- | --- | --- | --- | --- | --- | - | | ❌ | ❌ | | | ✔️ | + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | + | --- | --- | --- | --- | + | | ✔️ | ✔️ | ✔️| --- - Microsoft.Win32WebViewHost --- - | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | - | --- | --- | --- | --- | --- | --- | - | | ❌ | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | + | --- | --- | --- | --- | + | | ✔️ | ✔️ | ✔️| --- - Microsoft.Windows.Apprep.ChxApp --- - | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | - | --- | --- | --- | --- | --- | --- | - | | ❌ | ❌ | ✔️ | ✔️| ✔️ | - - --- - -- Microsoft.Windows.AssignedAccessLockApp - - --- - | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | - | --- | --- | --- | --- | --- | --- | - | | ❌ | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | + | --- | --- | --- | --- | + | | ✔️ | ✔️ | ✔️| --- - Microsoft.Windows.CapturePicker --- - | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | - | --- | --- | --- | --- | --- | --- | - | | ❌ | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | + | --- | --- | --- | --- | + | | ✔️ | ✔️ | ✔️| --- - Microsoft.Windows.CloudExperienceHost --- - | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | - | --- | --- | --- | --- | --- | --- | - | | ❌ | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | + | --- | --- | --- | --- | + | | ✔️ | ✔️ | ✔️| --- - Microsoft.Windows.ContentDeliveryManager --- - | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | - | --- | --- | --- | --- | --- | --- | - | | ❌ | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? 
| KB5026446 | 22H2 | 21H2 | + | --- | --- | --- | --- | + | | ✔️ | ✔️ | ✔️| --- -- Cortana | Package name: Microsoft.Windows.Cortana +- Narrator QuckStart | Package name: Microsoft.Windows.NarratorQuickStart --- - | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | - | --- | --- | --- | --- | --- | --- | - | | ❌ | ❌ | | | ✔️ | + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | + | --- | --- | --- | --- | + | | ✔️ | ✔️ | ✔️| --- - Microsoft.Windows.OOBENetworkCaptivePort --- - | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | - | --- | --- | --- | --- | --- | --- | - | | ❌ | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | + | --- | --- | --- | --- | + | | ✔️ | ✔️ | ✔️| --- - Microsoft.Windows.OOBENetworkConnectionFlow --- - | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | - | --- | --- | --- | --- | --- | --- | - | | ❌ | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | + | --- | --- | --- | --- | + | | ✔️ | ✔️ | ✔️| --- - Microsoft.Windows.ParentalControls --- - | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | - | --- | --- | --- | --- | --- | --- | - | | ❌ | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | + | --- | --- | --- | --- | + | | ✔️ | ✔️ | ✔️| --- - People Hub | Package name: Microsoft.Windows.PeopleExperienceHost --- - | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | - | --- | --- | --- | --- | --- | --- | - | | ❌ | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | + | --- | --- | --- | --- | + | | ✔️ | ✔️ | ✔️| --- - Microsoft.Windows.PinningConfirmationDialog --- - | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | - | --- | --- | --- | --- | --- | --- | - | | ❌ | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | + | --- | --- | --- | --- | + | | ✔️ | ✔️ | ✔️| --- -- Microsoft.Windows.SecHealthUI +- Microsoft.Windows.PrintQueueActionCenter --- - | Uninstall through UI? 
| 22H2 | 22H1 | 21H2 | 20H2 | 1809 | - | --- | --- | --- | --- | --- | --- | - | | ❌ | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | + | --- | --- | --- | --- | + | | ✔️ | ✔️ | ✔️| --- -- Microsoft.Windows.SecureAssessmentBrowser +- Microsoft.Windows.ShellExperienceHost --- - | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | - | --- | --- | --- | --- | --- | --- | - | | ❌ | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | + | --- | --- | --- | --- | + | | ✔️ | ✔️ | ✔️| --- -- Start | Package name: Microsoft.Windows.ShellExperienceHost +- Start | Microsoft.Windows.StartMenuExperienceHost --- - | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | - | --- | --- | --- | --- | --- | --- | - | | ❌ | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | + | --- | --- | --- | --- | + | | ✔️ | ✔️ | ✔️| + + --- + +- Microsoft.Windows.XGpuEjectDialog + + --- + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | + | --- | --- | --- | --- | + | | ✔️ | ✔️ | ✔️| --- - Microsoft.XboxGameCallableUI --- - | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | - | --- | --- | --- | --- | --- | --- | - | | ❌ | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | + | --- | --- | --- | --- | + | | ✔️ | ✔️ | ✔️| + + --- + +- MicrosoftWindows.Client.CBS + + --- + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | + | --- | --- | --- | --- | + | | ✔️ | ✔️ | ✔️| + + --- + +- MicrosoftWindows.Client.Core + + --- + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | + | --- | --- | --- | --- | + | | ✔️ | ✔️ | ✔️| + + --- + +- MicrosoftWindows.UndockedDevKit + + --- + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | + | --- | --- | --- | --- | + | | ✔️ | ✔️ | ✔️| + + --- + +- NcsiUwpApp + + --- + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | + | --- | --- | --- | --- | + | | ✔️ | ✔️ | ✔️| --- - Windows.CBSPreview --- - | Uninstall through UI? 
| 22H2 | 22H1 | 21H2 | 20H2 | 1809 | - | --- | --- | --- | --- | --- | --- | - | | ❌ | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | + | --- | --- | --- | --- | + | | ✔️ | ✔️ | ✔️| --- - Settings | Package name: Windows.immersivecontrolpanel --- - | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | - | --- | --- | --- | --- | --- | --- | - | | ❌ | ❌ | ✔️ | ✔️| ✔️ | - - --- - -- Print 3D | Package name: Windows.Print3D - - --- - | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | - | --- | --- | --- | --- | --- | --- | - | | ✔️ | ✔️ | | | ✔️ | + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | + | --- | --- | --- | --- | + | | ✔️ | ✔️ | ✔️| --- - Print UI | Package name: Windows.PrintDialog --- - | Uninstall through UI? | 22H2 | 22H1 | 21H2 | 20H2 | 1809 | - | --- | --- | --- | --- | --- | --- | - | | ❌ | ❌ | ✔️ | ✔️| ✔️ | + | Uninstall through UI? | KB5026446 | 22H2 | 21H2 | + | --- | --- | --- | --- | + | | ✔️ | ✔️ | ✔️| --- From 1e55e1753b0e5df2563f5e84fadfea8d239afeb0 Mon Sep 17 00:00:00 2001 From: Rick Munck <33725928+jmunck@users.noreply.github.com> Date: Mon, 5 Jun 2023 13:50:05 -0400 Subject: [PATCH 77/80] Update security-compliance-toolkit-10.md Update Edge supported version to 114 --- .../security-compliance-toolkit-10.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md index bac325bbe0..6f7eef0ed1 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md 
@@ -48,7 +48,7 @@ The Security Compliance Toolkit consists of: - Microsoft 365 Apps for Enterprise Version 2206 - Microsoft Edge security baseline - - Edge version 107 + - Edge version 114 - Tools - Policy Analyzer From 2aa37d4bbde549060cba54e73ad2a1a36f7a7983 Mon Sep 17 00:00:00 2001 From: "Nicholas S. White" <104782157+nicholasswhite@users.noreply.github.com> Date: Mon, 5 Jun 2023 15:00:31 -0400 Subject: [PATCH 78/80] Removed broken link --- .../provisioned-apps-windows-client-os.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/application-management/provisioned-apps-windows-client-os.md b/windows/application-management/provisioned-apps-windows-client-os.md index cc40f1255b..e42358820a 100644 --- a/windows/application-management/provisioned-apps-windows-client-os.md +++ b/windows/application-management/provisioned-apps-windows-client-os.md @@ -325,7 +325,7 @@ Provisioned apps are also listed in **Settings** > **Apps and Features**. --- -- [Store Purchase App](ms-windows-store://pdp/?PFN=Microsoft.StorePurchaseApp_8wekyb3d8bbwe) | Package name: Microsoft.StorePurchaseApp +- Store Purchase App | Package name: Microsoft.StorePurchaseApp - Supported versions: --- From 768a410399faf12a737cf90fab6e12eddbecf5cc Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Mon, 5 Jun 2023 17:31:26 -0400 Subject: [PATCH 79/80] sync --- .openpublishing.redirection.json | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index f08411d076..23ad5f13cf 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json 
@@ -5442,7 +5442,7 @@ }, { "source_path": "windows/device-security/bitlocker/index.md", - "redirect_url": "/windows/operating-system-security/data-protection/bitlocker/index", + "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/index", "redirect_document_id": false }, { @@ -9837,7 +9837,7 @@ }, { "source_path": "windows/keep-secure/index.md", - "redirect_url": "/windows/operating-system-security/data-protection/bitlocker/index", + "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/index", "redirect_document_id": false }, { 
@@ -21622,72 +21622,72 @@ }, { "source_path": "windows/security/information-protection/personal-data-encryption/faq-pde.yml", - "redirect_url": "/windows/operating-system-security/data-protection/personal-data-encryption/faq-pde", + "redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption/faq-pde", "redirect_document_id": false }, { "source_path": "windows/security/information-protection/bitlocker/bitlocker-and-adds-faq.yml", - "redirect_url": "/windows/operating-system-security/data-protection/bitlocker/bitlocker-and-adds-faq", + "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-and-adds-faq", "redirect_document_id": false }, { "source_path": "windows/security/information-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml", - "redirect_url": "/windows/operating-system-security/data-protection/bitlocker/bitlocker-deployment-and-administration-faq", + "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-deployment-and-administration-faq", "redirect_document_id": false }, { "source_path": "windows/security/information-protection/bitlocker/bitlocker-frequently-asked-question.yml", - "redirect_url": "/windows/operating-system-security/data-protection/bitlocker/bitlocker-frequently-asked-question", + "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-frequently-asked-question", "redirect_document_id": false }, { "source_path": "windows/security/information-protection/bitlocker/bitlocker-key-management-faq.yml", - "redirect_url": "/windows/operating-system-security/data-protection/bitlocker/bitlocker-key-management-faq", + "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-key-management-faq", "redirect_document_id": false }, { "source_path": "windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.yml", - 
"redirect_url": "/windows/operating-system-security/data-protection/bitlocker/bitlocker-network-unlock-faq", + "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-network-unlock-faq", "redirect_document_id": false }, { "source_path": "windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml", - "redirect_url": "/windows/operating-system-security/data-protection/bitlocker/bitlocker-overview-and-requirements-faq", + "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-overview-and-requirements-faq", "redirect_document_id": false }, { "source_path": "windows/security/information-protection/bitlocker/bitlocker-security-faq.yml", - "redirect_url": "/windows/operating-system-security/data-protection/bitlocker/bitlocker-security-faq", + "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-security-faq", "redirect_document_id": false }, { "source_path": "windows/security/information-protection/bitlocker/bitlocker-to-go-faq.yml", - "redirect_url": "/windows/operating-system-security/data-protection/bitlocker/bitlocker-to-go-faq", + "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-to-go-faq", "redirect_document_id": false }, { "source_path": "windows/security/information-protection/bitlocker/bitlocker-upgrading-faq.yml", - "redirect_url": "/windows/operating-system-security/data-protection/bitlocker/bitlocker-upgrading-faq", + "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-upgrading-faq", "redirect_document_id": false }, { "source_path": "windows/security/information-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml", - "redirect_url": "/windows/operating-system-security/data-protection/bitlocker/bitlocker-using-with-other-programs-faq", + "redirect_url": 
"/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-using-with-other-programs-faq", "redirect_document_id": false }, { "source_path": "windows/security/information-protection/bitlocker/bitlocker-frequently-asked-questions.yml", - "redirect_url": "/windows/operating-system-security/data-protection/bitlocker/bitlocker-frequently-asked-questions", + "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/bitlocker-frequently-asked-questions", "redirect_document_id": false }, { "source_path": "windows/security/information-protection/bitlocker/bitlocker-overview.md", - "redirect_url": "/windows/operating-system-security/data-protection/bitlocker/index", + "redirect_url": "/windows/security/operating-system-security/data-protection/bitlocker/index", "redirect_document_id": false }, { "source_path": "windows/security/information-protection/personal-data-encryption/overview-pde.md", - "redirect_url": "/windows/operating-system-security/data-protection/personal-data-encryption/index", + "redirect_url": "/windows/security/operating-system-security/data-protection/personal-data-encryption/index", "redirect_document_id": false } ] From e63832c9784a5da229101ad1dfff5a517e71dc8c Mon Sep 17 00:00:00 2001 From: Andre Della Monica Date: Mon, 5 Jun 2023 18:57:55 -0500 Subject: [PATCH 80/80] New updates --- ...-autopatch-device-registration-overview.md | 16 +++---- ...utopatch-groups-manage-autopatch-groups.md | 47 +++++++------------ ...s-manage-windows-feature-update-release.md | 5 ++ ...-groups-windows-feature-update-overview.md | 3 ++ 4 files changed, 33 insertions(+), 38 deletions(-) diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md index f511e6481b..b1f8d211c8 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md 
+++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-device-registration-overview.md @@ -1,7 +1,7 @@ --- title: Device registration overview description: This article provides an overview on how to register devices in Autopatch -ms.date: 05/08/2023 +ms.date: 06/06/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: conceptual @@ -115,13 +115,13 @@ The Windows Autopatch deployment ring calculation occurs during the device reg > [!NOTE] > You can customize the deployment ring calculation logic by editing the Default Autopatch group. -| Deployment ring | Default device balancing percentage | Description | -| ----- | ----- | ----- | -| Test | **zero** | Windows Autopatch doesn't automatically add devices to this deployment ring. You must manually add devices to the Test ring following the required procedure. For more information on these procedures, see [Moving devices in between deployment rings](/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management#moving-devices-in-between-deployment-rings). The recommended number of devices in this ring, based upon your environment size, is as follows:
  • **0–500** devices: minimum **one** device.
  • **500–5000** devices: minimum **five** devices.
  • **5000+** devices: minimum **50** devices.
Devices in this group are intended for your IT Administrators and testers since changes are released here first. This release schedule provides your organization the opportunity to validate updates prior to reaching production users. | -| First | **1%** | The First ring is the first group of production users to receive a change.

This group is the first set of devices to send data to Windows Autopatch and are used to generate a health signal across all end-users. For example, Windows Autopatch can generate a statistically significant signal saying that critical errors are trending up in a specific release for all end-users, but can't be confident that it's doing so in your organization.

Since Windows Autopatch doesn't yet have sufficient data to inform a release decision, devices in this deployment ring might experience outages if there are scenarios that weren't covered during early testing in the Test ring.| -| Fast | **9%** | The Fast ring is the second group of production users to receive changes. The signals from the First ring are considered as a part of the release process to the Broad ring.

The goal with this deployment ring is to cross the **500**-device threshold needed to generate statistically significant analysis at the tenant level. These extra devices allow Windows Autopatch to consider the effect of a release on the rest of your devices and evaluate if a targeted action for your tenant is needed.

| -| Broad | Either **80%** or **90%** | The Broad ring is the last group of users to receive software update deployments. Since it contains most of the devices registered with Windows Autopatch, it favors stability over speed in a software update deployment.| -| Last | **zero** | The Last ring is intended to be used for either specialized devices or devices that belong to VIP/executives in an organization. Windows Autopatch doesn't automatically add devices to this deployment ring. | +| Service-based deployment ring | Default Autopatch group deployment ring | Default device balancing percentage | Description | +| ----- | ----- | ----- | ----- | +| Test | Test | **zero** | Windows Autopatch doesn't automatically add devices to this deployment ring. You must manually add devices to the Test ring following the required procedure. For more information on these procedures, see [Moving devices in between deployment rings](/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management#moving-devices-in-between-deployment-rings). The recommended number of devices in this ring, based upon your environment size, is as follows:
  • **0–500** devices: minimum **one** device.
  • **500–5000** devices: minimum **five** devices.
  • **5000+** devices: minimum **50** devices.
Devices in this group are intended for your IT Administrators and testers since changes are released here first. This release schedule provides your organization the opportunity to validate updates prior to reaching production users. | +| First | Ring 1 | **1%** | The First ring is the first group of production users to receive a change.

This group is the first set of devices to send data to Windows Autopatch and are used to generate a health signal across all end-users. For example, Windows Autopatch can generate a statistically significant signal saying that critical errors are trending up in a specific release for all end-users, but can't be confident that it's doing so in your organization.

Since Windows Autopatch doesn't yet have sufficient data to inform a release decision, devices in this deployment ring might experience outages if there are scenarios that weren't covered during early testing in the Test ring.| +| Fast | Ring 2 | **9%** | The Fast ring is the second group of production users to receive changes. The signals from the First ring are considered as a part of the release process to the Broad ring.

The goal with this deployment ring is to cross the **500**-device threshold needed to generate statistically significant analysis at the tenant level. These extra devices allow Windows Autopatch to consider the effect of a release on the rest of your devices and evaluate if a targeted action for your tenant is needed.

| +| Broad | Ring 3 | Either **80%** or **90%** | The Broad ring is the last group of users to receive software update deployments. Since it contains most of the devices registered with Windows Autopatch, it favors stability over speed in a software update deployment.| +| N/A | Last | **zero** | The Last ring is intended to be used for either specialized devices or devices that belong to VIP/executives in an organization. Windows Autopatch doesn't automatically add devices to this deployment ring. | ## Software update-based to service-based deployment ring mapping diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md index 9831d4850d..c059889d51 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-groups-manage-autopatch-groups.md @@ -1,7 +1,7 @@ --- title: Manage Windows Autopatch groups description: This article explains how to manage Autopatch groups -ms.date: 05/11/2023 +ms.date: 06/05/2023 ms.prod: windows-client ms.technology: itpro-updates ms.topic: how-to 
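Review bot: The `ms.date` values in this commit disagree. windows-autopatch-groups-manage-autopatch-groups.md is set to `06/05/2023` here, while windows-autopatch-device-registration-overview.md in the same commit is set to `06/06/2023`, and the commit itself is dated 5 Jun 2023. Use one date for both files.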
@@ -99,6 +99,10 @@ Before you start managing Autopatch groups, ensure you’ve met the following pr ## Edit the Default or a Custom Autopatch group +> [!TIP] +> You can't edit an Autopatch group when there's one or more Windows feature update releases targeted to it. If you try to edit an Autopatch group with one or more ongoing Windows feature update releases targeted to it, you get the following informational banner message: "**Some settings are not allowed to be modified as there’s one or more on-going Windows feature update release targeted to this Autopatch group.**" +> See [Manage Windows feature update releases](../operate/windows-autopatch-groups-manage-windows-feature-update-release.md) for more information on release and phase statuses. + **To edit either the Default or a Custom Autopatch group:** 1. Select the **horizontal ellipses (…)** > **Edit** for the Autopatch group you want to edit. 
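Review bot: The callout added under "Edit the Default or a Custom Autopatch group" is marked `[!TIP]`, but it describes a hard restriction, so `[!IMPORTANT]` or `[!NOTE]` fits better. Its first sentence says "You can't edit an Autopatch group", while the quoted banner says only "Some settings are not allowed to be modified"; either name the settings that stay editable or align the two statements. The sentence also spells "ongoing" where the banner has "on-going"; keep the banner spelling only if it is copied verbatim from the UI.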
@@ -111,6 +115,18 @@ Before you start managing Autopatch groups, ensure you’ve met the following pr > [!IMPORTANT] > Windows Autopatch creates the device-based Azure AD assigned groups based on the choices made in the deployment ring composition page. Additionally, the service assigns the update ring policies for each deployment ring created in the Autopatch group based on the choices made in the Windows Update settings page as part of the Autopatch group guided end-user experience. +## Rename a Custom Autopatch group + +You **can’t** rename the Default Autopatch group. However, you can rename a Custom Autopatch group. + +**To rename a Custom Autopatch group:** + +1. Select the **horizontal ellipses (…)** > **Rename** for the Custom Autopatch group you want to rename. The **Rename Autopatch group** fly-in opens. +1. In the **New Autopatch group name**, enter the new Autopatch group name of your choice, then click **Rename group**. + +> [!IMPORTANT] +> Autopatch supports up to 64 characters for the custom Autopatch group name. Additionally, when you rename a custom Autopatch group all [update rings for Windows 10 and later policy in Intune](/mem/intune/protect/windows-10-update-rings) and [feature updates for Windows 10 and later policy in Intune](/mem/intune/protect/windows-10-feature-updates) associated with the custom Autopatch group are renamed to include the new Autopatch group name you define in its name string. Also, when renaming a custom Autopatch group all Azure AD groups representing the custom Autopatch group's deployment rings are renamed to include the new Autopatch group name you define in its name string. + ## Delete a Custom Autopatch group You **can’t** delete the Default Autopatch group. However, you can delete a Custom Autopatch group. 
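Review bot: Wording in the new "Rename a Custom Autopatch group" section is inconsistent. The `[!IMPORTANT]` block uses lowercase "custom Autopatch group" where the heading and steps use "Custom Autopatch group". Step 2 says "click **Rename group**" where step 1 and the Edit procedure say "Select", and "In the **New Autopatch group name**" is missing its noun (field or box). The callout also packs three separate consequences into one paragraph (the 64-character limit, the Intune policy renames, the Azure AD group renames); a short list would keep the Azure AD group rename from being overlooked.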
@@ -125,10 +141,6 @@ You **can’t** delete the Default Autopatch group. However, you can delete a Cu ## Manage device conflict scenarios when using Autopatch groups -> [!IMPORTANT] -> The Windows Autopatch groups functionaliy is in **public preview**. This feature is being actively developed and not all device conflict detection and resolution scenarios are working as expected. -> For more information on what to expect for this scenario during public preview, see [Known issues](#known-issues). - Overlap in device membership is a common scenario when working with device-based Azure AD groups since sometimes dynamic queries can be large in scope or the same assigned device membership can be used across different Azure AD groups. Since Autopatch groups allow you to use your existing Azure AD groups to create your own deployment ring composition, the service takes on the responsibility of monitoring and automatically solving some of the device conflict scenarios that may occur. 
@@ -180,22 +192,6 @@ Autopatch groups will keep monitoring for all device conflict scenarios listed i This section lists known issues with Autopatch groups during its public preview. -### Device conflict scenarios when using Autopatch groups - -- **Status: Active** - -The Windows Autopatch team is aware that all device conflict scenarios listed below are currently being evaluated during the device registration process to make sure devices are properly registered with the service, and not evaluated post-device registration. The Windows Autopatch team is currently developing detection and resolution for the followin device conflict scenarios, and plan to make them available during public preview. - -- Default to Custom Autopatch device conflict detection and resolution. -- Device conflict detection and resolution within an Autopatch group. -- Custom to Custom Autopatch group device conflict detection. - -> [!TIP] -> Use the following two best practices to help minimize device conflict scenarios when using Autopatch groups during the public preview: -> -> - Review your software update deployment requirements thoroughly. If your deployment requirements allow, try using the Default Autopatch group as much as possible, instead of start creating Custom Autopatch groups. You can customize the Default Autopatch to have up to 15 deployment rings, and you can use your existing device-based Azure AD groups with custom update deployment cadences. -> - If creating Custom Autopatch groups, try to avoid using device-based Azure AD groups that have device membership overlaps with the devices that are already registered with Windows Autopatch, and already belong to the Default Autopatch group. - ### Autopatch group Azure AD group remediator - **Status: Active** 
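Review bot: The unchanged context line "This section lists known issues with Autopatch groups during its public preview." stays in place while this hunk and the previous one remove the public preview wording, so the Known issues intro is now inconsistent with the rest of the page; update or drop the "during its public preview" clause in the same change. The removed TIP also carried two best practices for minimizing device conflicts (prefer the Default Autopatch group, avoid device-based Azure AD groups whose membership overlaps with already registered devices) that aren't specific to the preview; consider moving them under "Manage device conflict scenarios when using Autopatch groups" instead of deleting them.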
@@ -219,12 +215,3 @@ The Windows Autopatch team is currently developing the Autopatch group Azure AD > - Modern Workplace Devices-Windows Autopatch-Broad > > Use the [Policy health feature](../operate/windows-autopatch-policy-health-and-remediation.md) to restore these groups, if needed. For more information, see [restore deployment groups](../operate/windows-autopatch-policy-health-and-remediation.md#restore-deployment-groups). - -### Rename an Autopatch group - -- **Status: Active** - -You can't rename an Autopatch group yet. The Autopatch group name is appended to all deployment ring names in the Autopatch group. Windows Autopatch is currently developing the rename feature. - -> [!IMPORTANT] -> During the public preview, if you try to rename either the [Update rings](/mem/intune/protect/windows-10-update-rings) or [feature updates](/mem/intune/protect/windows-10-feature-updates) for Windows 10 and later policies directly in the Microsoft Intune end-user experience, the policy names are reverted back to the name defined by the Autopatch group end-user experience interface. diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-manage-windows-feature-update-release.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-manage-windows-feature-update-release.md index fab7bbabbc..8323fdbc22 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-manage-windows-feature-update-release.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-manage-windows-feature-update-release.md @@ -91,6 +91,7 @@ The release statuses are described in the following table: | Active | All phases in the release are active. This means all phases have reached their first deployment date, which created the Windows feature update policies. |
  • Release can be paused but can't be edited or canceled since the Windows feature update policy was already created for its phases.
  • Autopatch groups and their deployment rings can be assigned to another release.
| | Inactive | All the Autopatch groups within the release have been assigned to a new release. As a result, the Windows feature update policies were unassigned from all phases from within the release. |
  • Release can be viewed as a historical record.
  • Releases can't be deleted, edited, or canceled.
| | Paused | All phases in the release are paused. The release will remain paused until you resume it. |
  • Releases with Paused status can't be edited or canceled since the Windows feature update policy was already created for its phases.
  • Release can be resumed.
| +| Canceled | All phases in the release are canceled. |
  • Releases with Canceled status can't be edited or canceled since the Windows feature update policy wasn't created for its phases.
  • Canceled release can't be deleted.
| ##### Phase statuses @@ -105,6 +106,7 @@ A phase is made of one or more Autopatch group deployment rings. Each phase repo | Active | The first deployment date has been reached. The Windows feature update policy has been created for the respective phase. | | Inactive | All Autopatch groups within the phase were re-assigned to a new release. All Windows feature update policies were unassigned from the Autopatch groups. | | Paused | Phase is paused. You must resume the phase. | +| Canceled | Phase is canceled. All Autopatch groups within the phase can be used with a new release. A phase that's canceled can't be deleted. | #### Details about Windows feature update policies @@ -146,6 +148,9 @@ The following table is an example of the Windows feature update policies that we 2. Additionally, the formula for the goal completion date is ` + ( – 1) * Days in between groups (7) + Deadline for feature updates (5 days) + Grace Period (2 days)`. 1. In the **Review + create** page, review all settings. Once you’re ready, select **Create**. +> [!NOTE] +> Custom releases can't be deleted from the Windows feature updates release management blade. The custom release record serves as a historical record for auditing purposes when needed. + ## Edit a release > [!NOTE] diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-overview.md index b49b0c5ba4..c3b733b603 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-groups-windows-feature-update-overview.md 
@@ -101,6 +101,9 @@ There are two scenarios that the Global release is used: | Scenario #1 | You assign Azure AD groups to be used with the deployment ring (Last) or you add additional deployment rings when you customize the [Default Autopatch group](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#edit-the-default-or-a-custom-autopatch-group).

A global Windows feature update policy is automatically assigned behind the scenes to the newly added deployment rings or when you assigned Azure AD groups to the deployment ring (Last) in the Default Autopatch group.

| | Scenario #2 | You create new [Custom Autopatch groups](../deploy/windows-autopatch-groups-manage-autopatch-groups.md#create-a-custom-autopatch-group).

The global Windows feature policy is automatically assigned behind the scenes to all deployment rings as part of the Custom Autopatch groups you create.

| +> [!NOTE] +> Global releases don't show up in the Windows feature updates release management blade. + #### Policy configuration values See the following table on how Windows Autopatch configures the values for its global Windows feature update policy. If your tenant is enrolled with Windows Autopatch, you can see the following default policies created by the service in the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431):
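Review bot: The added NOTE after the scenarios table says Global releases don't show up in the Windows feature updates release management blade, but it doesn't tell the reader where to look for them instead. The "Policy configuration values" context right below already points to the default policies in the Microsoft Intune admin center, so add a short pointer to that section or to the admin center in the note itself.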
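Review bot: In the release statuses table of windows-autopatch-groups-manage-windows-feature-update-release.md, the new Canceled row says "Releases with Canceled status can't be edited or canceled since the Windows feature update policy wasn't created for its phases", which looks adapted from the Paused row, where the same restriction is justified by the policy having already been created. Opposite causes for the same rule will confuse readers, and "can't be ... canceled" is redundant for a release that is already canceled. Suggest listing only the actions that are actually blocked for a canceled release, dropping or correcting the "since" clause, and keeping the two bullets parallel ("Releases with Canceled status" versus "Canceled release").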